Since the default is 5000 and 5001 and hackers are scanning for these ports, should I just change these two ports to something random and less frequently used as a threat vector for hackers? I have a Ubiquiti network with VPN that I use to access my local apps whenever I’m not on my LAN, so having ports open at all is kind of a needless practice. Assuming nothing is open on my Ubiquiti gateway, changing this setting really won’t do anything at all… right? Just making sure I understand all of this properly, as it would be a super easy thing to just change real quick. This change would only have an effect if I had those ports open in my firewall settings within the gateway though, correct? If my ports are all locked down then changing these defaults would have zero effect, since the outside can’t even see them at all… right?
If your router isn’t set up for port-forwarding 5000/5001 and your network is secure, it doesn’t matter. If your network isn’t secure, you have bigger problems to worry about!
If you are going to port forward from your router to your NAS, I would suggest not using a common port. Whilst security by obscurity is not great, “every little helps”. An even better way of port forwarding is perhaps to use port 443 for everything and run a reverse proxy to pass particular stuff to the right place.
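As an added illustration of the reverse-proxy approach suggested above (example config, not from this thread or from Synology): a minimal nginx server block that terminates TLS on 443 and forwards to DSM on its LAN address. The hostname, certificate paths and NAS address are assumed placeholders.

```nginx
# Added example: single public port (443) in front of DSM.
# Only 443 needs to be forwarded at the router; 5000/5001 stay LAN-only.
server {
    listen 443 ssl;
    server_name nas.example.com;                     # assumption: placeholder hostname

    ssl_certificate     /etc/nginx/certs/fullchain.pem;  # assumption: placeholder cert path
    ssl_certificate_key /etc/nginx/certs/privkey.pem;    # assumption: placeholder key path

    location / {
        # assumption: NAS is at 192.168.1.10 and DSM HTTPS is still on 5001
        proxy_pass https://192.168.1.10:5001;

        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # DSM's web UI uses websockets for some features; pass the upgrade headers through
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

# Plain HTTP on 80 only redirects; nothing is served unencrypted
server {
    listen 80;
    server_name nas.example.com;                     # assumption: placeholder hostname
    return 301 https://$host$request_uri;
}
```

The reverse proxy only narrows what is exposed; the DSM login itself should still be behind the NAS firewall's login protections and, ideally, the VPN described in the opening post.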
I believe you are 100% right. But have no fear, others will probably disagree at some point. In theory, in order to get to your NAS, someone would have to guess your VPN credentials, then scan every device on your LAN, and then try to guess your NAS credentials. While this is absolutely possible… probably not likely. I’ve had Synology NASes open to the internet for years and have never had a problem. Can something happen? Absolutely. All my data could be gone tomorrow. But I feel I’ve done what I can to prevent that from happening, including a full “offline” backup. So while I think you are on the right track, no doubt others will disagree and tell you to change those ports.
If I don’t gain any convenience by having them default, I see no reason to leave them as such. Unless, of course, this would break something that I do gain convenience from that I’m not thinking of. Hence the post.
Does Synology Photos use these ports? If so, can I modify them to something custom within Photos? Just trying to think of all of the things I may break before I break them to make sure this is something I want to even bother with.
Speaking of Photos:
So I log in from my phone using the built-in Synology QuickConnect method. I had changed my 5000/5001 ports a while ago, and am 99% sure those port changes were auto-updated on Synology’s QuickConnect servers, so on my phone, with any of the iOS Synology apps, I continue to use the QuickConnect method, and the connection is automatically sent to the right port since the QuickConnect servers know what those ports are. By that I mean I just enter my QuickConnect ID in the iOS apps, but don’t need to enter the new port numbers.
And of course, as soon as someone hacks those Synology servers, we’re all toast!
You bite your tongue for even suggesting such devastation! lol
So, if I’m reading what you’re saying correctly, as long as I use Synology QuickConnect to access externally via (Android in my case) apps, it knows what ports to use to get the proper path to the files that app needs to function. The way Synology QuickConnect knows is that it uses the ports listed in the login screen, right? So if I change them there… I don’t have to go into some QuickConnect menu to also update the same ports there, right?
Yes.
The only other thing to be aware of is connecting via a web browser. You can still use the slightly longer http://QuickConnect.to/(your quickconnect id), and since this connection goes through Synology servers, it too will automatically use the right port.
And at home you can also connect directly with 123.234.345.432:xxxx where xxxx is your new port number. Of course you’d have had to enter 123.234.345.432:5001 before, so this isn’t much of a change.
Good Luck!
(and while I hope those servers are never hacked, I’ve long ago lost hope of anything on the internet not being hack-able)