Synology NAS - Help stop attacks from USA via port 80

Hoggorm · November 28, 2019, 9:41am

Hello,

I have a Synology NAS with Let’s Encrypt certificate. To allow for auto renew of the certificate port 80 has to be open. In my firewall I’ve blocked basically every country other than my own, but USA has to be allowed since that is where Let’s Encrypt renews the certificate from (as far as I understand?).

Now the problem is that there are quite a few attacks towards my NAS from USA so I’d like to close down access from the country, but how can I still allow Let’s Encrypt to auto renew?

Any ideas?

Thank you

JuergenAuer · November 28, 2019, 9:48am

Hi @Hoggorm

that's wrong. Letsencrypt uses different ip addresses. And will change that -> worldwide ip addresses are used.

If a webserver is online, there are "attacks". You have to handle that.

Osiris · November 28, 2019, 9:58am

Why don't you just ignore the "attacks"? I'm sure your server is up to date and secure?

Also, those attacks on port 80 could also be directed to port 443. The webserver behind those ports is probably the same. So by blocking port 80 you don't necessarily make your webserver more secure.

Hoggorm · November 28, 2019, 10:30am

I have to admit that my technical knowledge in this area is somewhat limited so I might be confusing things.

I do not run any webserver at all.

The only reason for me to leave port 80 open (port 443 is closed by the way) is to allow for auto renew of the Let’s Encrypt certificate as I was under the impression that it was necessary to leave 80 open to allow for this. Do I understand you correct in that I safely can close the port and still auto renew?

The NAS is up to date and as mentioned no server is running at all. As to why I do not want to just ignore the “attacks” is this: I’ve enabled auto block on IP addresses that try to log into the NAS and fails. From time to time this Auto Block feature blocks the local IP 192.168.1.1 (!) in the middle of the night. I do not know what happens, and why that local IP is being used, but since my knowledge of this is very limited, I’d like to stop all access that I possibly can.

Since I understand port 80 is especially interesting for hackers etc. I find it somewhat uncomfortable leaving it open…

I’d prefer to put the relevant Let’s Encrypt IP addresses to a white list, but I understand those IPs are changing all the time and not published…

JuergenAuer · November 28, 2019, 10:37am

That's

correct.

That's

wrong if you use http validation. Read

Hoggorm · November 28, 2019, 10:49am

I do belive Synology only allows HTTP-01 validation unfortunately. So then I’m stuck with leaving port 80 open as far as I understand…

Osiris · November 28, 2019, 11:49am

Your Synology NAS probably does. For what service would it need a certificate otherwise?

That probably isn't true.

Correct, Let's Encrypt doesn't support white lists.

Correct.

orangepizza · November 28, 2019, 12:31pm

Can you make prehook and post hook so it open port 80 only when there is a renewal happens?

Hoggorm · November 28, 2019, 1:11pm

As mentioned I’m not the brightest mind regarding these things… I was just thinking about a “normal” website, and I do not host any. The certificate is however required for various NAS applications when I access them from outside my own network.

Hoggorm · November 28, 2019, 1:12pm

That would be a very nice feature, but I do not know if this is possible at all with the Synology NAS, and as far as I can see the renewal periode is somewhat random. It is not exactly every 90 days for example…

system · December 28, 2019, 1:12pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.