Network Attached Storage

NETWORK ATTACHED STORAGE (NAS)

NAS stands for Network Attached Storage. Think external hard drive with an Ethernet port that plugs into a router. Two large vendors are Synology and QNAP.

Avoid using the default admin account. First, create a new admin account. Then, either disable the system default admin account, or, make the password for it very long and very random.
Don't allow direct access to the NAS from the Internet.
- On Synology, that means avoiding QuickConnect.
- Disable UPnP in the router to prevent the NAS from opening ports for itself.
- My Test your Router page links to many websites that offer tests of the firewall in a router.
- Case in point: A Pain in the NAS: Exploiting Cloud Connectivity to PWN your NAS: Synology DS920+ Edition by Vera Mens and Sharon Brizinov (August 9, 2023). Synology offers their customers remote access to NAS boxes via the Synology QuickConnect cloud-based infrastructure. Team82 has developed a technique that allowed them to impersonate a Synology NAS and force the QuickConnect cloud service to redirect users to an attacker-controlled device. They uncovered credential theft flaws and remote code execution vulnerabilities that could allow a bad guy to control your NAS and steal your files. Synology has fixed the bugs and has updated its cloud service. Still, it is a bad idea to open up a NAS to the Internet.
If open ports are necessary, do not use the default ports.
If the NAS file system supports snapshots, take the time to get up to speed on the feature. This is a big deal. Speaking of snapshots, consider stepping up to a FreeNAS box from iXsystems that runs ZFS. The Mini is their entry level model.
Chances are the NAS is able to turn itself on and off. If the NAS is off at night, then no data can escape. If data is being stolen during the day, it is more likely to be noticed. Plus, this saves electricity.
As always, disable features not being used; perhaps SSH and Telnet access.
As always, avoid short passwords.
The NAS operating system will have its own security scheme. Create multiple userids, one with full Admin privileges but all the others having a limited set of privileges. This will probably take some trial and error.
If there is lightning in your area, power off and unplug the NAS. No surge protector can stand up to lightning.
February 3, 2022: Recent QNAP and Synology Security Alerts: How to Protect Your NAS by Jeremy Milk of BackBlaze.
In August 2021, I blogged about how I use a router firewall rule to prevent my NAS from making any outbound connections, except for 30 minutes a day: A firewall rule can help block ransomware.

SYNOLOGY

The DSM Auto Block features offers protection from brute force password guessing. After too many bad guesses you can either lock out the IP address where the guesses are coming from, or the userid that the bad guys are trying to log into.
DSM 7 IP address blocking: Control Panel -> Security -> Protection tab
DSM 7 Account Protection: Control Panel -> Security -> Account tab
DSM version 7 supports two factor authentication (2FA)
Most Synology devices support the BTRFS file system. If your does, the Snapshot feature offers protection from ransomware. It is part of the Snapshot Replication add-on package. You need to install the app from the Package Center.
Snapshots are read-only copies of your data and thus protect from ransomware. Snapshots are configured on a folder by folder basis. When enabled, Synology creates Snapshots on a schedule you set. The system allows for a maximum of 1,024 snapshots.
Security Advisor is an app that runs on the NAS.
Synology NAS Security: How to Ensure Data Integrity (against Ransomware, etc.) by Dong Ngo (August 2021). A very long article
What can I do to enhance the security of my Synology NAS? from Synology. Last updated: Oct 13, 2021. For DSM versions 6 and 7.
10 security tips to keep your data safe from Synology. March 12, 2020. Much like the above
Protect Yourself against Encryption-Based Ransomware Undated and somewhat lame.
What network ports are used by DSM services? Needless to day, no date.
Synology Product Security Advisories
Synology Company News

QNAP

They finally recommend not using port forwarding and UPnP to open the NAS to the world. Take Immediate Actions to Secure QNAP NAS January 7, 2022
They have both a Malware Remover and a Security Counselor app in their App Center. Keep them up to date and run them periodically.
The Network Access Protection feature offers protection from brute force password guessing
Periodically check this: QNAP Security Advisories. It is annoying that the dates of the advisories are not shown front and center, you have to click on each one to see when it was issued.
Rather than look for new security issues manually, you can subscribe to them by email.
Checkmate Ransomware via SMB Services Exposed to the Internet July 7, 2022
QNAP Security Newsroom

WESTERN DIGITAL

Western Digital (WD) has a poor track record as far as security goes. The articles below illustrate this. Probably best to avoid their NAS devices. Dong Ngo has tested many NAS devices over many years. He recommends Synology.
Western Digital struggles to fix massive My Cloud outage, offers workaround by Sergiu Gatlan for Bleeping Computer. April 8, 2023. The response from WD to this outage has been poor. Affected services: My Cloud, My Cloud Home, My Cloud Home Duo, My Cloud OS 5, SanDisk ibi, SanDisk Ixpand Wireless Charger, and their linked mobile, desktop, and web apps. The outage has prevented users from accessing files stored on their WD NAS devices, as this requires access to the company's cloud services.
March 26, 2023 they discover a network security incident
April 3, 2023 They announce it
April 8, 2023 They provide a workaround so that customers can access their local files
April 11, 2023 still off-line with no estimate for when things will go back to normal
Western Digital's My Cloud goes offline after hack by Mark Hachman for PCWorld April 11, 2023. "WD's My Cloud service remains offline as of April 11, and the company has provided no additional information on when the service will be restored."
Another 0-Day Looms for Many Western Digital Users by Brian Krebs. July 2, 2021. Quoting: "Countless Western Digital customers saw their MyBook Live network storage drives remotely wiped in the past month thanks to a bug in a product line the company stopped supporting in 2015, as well as a previously unknown zero-day flaw. But there is a similarly serious zero-day flaw present in a much broader range of newer Western Digital MyCloud network storage devices that will remain unfixed for many customers who can’t or won’t upgrade to the latest operating system."

This Page Last Updated November 6, 2023	Site Page Views TOTAL 737,635	Site Page Views TODAY 229	Previous Website View 3.6 minutes ago	Website by Michael Horowitz @defensivecomput	top
Website Average Daily Page Views: November 2023: 687 See the website change log 2023: Jan 724 \| Feb 853 \| March 782 \| April 694 \| May 618 \| June 617 \| July 497 \| Aug 558 \| Sept 837 \| Oct 757 2022: Jan 368 \| Feb 315 \| March 320 \| April 328 \| May 367 \| June 379 \| July 685 \| Aug 1,568 \| Sept 671 \| Oct 664 \| Nov 901 \| Dec 1,222 2021: Jan 337 \| Feb 377 \| March 332 \| April 246 \| May 282 \| June 227 \| July 214 \| Aug 275 \| Sept 290 \| Oct 315 \| Nov 411 \| Dec 293 2020: Jan 212 \| Feb 377 \| March 303 \| April 296 \| May 317 \| June 267 \| July 258 \| Aug 282 \| Sept 279 \| Oct 333 \| Nov 318 \| Dec 332 2019: . . . . . . . . . . . . . . . . . . . . . . . . . Aug 176 \| Sept 178 \| Oct 194 \| Nov 180 \| Dec 200