Best Way to Secure a QNAP TS-239 Pro II?

[luddy]

What is the best way to secure a NAS device behind a router when I want to be able to access it via the Internet? Share pictures/albums, access files, etc?

NAS does supports SSH. Would I use SSH and provide accounts to people I want to have access and control what they can get to? I also have some personal data on the NAS I'd like to keep from prying eyes/bots/hackers, etc.

 

[[OC]Pik4chu]

What kind of firewall/router do you have and is there any other server in your network you may be able to use? While SSH will encrypt the traffic between you and the NAS it wont provide for security on its own. I would recommend looking into setting up a VPN to your firewall or server in your network. depending on the firewall you can have very granular control over the vpn access, including even MAC filtering and such. If you have a server you can use the windows VPN, and if its a domian you can merge user accounts to the NAS so you dont have to enter multiple credentials. Just make sure you use strong passwords with whatever you do.

 

[luddy]

I just have my QNAP behind my Dlink DIR-655 router and all my PCs are on the same network. This is a home office setup and each PC is running a desktop OS (Win7, XP and Vista machines). No servers are running anywhere and all machines are in a workgroup. Shares are set up on the NAS for each user.

Each desktop is running NIS2010

 

[thiggins]

The QNAP has web services for the functions you want. Just enable HTTPS access, use strong passwords and monitor your logs faithfully. You'll need to forward SSH ports to the NAS.

I would not put data that you don't want to put at risk on the NAS. You are exposing this NAS to the Internet and there are plenty of people who love a hacking challenge.

 

[Sebastienbo]

You can now use this free firewall on your qnap:
http://www.forum-nas.fr/viewtopic.php?f=21&t=2301

 

[sfx2000]

Keep in mind that QNAP's SSH implementation only allows for Admin to log in, not any other users... there are ways to get around it, check QNAP's sponsored forums for more details on the how/why QNAP did it this way.

I would not put any NAS on the public internet - I use other tools, like Dropbox, to facilitate this...

 

[sfx2000]

The short of it with QNAP's SSH implementation is that it's the path of last chance where if things go terribly wrong, one can be admin and login _from_your_lan_ to do corrective action.

 

[Sebastienbo]

With a whitelist you can avoid a lot of misery like exploits in services or apps by only allowing hosts that you know, the anoying part about a whitelist is that you already need to know the ip adresses from where you would like to connect)

But with this new firewall qwhitelist app : ttp://www.forum-nas.fr/viewtopic.php?f=21&t=2301 you also can whitelist hostnames, dyndns clients (for ex. your phone/laptop) or you can whitelist by having a two-factor authentication (that means that whoever wants to connect to your nas, also has to authenticate first to your external server)

 

[sfx2000]

The risk that one runs going deep into QTS is that once there, QNAP can't help you dig your way back out without a full reset/reinit of the firmware...

 

[sfx2000]

The QNAP has web services for the functions you want. Just enable HTTPS access, use strong passwords and monitor your logs faithfully. You'll need to forward SSH ports to the NAS.

HTTPS ports you mean?

The WebServices (FileStation, photostation, etc) are generally secure...

 

[Sebastienbo]

The risk that one runs going deep into QTS is that once there, QNAP can't help you dig your way back out without a full reset/reinit of the firmware...

What do you mean?

Locking yourself out by using whitelists?

With the qwhitelist app this is not possible (it always puts the nas private IP adress subnet in the list automaticly)

And even if it would block you out, you can do a soft reset on a qnap (pressing 3 seconds the reset button) -> This will only reset the passwords and whitelist security (but it will not touch your configuration,apps or files

Be carefull -> if you keep the same reset button for 10 seconds, then it will reset you nas configuration + apps + users (but even here your files stay safe)

 

[sfx2000]

What do you mean?

What I mean - don't go messing around inside the gubbins of QTS... most users should never go there.

Start changing config files and adding things there and one can get into trouble fairly quick if one is not an experienced Linux user...

Understand that many here are not - there are a few who are... granted.

 

[Sebastienbo]

You don't need to go into the config

This is just a QPKG package that you install

 

[sfx2000]

You don't need to go into the config

This is just a QPKG package that you install

You're missing my point - SSH is admin only, so to open up SSH, one has to make changes to the /etc/ssh/sshd_config

See?

 

[Sebastienbo]

You're missing my point - SSH is admin only, so to open up SSH, one has to make changes to the /etc/ssh/sshd_config

See?

I understand your point, but I was reacting to the original subject/poster (Best Way to Secure a QNAP from the internet)
SSH was just a side track in he's first post, but he mainly wanted to know the best way to protect the NAS itself from the internet

 

[sfx2000]

I understand your point, but I was reacting to the original subject/poster (Best Way to Secure a QNAP from the internet)
SSH was just a side track in he's first post, but he mainly wanted to know the best way to protect the NAS itself from the internet

As long as it's in the QNAP "App Center", one is likely ok (the Firwall Whitelist app) as QNAP has vetted it - I looked, and didn't see it.

Otherwise, back into the gubbins of QTS, adding a couple of QPKG's, and running things on the command line, which again, probably is not wise for most QNAP customers/users...