Keep NAS Secure

Desmac
New here
Posts: 7
Joined: Sun Jan 12, 2020 11:36 pm

Keep NAS Secure

Post by Desmac » Thu Mar 26, 2020 3:07 am

QNAP TS251D, 2no 4TB WD Red Drives, RAID 1

I'm a noobie to the NAS world, apart from one at my office which I do not administer.
Everybody on this forum is quite clear that a NAS should not be exposed to the outside world.
How do I then keep software up-to-date as also advised?
I have been advised that as long as the client is protected there should not be a problem.
My NAS is connected to a Netgear switch which is connected to a BT Home Hub 6.
How do I protect this set-up?
Sorry if this is a FAQ. I've searched the forum but almost everything I've found is out of date.
TIA
Desmac

OneCD
Ask me anything
Posts: 6989
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: Keep NAS Secure

Post by OneCD » Thu Mar 26, 2020 3:14 am

Desmac wrote:
Thu Mar 26, 2020 3:07 am
Everybody on this forum is quite clear that a NAS should not be exposed to the outside world.
In this context, "exposed to the outside world" means the NAS is able to respond to requests that originate outside your LAN (i.e. the Internet). This is a bad idea, as the QNAP services listening on your NAS are not great at handling intentionally malformed requests, which can create security vulnerabilities that can be taken advantage of by remote attackers.

Your NAS is considered "exposed" if you have forwarded ports in your router to the NAS. Be aware - this can happen automatically if your router has a working UPnP service. So, disable UPnP in your router.
Desmac wrote:
Thu Mar 26, 2020 3:07 am
How do I then keep software up-to-date as also advised?
You can still update the software on your NAS. These requests originate inside your LAN (from your NAS) and are heading out to the Internet. Your router automatically allows responses to these requests back into your LAN. :geek:
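
Added example (not part of OneCD's post or of any QNAP or router tooling): a check for the UPnP case described above, where a port forward to the NAS appears without anyone configuring it. It assumes the router speaks UPnP IGD (WANIPConnection:1) and that its `GetGenericPortMappingEntry` SOAP responses have already been collected; the responses, IP addresses and function names below are constructed for illustration.

```python
import xml.etree.ElementTree as ET

FIELDS = ("NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewEnabled", "NewPortMappingDescription")

def sample_response(ext_port, proto, int_port, client, enabled, desc):
    """Build a constructed GetGenericPortMappingEntryResponse (sample data)."""
    values = (ext_port, proto, int_port, client, enabled, desc)
    body = "".join(f"<{k}>{v}</{k}>" for k, v in zip(FIELDS, values))
    return ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
            '<s:Body><u:GetGenericPortMappingEntryResponse '
            'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
            f'{body}</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')

def parse_mapping(soap_xml):
    """Return the New* fields of one port-mapping entry as a dict."""
    entry = {}
    for el in ET.fromstring(soap_xml).iter():
        name = el.tag.rsplit("}", 1)[-1]          # drop any XML namespace
        if name in FIELDS:
            entry[name] = (el.text or "").strip()
    return entry

def exposed_mappings(responses, nas_ip):
    """Enabled forwards whose internal target is the NAS, as readable strings."""
    hits = []
    for xml_text in responses:
        m = parse_mapping(xml_text)
        # A disabled rule or a rule for another LAN host does not expose the NAS.
        if m.get("NewInternalClient") == nas_ip and m.get("NewEnabled") == "1":
            hits.append(f'{m["NewProtocol"]} WAN:{m["NewExternalPort"]} -> '
                        f'{nas_ip}:{m["NewInternalPort"]} ({m["NewPortMappingDescription"]})')
    return hits

NAS_IP = "192.168.1.50"   # assumed NAS address on the LAN (constructed)
SAMPLE = [                # constructed router responses, not real captures
    sample_response(8080, "TCP", 8080, NAS_IP, 1, "NAS web admin"),
    sample_response(3074, "UDP", 3074, "192.168.1.20", 1, "game console"),
    sample_response(443, "TCP", 443, NAS_IP, 0, "disabled rule"),
]

if __name__ == "__main__":
    for line in exposed_mappings(SAMPLE, NAS_IP):
        print("EXPOSED:", line)
```

An empty result for the NAS address means no UPnP-created forward currently points at it; manually configured forwards still have to be checked in the router's own settings.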

Moogle Stiltzkin
Ask me anything
Posts: 8357
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....

Re: Keep NAS Secure

Post by Moogle Stiltzkin » Thu Mar 26, 2020 3:59 am

in QTS you can tick to auto warn whenever a new firmware update is available.

although updating day 1 is usually the best idea, because sometimes a qts build may or may not be a good update, and sometimes they do get pulled, but not always. most of us defer update by a week or probably a few more. but everyone should be checking the forum to check that a qts build is stable or not before updating to it
viewforum.php?f=142

some builds you can skip, but anything that has security related patches or important bug fixes, you should update to. subscribe to the newsletter, usually they will email you if it's an important update
https://www.qnap.com/en/security-advisory

don't port forward your NAS. Do not enable myqnapcloud and cloud link. use a secure password (although this won't save you from vulnerabilities, as long as you don't port forward you should have limited your exposure).

Careful what you put onto your NAS. Keep regular backups
https://www.reddit.com/r/qnap/comments/ ... _a_backup/

if you insist on remote access, at least use a vpn setup
https://www.reddit.com/r/qnap/comments/ ... _from_the/


update your router regularly. all devices on the network need to also be regularly updated e.g. windows 10 etc. Any device on the network can also put at risk your NAS and any other device which is also on that same network. Some users get hit thinking they did everything right for their QNAP, but they didn't carefully practise safe basic network security practices even home users should be doing (mostly keeping up to date, and probably having anti virus, anti malware, and not downloading dodgy stuff onto their devices, and NEVER port forwarding to the internet or exposing yourself to it in some unsafe way).

if you are using IOT devices, consider segregating them out using VLANs so that those high risk devices don't affect your other network devices from getting exposed to attacks via that route.

Desmac wrote:
Thu Mar 26, 2020 3:07 am
I'm a noobie to the NAS world, apart from one at my office which I do not administer.
this is already a red flag. A nas isn't a device you put your stuff on it and that's all you do. No. You need to regularly update, and backup. For raid you would also have automated raid scrub once a month. being a newbie doesn't really justify or give the excuse to wash your hands of managing your NAS (Unless you want to get hacked or lose your data at some point. it's not even a matter of if, but when, with that kind of attitude :S ).

You don't have to keep up with the happenings on forum too diligently, but at least subscribe to the security advisory newsletter and have it email you whenever a crisis does happen which they urge you to update to fix some urgent issue.

same for when a new qts gets released, you can setup notifications to inform you when a new qts gets released.


afaik most of the NAS security related guides and answers more or less are generally still applicable. Nothing much has changed from before in regards to properly securing your NAS to avoid getting hacked, or hit by malware, or losing your data (due to no backup).
Last edited by Moogle Stiltzkin on Thu Mar 26, 2020 1:52 pm, edited 2 times in total.
NAS
[Main Server] QNAP TS-877 w. 4tb [ 3x HGST Deskstar NAS (HDN724040ALE640) & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 + 16gb ddr4 Crucial + QWA-AC2600 wireless adapter.
[Backup] QNAP TS-653A w. 5x 2TB Samsung F3 (HD203WI) EXT4 Raid5
[^] QNAP TS-659 Pro II 1x 4TB HGST Deskstar NAS
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-228 w. 1x 1TB WD RE3 (WD1002FBYS)
[^] QNAP TS-128
Mobile NAS TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Asus AC68U Router|100dl/50ul MBPS FTTH Internet | Windows 10, WC PC-Intel i7 920 Ivy bridge desktop (1x 512gb Samsung 850 Pro SSD + 1x 4tb HGST Ultrastar 7K4000)


Guides & articles
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review

https://www.patreon.com/mooglestiltzkin

Toxic17
Ask me anything
Posts: 5299
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth

Re: Keep NAS Secure

Post by Toxic17 » Thu Mar 26, 2020 4:05 am

Install QNAPs Security Counselor to help you lock down the NAS.

https://www.qnap.com/solution/security-counselor/en/
Regards Simon


NAS: TS-473-32GB QM2-2P QXG-10G1T 4.4.2.1262 • TVS-463-16GB 4.4.2.1262 QM2-2S10G1TB • TS-459 Pro 2GB 4.2.6 • TS-121 4.3.3.1161 • APC Back-UPS ES 700G •
QPKG's: Plex 1.18.9 • Apache73 v2441.7316 • QSonarr 3.0.3.750 • QNBZGet 21.0 • phpMyAdmin 4.9.5 • Qmono 5.20.1.19 • McAfee 3.0.2 -6010 • HBS 3.0.200212 • LEgo v3.3.0
Network: VM Hub 3.0 <500/35> • UniFi USG Pro 4 • UniFi USW-16-150W • UniFi USW-8-60W • UniFi CloudKey Gen2+• UniFi G3-Flex • UAP AC Pro • UAP AC Lite • SLM2008 • Dell 7050 MFF •

Desmac
New here
Posts: 7
Joined: Sun Jan 12, 2020 11:36 pm

Re: Keep NAS Secure

Post by Desmac » Thu Mar 26, 2020 6:35 am

Thanks for your very rapid responses, gents.
OneCD, thanks for that explanation. That clarifies things considerably.
Moogle, when I said that I did not administer my work NAS I should have said that it is administered by a tech consultant, not by me. I mentioned that I was a noobie to advise everybody that I am asking stupid questions out of ignorance; that's why I am asking, to learn. Thanks for your comprehensive response.
Toxic, I'm now on QNAP Security Counselor.
Thanks to you all
Desmac

Moogle Stiltzkin
Ask me anything
Posts: 8357
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....

Re: Keep NAS Secure

Post by Moogle Stiltzkin » Thu Mar 26, 2020 1:52 pm

asking is fine. and thx for clarifying. but you'd be surprised how many people who are way too lax on this, that's why i got to say just in case. kinda like people who don't take coronavirus seriously then they end up sick, and some even die :S in regards to NAS, you can lose data (ransomware or straight up delete, corruption etc..), or it gets stolen (once they download it, you can do nothing about that). prevention is better than the cure 8)

and yes qnap counselor is a checklist of security things to help harden your QNAP NAS. but what it doesn't do for you, is help to secure your router port forwarding (disable that), and to update router, and update all client devices on your network.

it's still better than nothing and at least helps you configure security related stuff on your NAS without having to browse ages looking for things you are not sure whether you missed or not in qts (which is what security counselor is for)