# Security Findings Register
Findings observed during lab discovery and ongoing operations. Each finding has a target phase for remediation and is tracked through to closure.
Process: When a SEC-* item is closed, update the status here and note the PR/commit that resolved it.
## Active Findings
| ID | Finding | Severity | Target Phase | Status |
|---|---|---|---|---|
| SEC-002 | VLANs are organizationally segmented but no inter-VLAN firewall rules enforce isolation. A compromised IoT or Security-VLAN device can reach the Servers VLAN. | Medium | Phase 7 | Closed — ZBF enabled on UDM, 8 custom policies verified via API scan (2026-05-15). See docs/architecture/firewall-policy.md |
| SEC-003 | DSM HTTP/HTTPS (5000/5001) forwarded from public internet. DSM has a recurring CVE history; access should require Tailscale. | Medium | Phase 7 | Closed — port forwards deleted from UDM (2026-05-15). DSM accessible only via Tailscale at 100.71.93.130; off-LAN verified 2026-06-19 |
| SEC-004 | Port-forward omgwtfbbq to 192.168.1.84:9001. Purpose unknown; operator does not recall creating it. | Medium | Phase 0.5 (investigate) / Phase 7 (remediate) | Closed — port forward deleted from UDM (2026-05-15) |
| SEC-005 | All four WiFi SSIDs share the same networkconf_id and land on VLAN 1 (GenPop). The EAP-secured SSIDs likely intend tier separation that isn't network-enforced. | Low-Medium | Phase 7 | Closed — SSID network assignments updated and verified via API (2026-05-15). IsThisTheKrustyKrab → Personal, HotSignalsInYourArea → IoT, Rebellious Amish Family → Appliances |
| SEC-006 | Tailscale node recordurbate health-check warning: advertising routes but --accept-routes=false. Cosmetic/operational, not exploitable, but should be fixed when the node comes under management. | Low | Phase 3 | Closed — tailscale set --accept-routes applied (2026-05-12) |
| SEC-007 | Tailscale tailnet has 6+ nodes offline for 53-590 days. Confirmed as real devices to be rehydrated. Evaluate retention policy and ACL hygiene. | Low | Phase 0.5 (audit) / Phase 7 (ACL policy) | Closed — ACL in infra/tailscale/acl.json; GitHub Action sync green (2026-06-19, run 27811413868) |
| SEC-008 | DSM admin UI exposed via SEC-003 forwards. 2FA must be confirmed on all DSM admin accounts as a compensating control until SEC-003 closes. | Medium | Phase 0 (confirm 2FA) | Closed — 2FA, AutoBlock, Account Protection confirmed (2026-05-11); SEC-003 closed 2026-05-15 |
## Compensating Controls

### SEC-008: DSM 2FA Verification (historical)
SEC-003 is closed. This section records the verification performed while DSM was still WAN-reachable:
All DSM admin accounts must have 2FA enabled. Verified 2026-05-11:
- Log in to DSM at `https://<synology-ip>:5001`
- Go to Control Panel > User & Group
- For each user with admin privileges:
    - Click the user, go to the Security tab (or Personal > Security for your own account)
    - Confirm 2-Step Verification is enabled
    - If Adaptive MFA is available (DSM 7.2+), enable it
- Under Control Panel > Security > Account:
    - Enable Auto Block (10 failed attempts in 5 minutes)
    - Enable Account Protection to lock accounts after repeated failures
> **Note**
> DSM is reachable only via Tailscale (100.71.93.130:5001) since 2026-05-15.
> SEC-001 (public SMB) closed 2026-06-21 — see closed findings.
## Closed Findings
| ID | Closed | Resolution |
|---|---|---|
| SEC-002 | 2026-05-15 | ZBF policies applied on UDM |
| SEC-001 | 2026-06-21 | Verified absent from UDM port-forward list; see scripts/hotfix-disable-smb-forward.md |
| SEC-003 | 2026-05-15 | WAN port forwards removed; Tailscale-only access |
| SEC-004 | 2026-05-15 | Unknown port forward deleted |
| SEC-005 | 2026-05-15 | WiFi SSID → VLAN mapping corrected |
| SEC-006 | 2026-05-12 | recordurbate accept-routes fixed |
| SEC-007 | 2026-06-19 | ACL GitOps workflow + secrets |
| SEC-008 | 2026-05-15 | 2FA verified; SEC-003 closed |
| SEC-009 | 2026-06-21 | dr-public-edge.md — tabletop proven (Cloudflare token rotation, Traefik ACME, Authentik backup restore paths) |