QNAP NAS - Making Your NAS as Secure As Possible

Hello and welcome back and today I want to talk about

qnap

nas and how to perform a network security setup. This video will be more about how to make sure all of

your

security settings are as good as

possible

and while we are going to cover a lot of information in today's video, it has to be said that this is still not all, there are many things you can do with a network attached storage device, not just

qnap

but any brand, to make things with triple lock ridiculously

secure

. they just won't be in this video maybe because they involve

your

client devices and again we are talking about your Windows system, your Mac system and the security settings that you can do there or maybe the security settings that you can do with the router and the switch managed in your network environment, this video is about how to take care of all the internal security, data security, network security, access and more within the qnap nas, this is not about the broader environment of your home or office and Don't think about this video. covers everything it just can't, there are too many variables, there are too many different types of user case environments and also most of today's video is not just on this nas but also on this laptop and although we will be touching external connectivity a little bit, most of today's video is about how to take care of things inside the qnap system without external connectivity because in light of everything that happened recently with q locker, I know that several of you have disconnected your nas of external connectivity with the broader Internet or you had no intention of connecting to the Internet anyway,

making

sure that nas was something you never use the cloud with, so in today's video, 90 of the things we're going to look at are things so that users can continue. want to use their nas without connecting to the internet or they want to reconnect their nas to the internet but are worried about doing so until all the security settings are in place, so keep that in mind throughout today's video and if you follow each of I pass them and you do everything I say in today's video.

I'm not going to say you're bulletproof, no one really is, but what I will say is that you'll have one of the safest Nazis out there at your expense, maybe all of them. A moment after you've done this, you suddenly realize how freely and relaxed you were accessing your nas in the first place, but without further ado, let's head over to the qnap nas and check out all the security settings we can. and each of our settings that we recommend to make sure that this device is as

secure

as

possible

, let's go to the screen directly so many of you will probably notice right away at the top of this video that the microphone is very much closer to me today and there is a lot to do with what we are doing with this screen recording, although in the environment I am recording in today there is a lot of background ambient noise, I am having a real problem.

I've been trying to remove it for a while, so I apologize in advance if you can hear all that. Now today's video will mainly cover about seven or eight points, we will go through the user login settings and then continue. to firmware and security, what qnap was attacking after the q locker ransomware thing, which I think is not entirely real here, let's be honest, uh two, we will go to the notification center and analyze how exactly nas can inform you when there are irregularities as quickly as possible, then we'll check for app updates and from there we'll work our way to online services, like taking advantage of the firewall and taking advantage of a little more.

Let's take a look at my qnap cloud and how to get a working SSL certificate there, but let's get right into the task of connecting and accessing it now, once you're logged into your nas. I have installed a lot of applications here. It's worth noting that several people are not very aware that if you go up to the top here and select the options tab from here, you can change a number of key login sessions. Now I am using the administrator account and a. One of the first things you can choose to do is not use the administrator account freely.

If you want to create a new account, go to the control panel like you see here on the screen, go to the users and you can create a sub user that has a decent amount of control this is a user that has a lot of access but none of the main harmful access this is a user who can be said to have access to certain folders certain applications and only have certain privileges within your system and if there are areas of your data that you don't want them to have access to, such as a user who has access to settings but not to data or vice versa, this is something you can configure here, so even though I am using the administrator account, that is technically not the case. something you should do will make things a lot easier to show you many settings and things to change with this account, just keep in mind that after you have done all these things, head to the control panel and create a new account that you use more daily and you don't have the power of the administrator account unless you really need it, but the options here that I want you to see more of are, first of all, the password settings where you can not only have a password change if you need it, but you can also set your password to be changed on a rotating basis.

I'm sure several of you already want to jump into the comments and say, "Oh, what happened to the cue locker? That's nothing." What to do with this and I agree that it doesn't, but this video is about covering all the aspects that most people will be able to understand about how to change the security on your system and keep it as bulletproof as possible, so the I will cover all. be patient, so not only can you change the password here, but you can also configure many login and logout rules and probably most important of all, enable two-step verification, use an authenticator app like google authenticator app and create yourself a two step authentication portal here is when you can't log in to the nas unless your phone authenticates you for those who don't know, use google to authenticate your app, configure the app, scan this 3D barcode here and then you can set it up. that no one can access the nas with that account unless they also authenticate you on your phone.

