
I'm thinking about acquiring a NAS from Synology (or QNAP); these are pretty cool NAS devices and do much more than just storing files. Some extras include:

  • ssh, ftp, telnet, mail servers
  • photo gallery (directly from the NAS!)
  • mysql/php (can even run a website from there)
  • and much more

On the specs side it looks awesome as a LAN server but it's possible to access those services also from the Internet. And now, I'm wondering how safe that is, considering you're actually putting multiple servers and, not to forget, all your personal files stored in that device, on the Internet.

I've done a bit of research and ssh access could be hardened using 2-step authentication, but I'm not sure about the other services, unless they all have to go through ssh?

I would appreciate your view on this and other possible ways to make your home NAS secure.

fduff
  • At time of this post, QNAP was vulnerable to BASH Shellshock, but this is now patched: http://www.qnap.com/i/en/support/con_show.php?cid=61 – JBRWilkinson Dec 17 '14 at 17:11

4 Answers


A NAS is a computer. It has a "smaller" CPU (usually an ARM in the 200 MHz range) but it still runs a "normal" operating system (often a Linux derivative) with all its normal software and assorted vulnerabilities. When an SSH server has a buffer overflow, it is vulnerable, even if the outer box does not "look like" a computer.

To be considered secure, a NAS, just like any other computer, must be managed, with prompt installation of security fixes. This is where the problem lies: contrary to what happens with full-fledged desktop computers, NAS vendors rarely distribute security patches on a daily basis. There is an inherent latency which means that when a vulnerability is found, attackers have a few weeks (or months!) of head start before the fix is packaged and installed in the majority of deployed devices. This is a rather big issue. It turns 0-day exploits into 0-month exploits.

My advice would be to refrain from putting such a device "on the Internet" unless you replace the OS with another one which you control and which offers low-latency security updates (and, of course, you do check them and install them with all due alacrity). For instance, you can install Debian on QNAP NAS.

Thomas Pornin

Don't put it on the internet if you don't need to. If you do need it, make all the other services only available locally and only allow ssh from the internet. You can then make a tunnel through ssh and access your other services through that tunnel.

Do mind that it is a HOME NAS so better keep it on your LAN.

Lucas Kauffman
  • If the SSH service on the NAS is compromised, everything on it is at risk, as an attacker could do `/bin/rm -rf /` via SSH. – JBRWilkinson Dec 17 '14 at 17:11

QNAP devices have a very limited ssh server installed as standard - you have to log in as admin (i.e. root access), which is a risk in itself. You can replace it with OpenSSH - see instructions here: http://wiki.qnap.com/wiki/How_To_Replace_SSH_Daemon_With_OpenSSH

However, be very careful to change the guest account password. I learnt this to my cost when I noticed multiple unwelcome external users logged in as guest!

You can also harden the OpenSSH config to deny password access, and only permit access with public key exchange.

tuck1s
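As an added example (not code from any of the answers above), a small POSIX shell audit of the OpenSSH settings tuck1s recommends (key-only logins, no direct root/admin login), run against a constructed weak config and a constructed hardened one; the tunnel Lucas Kauffman describes is shown in a comment. The file contents and the `nasuser` account name are assumptions.

```shell
#!/bin/sh
# Read one sshd_config keyword. sshd uses the FIRST occurrence of a keyword,
# so we do too; comments and keyword case are ignored. Match blocks and the
# "Keyword=value" spelling are not handled (kept simple on purpose).
sshd_setting() {   # $1 = config file, $2 = keyword, $3 = default if absent
    val=$(awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }' "$1")
    printf '%s\n' "${val:-$3}"
}

# Return 0 when the config only allows public-key logins and blocks root,
# 1 (and print each weak setting) otherwise. Defaults assumed here are the
# classic OpenSSH ones: passwords on, pubkey on, root login permitted.
check_sshd_config() {
    rc=0
    pw=$(sshd_setting "$1" PasswordAuthentication yes)
    pk=$(sshd_setting "$1" PubkeyAuthentication yes)
    root=$(sshd_setting "$1" PermitRootLogin yes)
    [ "$pw" = no ]   || { echo "WEAK: PasswordAuthentication=$pw"; rc=1; }
    [ "$pk" = yes ]  || { echo "WEAK: PubkeyAuthentication=$pk"; rc=1; }
    [ "$root" = no ] || { echo "WEAK: PermitRootLogin=$root"; rc=1; }
    return $rc
}

# Constructed sample configs (temporary files, removed on exit).
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
# constructed stock-style config: passwords and root login allowed
Port 22
PermitRootLogin yes
EOF
cat > "$HARD_CFG" <<'EOF'
# constructed hardened config: public-key exchange only, no root login
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers nasuser
EOF

check_sshd_config "$WEAK_CFG" || echo "weak config rejected (expected)"
check_sshd_config "$HARD_CFG" && echo "hardened config accepted"
# With only sshd exposed, reach a LAN-only service (e.g. the web UI on 443)
# from a client through a tunnel:  ssh -N -L 8443:localhost:443 nasuser@nas
```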

Do you intend to put your family photos, music library, ripped DVD collection and house documents onto the NAS?

If so, how much would it matter to you if:

  • They were all over the internet.
  • They were all erased.

If either of these matter to you, you'd be best not to poke a hole in your firewall exposing this NAS to the internet.

If these things just don't matter, can you isolate the NAS from the rest of your home devices, e.g. a 'home DMZ'? In that way, if the NAS is compromised, your internet access and other home devices are not at risk.

JBRWilkinson