Your NAS is probably one of the most important devices on your home network, but are you giving it the attention it deserves when it comes to security?
The last thing you want is for your NAS to get hacked or infected by malware, like the SynoLocker ransomware that crawled its way onto Synology NAS boxes a couple of years ago. The good news is that there are ways to stay protected from future attacks and prevent your NAS box from being broken into.
Note: Most of the steps and images below are based on my Synology NAS, but you can do these things on most other NAS boxes, as well.
Be Diligent About Updates
Perhaps the easiest thing you can do to help secure your NAS is keep the software up to date. Synology NAS boxes run DiskStation Manager, and there’s usually a new update every couple of weeks.
The reason you want to keep on top of updates isn’t just for the cool new features, but also for bug fixes and security patches that keep your NAS safe and secure.
Take the SynoLocker ransomware as an example. Newer versions of DiskStation Manager are safe from this, but if you haven’t updated in several years, you might be vulnerable. Plus, newer exploits are always being released—another reason to keep up with updates.
Disable the Default Admin Account
Your NAS comes with a default admin account, and the username is most likely “admin” (real creative, huh?). The problem is that you usually can’t change the username of this default account. We recommend disabling the default admin account and creating a new admin account with a custom username.
The reason for this is to give hackers yet another layer they have to break through. With a default account, they can use “admin” as the username and just focus on cracking the password. It’s similar to how people never change the login credentials of their router—by default the username is usually “admin” and the password is “password,” making it super easy to break in.
By creating an admin account with a username like “BeefWellington” and then using a strong password, you severely decrease the chances of your account credentials getting cracked by a lazy script kiddie.
Enable Two-Factor Authentication
If you aren’t using two-factor authentication already for your various online accounts, then you should be. Your NAS likely has the capability for this, too, so take advantage of it.
Two-factor authentication is great because not only do you need the username and password to log in, but you also need another device you own (like a smartphone) to confirm the login. This makes it nearly impossible for a hacker to break into your account (although, never say never).
When you’re accessing your NAS remotely, you’re probably doing so over HTTP if you haven’t messed around with any settings. This isn’t secure, and can leave your connection wide open for the taking. To fix this, you can force your NAS to use an HTTPS connection at all times.
However, you need to install an SSL certificate on your NAS first, which can be quite the process. For starters, you need a domain name to link the SSL certificate to, and then link your NAS’s IP address to the domain name.
You’ll also have to pay for an SSL certificate, but they’re usually not more than $10 per year from any reputable domain registrar. And Synology even has support for Let’s Encrypt SSL certificates for free if you want to go that route.
Set Up a Firewall
A firewall is an overall good defense to have because it can automatically block any connection that your NAS doesn’t recognize. And you can usually customize the rules that it uses to keep certain connections open, while shutting all other connections out.
By default, most firewalls on any device aren’t even enabled, which allows anyone and everyone through without inspection, and this is generally a bad idea. So be sure to check your firewall settings on your NAS and customize any rules to fit your needs.
For example, you could have a rule that blocks all IP addresses from certain countries, or a rule that only allows certain ports from IP addresses in the US—the world is your oyster.
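To make the rule logic concrete, here is an added example (not from the original article or from Synology) that models a firewall checking rules from top to bottom, with the first match winning and everything unmatched denied. The subnets, the trusted remote address and the ports (5001 for the HTTPS web interface, 445 for file sharing, 22 for SSH) are assumptions chosen for illustration.

```python
import ipaddress

# Constructed ruleset, evaluated top to bottom; the first matching rule wins.
# Networks and ports are illustrative assumptions, not vendor defaults.
RULES = [
    {"src": "192.168.1.0/24", "ports": {5001, 445}, "action": "allow"},  # LAN: web UI + file sharing
    {"src": "203.0.113.10/32", "ports": {5001}, "action": "allow"},      # one trusted remote host
    {"src": "0.0.0.0/0", "ports": {22}, "action": "deny"},               # SSH blocked for everyone
]

# Constructed inbound connection attempts: (source IP, destination port).
ATTEMPTS = [
    ("192.168.1.50", 445),    # LAN client opening a share
    ("203.0.113.10", 5001),   # trusted remote host, web UI
    ("198.51.100.7", 5001),   # unknown host, web UI
    ("198.51.100.7", 22),     # unknown host, SSH
    ("203.0.113.10", 445),    # trusted host, but a port it was never granted
]

def decide(src_ip, port, rules=RULES, default="deny", enabled=True):
    """Return 'allow' or 'deny' for one inbound connection attempt."""
    if not enabled:
        return "allow"  # firewall switched off: nothing is inspected
    addr = ipaddress.ip_address(src_ip)
    for rule in rules:
        if addr in ipaddress.ip_network(rule["src"]) and port in rule["ports"]:
            return rule["action"]
    return default  # no rule matched, so the fallback policy decides

def overly_broad(rules=RULES):
    """Return allow rules that accept traffic from any source address."""
    return [r for r in rules
            if r["action"] == "allow"
            and ipaddress.ip_network(r["src"]).prefixlen == 0]

def evaluate(enabled=True, default="deny"):
    """Run every constructed attempt through the ruleset."""
    return [decide(ip, port, default=default, enabled=enabled)
            for ip, port in ATTEMPTS]

if __name__ == "__main__":
    for (ip, port), verdict in zip(ATTEMPTS, evaluate()):
        print(f"{ip}:{port} -> {verdict}")
    print("allow-from-anywhere rules:", overly_broad())
```

Calling `evaluate(enabled=False)` or `evaluate(default="allow")` shows how much more gets through when the firewall is off or the fallback policy is permissive.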
Keep It Off the Internet In the First Place
While all of the above steps are great things to do in order to keep your NAS secure, they won’t make it 100% safe by any means. The best thing you can do is to just keep your NAS disconnected from the outside world entirely.
Of course, this isn’t easy to do, especially if you have certain programs running on your NAS that benefit from being accessible remotely (like using your NAS as your own cloud storage service).
But the important thing to note here is that you’re at least aware of the risks when exposing your NAS to the outside world, and that the above steps won’t necessarily keep your NAS 100% safe. If you’re looking for the best way to keep your NAS secure, it’s keeping it accessible only to your local network.