Network Attached Storage

NETWORK ATTACHED STORAGE (NAS)

NAS stands for Network Attached Storage. Think external hard drive with an Ethernet port that plugs into a router. Two large vendors are Synology and QNAP.

Avoid using the default admin account. First, create a new admin account. Then, either disable the system default admin account, or, make the password for it very long and very random.
Create a second admin account. I say this from experience, you don't want all your eggs in one basket.
Don't allow direct access to the NAS from the Internet.
- On Synology, that means avoiding QuickConnect.
- Disable UPnP in the router to prevent the NAS from opening ports for itself.
- My Test your Router page links to many websites that offer tests of the firewall in a router.
- Case in point: A Pain in the NAS: Exploiting Cloud Connectivity to PWN your NAS: Synology DS920+ Edition by Vera Mens and Sharon Brizinov (August 9, 2023). Synology offers their customers remote access to NAS boxes via the Synology QuickConnect cloud-based infrastructure. Team82 has developed a technique that allowed them to impersonate a Synology NAS and force the QuickConnect cloud service to redirect users to an attacker-controlled device. They uncovered credential theft flaws and remote code execution vulnerabilities that could allow a bad guy to control your NAS and steal your files. Synology has fixed the bugs and has updated its cloud service. Still, it is a bad idea to open up a NAS to the Internet.
If open ports are necessary, do not use the default ports.
If the NAS file system supports snapshots, take the time to get up to speed on the feature. This is a big deal. Speaking of snapshots, consider stepping up to a FreeNAS box from iXsystems that runs ZFS. The Mini is their entry level model.
Chances are the NAS is able to turn itself on and off. If the NAS is off at night, then no data can escape. If data is being stolen during the day, it is more likely to be noticed. Plus, this saves electricity.
As always, disable features not being used; perhaps SSH and Telnet access.
As always, avoid short passwords.
The NAS operating system will have its own security scheme. Create multiple userids, one with full Admin privileges but all the others having a limited set of privileges. This will probably take some trial and error.
If there is lightning in your area, power off and unplug the NAS. No surge protector can stand up to lightning.
February 3, 2022: Recent QNAP and Synology Security Alerts: How to Protect Your NAS by Jeremy Milk of BackBlaze.
In August 2021, I blogged about how I use a router firewall rule to prevent my NAS from making any outbound connections, except for 30 minutes a day: A firewall rule can help block ransomware.

SYNOLOGY

The DSM Auto Block features offers protection from brute force password guessing. After too many bad guesses you can either lock out the IP address where the guesses are coming from, or the userid that the bad guys are trying to log into.
DSM 7 IP address blocking: Control Panel -> Security -> Protection tab
DSM 7 Account Protection: Control Panel -> Security -> Account tab
DSM version 7 supports two factor authentication (2FA)
Most Synology devices support the BTRFS file system. If your does, the Snapshot feature offers protection from ransomware. It is part of the Snapshot Replication add-on package. You need to install the app from the Package Center.
Snapshots are read-only copies of your data and thus protect from ransomware. Snapshots are configured on a folder by folder basis. When enabled, Synology creates Snapshots on a schedule you set. The system allows for a maximum of 1,024 snapshots.
Security Advisor is an app that runs on the NAS.
Synology NAS Security: How to Ensure Data Integrity (against Ransomware, etc.) by Dong Ngo (August 2021). A very long article
What can I do to enhance the security of my Synology NAS? from Synology. Last updated: Oct 13, 2021. For DSM versions 6 and 7.
10 security tips to keep your data safe from Synology. March 12, 2020. Much like the above
Protect Yourself against Encryption-Based Ransomware Undated and somewhat lame.
What network ports are used by DSM services? Needless to day, no date.
Synology Product Security Advisories
Synology Company News

QNAP

Maybe don't chose QNAP. See: Researchers call out QNAP for dragging its heels on patch development by Connor Jones of The Register. May 20, 2024. Quoting: "QNAP failed to fix various vulnerabilities that were reported to it months ago ... QNAP's security practices have been called into question numerous times in recent years."
They finally recommend not using port forwarding and UPnP to open the NAS to the world. Take Immediate Actions to Secure QNAP NAS January 7, 2022
They have both a Malware Remover and a Security Counselor app in their App Center. Keep them up to date and run them periodically.
The Network Access Protection feature offers protection from brute force password guessing
Periodically check this: QNAP Security Advisories. It is annoying that the dates of the advisories are not shown front and center, you have to click on each one to see when it was issued.
Rather than look for new security issues manually, you can subscribe to them by email.
Checkmate Ransomware via SMB Services Exposed to the Internet July 7, 2022
QNAP Security Newsroom

D-LINK

In April 2024, it came out that some D-Link NAS devices had a backdoor. That is, D-Link could get into the devices whenever they pleased. This is not something a reputable company does. See Critical takeover vulnerabilities in 92,000 D-Link devices under active exploitation by Dan Goodin for Ars Technica. The article describes two issues, one is a bug, the other is the backdoor account enabled by credentials hardcoded into the firmware. The devices at issue are old and D-Link will do nothing about either issue.

WESTERN DIGITAL

Western Digital (WD) has a poor track record as far as security goes. The articles below illustrate this. Probably best to avoid their NAS devices. Dong Ngo has tested many NAS devices over many years. He recommends Synology.
Western Digital struggles to fix massive My Cloud outage, offers workaround by Sergiu Gatlan for Bleeping Computer. April 8, 2023. The response from WD to this outage has been poor. Affected services: My Cloud, My Cloud Home, My Cloud Home Duo, My Cloud OS 5, SanDisk ibi, SanDisk Ixpand Wireless Charger, and their linked mobile, desktop, and web apps. The outage has prevented users from accessing files stored on their WD NAS devices, as this requires access to the company's cloud services.
March 26, 2023 they discover a network security incident
April 3, 2023 They announce it
April 8, 2023 They provide a workaround so that customers can access their local files
April 11, 2023 still off-line with no estimate for when things will go back to normal
Western Digital's My Cloud goes offline after hack by Mark Hachman for PCWorld April 11, 2023. "WD's My Cloud service remains offline as of April 11, and the company has provided no additional information on when the service will be restored."
Another 0-Day Looms for Many Western Digital Users by Brian Krebs. July 2, 2021. Quoting: "Countless Western Digital customers saw their MyBook Live network storage drives remotely wiped in the past month thanks to a bug in a product line the company stopped supporting in 2015, as well as a previously unknown zero-day flaw. But there is a similarly serious zero-day flaw present in a much broader range of newer Western Digital MyCloud network storage devices that will remain unfixed for many customers who can’t or won’t upgrade to the latest operating system."