Now if you want to do a little bit more about password control, go back to the control panel, in my case go to the admin scenes, you can change the Password is strong, but what you can also do is change a lot of the rules behind passwords. You can go ahead and set them up so that when it comes to passwords, that password has to have certain rules regarding characters, special characters, how often. rotated and more, these are all things you can change, we'll come back to the control panel later, but after looking at the user login and options menu, the next thing we need to look at is this tool, security advisor, now security.

Interestingly, advisor is not an app that is available by default on all nozzes, it is comparatively a fairly demanding little app, but it is available to download directly from the qnap website here. The security advisor allows you to have a portal view of your NAS and as you add some of the key protection applications on the NAS, they all appear here. I installed them manually, but all three here, the antivirus malware remover and the q firewall, need to be installed manually, although I will add that the antivirus requires a license to get the most out of it, which again is a bit embarrassing, but within the security advisor These are the things you can do, so first go to the security policy, this is where you can decide how strict the NAS is about certain security and whether you allow certain things to happen and if you are worried about reconnecting your nas to the Internet or have general access to the nas externally, you can change several of these policies here or you can go to a custom policy that covers everything and Again, it could address all of this, like what happens if a password is entered wrongly multiple times, what happens If a connection comes from a certain source or more, the intermediate security policy, for example, does not allow a user accessing the Internet to take advantage of my qnap cloud without verifying itself every time, something I will show you later and the same goes for the scans and more, the security notice, you can set it to notify you of new security notices with qts, but again, it's not proactive enough. in my opinion but that's a slightly different story now we go back to the security check if you run the check here so I'm going to run a scan as you can see now I'm going to run a scan of my nas. my policy that I created here and just to see how many of these rules here the nas complies with will show up right now.

It has already been noticed that different things already need changes, so for example it is being highlighted according to my security policy. I have not yet enabled that the password must be changed every 180 days and that the ssh port has a default value, so one of the first mentions and again I will continue to refer to the article about the computer that beeps. Check it. they talk a lot about one of the remedies that qnet recommended is to change the ports for a lot of external access tools, again, media streaming media console, that kind of thing and again this is where you can change a lot of those values ​​and enable it so that you're not using the port that everyone would use, which could potentially be a problem in the future with the antivirus.

You can see many of these. If we want to see this in full screen a little bit, we can see it along with those. port connections issues, we can see that push notifications for firmware updates have not been enabled, something we will talk about later and the same goes for all of this now, many of these come down to two very preset values, one is The idea of ​​all ports being set to default now isn't a big surprise when several of these services are set up, they need to have a default value and a lot of times people don't change them because they don't really know what they're doing, but If you set a security policy that is particularly strict and can go higher, remember that there is another higher security level, this will allow you to go through this checkpoint and change many of these options and the ports that you can change. but you have to know what you're doing before you play with the ports and I don't think I'm going to advise you in this video to at least change those ports without understanding exactly what you're changing.

The same goes for push. Notifications Note that you will need to add the mobile app for these push apps or a relevant email address, something I'll show you in a moment in the notification center, but as you can see, it says everything else is OK and, Of course, what you do after this information appears in the notification center we will see later. In the antivirus, the antivirus is available to install for free, but it is worth highlighting a number of key features and again you can create a schedule here. Many of the key features require a McAfee license, but for now, if you're going to install it again, it will at least tell you if there's a virus.

It won't protect you the same way ransomware does. but you can set this schedule here sorry, I have a bit of a toad in my throat so yes, you can set a schedule personally. I usually set a time every day, usually in the middle of the night when everyone is asleep, so I'm going with 1 a.m. and then on top of that you can add filters which again are very customized depending on the size of the files if you want, or you can set it to only do certain things and if you want them to go into quarantine. or not, this is something that is quite interesting if a virus is reported or mcalphy finds a suspicious file, you can choose whether you just want to inform it to just move the file to quarantine or delete it completely, but keep in mind that you want to know for sure that It is a virus, so I would recommend the quarantine option.

