Recently, some Synology owners discovered that all the files on their NAS system were encrypted. Unfortunately, some ransomware had infected the NAS and demanded payment to restore the data. Here’s what you can do to secure your NAS.
How to Avoid the Ransomware Attack
Synology is warning NAS owners of several ransomware attacks that hit some users recently. The attackers use brute-force methods to guess the default password—essentially, they try every password possible until they get a match. Once they find the right password and gain access to the network-attached storage device, the hackers encrypt all the files and demand a ransom.
You have several options to choose from to prevent attacks like this. You can disable remote access altogether, allowing only local connections. If you need remote access, you could set up a VPN to restrict access to your NAS. And if a VPN isn’t a good option (because of slow networks, for instance), you can harden your remote access options.
Option 1: Disable Remote Access
The most secure option you can choose is disabling remote connection features entirely. If you can’t access your NAS remotely, then neither can a hacker. You will lose some on-the-go convenience, but if you only work with your NAS at home—to watch movies, for instance—then you may not miss the remote features at all.
Most recent Synology NAS units include a QuickConnect feature. QuickConnect takes care of the hard work for enabling remote features. With the feature turned on, you don’t have to set up router port forwarding.
To remove remote access through QuickConnect log in to your NAS interface. Open the control panel and click on the “QuickConnect” option under Connectivity in the sidebar. Uncheck “Enable Quick Connect” then click apply.
If, however, you enabled port forwarding on your router to gain remote access, you will need to disable that port forwarding rule. To disable port forwarding, you should look up your router’s IP address and use it to log in.
Then consult your router’s manual to find the port forwarding page (every router model is different). If you don’t have your router manual, you can try a web search for your router model number and the word “manual.” The manual will show you where to look for exiting port forwarding rules. Turn off any port forwarding rules for the NAS unit.
Option 2: Use A VPN for Remote Access
We recommend just not exposing your Synology NAS to the Internet. But if you have to connect remotely, we recommend setting up a virtual private network (VPN). With a VPN server installed, you won’t access the NAS unit directly. Instead, you’ll be connecting to the router. The router, in turn, will treat you as though you were on the same network as the NAS (still at home, for instance).
You can download a VPN server on your Synology NAS from the Package Center. Just search for “vpn” and choose the install option under VPN Server. When you first open the VPN Server, you’ll see a choice of PPTP, L2TP/IPSec, and OpenVPN protocols. We recommend OpenVPN, as it’s the most secure option of the three.
You can stick with all the OpenVPN defaults, although if you want to access other devices on the network when connected through VPN, you’ll need to check “Allow clients to access server’s LAN” and then click “Apply.”
You will then need to set up port forwarding on your router to the port OpenVPN is using (by default 1194).
Option 3: Secure Remote Access as Much as Possible
If you need remote access and VPN isn’t a viable solution (perhaps due to slower internet speeds), then you should secure Remote Access as much as possible.
To secure remote access, you should log into the NAS, open Control Panel, then select Users. If the default admin is turned on, create a new admin user account (if you don’t already have one) and turn the default admin user off. The default admin account is the first account ransomware usually attacks. The Guest user is typically off by default, and you should leave it that way unless you have a specific need for it.
You should ensure that any users you created for the NAS have complicated passwords. We recommend using a password manager to help with that. If you share the NAS and allow other people to create user accounts, then be sure to enforce strong passwords.
You’ll find password settings in the Advanced tab of the User profiles in the Control Panel. You should check the include mixed case, include numeric characters, include special characters, and exclude common password options. For a stronger password, increase the minimum password length to at least eight characters, although longer is better.
To prevent dictionary attacks, a method where an attacker guesses as many passwords as quickly as possible, enable Auto-Block. This option automatically blocks IP addresses after they guess a certain number of passwords and fail in a short amount of time. Auto-block is on by default on newer Synology units, and you’ll find it in Control Panel > Security > Account. The default settings will block an IP address from making another login attempt after ten failures in five minutes.
Finally, consider turning on your Synology firewall. With a firewall enabled only services you specify as allowed in the firewall will be accessible from the internet. Just keep in mind that with the firewall on, you’ll need to make exceptions for some apps like Plex, and add port forwarding rules if you are using a VPN. You’ll find the firewall settings in Control Panel > Security Firewall.
Data loss and ransomware encryption is always a possibility with a NAS unit, even when you take precautions. Ultimately a NAS isn’t a backup system, and the best thing you can do is make offsite backups of the data. That way if the worst should happen (whether that’s ransomware or multiple hard drive failure), you can restore your data with minimal loss.