Saturday, September 20, 2014

Optimize QNAP NAS security

In this post I will talk about tweaking your QNAP NAS device to be more secure than its default configuration.
I'm going to assume that the main settings of user and folder structure have been configured at this point, and you're good to go, but you'd like to maximize security for the NAS using the built in features.

As a side note - I am using QOS firmware version 4.1.0 to demonstrate the features depicted in this post.

Let's start by enabling SSL for the web management console of the NAS.


You can force secure connections so that there is no way to reach the web console other than over SSL, but if something goes wrong (with the SSL certificate) - you may not be able to log onto the web console. So pick the right option for yourself.
By default, the NAS will use a self-generated SSL certificate. It is also possible to upload and use a third-party SSL certificate, which can come from a verified provider.
The certificate and the private key can both be uploaded inside the Security > Certificate & Private Key tab.

Now we can set up email alerting. I believe that email alerts are a very practical way of staying up to date on the server's health and security issues. This can be done under the Notification section. First, set up the SMTP server. I suggest using Gmail, as its configuration is already built into the console and Gmail provides a very stable and free email service; if you don't already use Gmail, you may want to create an account specifically for this server alerting system. Put in your Gmail address and password, and hit the "Send a Test Email" button to see if you can receive email alerts from the server. If you can't, your network hardware may be blocking it, so that's something you should look into: open outbound SMTP SSL ports in your router/gateway, for example.
Once the test email arrives, you need to set the server to send email alerts to your preferred email address. This is done in the Alert Notification tab.
Check the "Send system error alert by: Email" and "Send system warning alert by: Email", and make sure to enter your target email address(es) under "Email Notification Settings". If you don't set this up - you will not receive alerts to your email address.
Once done, hit the Apply All button on the bottom of the page.

Now, I should mention that if your NAS server is planned to be accessible remotely - be it via VPN, FTP, or you would simply like to remotely administer it using the web console - there will be constant hack attempts coming from the Internet. Most of the time these are not targeted at your server specifically but rather automated by certain malicious machines online to try and guess the username and password of a NAS or any other protected machine that is accessible remotely. So to get rid of that potential threat to the data and stability of your NAS we need to set the server to automatically ban or block IPs that are trying to hack your device. The feature that controls this is located under Network Access Protection inside the Security section of the web console.


First tick the box "Enable Network Access Protection", and then configure protocols for which the server will monitor access attempts and react accordingly.
I usually prefer setting the connection methods shown in the screen-grab. Note that SAMBA and AFP are not monitored, as they are local connection types and monitoring them may interfere with your users' access stability. You don't have to block the offending IPs forever; you can just ban their access temporarily, but I see no reason to do that as they will continue right on trying to penetrate your network after they are unblocked.
Once done, make sure to hit Apply or Apply All.
This feature was introduced after version 3.8.0 so if your NAS is running an older firmware version - maybe it is time to update.

Another important issue to consider is evaluating the connection methods that are open in your NAS.
If you don't plan to administer the NAS via SSH - do turn it off, because a lot of hack attempts will come via SSH. SSH is enabled by default, so it may be a good idea to turn it off to raise the level of security.
To disable SSH and/or FTP, go into the Network Services section and disable the unnecessary connection methods.

Finally, you may want to enable logging of file usage on your NAS. This can also tell you about internal users' actions in detail, as well as log incoming hack attempts. This is done in System Connection Logs under System Logs. Click the Options button and check all of the connection methods relevant to your situation. Make sure to check SAMBA to monitor the local users' connections. Once your log fills up to 10,000 events, you can automatically dump it into a CSV file on one of the shared folders. You can create a protected log folder that only you as the admin have access to, and point the CSV file creation there.
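The exported connection log can also be reviewed offline with the same kind of rule Network Access Protection applies. The script below is an added example, not part of the original post or of QNAP's firmware: it counts failed logins per source IP in a sliding time window. The column names, the `Login Fail` action text, the thresholds and the sample rows are assumptions constructed for illustration; adjust them to match your own export.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export; column names and values are assumptions,
# not QNAP's documented format. Addresses are from documentation ranges.
SAMPLE_CSV = """Date,Time,User,Source IP,Connection Type,Action
2014-09-20,03:10:01,admin,203.0.113.45,SSH,Login Fail
2014-09-20,03:10:09,root,203.0.113.45,SSH,Login Fail
2014-09-20,03:10:15,admin,203.0.113.45,SSH,Login Fail
2014-09-20,03:10:31,test,203.0.113.45,SSH,Login Fail
2014-09-20,03:10:40,guest,203.0.113.45,SSH,Login Fail
2014-09-20,08:02:11,alice,192.168.1.20,SAMBA,Login OK
2014-09-20,08:05:00,alice,198.51.100.7,HTTPS,Login Fail
2014-09-20,08:05:20,alice,198.51.100.7,HTTPS,Login OK
2014-09-20,09:00:00,bob,198.51.100.9,FTP,Login Fail
2014-09-20,11:30:00,bob,198.51.100.9,FTP,Login Fail
"""

def find_offenders(csv_text, max_failures=5, window=timedelta(minutes=1),
                   fail_action="Login Fail"):
    """Return {ip: sorted protocols} for IPs with at least max_failures
    failed logins inside any sliding window of the given length."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Action"].strip() != fail_action:
            continue
        ts = datetime.strptime(f'{row["Date"]} {row["Time"]}', "%Y-%m-%d %H:%M:%S")
        events.append((ts, row["Source IP"].strip(), row["Connection Type"].strip()))
    events.sort()  # do not rely on the export being in time order

    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    offenders = defaultdict(set)  # ip -> protocols in use when the threshold was met
    for ts, ip, proto in events:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= max_failures:
            offenders[ip].add(proto)
    return {ip: sorted(p) for ip, p in offenders.items()}

if __name__ == "__main__":
    for ip, protos in find_offenders(SAMPLE_CSV).items():
        print(f"{ip}: repeated failed logins via {', '.join(protos)}")
```

A single mistyped password followed by a successful login (the `198.51.100.7` rows) stays below the threshold, while the burst against SSH is flagged; addresses reported here that are not already on the NAS block list point to a protocol that Network Access Protection is not monitoring.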

It is worth mentioning that the QNAP NAS comes with an internal antivirus feature that is disabled by default, so if you want the NAS to scan the files that it hosts, you can enable the Antivirus application (located under the Applications section on the bottom of the console). You can schedule scan jobs and automatic definition updates there as well.
