WARNING: Don't leave your web GUI open to the world

Dear users of Syncthing,

By default, the web GUI only listens for connections from localhost (127.0.0.1 or ::1 for ipv6).

If you decide to change this to make it listen to the whole world (for example, 0.0.0.0), then make sure you set up a username, password and HTTPS.

Otherwise, anybody can connect to your server and do anything they want with your Syncthing. This includes editing or deleting your files, impersonating you to other Syncthing users in your network, filling up your computer’s storage, etc.

This setting is configured in the “GUI Listen Addresses” of the web-based configuration menu, or the <gui> element of config.xml: http://docs.syncthing.net/users/config.html#gui-element

If you want to be able to access your web GUI remotely without a username and password, you should use SSH port forwarding like this:

$ ssh -L 9384:127.0.0.1:8384 my_remote_hostname
4 Likes

Maybe this should be mentioned in the documentation for not-power users

1 Like

We’ll have a warning of some kind in the UI in the next release as well.

4 Likes

The default is safe — it only allows connections from the local machine. It is the so-called “power users” who are changing the default and leaving themselves open to the world.

Can’t I set it to 192.168.0.0:8080 to allow access from within my LAN only?

Nothing like that can stop you from setting up port forwarding on your router to forward connections from the outside world to your LAN.

By doing this I locked me out from the GUI. Again: How can I limit the access to my LAN?

1 Like

Again: you cannot. Your computer will accept any incoming connections on a given interface. Something like your router - which is on your LAN - could quite happily forward packets from the wider internet onto your LAN, if you’ve configured it to do this, for example.

You could use a firewall to reject packets with a particular source, but Syncthing cannot know about this.

I use NGINX with reverse proxying with its own auth, how do I disable the big red warning? There’s nothing in the documentation (I assume this is the blessed doc http://docs.syncthing.net/users/config.html)

1 Like

Check advanced config.

For a reverse proxy setup only listening to localhost should be enough, except if your webserver is not on the same machine like syncthing.

1 Like

@JoePalma check advanced options for insecureAdminAccess

@AudriusButkevicius are you sure it’s in the docs? (see search)

I am not claiming its in the docs

@uok Thanks!

@alex I have three segregated syncthing instances running in jails and the webserver is in its own jail.

A post was split to a new topic: Username and password not accepted?

If your syncthing machine is behind a firewall not allowing 8384 in from the wan surely 0.0.0.0 is ok?

If you trust every device that will ever be on your network (“behind a firewall”), then I guess it’s okay.

Personally, I see no reason to make that assumption, so I use SSH port forwarding as described above.

2 Likes

And “every device in your network” probably includes printers and other hardware with software which very rarely gets updated. This is a recipe for disaster and printers, coffee machines, fax devices, copiers and so on have all been used in malware campaings before. Also if your network uses wifi and you ever gave the key to anybody with an Android, Apple, Windows Phone or Windows 10 device, chances are very high that your wifi key is already in someone elses hands, because backing up wifi keys as cleartext is the default behaviour on those systems.

Oh Apple and Google also know where to find your wifi, because this data is needed for the “wifi-assisted” location services. If you should be concerned about this is your decision. But I prefer to use SSH forwarding.

3 Likes