External access: Should we be worried?

Hi everyone, I am new here. I’m sorry if this topic has been raised before.

My name is Michael, and I run a tech business where I from time to time need clients to upload files so that we can work with them. We have recently switched from Google Drive where we could simply share a folder with a client, to Synology. I thought sending file requests was going to be super easy (And it is), but after watching a few videos on external access I must say I have become quite unsure whether our files are secure or not. I hope some of you would be able to shine some light on that.

Is my setup secure, or should I be worried about ransomware, brute force attacks, zero days and whatever is out there?

My setup is the following:

  • All internal workers connect to the NAS via Tailscale.
  • I have turned on QuickConnect, and changed the default port.
  • I have opened up the port on the router to give QuickConnect direct access.
  • I set up auto-block after a few attempts to log in.
  • I have made firewall rules to block countries that we dont have clients in.
  • I have set up 2FA on the user accounts.
  • We redirect all requests to HTTPS.

Are there anything additional to do to secure the NAS? Or should I completely turn off QuickConnect? I guess QuickConnect is the security risk since the VPN is quite secure. My concern is whether I should be worried about the direct access to the internet. There are very different opinions about this on the internet.

I think you did your homework correctly. You could add account protection. See Will’s latest video on that.
You will always get different opinions on the web. QuickConnect is not as bad as often suggested.
A good backup is there, too, I assume.

Thank you, yes I also have a local and an external backup of the entire NAS :slight_smile:

1 Like

This is opposite. Instead, allow only countries where clients exist. Deny all else.

I would also suggest dismantling QuickConnect which directs traffic through Synology networks, and imposes bandwidth caps.