The same applies again as mentioned if you want it to be a full or partial scan, obviously the more data you have, the larger the storage array, the longer it will take, but I can say that you want it to be the entire system or just files or specific folders, so again, I've already run a scan as you've seen, but as things are reported, you can see your reports here and the quarantine, of course, as the files come in. The moved ones will be reported there and you can choose whether you want to reset or delete them, so again, it's all nice and simple, but keep in mind, as mentioned above, that with regards to mcafee you will need to have a fully licensed copy of which can go through qnap, which is good, but not great since you've already spent a lot ofmoney in your nas.

I'm sure you would agree, so that's the mcafee they are running in the background, we have it in the schedule the next malware remover, of course we can run a program in the malware remover and that will scan there. The malware remover has its own user interface, so if we select the malware removal tool there, we will be able to see it while it is being scanned there. the background we can configure the settings there again. I have set a schedule, you can set a schedule there. I go to 1 am again and again, you can have it check for updates for an updated database all the time and then you can choose if you want to send the malware results in uh qnap if it has internet connectivity or you can just make sure that in the log events in the log center q be notified, a lot of this will come down to the notification center which I'll show you in a moment. exit that, so exiting the malware remover, we can take a look at the baseline firewall, we'll look at the key firewall a little later, but the firewall is effectively the tool for managing the gateway between Internet connectivity and su nas, as I say, we'll get into this in a little more detail later, but the security advisor will allow you to add this to your security policy so that when the security checks are done on a schedule.

You can see what needs to change regarding the firewall in the future, so we have the schedule there and we'll add the security schedule there again. 1 am. 1 am. right now I have three scans running simultaneously, so you can get out of there close, so the next thing we need to look at, which I've already alluded to several times, is the notification center in the notification center, not only is this where They find practically all the details that each of them is doing. day are reported, as you can see, all the issues, everything that comes under the security policy heading um that I've selected will appear there, so we'll go out of that and from here everything from wrong IPs that I don't know about, like here when I tried to use a dodgy certificate to display additionally as when scans are done these all come under the heading of different alerts and depending on your security they will be displayed slightly differently so As you can see here when We were doing a test for a video coming soon, I will show how to set up the nas without using the internet, several of the apps I was using were trying to update even though the nas did not have internet access at the time it listed them as errors , but at least you can see that it recognizes those areas, but what good are all these errors if you don't know things are going wrong and this is where this bar appears?

At the top you will see, for example, an event notification that allows you to create rules, such as certain things that happen, such as virus scans, if something goes right or wrong, if you want to know if backup restore things have happened effectively, informing you at the event. that something is going right or wrong, what you listen for, so if you want to know if the system is being accessed using an IP you don't know, if you want to know that a backup routine has failed, if you want to know if you have been infected with malware.

I found or removed all of these things regarding access regarding the internal latrine, whatever you look at with your nas, an alert can be created, you can even set a master rule to cover them all or deselect all of them only. for the ones you're most interested in, then you can say if you want it to be general information, an error, or a warning, you can say what level you want it to happen at, and then you can say if you want it to have a message. included or excluded that way, if you are dealing with a third party or internal or just need more information, everything can be added to this specific rule and of course you can make sure this only happens at certain times a day or it will happen when and when from here you can add different alert methods, like email and then SMS, but you will need to add a phone operator as well as instant messaging using uh myqnapcloud and social services or the push service. with the mobile app again, I'll talk a little bit more about this in a moment, but as you can see, it's nice and simple, you can add everyone that's there, it's very user and service specific, but then you can have it like that. sent from there, if you are using an email client you will need to add the email client provider to the nas, but again if you use push notifications it is less problematic, you can opt for the automatic service there and then it will just be sent by a cubot on the nas directly to the recipient, which again you can use any of them there to be able to create those custom alerts and the same goes for alert notifications, not just events and again the same thing, but more personalized problems along the way and Of course, with device pairing here, if we go back to the overview, this allows you to show how to add, for example, email accounts so you can receive those email alerts, SMS alerts by adding the phone number , but again it will.

