How To Secure Synology NAS Over Web Headache Free
Synology NAS security should be a priority for every SOHO user. Hackers' techniques are getting more elaborate, ransomware spreads faster, and zero days are becoming more common. Unfortunately, a VPN or an antivirus alone won’t defend your internet-facing NAS against remote exploitation, brute-force attacks, or session hijacking.
In this blog, you’ll find the most effective tips and tricks to strengthen your Synology NAS security posture. We will cover both the basic and more advanced options with detailed descriptions. So, whether you are a beginner or a professional, you can find some helpful details. Additionally, we’ll share the one-click solution that can instantly protect your devices. Stay tuned!
And now, let’s dive straight into the industry's best practices for securing Synology NAS (aka security hardening).
Bare Minimum for Securing Synology NAS
To make sure you are doing everything possible to secure your network and, as a result, ensure your Synology NAS security, follow these basic security principles:
- Keep software updated.
- Make sure you keep antivirus software running on your computer and NAS device.
- Use strong passwords and change them regularly.
- Back up your data.
- Encrypt your backups.
Basic Principles of Synology NAS Security
I would recommend always ensuring that you have all the ‘bare minimum’ security tips in place, paying particular attention to regular backups. The least you could do is follow the 3-2-1 backup approach. Of course, there are many more best practices for securing a Synology NAS, and we’ll cover them below.
Secure your router
The first line of defense against hackers is your home network. According to Cisco Systems, nearly half of small businesses don't even bother securing their routers. This leaves the door open for attackers to gain access to sensitive data stored on those networks.
In 2020, security researcher Jacob ‘thescaryguy’ Holzschuh audited NAS devices from 10 different vendors, finding vulnerabilities in every one of them. He discovered that most of the devices he tested had default passwords set up during manufacture. If you're like me, you probably didn't change it. And we both should take more care securing Synology NAS. When I bought my Synology DS723+ NAS, I changed the password to something long and random. But if someone gets hold of the old router, they could easily reset the password to whatever they want.
That's the bad news. The good news is that you don't have to worry about this unless you give someone physical access to your equipment. To carry out these attacks, hackers have to have direct access. So if you've got a locked door and a deadbolt, you're safe.
If you use a home network, chances are you already know what your router looks like, but did you know there are some security risks associated with having one? Routers are often used as entry points into your home network, making them prime targets for hackers looking to access your personal data.
If you haven't changed your default router settings recently, now might be a good time to do so.
- Log in to your router to make changes.
- Change the default password: Once logged in, scroll down to the bottom of the screen and look for Password. This is where you'll see your current password. Click on the Change link next to it, type in a new password, and hit Save.
- Update firmware: Next, head over to the firmware update menu and check for an upgrade. Make sure you're running the latest version of your router software.
Enable SSL
When accessing your network-attached storage device over the internet, make sure HTTPS is turned on. This ensures that your data is secure while being transferred. HTTPS (HTTP over SSL/TLS) prevents hackers from viewing your password, hijacking your session, or intercepting your commands. HTTPS should be enabled by default.
You can find a detailed guide on how to enable HTTPS and create a certificate signing request here.
Configure password strength rules
You can use password strength rules to help keep your users safe from hackers. This feature allows you to configure how long it takes to display a warning message to users about weak passwords. If you choose to turn off the rule, the warning won't appear even if the password isn't strong enough.
To see what settings are available:
- Select one of the options under Show password strength messages.
- Click Save Changes.
- To view the current setting, open the same window again. If needed, change the setting.
- Click OK to close the window when you’re done.
Synology NAS also offers options for Passwordless Sign-In and 2-Factor Authentication. We’ve explained the differences and covered the setup process in our previous blog, so feel free to check it out.
Additional Tips for Synology NAS Security
Congratulations! You’re done with the basics. Now let’s move to the additional practices for securing Synology NAS.
Configure DSM users' permission settings
Managing permissions for individual users and groups is one of the most important tasks you can perform to secure your network. It is also one of the basics of securing a Synology NAS. In addition to managing permissions for specific files and folders, you should manage the permissions assigned to each user account and group. This allows you to control what actions those accounts can perform.
Below, we explain how to configure user accounts and groups to manage privileges on a Synology NAS running DSM 7.0 or above.
- Go to Permissions.
- From there, select the user or group whose permissions you want to change.
- Then select Permissions from the left pane.
- Next, choose the action you want to assign to the selected user or group.
- Finally, select either Allow or Deny to apply the changes.
Alternatively, you can also use the following steps to make configuration changes:
- Select the user or group whose permission settings you want to modify.
- Choose Permission Settings from the menu bar.
- If necessary, enter the username or password of the user or group.
- Select the Action field and select either Allow or Deny.
- Click OK to save the changes.
Enable auto block and account protection
You can configure an IP address to be blocked after a certain number of failed logins. When you set up your security settings, you can choose to automatically block an IP address after three unsuccessful logins.
This feature allows you to protect your system against brute-force attacks. This way, if someone tries to brute-force your password, the IP address will be blocked.
Note: To prevent abuse of this setting, it is recommended to use a dynamic IP address.
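To make the auto block rule concrete, here is an added example (not code from DSM or from this blog) that applies the same logic to login events: an IP is flagged once it reaches three failed logins. The log format and sample lines are constructed for illustration, and the 5-minute counting window and the allowlist parameter are assumptions added so that trusted LAN addresses are not locked out.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a made-up format (not DSM's real log format).
SAMPLE_LOG = """\
2024-05-01 10:00:01 login FAILED user=admin ip=203.0.113.7
2024-05-01 10:00:09 login FAILED user=admin ip=203.0.113.7
2024-05-01 10:00:15 login OK user=alice ip=192.168.1.20
2024-05-01 10:00:20 login FAILED user=root ip=203.0.113.7
2024-05-01 10:01:00 login FAILED user=bob ip=198.51.100.4
2024-05-01 10:20:00 login FAILED user=bob ip=198.51.100.4
2024-05-01 10:40:00 login FAILED user=bob ip=198.51.100.4
2024-05-01 10:41:00 login FAILED user=alice ip=192.168.1.20
2024-05-01 10:41:05 login FAILED user=alice ip=192.168.1.20
2024-05-01 10:41:09 login FAILED user=alice ip=192.168.1.20
"""

LINE_RE = re.compile(r"^(\S+ \S+) login (FAILED|OK) user=(\S+) ip=(\S+)$")

def ips_to_block(log_text, max_failures=3, window=timedelta(minutes=5),
                 allowlist=frozenset()):
    """Return {ip: time the threshold was reached} for IPs to block."""
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    blocked = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a login event
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        outcome, ip = m.group(2), m.group(4)
        if outcome != "FAILED" or ip in allowlist or ip in blocked:
            continue
        failures = recent[ip]
        failures.append(ts)
        while ts - failures[0] > window:  # forget failures older than the window
            failures.popleft()
        if len(failures) >= max_failures:
            blocked[ip] = ts
    return blocked

if __name__ == "__main__":
    for ip, when in ips_to_block(SAMPLE_LOG, allowlist={"192.168.1.20"}).items():
        print(f"block {ip} (threshold reached at {when})")
```

The slow attempts from 198.51.100.4 never reach three failures inside one window, which shows why auto block should be paired with account protection and strong passwords rather than relied on alone.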
Run Security Advisor
Security Advisor is a free app that checks your Synology NAS for common DSM configuration problems. It scans your NAS for common DSM issues, gives you recommendations for how to fix those issues, and provides tips for securing Synology NAS. To ensure your NAS stays up and running smoothly, perform Security Advisor checks regularly.
How to Secure Synology NAS from Ransomware
Synology NAS, like any device, isn’t immune to ransomware attacks. If you don't know much about ransomware, here's a quick overview. Ransomware infects a computer, server, or network device, usually via email attachments or malicious websites. Once it gets inside, it locks down access to data and prevents the victim from accessing their files unless they pay a ransom. But in most cases, even after paying the ransom, users don’t get access to their data.
The good news is that there are several things you can do to avoid becoming a victim of ransomware, such as:
- Back up your data regularly. The industry standard is a 3-2-1 backup strategy that suggests having 3 copies of your data in 2 different locations, one of them offsite.
- Always use multi-factor authentication (MFA). In this blog, we explained how to set up 2FA on Synology NAS.
- Monitor your system to find any suspicious activity.
- Install updates and patches regularly.
- Act according to cybersecurity hygiene rules and educate your team on that.
- If you can, disable remote access. In case you require remote access, you could set up a VPN to limit access to your NAS.
One-Click Solution for Synology NAS Security
A one-click solution not only protects against all kinds of malware but also isolates your network and monitors suspicious activity. What does that mean?
When using Cyber First Aid by AP Lens, you get the following benefits:
- Network isolation: Hackers can neither access your NAS device nor move within the network.
- Monitoring: The software also tracks all the connections that take place and blocks anything risky before it can damage your machine.
Click here to learn more about how this one-click response can protect your network from cyber-attacks while also strengthening your Synology NAS security.
Conclusion
Now, let’s sum up.
How to secure Synology NAS?
- Keep software updated
- Make sure you keep antivirus software running on your computer and NAS device
- Use strong passwords and change them regularly
- Back up your data
- Encrypt your backups
- Secure your router
- Enable SSL
- Configure password strength rules
- Configure DSM Users' Permission Settings
- Enable auto block and account protection
- Run Security Advisor
- Use Cyber First Aid to isolate the network and monitor suspicious activity