NAS Security Guide: How to Secure Your Network-Attached Storage
Network-attached storage, or NAS, is a cheap and efficient way to expand your storage at home or in the office. Today we’ll look at the steps you can take to keep your NAS secured and your data safe. You don’t need to be an experienced sysadmin to follow along: anyone can learn how to secure their NAS by taking these steps and keeping a few security principles in mind.
A NAS makes a great file server and local backup solution. They’re fairly cheap off-the-shelf, and if you’re feeling adventurous you can always roll your own. We’ve written a practical guide explaining what a NAS is, in case you’re unfamiliar.
What You’ll Need
In short, all you’ll need to secure your NAS are the login credentials for your router. These are usually admin/admin or admin/password, unless you’ve changed them. Google your router model plus “default password” if you’re having trouble finding them.
The process of securing your NAS varies depending on which device you own. At CommQueR.com, we’re big fans of the QNAP and Synology devices. They’re affordably priced while offering all the features users need, like integrated cloud backups. We’ve covered the best cloud backup for Synology and we have a general roundup of the best cloud backup for NAS devices this year.
Basic Security Principles
The first line of security is your home network. In 2014, security researcher Jacob Holcomb audited NAS devices from 10 manufacturers, finding vulnerabilities in all of them.
That’s the bad news. The good news is that to carry out these attacks, cybercriminals have to have direct access to your network. Securing your router and your home network will greatly reduce the risk of your NAS device being compromised. You can further reduce the risk of a hack by following these basic security principles:
- Always change default passwords
- Do not click suspicious links in emails or elsewhere, especially if they redirect to your local network (http://192.168.x.x for example)
- Use random, alphanumeric passwords for both your router and NAS logins
- Regularly update the firmware on your router or NAS. Turn on automatic updates if supported
Following these simple security principles will go a long way towards keeping you safe online. Stopping any would-be attackers at the router level is the first step to securing your NAS device, and we’ll take a quick look at securing your router next.
Secure Your Router
Now, it’s hard to give step-by-step instructions since there are so many different routers, so this is just a general overview to get you started. Your router manufacturer should have a section on their website with instructions and details for your particular device.
You can log in to your router by typing its IP address in the address bar. Usually this is http://192.168.1.1 or similar, but a quick search for your router model should pull up the information you need: the IP, default username and password.
Step 1. Log in to your router and change the default password. If you have the option to change the username from “admin,” do so as well. Attackers use automated tools to scan networks, so changing “admin” to something else makes these attacks useless.
Step 2. Disable WPS if your router has this feature. Don’t ever use WPS as it is terribly insecure.
Step 3. Enable HTTPS login if it’s available (this differs per device, so we can’t give exact instructions). This encrypts your connection when accessing your router’s configuration page. Disable traditional HTTP and only use HTTPS whenever possible.
Step 4. Ensure remote access is disabled unless you know exactly what you’re doing. Remote access lets you log in from anywhere and opens your device up for attack.
Step 5. Enable WPA2 encryption for your wireless network and select a long, random passphrase. Choose a passphrase that even the NSA can’t break.
Step 6. Update your router’s firmware. Enable automatic updating if your router supports it.
Step 7. Enable logging so that in the event something happens, you have a record to track the problem down.
That’s it for router security basics. Now that you’ve locked your network down, let’s take a look at how to secure your NAS device.
Basic NAS Security Guidelines
With all the different models of NAS devices, it’s impossible to give a one size fits all guide to securing your NAS. Instead, focus on learning these principles and the reasoning behind them. Once you learn what to look for and why, you can find specific instructions for your NAS from the manufacturer’s website.
Admin Accounts and Passwords
Always change the default password for the administrator account. If possible, create a new administrator account with a different name and delete the default “admin” account, as brute-force attacks only work by repeatedly trying to guess the password for this account.
Enable SSL
When you access your NAS via the web interface, you should see “https://” at the beginning of your address bar along with a padlock, indicating your connection is encrypted. If this isn’t enabled by default, turn it on. Otherwise, your credentials are transmitted in the open and available to potential attackers.
Only Enable What’s Necessary
Your NAS can run various web apps that will be accessible over the net. Only enable what you need and if you open a port on your router to access your NAS from the Internet, make sure you are using a strong username and password. Consider enabling any filtering or auto-blocking features your NAS offers to eliminate brute-force login attempts.
Use a VPN
If your NAS can run a VPN server, you can use this when away from home to access your device securely. When you connect to the VPN, you’ll have access to your local area network (LAN). This means you only have to open up a port on your router for the VPN, greatly reducing the attack surface for your NAS.
Connecting to your NAS via a VPN is one of the best ways you can keep your NAS secure. Check the manufacturer’s website to learn how to set up a VPN on your specific device. Also make sure to check out our selection of best VPN providers to get an idea of what’s available out there (and read our guide on how secure VPNs are).
Following the guidelines above will increase the security of your setup, and they’re easy steps to implement. Now, we’ll look at some specific features offered in the various Synology and QNAP devices.
Securing a Synology NAS
Synology devices offer users several options to lock down their NAS and enhance security. We’ll start by removing the default account and creating a new one with a secure passphrase.
Create a New User
Step 1. Log in to DiskStation Manager and from the main menu click “control panel” then click “users.”
Step 2. Click “create,” then click “create user.”
Step 3. Enter the username and password of your choice, then click “next.”
Step 4. Click the “add” checkbox to add your new user to the “administrators” group, then click “next.”
Step 5. Give the new administrator account access to all folders by ticking the “read/write” box, then click “next.” Click “next” again, unless you want to set a disk quota.
Step 6. Tick the “grant” box to give the new admin account access to applications, then click “next.”
Step 7. Click “next” to skip setting a speed limit, then click “apply.”
That’s it, you now have a new administrator and can proceed to disable the old admin account.
Disable the Admin Account
Step 1. Log out of the DSM and then log in with the newly created administrator account.
Step 2. From the main menu, go to “control panel” and click “users.”
Step 3. Click the “admin” account, then click “edit.”
Step 4. Tick the box for “disable this account” and click “ok.”
Now that we have a new administrator account and have disabled the old default account, let’s look at setting up two-step verification.
Two-Step Verification for Synology NAS
This process requires a mobile phone with an authenticator app installed, such as Google Authenticator. Install the app now before you continue. You’ll always need your phone when logging into DSM.
Enabling two-step verification means that an attacker attempting to access your account needs your password as well as your phone, greatly reducing the possibility of compromise.
Step 1. Click the user icon, then click “options.”
Step 2. Tick the “enable 2-step verification” box to launch the wizard. Click “next.”
Step 3. Enter an email address in case your phone is lost. Click “next.”
Step 4. Open the authenticator app on your phone and scan the QR code displayed by the wizard. Click “next.”
Step 5. Enter the code generated by the authenticator app. Codes are updated periodically, so do this quickly before it expires. Click “next.”
Step 6. Click “close” and click “ok” to save your changes.
You’ll now be prompted to enter a verification code every time you log in to the DSM. While it may seem like a hassle at first, it only takes a few seconds and greatly increases the security of your NAS.
Enabling Auto-Block for Synology NAS
Lastly, we’ll enable auto-block. Attackers use automated tools to scan and exploit other computers, and by enabling auto-block we can blacklist the IP address of any attackers after a certain number of failures.
Step 1. From the main menu, click “control panel,” then click “security.”
Step 2. Click “auto-block,” then tick the box labeled “enable auto-block.”
Step 3. We’ll enter the number five for both “login attempts” and “within (minutes)” here, as this is a safe default.
Step 4. You can tick the box for “enable block expiration” if you want the block to expire after a certain number of days.
Step 5. Click “apply” to save your changes.
You can always edit the block list by going back to this screen and clicking “allow/block list.” Enabling auto-block, two-step authentication and creating a new administrator account are three simple steps towards enhancing the security of your NAS device.
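The rule configured in Step 3 (five failed logins within five minutes) is a sliding-window counter per source IP. The following added example, which is not DSM's own code, applies that rule to a constructed login log so you can see which addresses would be blocked and why slow, spread-out guessing slips under the threshold; the log format, IP addresses and function name are hypothetical.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; the format is hypothetical, not DSM's real log format.
SAMPLE_LOG = """\
2024-05-01T10:00:00 FAIL 203.0.113.7 admin
2024-05-01T10:00:20 FAIL 203.0.113.7 admin
2024-05-01T10:00:41 FAIL 203.0.113.7 root
2024-05-01T10:01:05 FAIL 198.51.100.23 alice
2024-05-01T10:01:30 FAIL 203.0.113.7 admin
2024-05-01T10:02:10 FAIL 203.0.113.7 administrator
2024-05-01T10:04:00 OK 198.51.100.23 alice
2024-05-01T10:09:00 FAIL 198.51.100.23 alice
2024-05-01T10:15:00 FAIL 198.51.100.23 alice
2024-05-01T10:21:00 FAIL 198.51.100.23 alice
2024-05-01T10:27:00 FAIL 198.51.100.23 alice
"""

def auto_block(log_text, max_attempts=5, window_minutes=5):
    """Return {ip: time_blocked} for every IP that reaches max_attempts
    failed logins inside any window_minutes-long window."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    blocked = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue              # skip malformed lines instead of crashing
        stamp, result, ip, _user = parts
        if result != "FAIL" or ip in blocked:
            continue              # only failures count; blocked IPs stay blocked
        now = datetime.fromisoformat(stamp)
        fails = recent[ip]
        fails.append(now)
        while now - fails[0] > window:
            fails.popleft()       # forget failures older than the window
        if len(fails) >= max_attempts:
            blocked[ip] = now
    return blocked

if __name__ == "__main__":
    for ip, when in auto_block(SAMPLE_LOG).items():
        print(f"{ip} blocked at {when.isoformat()}")
```

With the guide's settings only 203.0.113.7 is blocked; the second address makes five failed attempts too, but six minutes apart, which is why a long random password still matters with auto-block enabled.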
Secure a QNAP NAS
QNAP provides several built-in features that will strengthen the security of your device. Similar to Synology’s auto-block, QNAP offers “network access protection” to block repeated attacks against your NAS. We’ll also use QNAP’s built-in antivirus to keep your NAS clean of any nasty surprises.
Enabling Network Access Protection
Step 1. From the control panel, click “system settings.”
Step 2. Click “security” and click “network access protection.”
Step 3. Click “enable network access protection” and click “apply all.”
You can tick the box for each service that you’ve enabled on your NAS. In general, you should enable network access protection for each service you’ve enabled. Stopping automated attacks is as easy as turning this on.
Enable QNAP’s Antivirus
Step 1. From the control panel, click “applications.”
Step 2. Click “antivirus” and click “enable.”
Step 3. Tick the box for “check and update automatically…” and set the value to one day. Keeping your virus definitions updated ensures your antivirus doesn’t let new malware slip by.
QNAP offers a wealth of features, including SMS/email notifications of unusual activity, setting up your device as a VPN server and far more beyond the scope of this guide.
Conclusion
Securing your NAS is easy, especially with all the features built into modern devices. Locking your NAS down is just a matter of keeping basic security principles in mind, changing default passwords and ticking a few boxes.
A NAS is a great addition to the home or office, and you don’t have to worry about attackers stealing your data or about losing it in a crash. At CommQueR.com, we’ve covered cloud backup solutions for your NAS to prevent data loss, and now we’ve shown you how to secure your NAS device.
Thank you for reading and, as always, feel free to reach out to us in the comments below.