QNAP NAS Security Guide

This guide offers detailed insights into the security settings and protection mechanisms of QNAP NAS, helping you strengthen network defenses and protect your data.

Download Security Guide

Secure network architecture and settings

1. Connect NAS correctly

You should never directly connect the network port of the NAS to the Internet. Ensure that your NAS is connected to the router first, and then connect to the modem provided by your Internet Service Provider (ISP). With correct settings, the router can block malicious traffic from the Internet and reduce the risk of cyberattacks.

Correct connection - NAS connect to the router first

Wrong connection - NAS connect to Modem directly

2. Configure the router correctly

Log into the router or ask your ISP to help you check and disable the following settings:

Disable UPnP
Disable DMZ

(Demilitarized Zone)
Disable Port Forwarding

How to secure remote access to your NAS with Port Forwarding is disabled? QNAP provides QVPN and myQNAPcloud Link that enables secure remote access to your NAS.

Learn more:
Don’t connect NAS directly to the Internet without any protection >
How to set up myQNAPcloud to remotely access a QNAP NAS? >
How to set up a VPN server on QNAP NAS behind the router? >

How to check whether you are exposed to the Internet?
We recommend installing and using Security Center or IP address query tools to check whether your devices are exposed to the internet

4 methods to secure remote access to NAS

Connection Method	Advantages	Disadvantages	Suitable Users
Enable and configure the router DMZ/Port Forwarding of UPnP	Fastest connection	Vulnerable to cyber attacks No defense against 0-Day vulnerability attacks	Have a clear understanding of the associated risks Familiar with network settings Have created multiple backups for important data Have a disaster recovery plan
Enable VPN server on the router	Relatively simple to set up	No login failure notification, auto-blocking, and firewall function Fewer VPN protocols supported Performance limited by router hardware	Not familiar with network settings Not care about transmission speed
Enable VPN server function on QNAP NAS	Supports multiple VPN protocols Compatible with NAS firewall (QuFirewall) Supports login failure notification and autoblocking	Settings are slightly more complicated	Familiar with network settings Need to frequently access many files from the Internet
Use myQNAPcloud Link secure connection	Easiest to set up Support access control NAS does not need to be exposed to the Internet	Slower connection	Not familiar with network settings Infrequently access the NAS from the Internet Network environment where WAN IP address cannot be obtained
Use SD-WAN or Siteto-Site VPN products	Once set up, intranet users can use it without feeling any difference Also supports Client-toSite VPN	Additional equipment required	Requires multi-point access and remote backup Requires value-added applications

3. Enable automatic updates

QNAP frequent security updates firmware and software. Enabling automatic updates ensures that you have the latest features, bug fixes and vulnerabilities.

From the Inside Out: Multi-Layered Security

QNAP offers comprehensive NAS connection protection and disaster recovery plans, combined with system security assessments and internal network threat analysis, to create a layered cybersecurity management system.

Read the Blog: Building a multi-layered cybersecurity defense system for buesiness

Strengthen system account security

1. Disable the default administrator account "admin"

Hackers who use brute force password cracking generally target “admin” (the default administrator account). It is strongly recommended to deactivate “admin” and create a new administrator account.

Learn more: How to disable the admin user account

Models with built-in QTS 5.0.1 / QuTS hero h5.0.1 (or later), "admin" is deactivated by default.

2. Enable access protection (IP / Account)

"IP Access Protection" and "Account Access Protection" can assist in preventing passwords from being cracked by brute force. When a specific IP or account fails to log in too many times, it will trigger IP blocking or account deactivation, preventing attackers from repeatedly trying passwords.

3. Enable multi-factor authentication

It is strongly recommended to enable secure login methods such as passwordless login and 2-Step Verification for adding an extra layer of data security.

Learn more: Secured login and multi-factor authentication

4. Disable Telnet / SSH

Unless you are using them, it is strongly recommended to disable Telnet and SSH. These two functions are generally used by QNAP customer service or professional IT personnel to maintain the system. General users should not need them, so it is recommended to disable them

Enable scheduled snapshots

Snapshots can protect your important data by creating multi-version restore points. When ransomware strikes, your data can be recovered from a snapshot. It is strongly recommended to enable scheduled snapshots and set a snapshot deletion policy to ensure adequate data security and storage utilization.

Learn more: What are Snapshots ?, Snapshot Replica – backup your snapshots, Real-time SnapSync (*Only available in QuTS hero )

Open "Storage & Snapshots", click "Volume", and open "Snapshot Manager" in the menu.