You need to add phone service, so it's not as simple as you'd like. Instant messaging, of course, is if you want to add an instant messaging account and there are quite a few to choose from, but again you can add others like Facebook and Skype. easily there and finally the push service is one that you can use with q manager on your mobile phone so that something happens with the nas and then you get an alert on your phone to make a buzz something is happening according to your security alerts um as we go over that in the security alerts in let's find out if I just scrolled to the security console again, this is very, very detailed, heavy and in no way am I considering that the things that I have shown you so far in this video could It doesn't even come close to being easy to use but at the same time there are a lot of configuration options, the real problem I find when something like ransomware happens when a hack happens and again it's not just a problem when it happens to any brand, a lot of it comes down to not find We discovered you, the end user, quickly enough and a lot of the things I talk about today are about you, the user, whether it's banning people from entering or improving the ways you can find out about these things that happen on your device, so you should move away from in the notification center now we can see the app updates.

One of the other important things that qnap went ahead with after this event took place is to say that some users did not update their firmware enough and I know a number. a lot of us feel like that's not really the whole story, that's not really the point, yes, your firmware needs to be up to date, but it's not really that simple to tell people that they need to make sure they have everything. running, yes, like here, you can go directly to the settings and yes, you can go to the update settings and make sure that it always automatically installs updates for individual apps.

You can set it up nice and easy and it will force these updates to happen. installed immediately on a daily schedule, as you can see there, so it will force those updates when you set it. I think my time is something like 1am again, so I can do it manually, but at the same time their system has an even higher time. responsibility regarding firmware updates in the control panel, if you go to firmware updates you can see that not only can you check for updates at any time but you can also go ahead and update automatically, this is when the updates will be applied automatically Yes He met his nas.

I know several users are not very interested in automatic installation of updates, as I mentioned in my q locker video, this is not just about qnap nas, many people do not want to install the latest update for anything, their iPhone, your Windows machine, look, how many of you have the maximum, are at the top, keep clicking, remember me later in an update so you can choose to install only stable versions. Now these are versions that have already been updated, so These are not their subversions or their betas. You can ensure that they are scanned and updated and will only be updated to stable qts versions.

It's still not foolproof for me and I think the latest firmware update wouldn't do it. would have been enough in this scenario, I think it would have been a huge help, but still a lot of the things we've talked about here certainly would have helped a number of people before their accounts unfortunately came under attack. Their Nazis were attacked by q. Locker and the encryption was done, so if we go back to that control panel and from here we click on the security panel, we can take a look at some of the other options here, so the IP access options now here indicate when the nas is accessed. remotely you can tell how many bad login attempts can result in a block, for example, within a minute right now, five login attempts means the IP is blocked for five minutes, but you can block it for long enough, you can tell if someone tries to do it. log in over a period of say 10 minutes with five failed attempts which can result in a one hour or one day ban and then you can configure that with the notification settings and security advisor to make sure you get alerts on your devices to alert you when that happens and that applies to several different network protocols.

The same thing applies to account access as well, but what's really cool is when you can take advantage of the um certificates that we're going to talk about in my cloud. section shortly, this will allow you to create a channeled and encrypted access point remotely with the nas, so again this allows blocking more lazy hacking attempts, we've already talked about password rotation, but if we work our way through now over to the firewall settings from here we can take a little look at the things that are trying to access the nas consistently through the firewall and block things before they have a chance to get through so right now I'm using basic protection here it lists all the individual ports and again I appreciate it.

