Top 10 QNAP NAS Security Tips
We’re going to cover the top 10 things that you should do with your QNAP NAS to keep your data secure. These tips are actually pretty generic and would apply to basically any NAS, but in some cases I’ll be specific to QNAP as that’s the type of NAS I have here.
1. Data encryption
By default all data stored on the disks within the NAS are stored in cleartext, which basically means that anyone with physical access to the NAS is capable of reading any files stored on the disks. We can encrypt the data at rest on the disks to keep it secure from this sort of attack, that way if the NAS is stolen the thief won’t be able to view your rare memes.
This only protects the data at rest when the NAS is powered off, for instance if someone unplugs the NAS when stealing it. While the NAS is powered on and you’ve entered the password to decrypt the volume, the data is readily available for reading. If you’re encrypting your data, make sure that you have up-to-date backups of all of your content in the off chance that something goes wrong or you forget the password.
2. Latest updates
Keeping your NAS up to date with the latest firmware available is just as important as installing updates on your phone or computer.
Security vulnerabilities are found fairly regularly in different pieces of software running on the NAS, and should be patched as soon as possible. This process is pretty simple: you just log into the web interface, and if there are any major updates it will prompt you to install them. Alternatively you can manually check through control panel by selecting firmware update. This is also where you can configure the NAS to automatically check for updates, but don’t worry, it won’t automatically install them. It’s also worth subscribing to the security notifications by email so that you’re aware when any major issues are identified; I’ll leave a link to this page in the post description. All it takes is one vulnerability to be exploited and someone could gain access to your precious data.
3. Reduce attack surface
By default many different services will be running on the NAS, and many more may be available depending on the number of third-party applications that you’ve installed onto it. The more services that you run on the NAS, the larger your attack surface, as there’s more code actively running which may contain security vulnerabilities. More running services may also mean that the NAS is listening on more ports, potentially allowing more ways for an attacker to connect in, especially if these ports are open on the Internet and not just on a local network.
Application updates are also handled separately from the main firmware updates mentioned previously, so you’ll also need to install these from the Application Center from time to time. It’s worth going through your installed applications and evaluating what’s still required. If there’s something that you no longer use, consider removing it through the app center.
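To see which services are actually listening, the check below is an added example, not part of the original post. It assumes you can save the output of `netstat -tln` from the NAS (for instance over SSH, if your firmware provides that command); the sample output and the `REQUIRED_PORTS` allow list are constructed for illustration.

```python
# Constructed sample in the layout printed by `netstat -tln`
# (not captured from a real NAS).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 :::445                  :::*                    LISTEN
"""

# Hypothetical allow list: the services this particular NAS is meant to offer.
REQUIRED_PORTS = {443: "HTTPS admin", 445: "SMB file shares"}


def audit_listeners(netstat_text, required):
    """Return (port, bind address) for every network-reachable listener
    that is not on the required list, sorted by port."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Only socket rows in LISTEN state; header lines are skipped.
        if len(fields) < 6 or fields[-1] != "LISTEN":
            continue
        # rpartition handles both "0.0.0.0:22" and IPv6 forms such as ":::445".
        addr, _, port = fields[3].rpartition(":")
        port = int(port)
        # Loopback-only listeners are not reachable from the network.
        if addr in ("127.0.0.1", "::1"):
            continue
        if port not in required:
            findings.append((port, addr))
    return sorted(findings)


if __name__ == "__main__":
    for port, addr in audit_listeners(SAMPLE_NETSTAT, REQUIRED_PORTS):
        print(f"port {port} listening on {addr}: still needed?")
```

Each port it reports is a candidate for disabling the service or removing the application behind it.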
4. Strong password
By default the admin password on my QNAP NAS was admin, so you definitely want to change the password to something stronger as soon as possible. With the admin password you can access the web interface to manage the NAS, browse all file shares, or even SSH into it directly which will essentially allow you to do anything. In an ideal world each NAS would come with its own unique password string that was included with the purchase, but for now just make sure you change the password from admin to something more secure. You can change the password through control panel, followed by users. You can also define a password policy through control panel, security, then password policy which may be useful if you have many different users who have access to the NAS.
5. HyperText Transfer Protocol Secure
By default when you load up the admin web interface for the NAS the page will be requested over HTTP. This may be a problem, as the HTTP protocol transfers data over the network in cleartext, meaning that if someone else has access to your network they can potentially capture the credentials to the NAS when you log in. While this may be an acceptable risk in an internal network at home, many people have their NAS available for access over the Internet, which can essentially allow anyone the ability to log in and increases the likelihood of a man-in-the-middle style attack where your username and password will be captured. You can instead use HTTPS: when loading the admin web interface you have the option of ticking if you want to use a secure login, which will redirect you to an HTTPS page.
By default the NAS will use a self-signed certificate, so you can either accept that or otherwise look at creating your own trusted certificate and setting it on the NAS instead. You can also force the NAS to only use HTTPS through control panel under general settings, while the self-signed certificate can be replaced through security, then certificate and private key. HTTPS will encrypt communications between your browser and the NAS.
6. Firewall
Firewall settings can be adjusted through the control panel, security, then the security level tab. By default all connections to the NAS are allowed in, however we can change this to optionally deny or allow connections from a specified list of IP addresses. Similarly, network access protection can be enabled in the next tab which will automatically block an IP address after a defined number of failed access attempts over the set protocol. Enabling these settings will ensure your NAS is only accessed by trusted IP addresses, or if you can’t lock down to a specific list, you can at least ensure that unauthorized login attempts are blocked.
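The two controls above can be sketched in code to show what each one catches. This is an added example, not part of the original post and not QNAP's implementation: the log layout, addresses, threshold and window are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample events (not a real QNAP log format):
# date, time, source IP, protocol, result
SAMPLE_LOG = """\
2024-05-01 10:00:01 203.0.113.7 SSH FAIL
2024-05-01 10:00:05 203.0.113.7 SSH FAIL
2024-05-01 10:00:09 192.168.1.20 HTTPS FAIL
2024-05-01 10:00:12 203.0.113.7 SSH FAIL
2024-05-01 10:00:20 203.0.113.7 SSH FAIL
2024-05-01 10:00:31 203.0.113.7 SSH FAIL
2024-05-01 10:03:00 198.51.100.9 HTTPS FAIL
2024-05-01 10:20:00 198.51.100.9 HTTPS FAIL
2024-05-01 10:20:30 192.168.1.20 HTTPS OK
"""


def evaluate(log_text, trusted_nets, max_failures=5, window=timedelta(minutes=1)):
    """Return (blocked, untrusted): IPs that hit the failed-login threshold,
    and source IPs that an allow list of trusted_nets would have denied."""
    trusted = [ip_network(n) for n in trusted_nets]
    recent = defaultdict(deque)   # (ip, protocol) -> timestamps of recent failures
    blocked, untrusted = {}, set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue              # skip malformed lines
        ts = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
        ip, proto, result = parts[2:]
        if not any(ip_address(ip) in net for net in trusted):
            untrusted.add(ip)
        if result != "FAIL" or ip in blocked:
            continue
        failures = recent[(ip, proto)]
        failures.append(ts)
        while ts - failures[0] > window:   # forget failures outside the window
            failures.popleft()
        if len(failures) >= max_failures:
            blocked[ip] = (proto, ts)
    return blocked, untrusted


if __name__ == "__main__":
    blocked, untrusted = evaluate(SAMPLE_LOG, ["192.168.1.0/24"])
    for ip, (proto, ts) in blocked.items():
        print(f"block {ip}: repeated failed {proto} logins by {ts}")
    print("denied by an allow list:", sorted(untrusted))
```

In the sample, the slow guesser at 198.51.100.9 never trips the threshold but is still stopped by the allow list, which is why the allow list is the stronger control when you can use it.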
7. Antivirus
By default the NAS has an antivirus application which will search all files stored on it for malicious content. From what I can tell it appears to rely on ClamAV, which is pretty widely used. AV is enabled through antivirus found on the home screen: simply select to enable it, and ideally you should also select to have it regularly update. You can then define scans in the following tabs.
8. Review Privileges
From time to time it’s a good idea to have a look at the level of access the user accounts on your NAS have. It’s pretty common that over time some user accounts may no longer be required, and others may have permissions to shares that they no longer need. By reviewing these settings you can remove accounts that are no longer needed and tighten up permissions where possible so that if an account is compromised in the future, it’s limited in what data it can access. I personally like giving read-only access where possible; that way if something like cryptolocker appears on someone’s machine their account has no write access to encrypt the data on the share.
9. Check Logs
Logs store data about events that happen on the NAS; they can be found through the control panel followed by system logs. By reviewing the logs regularly you can determine if there is any strange behaviour taking place on the NAS. If you have an external syslog server you can optionally forward the NAS logs there. This is recommended, because if the NAS does get compromised an attacker may be able to simply delete the logs which contain evidence of the intrusion, whereas if they are forwarded to an external server, that’s another thing they’d have to get access to in order to cover their tracks. We can also view users online and using NAS resources, and optionally enable logging for connections to the NAS.
10. Power Off
Without physical access, your NAS can’t be compromised if it’s not powered on. This is quite simple: you can go to the control panel, power options, and then the power schedule tab where you can define a schedule to automatically power on and power off the NAS. For instance if the NAS is used in an office environment between 9 and 5, it may be acceptable to have the NAS power down from say 7pm then turn itself back on at 7am. Files become pretty difficult to steal if they can’t be accessed.
So those are my 10 best tips to help you secure your QNAP NAS. By putting these simple steps in place your data will be significantly more secure than previously. There are definitely more advanced security settings available but these ones are fairly simple to configure as a starting point.
Let me know down in the comments what other things you’ve implemented to secure your NAS, and share this post if you found the information useful. Thanks for reading, and don’t forget to bookmark for future tech posts like this one.