Click "Schedule Snapshot". It is recommended to schedule your snapshot by "Daily" or "Weekly".

You can set a snapshot retention policy to limit the number of snapshots and prevent snapshots from taking up too much space. It is recommended to set "Smart Versioning".

Ensure that "Storage Space" is a "Storage Pool" structure and that the "Storage Pool" has enough free space to take snapshots. QNAP recommends users activate smart snapshot space management and use thin volumes for snapshots to ensure there is enough storage space for the NAS to function properly.

Security Center - Your security portal for QNAP NAS

Security Center proactively analyzes and monitors NAS status, unusual file activity, potential security threats, and offers instant protective measures to safeguard your system and data. It also integrates anti-virus and anti-malware software to ensure the complete protection of your QNAP NAS.

Open “Security Center”, select security policy level that fits your needs, and click “Scan Now”.

If the scan results revel any security risks, you can click the "Suggested Settings Assistant" to help you adjust the settings.

"Scan Schedule" is recommended to be set to at least once a month, so the system can regularly check the settings and system status. If a risk is detected and the Notification Center is set up correctly, you will receive a notification so that it can be handled as soon as possible.

“Unusual File Activity Monitoring” allows you to easily track the average count of unusual and modified files on the NAS during a specific period.

QuFirewall: Built-in firewall for QNAP appliances

QuFirewall blocks packets that are suspected to be sent by Tor (an anonymous communication connection) to prevent your NAS from being attacked. It also detects suspicious onion routing and malicious bots, and dynamically updates the block list of malicious packets, ensuring the security of your QNAP devices.

If your network has no special needs, it is recommended to select "Basic Protection", and then click "Next" to continue.

Set a region according to your location. You can add more regions later.

Go to the QuFirewall Profiles page and you will see that "Basic protection" is enabled. Click "Basic protection" to expand and view the corresponding firewall rules. The rules are checked against the information in the incoming packets, which are allowed to pass or be blocked according to the firewall rules.

Malware Remover

Malware Remover regularly scans your NAS using the latest malware definitions. When detected, infected files will be immediately removed to ensure NAS data security. It receives regular cloud-based malware definition updates to strengthen your data security.

Open "Malware Remover", the status of the last scan is displayed, click "Settings" on the left.

"Scan Schedule" is recommended to be set to once a day, so that "Malware Remover" regularly checks the system status. Also make sure that the "Automatically update Malware Remover to the latest version" remains checked.

Set up system notifications

Notification Center centralizes all system notifications and can push notifications to devices based on your settings to keep you up to date with your NAS status.

Open "Notification Center", click "Service Account and Device Pairing" on the left side menu, select "Email", and then click "Add SMTP Service".

Select an email account, click "Add Account", follow the instructions to complete the verification process.

On the left side menu of "Notification Center", click "System Notification Rules", select "Alert Notifications", and click "Create Rule".

Modify the "Rule Name" according to your needs, check the two severity levels of "Warning" and "Error", and click "Next" to complete.

Subscribe QNAP eNews to receive the latest product security news

Subscribe now A Deep-Dive into Security Advisory Security Bounty Program

FAQ

Is it more secure to disconnect the NAS from the Internet?

No. NAS "disconnection" generally refers to cutting off NAS from the network so that it cannot initiate connections to the outside world. Although some malware requires an external connection to execute, there are still malware that can successfully perform malicious actions without an external connection. Therefore, not only will it fail to prevent hackers from performing illegal actions, it will also prevent some system functions from functioning properly, such as automatic software updates and notifications. The correct approach is to limit the traffic to the NAS, such as avoiding exposure to the Internet, to improve security.

My hard disk is configured with RAID, does it mean that I don't need backup?

No. RAID is not a backup method . RAID levels above 0 are only intended to provide redundancy against disk failure. RAID provides no protection against data deletion or encryption. Therefore, it is recommended to properly back up data according to the 3-2-1 backup principle.

I have already set up "snapshots", does it mean that I don't need backup?

No. Because "snapshots" are stored on the same set of hard drives as your data, data will still be lost if there is a RAID failure. In addition, if hackers can obtain sufficient privileges (such as successfully cracking the administrator account), the "snapshot" may also be deleted. Therefore, it is recommended to properly backup the snapshot files according to the 3-2-1 backup principle.

My NAS is not exposed to the Internet, does it mean that it is impossible to be attacked?

