How To Secure Your QNAP NAS (Or Any Other NAS For That Matter)

Yesterday I posted a story asking who is to blame for QNAP’s security issues (Spoiler alert: Mostly everyone). But I got a couple of emails asking how to secure their NAS. Now QNAP have put out their own recommendations here. But if I were you, I would go further. This is what I would suggest.

  • Download and install all updates for your NAS: Patching closes the known vulnerabilities, and known, unpatched vulnerabilities are what mass-exploitation campaigns run on. I say known vulnerabilities because threat actors will keep exploiting the unknown ones for as long as they can, and no update fixes a hole the vendor has not found yet. Thus this is not a perfect solution. But it removes the easy wins, which is a good thing. That means the firmware and every app installed on the NAS, not just the firmware, and if the NAS can install updates automatically, turn that on.
  • If you must for whatever reason access your NAS remotely, disable the default admin account: Remote access on a NAS and a live, default-named admin account are completely incompatible. "admin" is the first username every brute-force tool tries, so create a separate account with administrator rights under a name of your own choosing, log in with that, and disable the built-in admin. Better still, don’t put the NAS itself on the Internet at all: reach it over a VPN so the only thing exposed is the VPN endpoint.
  • Disable UPnP on your router: I suggest this because even if you never set up port forwarding to your NAS, UPnP lets any device on your LAN ask the router to open a port forward, with no prompt and nothing you will ever see. A NAS will happily do exactly that (its "remote access" features rely on it), so with UPnP enabled you have it exposed to the Internet. And the security issues with UPnP make that a very obvious attack vector for hackers. I wrote about those risks here if you want to go down the rabbit hole. After turning it off, look at the router’s port-forwarding table to confirm no mapping is left over. And even if you don’t have a QNAP NAS, you should turn off UPnP anyway to maintain your security posture.
  • Disable UPnP on your NAS: This is the same idea from the other side. Even if you have it disabled on your router, a NAS that keeps asking for port mappings will get them the moment a replacement router, or a factory reset, silently re-enables UPnP, and that could get you pwned. Thus you should dig through your NAS network settings, including any "auto router configuration" or remote-access feature (that is what uses UPnP), and disable it.
  • Use strong passwords: In 2022 I really shouldn’t have to be saying this. But based on the number of times I have done a security assessment of a client and found the company name, the company phone number or even the word “password” as the password for some critical service or system, I guess I will have to say this one more time. Use strong, unique passwords to make the threat actor’s job harder than running a dictionary attack or just taking a few guesses, and turn on two-step verification if your NAS supports it. Microsoft has tips on how to do that here.
  • Disable SSH and Telnet: If you don’t know what SSH and Telnet are, you don’t have a real use case for running them, and you shouldn’t be running them. Telnet sends everything, passwords included, in cleartext and should never be on. SSH is a fine admin tool on the LAN, but an Internet-facing NAS with SSH enabled and password logins allowed will be brute-forced around the clock. The scary thing is that on some units both are enabled out of the box, so check rather than assume. Disable them ASAP to improve your security posture; if you genuinely need SSH, keep it LAN-only.
  • Back up your NAS: A NAS is not a backup. If your NAS is not backed up, then anything from a hard drive failure to ransomware will cost you your data. Use an external hard drive, or back up to a cloud service. Whatever you do, please back up your data. And make sure the backup is not simply a second copy the NAS can overwrite at will: ransomware that gets onto the NAS will encrypt every share and mounted drive it can see, so disconnect the external drive between backup runs, or use a target that keeps versions or snapshots you can roll back to. That way if the worst happens, you still have your data.
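As an added example (this is not from the original post and not QNAP’s own tooling), here is a small POSIX shell script that checks the two things in the list above that you cannot see from the NAS admin screen: whether the router holds UPnP port mappings that forward Internet traffic to the NAS, and which management ports (SSH, Telnet, the QTS web UI) the NAS is actually answering on. It assumes the miniupnpc client `upnpc` and `nc` are installed on the LAN machine you run it from, and that the NAS sits at the address in NAS_IP (192.168.1.50 is a placeholder). The `upnpc -l` output it parses by default is a constructed sample so the parser runs offline; set LIVE=1 to run it against your real router and NAS.

```shell
#!/bin/sh
# Added example (not from the original post or QNAP): a LAN-side exposure
# check for a NAS. Assumptions: the miniupnpc client `upnpc` is installed on
# this machine, `nc` is available, and NAS_IP is the NAS's LAN address.
#   1. list_nas_mappings: parse `upnpc -l` output and print each router port
#      mapping that forwards Internet traffic to the NAS (UPnP exposed it).
#   2. probe_nas_ports: report which management ports the NAS answers on.

NAS_IP="${NAS_IP:-192.168.1.50}"   # placeholder; set to your NAS's address

# Read `upnpc -l` output on stdin and print "PROTO EXTPORT INTPORT" for every
# mapping row whose internal address is $1. miniupnpc prints mapping rows as:
#   0 TCP  8080->192.168.1.50:8080 'QNAP NAS' '' 0
list_nas_mappings() {
  awk -v nas="$1" '
    $2 ~ /^(TCP|UDP)$/ && index($3, "->" nas ":") > 0 {
      split($3, p, "->")          # p[1] = external port, p[2] = addr:port
      sub(/^[^:]*:/, "", p[2])    # keep only the internal port
      print $2, p[1], p[2]
    }'
}

# Number of mappings pointing at $1 (stdin = `upnpc -l` output). 0 is the
# answer you want after disabling UPnP on the router.
count_nas_mappings() {
  list_nas_mappings "$1" | wc -l | tr -d ' '
}

# Probe the ports that matter on a QNAP: 22 SSH, 23 Telnet, 8080/443 QTS UI.
# Anything OPEN here plus a mapping above means it is on the Internet.
probe_nas_ports() {
  host="$1"
  for port in 22 23 8080 443; do
    if nc -z -w 2 "$host" "$port" 2>/dev/null; then
      echo "OPEN   $host:$port"
    else
      echo "closed $host:$port"
    fi
  done
}

# Constructed sample of `upnpc -l` output (not captured from a real router),
# so the parser can be exercised without upnpc. Two mappings target the NAS
# at 192.168.1.50 (the QTS web UI and SSH); one targets another host.
sample_upnpc_output() {
  cat <<'EOF'
List of UPNP devices found on the network :
 desc: http://192.168.1.1:1900/igd.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP  8080->192.168.1.50:8080 'QNAP NAS' '' 0
 1 TCP    22->192.168.1.50:22 'QNAP NAS' '' 0
 2 UDP 51413->192.168.1.77:51413 'torrent' '' 0
GetGenericPortMappingEntry() returned 713 (SpecifiedArrayIndexInvalid)
EOF
}

if [ -n "${LIVE:-}" ]; then
  # Real run: LIVE=1 NAS_IP=192.168.1.50 sh nas-exposure-check.sh
  echo "== Router UPnP mappings forwarding to $NAS_IP =="
  upnpc -l | list_nas_mappings "$NAS_IP"
  echo "== Management ports answering on $NAS_IP =="
  probe_nas_ports "$NAS_IP"
else
  echo "== Constructed sample: mappings forwarding to 192.168.1.50 =="
  sample_upnpc_output | list_nas_mappings 192.168.1.50
fi
```

If the mapping list is not empty after you disabled UPnP on the router, the mapping either survived or something re-created it: delete it from the router’s port-forwarding table by hand and go find the device that asked for it. If port 23 shows OPEN, Telnet is on. The probe only tells you what is listening on the LAN; to know what the Internet sees, run the same port list from a host outside your network.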

These tips are not only for QNAP NAS users, but all NAS users. Because with threats like DeadBolt out there, you need to do everything possible to protect yourself. Do you have any other tips that you’d like to share? If so, post them in the comments below.
