# Security Findings Register
Findings observed during lab discovery and ongoing operations. Each finding has a target phase for remediation and is tracked through to closure.
Process: When a SEC-* item is closed, update the status here and note the PR/commit that resolved it.
## Active Findings
| ID | Finding | Severity | Target Phase | Status |
|---|---|---|---|---|
| SEC-001 | SMB (port 445) forwarded from public internet to Synology (192.168.6.215). Public-facing SMB is a known ransomware vector with a long history of remotely exploitable bugs. | High | Phase 0 hotfix | Open |
| SEC-002 | VLANs are organizationally segmented but no inter-VLAN firewall rules enforce isolation. A compromised IoT or Security-VLAN device can reach the Servers VLAN. | Medium | Phase 7 | Open |
| SEC-003 | DSM HTTP/HTTPS (5000/5001) forwarded from public internet. DSM has a recurring CVE history; access should require Tailscale. | Medium | Phase 7 | Open |
| SEC-004 | Port-forward omgwtfbbq to 192.168.1.84:9001. Purpose unknown; operator does not recall creating it. | Medium | Phase 0.5 (investigate) / Phase 7 (remediate) | Closed — device unidentified, firewall rule permanently disabled (2026-05-12) |
| SEC-005 | All four WiFi SSIDs share the same networkconf_id and land on VLAN 1 (GenPop). The EAP-secured SSIDs likely intend tier separation that isn't network-enforced. | Low-Medium | Phase 7 | Open |
| SEC-006 | Tailscale node recordurbate health-check warning: advertising routes but --accept-routes=false. Cosmetic/operational, not exploitable, but should be fixed when the node comes under management. | Low | Phase 3 | Closed — tailscale set --accept-routes applied (2026-05-12) |
| SEC-007 | Tailscale tailnet has 6+ nodes offline for 53-590 days. Confirmed as real devices to be rehydrated. Evaluate retention policy and ACL hygiene. | Low | Phase 0.5 (audit) / Phase 7 (ACL policy) | Open |
| SEC-008 | DSM admin UI exposed via SEC-003 forwards. 2FA must be confirmed on all DSM admin accounts as a compensating control until SEC-003 closes. | Medium | Phase 0 (confirm 2FA) | Verified — 2FA, AutoBlock, Account Protection confirmed enabled (2026-05-11) |
| SEC-009 | Public-facing services under realemail.app depend on Cloudflare + Traefik + Authentik chain. No documented runbook for Cloudflare API token leak or Authentik DB corruption scenarios. | Low | Phase 6 (DR runbooks) | Open |
## Compensating Controls

### SEC-008: DSM 2FA Verification
Until SEC-003 (closing DSM public port forwards) is complete in Phase 7, the following compensating control must be in place:
All DSM admin accounts must have 2FA enabled. Verify as follows:
- Log in to DSM at `https://<synology-ip>:5001`
- Go to Control Panel > User & Group
- For each user with admin privileges:
  - Click the user, go to the Security tab (or Personal > Security for your own account)
  - Confirm 2-Step Verification is enabled
  - If Adaptive MFA is available (DSM 7.2+), enable it
- Under Control Panel > Security > Account:
  - Enable Auto Block (10 failed attempts in 5 minutes)
  - Enable Account Protection to lock accounts after repeated failures
- Document which accounts have 2FA enabled and the date verified
**Action Required**
If any admin account does NOT have 2FA enabled, enable it immediately. SMB and DSM are publicly reachable until SEC-001 and SEC-003 are closed.
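Closing SEC-001 and SEC-003 means the forwarded ports stop answering from the outside, and that is worth confirming rather than assuming once the router rules are removed. The script below is an added example, not part of this register or of any Synology tooling: it maps each finding to the TCP ports its row names (445 for SEC-001, 5000/5001 for SEC-003), attempts a plain TCP connect to each from wherever it is run, and reports per finding which ports still complete a handshake. Run it from outside the LAN (a phone hotspot, a VPS you control) against your own public IP; `PUBLIC_IP_PLACEHOLDER` and the `FINDINGS` mapping are constructed for this example and are not values from the page.

```python
"""Closure check for SEC-001 / SEC-003: are the forwarded ports still reachable?

Added example for the findings register; assumes it is run from OUTSIDE the
LAN against your own public IP, so that a successful connect means the
port-forward is still in place.
"""
import socket
import sys

# Constructed from the register rows: finding id -> (short description, TCP ports)
FINDINGS = {
    "SEC-001": ("SMB forwarded to Synology", (445,)),
    "SEC-003": ("DSM HTTP/HTTPS forwarded", (5000, 5001)),
}


def port_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout.

    Connection refused, timeout and unresolvable host all raise OSError and
    are reported as 'not reachable', which is the closed state we want.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_findings(host: str, findings=FINDINGS, timeout: float = 3.0) -> dict:
    """Return {finding_id: [ports still reachable]}; an empty list means closed."""
    return {
        fid: [p for p in ports if port_reachable(host, p, timeout)]
        for fid, (_, ports) in findings.items()
    }


def report(results: dict, findings=FINDINGS) -> list:
    """Render check_findings() output as one status line per finding."""
    lines = []
    for fid, open_ports in results.items():
        desc = findings[fid][0]
        if open_ports:
            lines.append(f"{fid} STILL OPEN: {desc} -> reachable on {open_ports}")
        else:
            lines.append(f"{fid} closed: {desc} -> no forwarded port reachable")
    return lines


if __name__ == "__main__":
    # Usage: python closure_check.py <your-public-ip>
    target = sys.argv[1] if len(sys.argv) > 1 else "PUBLIC_IP_PLACEHOLDER"
    for line in report(check_findings(target)):
        print(line)
```

A finding is only reported closed when none of its ports answer; a DSM forward that was removed for 5000 but left on 5001 still shows SEC-003 as open, which is the case a quick manual check tends to miss. Because the check is a bare TCP connect it does not distinguish "forwarded to DSM" from "forwarded to something else on that port", so treat any reachable port as a rule still to be removed, not as proof of what is behind it.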
## Closed Findings
No findings closed yet.