Basic NAS Security Guidelines

First of all with all the different models of NAS devices, we have put together a simple guide detailing key steps towards securing your NAS. It is impossible to give a one size fits all guide to securing your NAS. Instead, focus on learning these principles and the reasoning behind them. Once you learn what to look for and why, you can find specific instructions for your NAS from the manufacturer’s website.

Admin Accounts and Passwords

Always change the default password for the administrator account. If possible, create a new administrator account with a different name and delete the default “admin” account, as brute-force attacks only work by repeatedly trying to guess the password for this account.

Enable SSL

When you access your NAS via the web interface, you should see “https://” at the beginning of your address bar along with a padlock, indicating your connection is encrypted. If this isn’t enabled by default, turn it on. Otherwise, your credentials are transmitted in the open and available to potential attackers.

Only Enable What’s Necessary

Your NAS can run various web apps that will be accessible over the net. Only enable what you need and if you open a port on your router to access your NAS from the Internet, make sure you are using a strong username and password. Consider enabling any filtering or auto-blocking features your NAS offers to eliminate brute-force login attempts.

Use a VPN

If your NAS can run a VPN server, you can use this when away from home to access your device securely. When you connect to the VPN, you’ll have access to your local area network (LAN). This means you only have to open up a port on your router for the VPN, greatly reducing the attack surface for your NAS.

Connecting to your NAS via a VPN is one of the best ways you can keep your NAS secure. Check the manufacturer’s website to learn how to set up a VPN on your specific device. Also make sure to check out our selection of best VPN providers as well as our overview of VPN reviews to get an idea of what’s available out there.

Following the guidelines above will increase the security of your setup, and they’re easy steps to implement. Now, we’ll look at some specific features offered in the various Synology and QNAP devices.

Securing a Synology NAS

Synology devices offer users several options to lock down their NAS and enhance security. We’ll start by removing the default account and creating a new one with a secure passphrase.

Create a New User

Step 1. Login to DiskStation Manager and from the main menu click “control panel” then click “users.”

Step 2. Click “create,” then click “create user.”

Step 3. Enter the username and password of your choice, then click “next.”

Step 4. Click the “add” checkbox to add your new user to the “administrators” group, then click “next.”

Step 5. Give the new administrator account access to all folders by ticking the “read/write” box, then click “next.” Click “next” again, unless you want to set a disk quota.

Step 6. Tick the “grant” box to give the new admin account access to applications, then click “next.”

Step 7. Click “next” at the to skip setting a speed limit, then click “apply.”

That’s it, you now have a new administrator and can proceed to disable the old admin account.

Disable the Admin Account

Step 1. Log out of the DSM and then log in with the newly created administrator account.

Step 2. From the main menu, go to “control panel” and click “users.”

Step 3. Click the “admin” account, then click “edit.”

Step 4. Tick the box for “disable this account” and click “ok.”

Now that we have a new administrator account and have disabled the old default account, let’s look at setting up two-step verification.

Two-Step Verification for Synology NAS

This process requires a mobile phone with an authenticator app installed, such as Google Authenticator. Install the app now before you continue. You’ll always need your phone when logging into DSM.

Enabling two-step verification means that an attacker attempting to access your account needs your password as well as your phone, greatly reducing the possibility of compromise.

Step 1. Click the user icon, then click “options.”

Step 2. Tick the “enable 2-step verification” to launch the wizard. Click “next.”

Step 3. Enter an email address in case your phone is lost. Click “next.”

Step 4. Open the authenticator app on your phone and scan the QR code displayed by the wizard. Click “next.”

Step 5. Enter the code generated by the authenticator app. Codes are updated periodically, so do this quickly before it expires. Click “next.”

Step 6. Click “close” and click “ok” to save your changes.

You’ll now be prompted to enter a verification code every time you log in to the DSM. While it may seem like a hassle at first, it only takes a few seconds and greatly increases the security of your NAS.

Enabling Auto-Block for Synology NAS

Lastly, we’ll enable auto-block. Attackers use automated tools to scan and exploit other computers, and by enabling auto-block we can blacklist the IP address of any attackers after a certain number of failures.

Step 1. From the main menu, click “control panel,” then click “security.”

Step 2. Click “auto-block,” then tick the box labeled “enable auto-block.”

Step 3. We’ll enter the number five for both “login attempts” and “within (minutes)” here, as this is a safe default.

Step 4. You can tick the box for “enable block expiration” if you want the block to expire after a certain number of days.

Step 5. Click “apply” to save your changes.

You can always edit the block list by going back to this screen and clicking “allow/block list.” Enabling auto-block, two-step authentication and creating a new administrator account are three simple steps towards enhancing the security of your NAS device. Check out Synology’s site for more information – https://www.synology.com/en-uk.