Channel: Security | Vulnerability Scans and Assessment Archives - TechDirectArchive

Cybersecurity Tips to Secure Synology NAS against Ransomware

Protect Synology NAS

This month is Cybersecurity Awareness Month. Therefore, I will be discussing some security best practices and offering “Cybersecurity Tips to Secure Synology NAS against Ransomware”. Please see How to disable Ads in Windows 11, How to Backup MacOS to Synology NAS via Time Machine, and how to Turn Off Windows 11 Tips and Suggestions Notifications. Many organisations struggle to manage their cybersecurity effectively, and rapidly evolving cybercriminal tactics create significant challenges for business owners.

Without the technical knowledge needed for proper cybersecurity management, these threats can become overwhelming. A similar guide is available here: “DSM Security: How to Protect Synology DS923+ NAS“. This guide will cover the following key areas.

  • Replace default Admin Account
  • Select a Strong Password
  • Enable MFA
  • Auto lock and account protection
  • Limit user access
  • Implement 3-2-1 backup
  • Snapshot replication (I will also create a dedicated post for this)
  • Enable HTTPS
  • Enable DoS protection
  • Change default management ports
  • Implement WORM
  • Enable Firewall
  • Synology NAS Monitoring

Also, see how to “Create New Users and Join Synology NAS to Active Directory“, how to Backup MacOS to Synology NAS via Time Machine, and Microsoft 365 Backup: Why is it imperative to protect M365?

Emergence of Ransomware

When ransomware made its first appearance in 1989, the threat was relatively minor. This new form of virus was distributed via floppy disks, targeted personal computers, required payment to be physically sent to a PO box, and the encryption key was quickly found and distributed to those affected.

The IT managers tasked with responding to this poorly-conceived scam could not have known how dangerous ransomware attacks would one day become.

Data is the cornerstone of modern business infrastructure. From massive CRM databases to essential company documentation, few organizations can bear a major loss of company data without severe repercussions.

Ransomware attacks exploit this dependency by locking down the systems that are essential to keep businesses running, then demanding extreme sums to release the encrypted data or to prevent sensitive information from being released to the public. To prevent ransomware infection, modern IT managers should spend significant time and resources ensuring that their systems are protected.

Tips for every Synology NAS user

Employees are taught to spot and respond to phishing attempts, comprehensive backups for PCs are carried out with strict regularity, and firewalls receive constant updates to keep ransomware at bay.

However, many IT managers neglect ransomware prevention on the most essential piece of their IT infrastructure.

Please see Backup Mac with Veeam Agent for Mac to Synology DS923+ NAS, how to fix the Synology NAS Quick Connect is not enabled issue, and “Synology NAS Domain Join: The Importance of DNS Configuration“.

These tips apply to all users and devices, from personal desktop storage to enterprise servers. Synology recommends this as the absolute minimum to protect your NAS against attack.

Replace your default admin account

A surprising number of NAS owners will continue using the default admin account and password for their NAS long after the device is in regular use. One of the most common methods attackers use to gain access to admin accounts is to simply use known credentials for existing NAS, granting easy and immediate access.

To prevent this from happening, set up a second admin account and disable the default admin account, as shown below. Do not forget to also set up two-factor authentication for the new user.

Synology User Management

Select a strong password

Tech lovers and IT managers alike have to keep track of hundreds of passwords, so password complexity rules can feel pedantic and unnecessary. Many people fall into the trap of simplifying passwords for ease of recollection, or of using the same password for multiple accounts. Below, you will find some password settings that are applicable to you.

Password Settings

However, it’s important to keep in mind that basic passwords with few characters and no variation are incredibly easy to break. The password is the first line of defense to prevent attackers from authenticating as an admin or valid user.

Use the password generator in DSM or your own manager to help you generate this password as shown below.

Note: If you have any reason to believe it has been compromised, change it immediately.

Password generator
To prevent your passwords from being compromised by social engineering, brute-force or dictionary attacks, and to keep your online accounts safe, you must employ strong passwords.

Please see Step-by-step guide on how to set up the Synology DS923+ NAS, how to Sync Data in Cloud Drives to Synology NAS, and how to Setup iSCSI Target and Storage LUN on Synology DS923+ for VBR.

Enable multi-factor authentication

Even the strongest attempts at breaking a password can be foiled by multi-factor authentication. Requiring that users and admins confirm a token at the time of login reduces the window within which an attacker can attempt to infiltrate a system.

Please see the image below for how to implement 2FA and protect your account(s).

2FA setup

Keep in mind that multi-factor authentication does not replace the use of a strong password as described above. Combining the two creates authentication much stronger than the sum of its parts.

Synology Secure Sign-in combined with strong password rules makes authentication all but unbreakable.

Use Auto-Block and Account Protection

We have discussed account protection above. Focusing on Auto Block and limiting the number of failed login attempts per IP address can greatly reduce the amount of malicious traffic to a NAS.

Auto Lock

Note: This number should not be set too low, as this risks locking out valid users and admins.

Even a very high limit on the number of allowed login attempts will still prevent attackers from brute-forcing a password.
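To make the trade-off in the note above concrete, here is an added example (not code from the original post or from Synology) that replays constructed, sample login events through a simplified Auto Block rule: an IP is blocked once it reaches N failed logins within a time window, and IPs on an allow list are never blocked. The event data, the threshold values, and the rule semantics are assumptions for illustration; DSM's own implementation may differ in detail.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample events, not real DSM log lines: (timestamp, source IP, outcome).
# 198.51.100.20 is an admin who mistypes twice; 203.0.113.9 hammers the login form.
SAMPLE_EVENTS = [
    ("2024-10-01 08:00:00", "198.51.100.20", "fail"),
    ("2024-10-01 08:00:05", "198.51.100.20", "fail"),
    ("2024-10-01 08:00:12", "198.51.100.20", "success"),
] + [
    (f"2024-10-01 08:01:{s:02d}", "203.0.113.9", "fail") for s in range(11)
]


def simulate_auto_block(events, max_attempts, window_minutes, allow_list=()):
    """Return {ip: time_blocked} for every IP that reaches max_attempts
    failed logins within a sliding window of window_minutes.
    Only failures count; IPs in allow_list are exempt (assumed behaviour)."""
    window = timedelta(minutes=window_minutes)
    recent = {}   # ip -> deque of failure timestamps still inside the window
    blocked = {}
    for ts, ip, outcome in events:
        if ip in blocked or ip in allow_list or outcome != "fail":
            continue
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        failures = recent.setdefault(ip, deque())
        failures.append(t)
        # drop failures that have aged out of the window
        while failures and t - failures[0] > window:
            failures.popleft()
        if len(failures) >= max_attempts:
            blocked[ip] = t
    return blocked


def lockout_comparison(events, window_minutes=5):
    """Show the caveat from the text: a threshold of 2 locks out the admin who
    mistyped twice, while a threshold of 10 still stops the brute-forcer."""
    return {n: sorted(simulate_auto_block(events, n, window_minutes))
            for n in (2, 10)}


if __name__ == "__main__":
    for threshold, ips in lockout_comparison(SAMPLE_EVENTS).items():
        print(f"threshold={threshold}: blocked {ips}")
```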

Limit User Access

Most users do not need admin-level access to a shared NAS. At a minimum, granting universal admin access dramatically increases the probability of severe damage through user error.

In more severe cases, granting too much power to multiple users gives attackers multiple avenues through which they can gain control of the NAS. For business NAS, there is also the possibility of intentional damage from disgruntled employees. Only give users access to the data and tools that they really need.

With Synology NAS, this can be managed directly through the DSM, or through an Active Directory that the NAS has joined as shown below.

manage user permission on Active Directory and Synology

Here are two ways to implement User Access Control on Synology. Please see how to Manage User Permission on Synology with Active Directory [Part 1], and How to Configure Synology DS923+ NAS for File Sharing [Part 2].

Implement 3-2-1 backup

There is no real substitute for having a backup of essential data. Maintaining three copies of the data on at least two types of media, one of which is off-site, is the minimum required for a complete backup.

For home users dealing with relatively small volumes of data, this is easily achieved with a NAS, an external hard drive, and cloud storage such as C2 Storage.

For larger volumes of data, such as a business file server, Synology has several different ways of handling this sort of data protection. In this article, I have implemented the 3-2-1 rule using a Synology NAS, OOTBI and Wasabi, as shown below.

SOBR

Please see “Achieve 3-2-1 rule with SOBR on Synology or OOTBI and Wasabi“. Also, see A Review of MiniTool Partition Wizard – Disk Utility Tool.

Snapshot Replication

Snapshot Replication is the easiest way to recover after most common forms of ransomware. This package is used to make copies of the data via snapshots, giving a “restore point” for the system. You can choose to replicate to a remote location as well as shown below.

Snapshot replication
  • Implementing snapshot-based backups.
  • Using Synology’s built-in ransomware protection features.

I am currently working on this article. Therefore, when it is complete, I will share the link here. Stay Tuned!!!

In a business setting, most users are not admins of the NAS. But they do have access to network shares on the NAS.

If ransomware is installed on their machine, it will reach out to existing network shares and encrypt all data that the user has read/write access to. Because the attacker came into the NAS via a regular user account (and the admin has limited user access), the attacker does not have universal access, and the damage can easily be undone: the admin can simply roll the data on the NAS back to a snapshot taken before the ransomware infection occurred.

Offsite backups

Offsite backups are also vitally important; disasters such as fires or floods can destroy local storage and backup devices, leaving off-site backups as the only way to restore lost data.

c2 hybrid share
Back up your Synology NAS data to the cloud with Hyper Backup, or sync requested data between C2 Storage and branch offices using Hybrid Share

This is particularly important for large businesses, as ransomware attackers are known to target businesses affected by major natural disasters.

Offsite backups can be stored on a NAS at a secondary location (as long as it is geographically distinct from the on-site storage), but cloud backups such as Synology C2 Storage are becoming increasingly popular for enterprise-level deployments.

Please take a look at this link for more information.

C2 Storage
C2 Storage fees
As you can see, C2 Storage is relatively cost-effective

You could also leverage Wasabi, AWS, Azure or Google Cloud. Here is how to create a bucket on Wasabi.

Create wasabi bucket

Also ensure that object lock and versioning are enabled on the bucket.

Object lock and versioning

Enable HTTPS

When HTTPS is enabled, connecting to DSM, Web Station, Photo Station, File Station, Audio Station, and Surveillance Station will be encrypted using SSL/TLS. This makes the connection to the Synology NAS secure.

To do this, navigate to Control Panel > Network > Connectivity, check Enable HTTP/2, then click Apply.

Enable HTTPS

For business users that are regularly accessing the NAS from outside the network via QuickConnect or DDNS, this is an important step to protect against attack.

You can also decide to enable “Spectre and Meltdown protection” and other settings as you wish, as shown in the image below.

Enable HTTP compression, and Spectre and Meltdown protection

You may want to learn How to create a Tailscale VPN connection to Synology NAS, and How to integrate ObjectFirst OOTBI Appliance with VBR.

However, it is worth noting that this step does not increase the security of connections that originate within the network. Many browsers may show a warning when connecting to the NAS in this way.

Enable DoS protection

We have already added an image of this step above. Most NAS users are familiar with Denial of Service (DoS) as a method of attacking a website, in which the attacker floods a server with internet traffic to prevent users from accessing the site.

However, any server that is connected to the internet can be targeted with this type of attack, not only those which are used to host a publicly-accessible website.

Enabling protection against this type of attack reduces the amount of traffic allowed to come to the NAS, leaving the NAS less vulnerable as shown below.

Enable DoS protection

After enabling DoS protections, the Synology NAS will respond to only one ICMP ping packet per second. If the frequency is higher than once per second, the NAS will not respond to the echo request.

Change default management ports

Much like the default admin user, attackers know the default ports that Synology uses for its applications. Learning this information is as simple as opening the control panel for any new Synology NAS.

Note: Changing these ports reduces the number of attackers who may notice the NAS is set up for remote access.

To change the default HTTP/HTTPS ports, navigate to Control Panel > Login Portal > DSM.

DSM Default Ports

Consider WORM (Write Once Read Many)

WORM (Write Once Read Many) is a catch-all term for types of storage that are written once, but can then be read many times. The most familiar example is a CD, which is “burned” once and then played many times.

Modern IT managers will also be familiar with the term “immutable” as it relates to storage and backups. Immutable data is data that cannot be deleted or altered, even by admins.

Synology offers two “modes” of WORM data.

  • If a shared folder is set to “Enterprise” mode, individual files cannot be altered or deleted by users or admins. But it is possible for an admin to delete the entire folder.
  • In “Compliance” mode, both users and admins are prohibited from altering or deleting the files or folder; the folder and files are permanent and immutable unless the admin established a retention period as part of creating the folder.

There are several reasons for offering two “tiers” of WORM storage. For data that is absolutely essential, which the NAS user cannot afford to lose, the true WORM offered by Compliance Mode is critical.

However, it must be stressed that data stored in Compliance Mode cannot be deleted, even by an admin, and even if it is causing problems with the system.

For this reason, Enterprise Mode is a good alternative when the data is less critical and the admin is very certain of the security of their own account. Please see this image below on how to enable WORM when creating a shared folder via the Control Panel.

WORM (Write Once Read Many)

Storage allocated to WORM data must be closely monitored to avoid accidentally running out of space in the system, particularly if the WORM data is set up to be generated and stored automatically (as in the case of scheduled immutable snapshots).

If this type of storage is improperly configured, it is possible to swiftly render a NAS unusable, with the only solutions being to either wait out the retention period or carry out a full wipe and reset of the device.

Enable Firewall

You can create Synology firewall rules on your DSM to allow or deny access to certain network ports from specific IP addresses, thereby preventing unauthorized logins and controlling service access.

Enable Firewall on Synology
In the Firewall Profile section, click the corresponding buttons in the drop-down menu to create, delete, rename, or clone the selected profile.

Note: You can create firewall rules under different firewall profiles so that you can quickly switch to and apply the desired profile depending on your security requirements. To do this, navigate to Control Panel > Security > Firewall and turn on the firewall.

Create firewall
Note: If you want to connect your Synology NAS to the Internet via PPPoE, you must configure the related firewall rules on the corresponding PPPoE interface.

Note: When creating firewall rules, you must sign in to your DSM via an IP address that you want the firewall rules to allow. Do not sign in via QuickConnect.
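The lockout risk in the note above can be checked before a profile is applied. The following is an added example, not code from the original post or from Synology: it models a firewall profile as an ordered list of allow/deny rules (first match wins, with a default action when nothing matches) and refuses to apply any profile that would deny the admin's own source IP on the DSM port. The profile, IP addresses, ports and rule format are constructed assumptions for illustration.

```python
import ipaddress

# Constructed example profile, not a DSM export. Rules are evaluated top to
# bottom and the first match wins; "default" applies when no rule matches.
EXAMPLE_PROFILE = {
    "default": "deny",
    "rules": [
        {"action": "allow", "source": "192.168.10.0/24", "ports": [5001, 445]},
        {"action": "deny",  "source": "0.0.0.0/0",       "ports": [22, 23]},
        {"action": "allow", "source": "203.0.113.50/32", "ports": [5001]},
    ],
}


def evaluate(profile, src_ip, port):
    """Return 'allow' or 'deny' for one connection under the profile."""
    ip = ipaddress.ip_address(src_ip)
    for rule in profile["rules"]:
        if ip in ipaddress.ip_network(rule["source"]) and port in rule["ports"]:
            return rule["action"]
    return profile["default"]


def safe_to_apply(profile, admin_ip, dsm_port):
    """True only if the admin session applying the profile would still be
    allowed to reach DSM afterwards (the lockout check the note warns about)."""
    return evaluate(profile, admin_ip, dsm_port) == "allow"


def apply_profile(profile, admin_ip, dsm_port):
    """Refuse to activate a profile that would cut off the admin applying it.
    Returns a short status string instead of touching any real device."""
    if not safe_to_apply(profile, admin_ip, dsm_port):
        return f"refused: {admin_ip}:{dsm_port} would be denied by this profile"
    return "applied"


if __name__ == "__main__":
    print(apply_profile(EXAMPLE_PROFILE, "192.168.10.5", 5001))   # applied
    print(apply_profile(EXAMPLE_PROFILE, "198.51.100.7", 5001))   # refused
```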

Synology NAS Monitoring

Performing Synology NAS monitoring is crucial for ensuring the security, performance, and reliability of your data storage system. Here are key reasons to actively monitor your Synology NAS.

Please see Docker Setup: Monitoring Synology with Prometheus and Grafana, and How to configure Synology Active Insights. Monitoring helps track CPU, memory, and storage usage to ensure optimal performance. If resources are being strained, you can scale accordingly. Below are some images on monitoring Synology resources.

synology dashboard
cpu-ram

Note: Use the Resource Monitor to monitor CPU, memory, disk and network throughput usage. You can monitor in real time or view recorded data.

You could leverage Synology Active Insight which is a cloud-based monitoring and management solution designed for Synology NAS devices. It provides real-time insights into the health, performance, and security of multiple NAS units, helping administrators manage and maintain their systems more effectively.

Active Insights Overview

Lastly, educate users on phishing and suspicious links that could lead to ransomware. These tips can benefit any user of a Synology NAS, but may require more time and technical skill to implement.

I hope you found this article very useful on “Cybersecurity Tips to Secure Synology NAS against Ransomware”. Please feel free to leave a comment below.

The post Cybersecurity Tips to Secure Synology NAS against Ransomware appeared first on TechDirectArchive.