No. Although most cyber attacks come from the Internet, the NAS is still at risk of being attacked on the intranet. For example, if another computer or device on your intranet is hacked or affected by malware, it may be used to attack and spread to other devices on the intranet. Installing antivirus software and deploying network security products on your computer can help you deal with related threats. For example, QNAP ADRA NDR can detect suspicious intranet activities and automatically isolate them. At the same time, it is also recommended to properly back up data according to the 3-2-1 backup principle.

My NAS has been in use for a long time, how do I check if there is malware installed?

If you notice that the processor load is abnormally high, experience software update failures, or if there are unknown apps in the App Center, it is possible that a malicious program has been installed. It is recommended to install and use the latest version of Malware Remover. If you still cannot solve the issue, contact the QNAP technical support team for assistance.

If it is necessary for me to open some services to the Internet, what should I do to ensure security?

Please make sure that the NAS has the latest version of firmware and apps installed. You can enable QuFirewall to provide basic firewall protection, and the "PSIRT" and "TOR" rules can help you block some hackers' connections. If you are a business or enterprise user, it is recommended to use a higher-level firewall solution. In addition, if storage pool space permits, you can create "snapshots" for basic data protection. It is also recommended to properly back up data according to the 3-2-1 backup principle to prepare for the worst-case scenario and prevent potential data loss.

My NAS is old and does not support the latest version of QTS, can it still be used safely?

Legacy and End of Life (EOL) models have limited support and should only be used for intranet/offline backup.

Why do I keep getting a NAS login failure warning?

If the IP address of the failed login comes from the Internet, it means that your NAS is under brute force password cracking attack. You should avoid exposing your NAS to the Internet, and follow this tutorial to strengthen your NAS. If the IP address of the failed login is from the intranet, please check whether the device with that IP address has malware installed.

Why do all my files have strange filenames?

This is a symptom of a ransomware infection. Check the NAS access logs to determine whether the encryption action is from another computer or the NAS itself. If your NAS has been affected by ransomware, then you should take adequate steps to stop the spread of the infection. If necessary, contact the QNAP technical support team for assistance.

What should I do if my NAS is infected with ransomware?

Most ransomware uses unbreakable encryption methods. If there is no correct key, the files cannot be unlocked, so the files can only be restored by backup or snapshot.
Modify the router settings according to this tutorial immediately to avoid exposing the NAS to the Internet and to prevent secondary attacks. Secondly, you should immediately suspend all synchronization tasks and set snapshots to be permanently retained to avoid losing backup files. If your data has backups or snapshots that you can restore, you can restore the files after updating the NAS firmware and apps and after completing the Malware Remover scan. If the data is not backed up, please back up the ransom note left by the ransomware and the method of paying the ransom, and then try to use methods such as data recovery to recover some data. If necessary, contact the QNAP technical support team for assistance.

I keep seeing media reports of QNAP patching product vulnerabilities. Does this mean that QNAP products are not secure?

There is no perfect software and hardware in the world. Whether it is proprietary software developed by various manufacturers or open-source software, or even hardware, vulnerabilities are always found and then patched by manufacturers. Like other major technology companies, QNAP continues to patch known vulnerabilities, and then releases update files for users to update as soon as possible to ensure the security of users' devices and data. QNAP PSIRT also issue cybersecurity notifications for external disclosure, so that users can act against issues that arise.
QNAP believes that dealing with vulnerabilities in an open and transparent manner can protect users' right to know and help improve product safety. Users are also invited to subscribe to the QNAP Security Advisories to obtain relevant, accurate and complete information before media reports.

What is the 3-2-1 backup principle?

The 3-2-1 backup principle is a well-known backup principle in the IT industry. It prepares for the worst-case scenario. It ensures that in the event of a disaster, there are backup files to restore data to avoid losses and ensure safety.
"3" in Backup 3-2-1 means at least three backup copies; "2" means at least two storage media; and "1" means at least one copy is an Offsite Backup. Based on the 3-2-1 backup principle, there will be backup files that can be restored regardless of accidental modification, deletion, hardware damage, virus infection, and disasters such as fires and floods.
To satisfy this principle, QNAP NAS includes Hybrid Backup Sync 3 (HBS3), Snapshot Replica, and SnapSync (supported by QuTS hero only) to back up data on the NAS to an offsite NAS, public cloud, external storage, other file servers, and/or other devices to ensure that nothing is lost.

Storage

Networking

Expansion Accessories

Surveillance

NAS