…without snark or jumping down my throat. I genuinely want to know why it’s so unsafe.
I’m running a Synology DS920+, with my DSM login exposed through a Cloudflare tunnel. I have 2FA enabled, Synology firewall enabled with these rules in place. I also have this IP blocklist enabled.
After all of this, how would someone be able to break in via the DSM login?
NAS vendors aren’t known for understanding security. Opening ssh to the world is no problem, because ssh is everywhere, it’s constantly attacked, and half the world would know if an exploitable vulnerability was found.
If NAS vendor ABC has a vulnerability in the login code written by a programmer who hasn’t done much more than CSS, it would surprise nobody, and you wouldn’t hear about it on any IT news sites. It would just be exploited until all the machines were exploited or until they’re all patched.
It really is a world of difference between something known and secure and some random login page.
That seems to go against the general consensus… Why is everyone/everything online telling me to either disable SSH entirely, or change the SSH port to something incredibly obscure (and even that’s not safe)?
Because they’re being silly. There is no other public facing service more secure than a relatively modern OpenSSH.
In some instances, yes, it’s best to disable the ssh that comes with whatever NAS OS you’re running, because they often ship old code and don’t care about updates and security.
But if you’re running a relatively up to date OpenSSH and you’re using keys, not passwords, then you are as secure as you can reasonably be. There’s no math suggesting otherwise. Moving to a different port will reduce the frequency of attack, but that will have zero impact on the possibility of intrusion.
Put it this way: if relatively recent OpenSSH has a remotely exploitable vulnerability, you’ll see it on the news on TV. You’ll see it and hear about it literally everywhere. The world will stop for 24 hours and there will be widespread panic. You’ll know.
If your NAS has an exploit, you might read about it on The Register a few months later.
Well said!