
Secure Your QNAP NAS - Best Security Settings To Keep Your Data Secure

Jun 08, 2021
With more and more vulnerabilities being found all the time, it's time to lock down your NAS devices and protect your data and network. Today we will cover all the things you should consider when trying to protect your QNAP device if you haven't already. Once this is done, hit the subscribe button and click on notifications to receive notifications of any new content. If you follow security news, you may have heard that they recently found two more vulnerabilities within QNAP drives. The first was found on the web server and the second was found on the DLNA server, both using the default port settings, but this video today is not really about these two vulnerabilities in particular, but rather how to configure your device for best practices.
Vulnerabilities and problems will constantly arise. Regardless of whether you're running a QNAP, a Synology, a Windows server, whatever it is, you're always going to have some threats of vulnerabilities, so the intent today is simply to establish, at least from a QNAP perspective, best practices and the things that should be disabled and what is really necessary for the device to do what it needs to do. There may be things that we disable during this video that you may need to have because of the applications you are running, and that's okay. At least understand what they are, what the threats are, and hopefully you can change the default poor configuration to minimize the threat surface. So before we start I want to leave you with a couple of thoughts. First of all, never point your NAS drive at the public Internet. Don't take you out of DMZ, don't do any kind of setup like that where your NAS device is actually exposed. The idea of a NAS drive is to keep it really hidden, securely protecting your data and doing what you need to do internally. Just because you can do something doesn't necessarily mean it's always a good idea to do it. And most importantly, access your device when you're out and about, which a lot of us want to do, that's part of the inherent thing. The benefits of having a NAS is being able to access your files, always use a VPN.
If you stick around towards the end of this video, I'll show you how to quickly set up the VPN within the QNAP unit so that you can access your device when you're away from home, whether it's through a laptop or a mobile device. So let's start with what sections and what settings you really need to do to strengthen your security and exposure on your QNAP, so let's get into the control panel. I'm going to start with the general settings, so on this first screen in the system administration screen yours should look a lot like mine. The only thing you need to do is make sure you don't allow embedding of QTS in iframes, make sure you have enabled HTTPS and then also make sure you have the highest level of TLS enabled, and that's pretty much all you need on the screen.
Much of this is already predetermined, so we're not going to spend too much time on this. They will go to safety section. There are a couple of things that, um, and I've covered this in previous videos, but I'll go over it real quick anyway. If you really want to go to the extreme you can really take control of who and what has access to your NAS. The easiest, or one of the easiest ways, is to restrict who can access which IP addresses on your device, and you can do this by allowing the connection and then selecting or typing the IP address or address range into this to limit, i.e., IP addresses on your particular network. That can be a big problem, but it is a very good way to lock your NAS unit.
Let's talk about the IP protection and account access protection tabs. They are essentially very similar. The only difference between them is what is being filtered. For example, in IP protection you are looking at IP addresses that have too many failed attempts, whether IP addresses in account protection you are looking at protocols, so that if someone tries to log in via Telnet, for example, and they have a lot of failed attempts, then it will block them. So in essence they are the same but they are different categories, so again I would make sure they are both on so I shouldn't have done it.
Anyone trying to access your server too often anyway, so I would really turn this all on and limit it. You can change the lockout period so that the default is five minutes, which is a little short in my opinion, but it works at least. Note that someone has tried more than five times, but I think under the circumstances I would probably block them longer, meaning if someone gets legitimately blocked, you'll have to go and delete them, but last. This particular page I want to cover is essentially making your password as secure as possible. The tougher the password requirements, the more secure your device will be.
This is not enough, but it is a place to start. I usually need digits and special characters. I have been conservative in my minimum length for other reasons. Sometimes I set something up temporarily and I don't want to get too complicated because I'll delete it in an hour, but none of my actual user passwords are close to being that short. Usually it's 9 or more or 10 or more. If you know, depending on who has access to your device, I suggest you probably increase that a little bit; if not, at least do a little more complex password. The next place we want to go is in network file services. We're going to go to Windows/Mac/NFS, and here we want to do a couple of things. So first of all there are three types of basic files or file services which you can link to, and basically you can choose. If you are in a network environment or if you are in a predominantly Windows home environment then of course you will want to use Windows networking. If you have a mix of Windows and Mac you can also enable AFP, or Apple's file protocol, and NFS, which is more of a Linux thing.
I don't normally use these two, so mine is simply set to Microsoft Networks. In advanced options here, although you probably will, I want to take a look at a couple of things here, mainly these settings here. Now you may run into some issues depending on whether you configure these high versions of SMB for file access or folder access. There may be some older devices on your network that may have problems with it, but I would start by setting them as tight as possible. Now what I've done here, or what we're going to do here, is the highest is three, so I can go ahead and enable three, and the lowest I want to put a 2.1, so I don't want anything lower than that, and if something goes wrong then I will deal with the problem.
I'm going to go ahead and hit apply and, as we see here, you've actually changed the settings. It takes about a minute to make the changes, so be patient when you click apply. So next we're going to move on to Telnet/SSH. My recommendation here is that all of these are disabled unless you have a particular need, and there are always exceptions. It is these rules that I am telling you. These are basic settings. They are what I do with my devices. They're not necessarily going to work 100% because you may need access. You may need to have something that tells you that you have to have this and that enabled right now.
Basically what I consider to be a secure configuration out of the box has worked in every situation I've used it in, but everyone is a little different, so I've disabled everything on this page. Next we're going to go to SNMP. Again, I have it disabled. And the next one I want to go to is FTP, which is another one I completely disable, so it's not me, you don't need to do that, an FTP to my box. Now, if again your settings may vary, I may have to do it for a specific task, but I don't use FTP so I disabled the service.
Any service you disable simply reduces your footprint for security breaches and issues. That might be fine with you, so moving on to the apps, there are a couple here that we probably want to disable for good. The first one we're going to talk about is actually the DLNA server. Now the DLNA server was the one that was attacked recently, but that again, I think it's already patched so it's not a huge concern. But again, unless you're using DLNA on your network, and I certainly am not, I would just disable it because it's a streaming protocol, so it's actually out there talking to your network. So if you don't need it, turn it off. If you find that you need it, then go ahead and obviously you're going to use it.
One of the things that may come up is multimedia services. There are several services that actually require DLNA to be enabled, in which case you know to go ahead and enable it. Again, I recommend that you first find out if you need it: turn it off and see if any of your applications are forcing the DLNA server requirement. I have never had a problem with it and I don't use it, but again, this is my setup. This is the big one, the web server. I know for a fact there are a couple of applications that use this. Don't use those apps, and I really refuse to turn on the web server.
The web server was also the second application that actually had some major vulnerabilities recently, and again I think they were patched. Unless you have a particular need, there usually aren't many. You may want to enable a web server unless it is required by a specific application, and then you will have to decide how important that application is. But again, if you use this, change the default ports: do not use port 80, do not use 8081. Go ahead and change it to something else so you can at least take control of it, so any generic streaming scan can't know or can't find your particular device. But again, this web server is a bit tricky because it's a site Web.
The server again doesn't necessarily mean you want to put this directly in front of the internet. There's not enough protection for that. Don't put it in a DMZ zone on your router and have it broadcast directly, that's not a good idea. For the web server, can be limited to internal, so if you don't allow your NAS to broadcast by not allowing any port forwarding or UPnP or anything like that, then you can at least restrict it to internal. But again, I would recommend it: turn it off if you don't need it, that's my recommendation. LDAP, same thing: if you don't need it, turn it off. SQL is another one: absolutely turn it off if you don't need it. This also applies to RADIUS server and TFTP. All these services are there, but again, just because you have something and there's something there doesn't mean you have to use it. You don't need it, turn them off.
We want to keep these things as lean and tight as possible and just minimize the entire threat surface, so let's get into something a little more controversial, and that's the myQNAPcloud app. Now, to be short and to the point, my recommendation is not to use this. There are just a lot of things about this that I don't like. Obviously, the intent of the convenience factor of being able to quickly access your device when you're out and about is tempting, but I would think seriously whether you really want to use it or not. It's not the best app I've seen, the way it's set up, the fact that they are actually pushing the automatic configuration of the router, which is the UPnP. Sure, it can be disabled, but the setup process is not the best I've seen, so it really doesn't inspire much trust, so for me I wouldn't use it. My preference, the way I want to connect to my device when I'm away from home, is to use OpenVPN, and we'll talk about that a little bit because I think it's a much more secure way to do so. Yes, you have to go in and take a little extra step in terms of being able to connect, but at the end of the day, if you funnel everything through one, your threat surface is much better and you don't need to go through an unknown third-party cloud app to connect to your home device. So again, my recommendation is not to use this unless you absolutely have to or you can't find another way.
Use OpenVPN. A couple of quick things before we continue. For the VPN service there are a couple of apps that, for reasons I'm not quite sure about, are not installed by default that you should really install, and that is the Malware Remover and Security Advisor. These are not required, but the Malware Remover application actually scans your system much like an antivirus and looks for any threats, at least the threats that have been launched through your application. Security Advisor also does something similar, except it doesn't look for threats, it actually looks for things in your system settings which you may have configured incorrectly or maybe you need to disable, so it's a quick way to just scan your system and see if everything is configured correctly. So I would really recommend installing both apps.
Both can be set to run automatically just to make sure nothing has changed or, in the case of the Malware Remover, just to make sure it's scanning your system on a regular basis, so I'm not going to go too deep into these apps. There are some videos out there that are kind of digging. I'll dig a little deeper, and if there's interest I'll dig a little deeper into the Security Advisor app, but I would recommend that you go ahead and load it up and give it a try. And lastly, let's get into the VPN itself, because I think there are some, you know, you're probably a little scared about setting up one of these and how hard it is to use, so we'll quickly look at how to set it up and then I'll show you how to set it up on a mobile app. So I'll go into the QVPN server. Now there's a lot of protocols which you can use here.
My access is OpenVPN, so I do what I normally do: I actually just go. I usually don't enable most of these and will downgrade to OpenVPN. Enable, I'm ready to go. Now there's not much to configure really, this is just a couple of things. You need to first decide your IP range. If this is the default IP range, it works 99 of the time. If you have an IP conflict due to another device on your network, you may have to change this to 10.9 or 10.10 or some other IP range that doesn't conflict with anything you have on your network. Again, most of the time not a problem, but there may be times when you may have a couple of devices that have VPN enabled, which may cause some conflicts.
The rest of this, encryption is always set to high. You can limit the maximum number of clients. You can also select the network interface. Now, in my case, I have several interfaces on this particular device and only one of them is actually connected to a LAN that connects to the Internet in any way or connects to my router, so I've specified that adapter. Most of the time, not necessary, probably you only have one connected. And then you want to use this connection as default gateway, which means when a VPN connection comes in it will connect not only to the VPN but the traffic will also be routed through the VPN, so everything will work out from your house, unlike, you know, Starbucks or whatever. You can now optionally enable the compressed VPN link, which is useful when you have a possibly slow connection on one side. You can experiment with that, you can try disabling it or enabling it to see which one gives you the best performance based on where you are, and in terms of setup, that's really all there is to it.
There are a couple of boxes here to download the configuration file, so if I click on download configuration file, I'll download a file that can, look here, it's an .ovpn file that I'm going to import to one of many different devices, be it a PC or an iOS or Android device or whatever. That is the OpenVPN file I am going to use. There is one last thing I need to configure here, and that's the privilege settings. So, you know, depending on how many users you want, you can add VPN users based on your NAS settings, so if you have users on your NAS you can add them to the VPN. That will depend entirely on your particular configuration.
In my case I only have two users, and because the VPN is for me, you know, in terms of getting external access, it's really limited to me, so I basically restrict who has access to the VPN, and you can also decide what protocols have access. So that's all you really need, it's nothing too complicated. Once you've done this, that's all you need to do in your cl on the server side, except enter your router and forward a port, and that port forwarding is done to port 1194. I can't tell you how to forward a port on your own router.
You will have to search for it, but basically do port forwarding to your NAS IP address, and the port you are forwarding is 1194. So when OpenVPN connects it will know your IP address, connect to it, port forward to the NAS unit and it will become the connected device, and that is extremely secure. OpenVPN has been vetted several times and is actually a pretty secure protocol, so it is definitely much better than any intermediary cloud service you can use. That's it for the actual network configuration or NAS configuration. We will enter the client very quickly, just as some additional features, just to show you how we take this VPN configuration and basically set it up on a client device so you can see how it works, and then from there you can easily create a VPN service. So let's see how to configure OpenVPN.
I'm going to show you two different configurations. One way is to do it on your laptop or PC and the other is to do it on a mobile app. Let's start with the PC. We will include a link to download the OpenVPN client, but once you download it, it is quite simple, and installing it, it is quite simple. What you are going to do is go down here to the icon that says OpenVPN, and in a new installation you will not have any profile, so I'm going to right click on it and click Import Profile, and I'm going to go to where I downloaded, my default downloads, or where I copied the file.
Click on the OpenVPN file that we downloaded and it says import successful, and that's pretty much all I have to do. Now when I go to the icon at the bottom I can connect to it, so it actually loaded the configuration file. I click on connection, type in my username and password. Now just keep in mind that this only works on accounts that you have enabled, and if you go back to the previous part of the video where you allowed us a specific user to have VPN access, so you have to reuse those same credentials when you connect. When you stream the file, and I'll show you this in the mobile app.
This file can be sent by email. It's obviously a little less secure, but the file itself doesn't contain any user credentials. Your username and password are not included in the file, they remain and reside on the server. Let's take a quick look at how to set up OpenVPN via an email you sent to yourself. Again, this is probably less secure, and if you can copy directly to your device I would recommend doing it. On iOS, it's a little more difficult, you need to do some extra twists to make that happen, so this is an alternative method to install the profile. Again, the profile does not contain any username and password, so you know we can probably get by with a slightly less secure transfer. So once that's in your email, just tap on it, hit share, set it to OpenVPN and we'll click add profile, giving me a couple of profiles because I've added the same profile a couple of different times. So we're going to go ahead and choose the one we just entered and we're going to click on Add and we're going to put in the username. And again, I'm putting in the admin, but don't do that: use the username that you have defined on your NAS. And then up here in the right corner you will simply click add and you will be connected. So now if I go back to the top right corner you can see that I have a VPN symbol on the top right, which tells me that I am connected to the VPN. And again, you will have to import once, you don't have to do this every time, and if you memorize your password with your profile then all you have to do is slide the slider on your iOS or Android device and you'll be connected instantly. So the difficulty threshold for connecting to your VPN is quite low, so again, this is a much safer way to connect to your device.
This gives me access to everything that particular user has on my network, and then I can go from there. If anyone is interested, you could do a deeper and more detailed dive into OpenVPN. Just post your requirements in the comments, and if enough people are interested I'll be happy to do it. So anyway, I think that's it for today's video. I appreciate you staying until the end, and if you haven't already, subscribe and click on that notification to receive notifications of any new content. Thanks for watching and I'll see you in the next video.
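
An added example, not part of the video: a small Python check to run on a downloaded OpenVPN profile before sending it by email, confirming what the transcript relies on, namely that the file embeds no credentials or private key and points at the forwarded port 1194. The sample profile, host name and function names are constructed for illustration; the directives (`remote`, `auth-user-pass`, inline `<key>` blocks) are standard OpenVPN configuration syntax.

```python
import re

# Constructed sample profile (placeholder host and certificate, not from a real NAS).
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote nas.example.net 1194
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----
</ca>
"""

# Inline blocks that would embed secrets in the profile itself.
SECRET_BLOCKS = {"key", "pkcs12", "secret", "tls-auth", "tls-crypt", "auth-user-pass"}


def parse_profile(text):
    """Split a profile into directive token lists and inline <tag>...</tag> blocks."""
    directives, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if current is not None:  # inside an inline block
            if line == f"</{current}>":
                current = None
            else:
                blocks[current].append(line)
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        opened = re.fullmatch(r"<([A-Za-z0-9-]+)>", line)
        if opened:
            current = opened.group(1)
            blocks[current] = []
        else:
            directives.append(line.split())
    return directives, blocks


def audit_profile(text, forwarded_port=1194):
    """Return findings; an empty list means none of these checks fired."""
    directives, blocks = parse_profile(text)
    findings = [f"inline <{tag}> block embeds secret material"
                for tag in sorted(SECRET_BLOCKS.intersection(blocks))]
    for tokens in directives:
        if tokens[0] == "auth-user-pass" and len(tokens) > 1:
            findings.append(f"auth-user-pass reads stored credentials from {tokens[1]}")
        if tokens[0] == "remote" and len(tokens) > 2 and tokens[2] != str(forwarded_port):
            findings.append(f"remote port {tokens[2]} is not the forwarded port {forwarded_port}")
    return findings


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE) or ["no findings"]:
        print(finding)
```

A bare `auth-user-pass` line only tells the client to prompt for the NAS account, so it is not flagged; a file name after it, or an inline block, means credentials travel with the profile.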
