There is no doubt that 2022 will be a year when you will be talking more about NAS security issues than new NAS features. These attacks are fueled by the popularity of NAS and will only increase in the future.
Regardless of what brand of NAS you own, you should follow some standard security guidelines to protect it from known security holes and vulnerabilities.
We recommend the following measures to protect your NAS from attacks
1. stop brute force attacks on your NAS.
Brute force attacks do not require a high level of skill. A port scanner (to find the open ports of an IP), an IP address spinner and a large database of commonly known usernames/passwords is all the attackers need.
Brute force attacks have increased, but they are easy to prevent.
Enable HTTPS with https so that your username, password and other data are transmitted in encrypted form. This means that your data cannot be leaked.
DO NOT use default administrator names. Do not use names like root, admin, administrator, etc. A complex username ( john12@! Instead of johndoe) is a good idea. A complex password is so cliché, I do not need to tell you.
2-factor authentication is great. Enable it if you can. But remember your backup pins, because if you do not have access to your token generator, you can be locked out of the device.
Now the most important part - your dynamic DNS name should be complex. And why? Because it's easy for a hacker to try popular names like johndoe.dyndns.org and then use the username 'johndoe' with the password 'johndoesecret'.
You can also lock the IP address after a certain number of attempts, but this will not help if the attacker has a pool of large IP numbers, which is usually the case.
2. Remote access via VPN. No direct port forwarding to your NAS
I am not going to ask you to disable remote access on your NAS. Sure, if it's not on the Internet, it's safe, but that's not what you bought your NAS for.
There are ways for secure remote access like VPN. I know port forwarding is easier than VPN, but it's not very secure either.
Access via a VPN is more secure. Use openvpn or wireguard if your vendor supports it. Most NAS vendors make it easy for you to run a VPN server.
Remote access via VPN is quite secure, not that there are no vulnerabilities , openvpn had 2 publicly listed vulnerabilities in 2021,but VPNs stil are safer than direct port forwards.
3. minimize the number of third-party applications.
There are numerous third-party applications in the QNAP and Synology app stores. They can be installed with a single click, but it is difficult to maintain them in the long run. If you do not update them in time and be aware of any vulnerabilities in the apps , your NAS will become more insecure.
Delete all the apps you do not use, update all the apps you have regularly, and keep an eye out for any new security vulnerabilities related to the apps you use.
4. Keep your NAS firmware updated.
Keep the firmware up to date. It is very easy and you will usually be prompted to install the latest version as soon as it is available. The new version includes the patches, so it is always advisable to use the latest version.
5. take advantage of all the security, logging and notification applications that your NAS provider offers.
QNAP and Synology offer antivirus packages, security advisors, and malware scanners. Look for and use the apps that your NAS vendor offers.
Occasionally look at the log for suspicious activity and enable notifications so that you are notified immediately if something is wrong.
6. Secure your Docker containers and virtual machines running on NAS
High-end NASes give you the option to run a virtual machine on the NAS itself using KVM, but this is not advisable. Unless you are able to secure every VM you run on your NAS, you should not do this.
The same goes for Docker applications. If you are an advanced user, it is tempting to use Docker applications because they are lightweight and easy to install. If you absolutely must have the application, make sure you use the image from a credible source and upgrade to the latest version whenever it is available.
7. no SSH. No copy-paste commands. No password login.
If you do not need SSH, do not enable it. If you need it, make sure you secure it with a public/private key and never use password authentication. It is better to disable the feature and enable it only when you need it.
And offcoure Never execute a command unless you know exactly what it does. Copying and pasting commands from forums without knowing what they do is not a very good idea.
8. A backup of your NAS backup - offline copies, snapshots
If you have done everything we have suggested so far, you have minimized the likelihood of an intrusion, but not completely eliminated it. A determined hacker can get past even the most secure organizations, so you are not offlimit.
So the final part is to be prepared in case your device is attacked.
This can be achieved by doing 2 things
First - snapshots are a must. Snapshots allow you to restore your data to a previous state. So if a ransomware encrypts your file, you can restore it to its previous state. If you have deleted your file or need a previous version of a file, snapshots are also very useful.
Second - you need an offline copy. The only copy that is safe from malicious software is the offline copy. The easiest way to offload some data from your NAS for offline storage is to use the RDX dock. Connect an RDX dock to your NAS via the USB port and use the RDX cartridge to copy data. After copying, remove the RDX Cartridge and store it safely.
Here is the checklist of everything we have suggested so far.