NAS Homelab: Synology NAS Security & Infrastructure
Overview
This project documents the design, configuration, and ongoing maintenance of a personal home lab built around a Synology 4-bay NAS running SHR-1 (Synology Hybrid RAID). The lab serves two purposes: providing resilient personal storage and acting as a practical environment for developing skills in security hardening, access control, infrastructure monitoring, and log-based threat detection.

Infrastructure & Storage
The NAS runs SHR-1, which provides single-drive fault tolerance while allowing drives of mixed sizes, balancing redundancy with cost efficiency. The setup is accessed across Windows, macOS, and iOS, reflecting real-world multi-platform organisational contexts.
The NAS volume is encrypted at rest, ensuring that data remains protected against physical theft or unauthorised hardware access. Even if the drives were removed from the device, the data would be unreadable without the encryption key — a critical control in any environment handling sensitive data.
Backup resilience is maintained across three copies on separate media: live data on the NAS with automated backups running on a consistent schedule, a second encrypted external drive kept locally, and a third encrypted drive stored offsite. Both external drives are protected with strong passwords and updated regularly, ensuring recoverability against drive failure, system failure, and physical loss or disaster scenarios.
Snapshot management is configured to provide point-in-time recovery capability, allowing rollback to previous states without requiring a full restore. This is particularly valuable for protection against accidental deletion or ransomware, where a recent clean snapshot can be recovered quickly without data loss extending beyond the snapshot interval.
Security Configuration
Security hardening was approached systematically, applying principles consistent with the ISC2 CC framework and least-privilege thinking:
- Firewall rules restrict inbound and outbound traffic to defined, necessary services only, reducing the attack surface at the network perimeter.
- Role-based access controls (RBAC) ensure each user account has access only to the shares and services relevant to their function, preventing lateral movement between resources.
- Multi-factor authentication (MFA) is enforced across accounts, adding a credential layer that protects against password-based compromise.
- Automated patch management ensures DSM and installed packages receive updates on a defined schedule, reducing exposure to known vulnerabilities without requiring manual intervention.
- Tailscale VPN provides secure remote access using a zero-trust mesh network model, avoiding the need to expose ports directly to the internet.
Monitoring Stack
A full monitoring stack was designed and deployed as a containerised project, comprising four services orchestrated via docker-compose:
- Prometheus scrapes and stores time-series metrics from the NAS at 15-second intervals, with a 30-day retention window, providing a continuous record of system performance.
- Node Exporter exposes hardware-level metrics including CPU utilisation, memory pressure, and network throughput, giving granular visibility into resource consumption over time.
- Loki provides log aggregation, collecting system logs from the NAS in real time via Promtail, the log shipping agent, creating a searchable, centralised log store.
- Grafana serves as the visualisation layer, with dashboards covering both infrastructure metrics and security events. A pre-built Node Exporter dashboard was imported for system metrics, and a custom Security Overview dashboard was built from scratch.
Security Dashboard & Threat Detection
A dedicated Security Overview dashboard was built in Grafana using LogQL queries against the Loki data source, providing real-time visibility into:
- Authentication failures — failed and unauthorised access attempts across system logs
- Login activity — successful session opens tracked to identify unexpected access patterns
- Brute force detection — alert conditions configured to trigger notifications when failure thresholds are exceeded within a defined time window
This represents a foundational SIEM capability: centralised log collection, real-time querying, pattern-based detection, and alerting — implemented on self-hosted open source tooling at no additional cost.
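The brute force condition described above (failures exceeding a threshold within a time window), shown as an added Python example that is not the lab's own LogQL query or Grafana alert rule. The sshd-style line format, the default of 5 failures in 5 minutes, and the sample log are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed sshd-style syslog format; adapt the pattern to the lines Promtail actually ships.
FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: time_of_first_alert} for every source that reaches
    `threshold` failures inside a sliding `window`. Lines must be in time order."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    alerts = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines do not count
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] >= window:  # evict failures that have aged out
            q.popleft()
        if len(q) >= threshold and m["ip"] not in alerts:
            alerts[m["ip"]] = ts
    return alerts

# Constructed sample: one fast burst, one slow source, one successful login.
SAMPLE_LOG = """\
2024-05-01T02:00:00 nas sshd[901]: Failed password for admin from 198.51.100.23 port 40112 ssh2
2024-05-01T02:03:10 nas sshd[907]: Failed password for admin from 203.0.113.7 port 51100 ssh2
2024-05-01T02:03:14 nas sshd[907]: Failed password for invalid user root from 203.0.113.7 port 51100 ssh2
2024-05-01T02:03:19 nas sshd[907]: Failed password for admin from 203.0.113.7 port 51102 ssh2
2024-05-01T02:03:25 nas sshd[911]: Accepted password for alice from 192.0.2.10 port 50222 ssh2
2024-05-01T02:03:31 nas sshd[912]: Failed password for admin from 203.0.113.7 port 51104 ssh2
2024-05-01T02:03:40 nas sshd[912]: Failed password for admin from 203.0.113.7 port 51106 ssh2
2024-05-01T02:06:00 nas sshd[920]: Failed password for admin from 198.51.100.23 port 40120 ssh2
2024-05-01T02:12:00 nas sshd[931]: Failed password for admin from 198.51.100.23 port 40131 ssh2
2024-05-01T02:18:00 nas sshd[940]: Failed password for admin from 198.51.100.23 port 40140 ssh2
2024-05-01T02:24:00 nas sshd[952]: Failed password for admin from 198.51.100.23 port 40152 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip}: threshold reached at {when.isoformat()}")
```

The slow source (one failure every six minutes) never trips the 5-minute window, which is the trade-off to weigh when choosing the window length for the alert rule.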
Reflection & Next Steps
Building and maintaining this lab has required making real security trade-offs: balancing access and usability, applying least privilege without creating friction, and designing for recoverability as well as protection. Deploying the monitoring stack from scratch, including troubleshooting container permissions, network configuration, and log pipeline issues, developed practical skills directly applicable to security operations environments.