QNAP NAS security – the 11 golden rules
Secure your internet-exposed QNAP NAS and protect it from ransomware attacks. I’ll explain the 11 golden rules.
2021 has shown us in a blatant and violent way that the new ransomware threats affect not only PC networks but also NAS devices of the famous QNAP brand. In April 2021, the notorious Qlocker ransomware attacked millions of devices, encrypting their contents.
In addition to ransomware, there are other security risks that affect any NAS exposed to the internet in some way.
What is a NAS?
A NAS, an acronym for Network Attached Storage, is a network device whose function is to let multiple users access mass storage (disk space) in which to store and share their content. Simplifying as much as possible, it is a kind of “external hard disk” accessible via the network and therefore also via the internet. The NAS can therefore be placed anywhere on the planet.
There is a multitude of NAS brands and models, the most famous being those of the well-known QNAP brand.
QNAP NAS
The definition of NAS given above is very limited when we talk about QNAP NAS, because this brand has turned its NAS into technological prodigies. In fact, they are systems with their own operating system, called QTS, which greatly extends the number and type of services they can provide through the possibility of installing apps, downloadable directly from the NAS or from the official QNAP App Center.
You can do tons of things with a QNAP NAS!
They range from remote synchronization of folders (even between mobile devices) via Qsync, to video surveillance with QVR Pro, to viewing multimedia content (photos, videos and music) on your TV with HybridDesk Station, to installing Windows and Linux virtual machines, creating FTP servers and much more!
Among the various things you can do is upload the photos and videos you take with your mobile phone directly to your NAS, without using services such as Google Photos, and therefore without giving up the full resolution of the photos and without handing your privacy over to Google.
This feature, along with others, has made QNAP very famous. I personally tried several other brands before coming to QNAP, and I have to say I wouldn’t go back. QNAP is the best system for those who want much more than just a NAS!
If you want to learn more about QNAP NAS, don’t miss this: A Beginner’s Guide: What is NAS? | QNAP
Exposing a NAS to the internet: why do it?
A NAS can be used at home or in an office / company without any need to expose it to the internet. For most users a NAS is just a place to store files.
However, when we talk about QNAP it is almost a waste not to use it over the internet, given the services it can provide.
For example, I find it very useful to keep it at home, connected to the internet, so that I can access it remotely and consult my documents or my work.
I will not explain here how to expose a NAS to the internet, but I will give 11 tips to minimize the risks.
The 11 golden rules for securing your QNAP NAS
I’ll explain the 11 golden rules that I personally tested and collected for you; some of them are part of the best practices recommended by QNAP itself.
1. Update the firmware often
Perhaps the most obvious rule. Check often for firmware updates and, if there are any, install them as soon as possible! This rule should apply to any device in general. QNAP releases one or two updates per month for the latest models, so check every 15 days.
How to check: as soon as you enter the web management panel you are notified and can proceed with installing the new firmware. Otherwise go to:
Control Panel -> Firmware Update
and then Check for Updates
2. Update the apps often
Enter the App Center of your NAS; you will see all the installed apps. Check whether they need an update.
Remember: an app installed on the NAS, even if not used, is a gateway for ransomware!
So if you don’t use a particular app, either uninstall it or update it, but never leave it unpatched!
3. Elect a user as administrator and disable the admin user
The “admin” user is the default administrator account. Attacks will try this user, which is why you have to disable it. Before you can disable it, however, you have to elect another user as “administrator”.
Log in to the web management page with the admin user.
Then create a user with a name that IS NOT “administrator”, “admin_user” or anything similar; choose a name that does not evoke the role it will have, for example a first name such as “alessandro”.
Once created, from the user list click on the “Edit user group” icon.
Check the administrators group and confirm with Apply.
Screenshot: QNAP QTS, enabling the administrators group
Now LOG OUT and log back in with the newly created user.
From the list of users, locate admin and click on the pencil icon to edit it.
Check Disable this account and click on OK to confirm.
At this point you should find the admin user disabled.
4. Stop or disable these network services
Stop or disable these network services: Telnet / SSH (uncheck the checkboxes below).
It is also recommended to disable these other services: SQL server, phpMyAdmin and PostgreSQL.
5. Enable the HTTPS encrypted protocol and force its use
To encrypt web traffic it is recommended to enable the HTTPS protocol and also to force the NAS to use only that!
Go to Control Panel -> System -> General Settings -> System Administration
Tick the items as follows:
- System port: change from 8080 (default value) to another value as desired, for example 9527
- Enable Secure Connection (HTTPS)
- Compatibility with TLS 1.2 and later
- Enable complex cipher suites
- Port number: change here from 443 to another … for example 455
- Force secure connection only (HTTPS)
It is also possible to install free Let’s Encrypt SSL certificates.
You can find this option here: Control Panel –> QTS SSL Certificate
6. Change the default web ports http and https
The standard ports of the http and https services are the most exploited for attacks, since hardly anyone changes them.
These default ports are: 80, 443, 8080 and 8081 for the web part.
Go to the screen seen previously, Control Panel –> Applications –> Web Server, and change ports 80 and 8080/8081 to something else; for example, change 8080 to 9527. Port 80 really should no longer serve you, since in the previous step we forced HTTPS-only connections. Change it anyway, so as not to forget it in case you accidentally deactivate HTTPS.
7. Choose strong passwords for your users
Always choose strong passwords for your users, especially for the administrator user.
As a rule for choosing passwords, I recommend the following:
- length of at least 10-15 characters
- presence of both upper and lower case characters
- presence of special characters such as ~ ! @ # $ % ^ & * _ – + = | ( ) { } [ ] : ; “ ‘ < > , . ? /
- presence of numbers. Attention: DO NOT use consecutive numbers such as 1234, and do not use the birth dates of family members or the current year!
- it must not contain proper names of people or pets
If you are short on imagination, I recommend this site to generate your passwords: https://passwordsgenerator.net/
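The rules above, turned into a checker you can run against a candidate password before setting it on the NAS. This is an added example and not code from the post or from QNAP; the names of family members or pets and their birth years are passed in by the caller (assumed inputs), and the current year is always rejected.

```python
import re
from datetime import date

# Characters the post lists as acceptable "special characters".
SPECIALS = set("~!@#$%^&*_-+=|(){}[]:;\"'<>,.?/")


def _has_consecutive_digits(pw, min_run=3):
    """True if pw contains an ascending or descending digit run such as 1234 or 4321."""
    for run in re.findall(r"\d{%d,}" % min_run, pw):
        diffs = {int(b) - int(a) for a, b in zip(run, run[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(pw, personal_words=(), personal_years=()):
    """Check pw against the post's rules; returns the list of violated rules.

    personal_words: names of people or pets (rule: no proper names).
    personal_years: birth years of family members (rule: no birth dates).
    Both are assumptions about what the caller knows; the current year is always banned.
    """
    problems = []
    if len(pw) < 10:
        problems.append("length: use at least 10-15 characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("case: needs both upper and lower case letters")
    if not any(c in SPECIALS for c in pw):
        problems.append("special: needs at least one special character")
    if not any(c.isdigit() for c in pw):
        problems.append("digits: needs at least one number")
    if _has_consecutive_digits(pw):
        problems.append("digits: consecutive sequence such as 1234")
    banned_years = {str(date.today().year)} | {str(y) for y in personal_years}
    for year in sorted(banned_years):
        if year in pw:
            problems.append(f"digits: contains a year ({year})")
    lowered = pw.lower()
    for word in personal_words:
        if word.lower() in lowered:
            problems.append(f"names: contains '{word}'")
    return problems
```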
8. Enable 2FA (two-factor authentication)
Two-factor authentication, also known as 2FA, lets you add extra security on top of your username and password. You can use the Google Authenticator app on your mobile to validate every login.
Since the procedure is a bit laborious, I’ll leave you the link to the official guide: Improving account protection through 2-step verification
9. Block IP addresses that attempt intrusions
The QTS system lets you block, for a set time (30 minutes, 1 day, … or even forever), the IP addresses from which numerous access attempts on the various protocols come.
Go to Control Panel –> Security –> IP access protection
For each protocol you can decide after how many attempts to block IPs, and for how long.
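To see what the per-protocol setting does, here is a small simulation of that lockout logic run over constructed login records. It is an added example, not QTS code or its real log format: the thresholds, windows and block durations in POLICY are illustrative values, and the assumption that a successful login resets the failure counter is this simulation's, not necessarily QTS's.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative per-protocol policy (not QTS defaults): block an IP after `attempts`
# failed logins within `window` minutes, for `block_minutes` (None = block forever).
POLICY = {
    "SSH": {"attempts": 5, "window": 1, "block_minutes": None},
    "HTTPS": {"attempts": 10, "window": 5, "block_minutes": 30},
    "SMB": {"attempts": 3, "window": 10, "block_minutes": 1440},
}

# Constructed sample records (not real QTS log output): "<ISO time> <protocol> <ip> <result>".
SAMPLE_LOG = """\
2021-04-20T10:00:01 SSH 203.0.113.5 FAIL
2021-04-20T10:00:02 SSH 203.0.113.5 FAIL
2021-04-20T10:00:03 SSH 203.0.113.5 FAIL
2021-04-20T10:00:04 SSH 203.0.113.5 FAIL
2021-04-20T10:00:05 SSH 203.0.113.5 FAIL
2021-04-20T10:00:10 HTTPS 198.51.100.7 FAIL
2021-04-20T10:00:20 HTTPS 198.51.100.7 OK
2021-04-20T10:00:30 SMB 203.0.113.9 FAIL
2021-04-20T10:01:00 SMB 203.0.113.9 FAIL
2021-04-20T10:20:00 SMB 203.0.113.9 FAIL
"""


def parse(line):
    ts, proto, ip, result = line.split()
    return datetime.fromisoformat(ts), proto, ip, result


def evaluate(lines, policy=POLICY):
    """Return {(protocol, ip): blocked_until} for IPs that crossed their threshold.
    blocked_until is None for a permanent block."""
    fails = defaultdict(list)  # (protocol, ip) -> timestamps of failures inside the window
    blocks = {}
    for line in lines:
        ts, proto, ip, result = parse(line)
        key = (proto, ip)
        if key in blocks and (blocks[key] is None or ts < blocks[key]):
            continue  # still blocked: the attempt never reaches the login service
        if result != "FAIL":
            fails[key].clear()  # assumption: a successful login resets the counter
            continue
        rule = policy[proto]
        window = timedelta(minutes=rule["window"])
        # keep only failures still inside the window, then add this one
        fails[key] = [t for t in fails[key] if ts - t <= window] + [ts]
        if len(fails[key]) >= rule["attempts"]:
            mins = rule["block_minutes"]
            blocks[key] = None if mins is None else ts + timedelta(minutes=mins)
            fails[key].clear()
    return blocks
```

In the sample, only the SSH source is blocked: the HTTPS source logged in successfully, and the third SMB failure arrived after the 10-minute window had expired.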
10. Schedule anti-malware scans with Malware Remover
There is an app for your QNAP that regularly scans for malware. It is called Malware Remover. Install it and update it often.
11. Turn off the NAS when not in use
It seems trivial but few think about it. If the NAS is turned off it cannot be attacked 🙂
So turn it off at night, on weekends, or when you don’t plan on using it.
QNAP allows you to schedule power on and shutdown based on a customized daily schedule.
This setting is under Control Panel –> System –> Power –> Power schedule
What to do if you find yourself infected with ransomware?
You will notice it when you find your files encrypted and zipped in password-protected 7-Zip format, with a text file containing clear instructions to pay the ransom.
In this case, first of all DO NOT SWITCH OFF THE NAS! If you do, you will not be able to attempt data recovery later.
Then contact the QNAP Service immediately.
Help me support this blog
If you want, you can help me concretely to support this blog. You can do it with a free donation, by credit card or PayPal. I will be grateful to you.