Things are getting a little more tech heavy here, I would trust for now unless you know better, I would recommend trusting the profiles you have for example just subnets are effectively a much more closed system within subnetting and security restricted is Even more restrictive than that, these profiles will pretty much block anything that happens without very precise activity, that's why I chose basic protection that can still be configured, if you want, you can say about access to certain ports, you can talk about what can happen through what it can't, what protocol can happen, but this is where things get into a much more technical range, something that I think a lot of people who buy a nas go a little bit beyond people's expectations. by knowing what we're doing and with event capture and notification settings once again to let you know if when things happen based on those security settings, you can go ahead and make sure you get an alert again managed in time or not if The IP it doesn't recognize is a failed or successful login attempt, which brings us clearly to qnap's own security and external connectivity.

My qnap cloud now, for those who don't know, myqnapcloud is the means with which you can access your nas over the internet. without this your nas in theory, i mean obviously you can just disconnect it from the internet but this is the throttling point, this should be what's stopping someone from accessing your nas. Now setting up a my qnap cloud account is very, very easy, almost too. easy, one of my first complaints in my previous video where I talked about q locker and one of the many things that qnap could do to prevent people from breaking in had to do with services like playstation or xbox um or even many of On Android phones , you cannot access online services or some or all online services unless you update to the latest firmware.

Now, as restrictive as this may seem in the case of qnap, a lot of the problem, as they say, has to do with um. the firmware is not the latest version, which again many of us ponder and wonder, so they shouldn't allow people to keep external access without the latest firmware, that's not the only restriction and it's not the only thing you can change . for example the advanced auto router setup will allow the nas to communicate and set up upnp um access with port forwarding on your router easily for you so do it using my qnap cloud as a bounce point but again it's me , although I am enabling it is here by default, it is not enabled and I think some of you don'tyou're really going to need it, so if you use upnp port forwarding through my qnap cloud, know that this is where a lot of the problems with those nas ports arose. keep that in mind now, my ddns settings is where it talks about how to bounce from qnap cloud to access your nas.

One of the things that is quite interesting, of course, is the ssl certificate, which you can pay for a qnap certificate or obtain. a completely free one from let's encrypt, nice and simple, that means that when you try to access your nas remotely, like in the case of this nas, if we go into this here, we will access the nas remotely, so let's go into the general description. even from here we can see that this is our external connection that we have created with my qnap cloud. If I copy that, open a new tab and log in, the first thing it will ask me to do is verify who I am because as far as my security credentials are concerned, I am anonymous, I have not identified myself and it forces me to log in to the nas with my qnap cloud account here, which again doesn't completely solve the problem, but at least it does restrict it. access and forces them to use pre-designated routines e.g. send emails with password, login information instead of relying on a backdoor policy over and over again, a lot of this is about having as many layers as possible and as many unique layers as possible, and those ports are only You can see a small part of my qnap cloud, you can configure it with access to the credentials and as long as you have the two-step verification locally working along with the SSL certificate, which again everything What it does is allow.

Encrypted remote access does not act as a means to restrict access remotely, it is still better than nothing when it comes to allowing or if you have ever used a remote access connection to your NAS to ensure that much of the information security won't be captured along the way, but again, a lot of today's video has been about adding as many layers as possible to your security protocol. from this video that you guys need to watch right now is if you don't feel like your qnap nas is safe online, unplug it, get it working on the network, it works perfectly fine on the network on its own and when it is. ready to reconnect to the internet when you're ready to make all your settings as secure as you want, regardless of how heavy you want to make them, then at least you have the option to do it before you reconnect, but as I mentioned at the beginning of the video once you access everything with the highest security settings, know that you will encounter friction, you won't have the smooth access you once had, you can't have a hundred obstacles and 100 walls. between you and the outside world and then be surprised that logging in can be a real problem.

Thanks so much for looking. I hope we see more resolution in cue locker very very soon, this video will unfortunately be much more beneficial. For those of you who were not affected by this and just want to make sure you have increased your security. If you were a victim, talk about it in the comments. Maybe they had a solution. Maybe they have learned. Plus, it's always great to share this with other users along the way. Thank you very much for watching, enjoy it. I have another video coming soon where I'll look at snapshots of backup routines and more so you can increase your backup. routine in case something like this happens again, please like if you liked the video, subscribe to know more.

I'm going to take a drink of water before my throat closes up and I'll see you next time.