This post will explain all about Synology NAS security — you’ll know when to worry and when not to — and walk you through the steps of securing your server’s data against hacking attempts and accidental or malicious deletion/alteration.
The gist of it: get yourself a Synology NAS server, keep the user accounts (especially the admin ones) safe, and have a way to roll files or folders back to a previous state.
If you’re thinking, “Big whoop! I already have backups!” well, first of all, good for you! Keep doing that backup practice. But also know that regular backups might not be enough. This is especially true in a ransomware attack where connected backups are also compromised.
(If you don’t know what ransomware is, you’re both lucky and reckless at the same time — it’s evil. Take my word for it.)
When you’re through, you’ll have that sense of certainty in data security, (almost) no matter what situation you’ll get yourself in.
Dong’s note: I first published this post on July 26, 2019, on server security and upgraded it on August 11, 2021, to add ransomware protection and other relevant information available in DSM 7. Also, this is not a sponsored post.
(Data) security: It’s a matter of degrees, not absolutes
Before we continue, though, let’s get on the same page on the security concept as a whole. This is always a matter of degrees.
For example, generally, we are safe once we’re inside our little home and lock the doors. But if you’re a VIP — like the late president of Haiti or those working for the U.S. Congress on January 6 — even the tight security details might not be enough.
That said, what I’ll mention in this post will keep general users’ data safe, both at home and office — I can almost promise that.
But if you have super important information that’s so valuable to powerful parties, count this out. You need to seek professional data security consultation elsewhere.
Now you catch my drift.
With the idea of absolute security out of the way, let’s find out what we can do to keep our data secure.
Data, security, and why Synology NAS servers
There are two things about keeping your data safe: You need to keep the server itself secure and the data it stores intact.
And in this case, I mean a Synology NAS server. That’s because, after almost two decades of trying out virtually all NAS brands, my conclusion is no one beats Synology on this front.
Nothing is perfect, but a Synology NAS server is an excellent tool to handle home or small business data security. Within reasonable costs and needs, it’s as good as can be. So invest in one if you haven’t.
Understanding server and security: How to keep your NAS safe
On August 4, 2021, Synology put out a bulletin to keep users informed about its investigation into a ransomware campaign targeting its servers. This was almost a matter of routine since it happens once in a while.
Still, almost immediately after, the Internet was flooded with “security articles” full of dire language — there are always those in the media waiting to cash in on the public’s attention. And we tend to give a lot of attention when we’re scared.
So don’t be! Most of them are just sensationalization. I’ll explain.
First of all, it would be best to assume that when a device is hooked to the Internet, it’s under constant threats — some parties are always trying to hack into it.
This is even more true for servers since they are designed to stay on, at the same place, and connected at all times.
And you want your NAS server to be on and connected at all times. Sure, you can turn it off, but that’d defeat many of its purposes.
That said, all servers are targeted at all times, or at least you should always assume that's the case. What varies is the intensity of the attempts, and intensity alone doesn't make a server more vulnerable to being hacked.
So what’s hacking anyway?
That is when an unauthorized party (or parties) manages to take control of your server, fully or partially, to do bad deeds: steal your information, destroy it, mess around to make life miserable for you, or whatnot.
In the case of ransomware, the purpose is clear: they want to extract money from you.
However, just because one or many parties want to hack your device doesn’t mean they can. The majority of the time, these attempts fail. No harm is done.
You can think of your server as your house — there’s no hiding it from the surface of the earth, and you can’t stop folks from coming to its front, looking at it from afar, or even walking around it to check for unlocked doors, and so on.
Or you can think of your server as your car parked on the street. You can’t prevent somebody from approaching, looking inside, and even pulling the door handle to see if it’s locked.
(Real-world experience: on a good day, my servers got their ports scanned — a practice similar to having your car’s door handle pulled to see if it’s unlocked — thousands of times.)
In fact, we assume all of the above, which is why we have locks on doors in the first place. The concept of doors and locks has been there for ages, which says a lot about us as a species.
So these “target hacking attempts” are like having people looking or checking on your doors. If your doors are locked securely, and there are no holes on the walls, your house is safe no matter how many people are doing this and how intense they are at it.
(Clearly, you can take this server-as-your-home-or-your-car analogy only so far. Folks can literally break into your property in real life. On the Internet, there's no way for any party to smash the actual server hardware remotely; it's a different type of "break-in.")
I don’t mean to downplay the severity of online threats. But we need to know what can be and cannot be done to our server. And then how to keep it from being compromised.
The point is that just because there are many threats doesn't mean they are all credible. And you should keep your server secure whether or not there are credible threats at any given moment.
Synology NAS Security: How to keep your server safe
There are two ways a third party can break into your server: via a security vulnerability (a flaw in the server's software, which the attacker abuses with a piece of code called an exploit) or via an existing, legitimate user account.
(The former is like a hole in your house wall, and the latter is like getting through the door with a duplicate key or a leaked lock combination.)
We have to deal with each differently.
How to secure a server that has a known vulnerability
Unfortunately, there's not much you can do when a server has a known vulnerability other than installing the security update that fixes it, as soon as it's available.
With a Synology server, you can set the update to happen automatically on a schedule.
If there's a known vulnerability and there's no security patch yet, then you need to do one of the following:
- Turn your server off or take it offline (don't connect it to the Internet) until the security patch is available. Sometimes there are other things you can do in the meantime, like turning off the affected service, similar to the recent case of the Print Spooler in Windows. Or:
- Get a new server.
(By the way, this happened recently with WD My Book Live. This is when getting a new server is a must — again, go with a Synology!)
Secure a server by keeping user accounts safe
With no known vulnerabilities, you can totally keep your server safe via proper user account management.
Generally, in this case, hackers can only get in through a legitimate account, most often via brute-force attacks: they keep guessing usernames and passwords until they get a combination that works. (The other route is reusing a password of yours that leaked from some other site, which is why a NAS password should never be shared with another service.)
(Obviously, this is with the assumption that you don’t give out your account’s information — don’t! Always keep your username and password secure and private. Hint: Don’t hang your house key on the doorknob!)
So brute force attacks are like trying many keys on a lock, one by one, until one fits.
Unlike lock picking, though, hackers can use software to try hundreds, if not thousands, of combinations per second. They can quickly run through an entire dictionary of common passwords during an attack.
The good news is it’s relatively easy to fight against this type of break-in attempt. You only need to have a good user account policy and an effective mechanism to auto-block the “guessing.”
Synology NAS security: Creating secure user accounts
Here are what you should do with the user accounts:
- Disable the default admin account. It's a known account: hackers already know the username is "admin" (or "administrator"), so they only need to figure out the password. Disabling it forces them to guess both halves of the login. (Recent DSM versions disable this account automatically when you create your own administrator account during setup; confirm under Control Panel > User & Group.)
- Use multiple (random) words for a username. For example, instead of "Dong" use "Dong Ngo" or "Dong Knows". Basically, you want to avoid common first names and obvious handles.
- Use a hard-to-guess password, ideally a long passphrase of several unrelated words, or one generated and stored by a password manager. Swapping a letter for a look-alike digit, as in "MyName1sD0ng", helps less than it seems: those substitutions are part of every password-cracking rule set, so a password built from your name plus a few substitutions is still among the first guesses.
- Use 2-factor authentication (2FA), which DSM supports (DSM 7's Secure SignIn makes it more convenient). At a minimum, turn it on for every account with administrator rights; DSM 7 can enforce it for the administrators group under Control Panel > Security > Account.
(By the way, the 2FA implemented by Synology is quite convenient to use. You can handle that via a single tap on the phone and save a device to a safe list so that you won’t need to use the phone subsequently.)
With a strong password and 2FA enabled, an account is very hard to break into. But there's more you can do.
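To make the point about look-alike substitutions concrete, here is an added example (not code from the original post) that expands a base phrase with the kind of "leet" swaps a cracking rule set applies and counts how many candidates that produces. The substitution table is a constructed subset for illustration; the 7776-word list size is the Diceware convention, and the 100,000 base phrases figure is an assumed size for an attacker's list of names and handles.

```python
"""Why 'MyName1sD0ng' is weaker than it looks: enumerate the leet variants a
cracking rule set derives from a base phrase, and compare that candidate
space with a random multi-word passphrase."""
import itertools

# Constructed subset of substitutions found in common cracking rule sets
# (assumption for this example; real rule sets are far larger).
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$"}


def leet_variants(base):
    """Yield every string obtained by optionally replacing each eligible
    character of base with one of its substitutes; case is preserved."""
    options = [(ch,) + tuple(LEET.get(ch.lower(), "")) for ch in base]
    for combo in itertools.product(*options):
        yield "".join(combo)


def variant_count(base):
    """How many candidates the rule set derives from a single base phrase."""
    return sum(1 for _ in leet_variants(base))


def guesses_until_found(base, target):
    """1-based position of target in the attacker's candidate stream for this
    base phrase, or None if the rule set never produces it."""
    for n, candidate in enumerate(leet_variants(base), 1):
        if candidate == target:
            return n
    return None


def leet_keyspace(base_phrases, variants_per_phrase):
    """Candidates an attacker tries: a list of names/handles times the variants."""
    return base_phrases * variants_per_phrase


def passphrase_keyspace(words, wordlist_size=7776):
    """Candidates for a passphrase of random words from a Diceware-size list."""
    return wordlist_size ** words


if __name__ == "__main__":
    base, target = "MyNameIsDong", "MyName1sD0ng"
    n = variant_count(base)
    print(f"{base!r} expands to {n} variants; {target!r} is guess #{guesses_until_found(base, target)}")
    print("names x leet variants:", leet_keyspace(100_000, n))
    print("4 random words        :", passphrase_keyspace(4))
```

With the constructed table, "MyNameIsDong" yields only 108 variants and the recommended "MyName1sD0ng" is the eighth of them, so an attacker who already has your name in a list of a hundred thousand candidates needs about ten million guesses in total; four random words from a 7776-word list give a keyspace a hundred million times larger. Online guessing against DSM is further throttled by Auto Block, but a NAS password reused on a site that later leaks its hashes gets cracked offline at billions of guesses per second, where only the keyspace matters.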
Synology NAS security: Deterring hacking attempts
Auto-blocking is an excellent way to fight against brute force attacks. It stops the guessing after a certain number of tries.
You can choose to block an IP address or disable an account when the login party reaches a pre-determined max number of guesses.
How to enable Auto IP blocking on a Synology NAS server
- Log in to the server’s interface, open Control Panel
- Go to Security and then Protection tab
- Under Auto Block, check the box that reads Enable auto block
- Specify the parameters. Fewer allowed attempts within a longer window mean better protection. For example, 10 attempts within 5 minutes is more than enough to stop a fast brute-force attack, but 5 attempts within 10 minutes also catches a "low and slow" attacker who spaces out the guesses, and is many times safer.
- Check Enable block expiration and give it a value if need be. If you don't, a blocked IP stays blocked until you manually unblock it. Generally you should allow expiration if remote parties use the server, and add your own fixed addresses to the Allow/Block List so you can't lock yourself out.
How to enable Auto Account Protection on a Synology NAS server
Account Protection will automatically temporarily lock out an account if the username is used with a wrong password for a specified number of times.
By the way, this is why you shouldn't use an easy-to-guess username as mentioned above: your account might get locked out constantly. The flip side is that anyone who knows a username can deliberately lock that account for a while, which is one more reason the default "admin" should be disabled.
- Log in to the server’s interface, open Control Panel
- Go to Security and then Account tab
- Under Account Protection, check the box that reads Enable Account Protection
- Specify the parameters, similar to the case of IP blocking above.
- You definitely want to specify a time to Cancel Account Protection in this case. If not, you risk locking your own account permanently.
You can set up different Account Protection settings for untrusted clients (any clients) or trusted clients (you have to specify these manually.) It’s OK to assume all clients to be the former.
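The two procedures above (Auto Block per source IP, Account Protection per username) are both sliding-window counters. The following is an added example, not Synology's code and not real DSM log output, that models both and replays constructed log lines through them. The log format, the 203.0.113.0/24 and 198.51.100.0/24 documentation addresses and the usernames are all invented for the example; the policies are the "10 in 5" and "5 in 10" settings discussed above, plus a tighter account-protection setting to show it catching what the IP block misses.

```python
"""Replay constructed login log lines through sliding-window lockouts modelled
on DSM's Auto Block (per source IP) and Account Protection (per username)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, not real DSM log output: a "low and slow" guesser at
# 203.0.113.7 fails against "admin" once every 90 seconds for 18 minutes,
# while a legitimate user at 198.51.100.2 mistypes twice and then logs in.
SAMPLE_LOG = "\n".join(
    [f"2021-08-11 10:{(i * 90) // 60:02d}:{(i * 90) % 60:02d} FAIL ip=203.0.113.7 user=admin"
     for i in range(12)]
    + [
        "2021-08-11 10:01:00 FAIL ip=198.51.100.2 user=dongknows",
        "2021-08-11 10:01:10 FAIL ip=198.51.100.2 user=dongknows",
        "2021-08-11 10:01:20 OK ip=198.51.100.2 user=dongknows",
    ]
)
LINE_RE = re.compile(r"^(\S+ \S+) (OK|FAIL) ip=(\S+) user=(\S+)$")


def parse_line(line):
    """-> (timestamp, succeeded, source ip, username)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised line: {line!r}")
    return (datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
            m.group(2) == "OK", m.group(3), m.group(4))


class SlidingWindowLockout:
    """Lock a key (IP or username) after max_attempts failures inside a rolling
    window. expiration_minutes=None mimics leaving 'Enable block expiration'
    unchecked: the key stays locked until an admin clears it by hand."""

    def __init__(self, max_attempts, window_minutes, expiration_minutes=None):
        self.max_attempts = max_attempts
        self.window = timedelta(minutes=window_minutes)
        self.expiration = (None if expiration_minutes is None
                           else timedelta(minutes=expiration_minutes))
        self.failures = defaultdict(deque)   # key -> timestamps of recent failures
        self.locked_until = {}               # key -> datetime, or None for 'forever'

    def is_locked(self, key, now):
        if key not in self.locked_until:
            return False
        until = self.locked_until[key]
        if until is None or now < until:
            return True
        del self.locked_until[key]           # expired: start counting afresh
        self.failures[key].clear()
        return False

    def record_failure(self, key, now):
        """Return True when this failure trips the lock."""
        recent = self.failures[key]
        recent.append(now)
        while now - recent[0] >= self.window:   # forget failures older than the window
            recent.popleft()
        if len(recent) >= self.max_attempts:
            self.locked_until[key] = None if self.expiration is None else now + self.expiration
            return True
        return False


def replay(log_text, ip_policy, account_policy):
    """Policies are (max_attempts, window_minutes, expiration_minutes).
    Returns how many attempts reached password checking vs. were dropped,
    plus when each IP was blocked and each account locked (ISO timestamps)."""
    ip_block = SlidingWindowLockout(*ip_policy)
    acct_lock = SlidingWindowLockout(*account_policy)
    events = sorted(parse_line(line) for line in log_text.splitlines() if line.strip())
    stats = {"reached_auth": 0, "dropped": 0, "blocked_ips": {}, "locked_accounts": {}}
    for ts, ok, ip, user in events:
        if ip_block.is_locked(ip, ts) or acct_lock.is_locked(user, ts):
            stats["dropped"] += 1            # rejected before the password is even checked
            continue
        stats["reached_auth"] += 1
        if ok:
            continue
        if ip_block.record_failure(ip, ts):
            stats["blocked_ips"][ip] = ts.isoformat()
        if acct_lock.record_failure(user, ts):
            stats["locked_accounts"][user] = ts.isoformat()
    return stats


if __name__ == "__main__":
    for name, policy in [("10 tries / 5 min", (10, 5, 30)), ("5 tries / 10 min", (5, 10, 30))]:
        print(name, replay(SAMPLE_LOG, policy, (10, 5, 30)))
```

Replaying the sample shows the difference the window makes: at one guess every 90 seconds the attacker never accumulates 10 failures in any 5-minute span and all 12 guesses reach the password check, whereas 5 in 10 minutes blocks the address at the fifth guess (10:06) and the remaining seven are dropped without being checked. The legitimate user's two typos never come close to either threshold. A tighter Account Protection setting (3 in 5 minutes) locks "admin" at 10:03 even when the IP policy is lenient, which is exactly the lock an attacker can also trigger on purpose against a known username.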
On top of that, a Synology has more security settings you can try, though they're not necessary. You should also run the Security Advisor app and follow its suggestions on High and Severe issues.
And that’s it. Your server is now safe. It’s good to keep a balance between security and usability. This is like if you board your house up, it sure is more secure, but then you can hardly enjoy it.
Again, security is a matter of degrees.
Understanding server and data: How to keep your information intact
Keeping your server itself safe from unauthorized access is great but not enough for your data integrity.
Sometimes, bad things come from parties that have legit access to the server’s data. For example, if a network computer has ransomware, shared folders on your server are susceptible, too.
(By the way, as a rule, you shouldn’t use an admin-level account for daily tasks. Use non-admin accounts for regular users. You should use the admin account only to manage the server itself.)
This part will help you address this scenario by having some contingency plans.
Managing data on a server
You can do a lot of things with a NAS server. But no matter what type of applications you use, there are generally two scenarios in terms of data storage:
- You’re accessing data stored directly on the server. This applies to shared folders, streaming content, databases, a website, and so on. This is when the live, or production, version of your data is on the server. Or:
- You store a copy of your data on the server. This applies to when you use the server to sync data between devices or as the backup destination. This is when you have the live or production version of data elsewhere.
Either case has pros and cons — and sometimes you must use one or the other — but both are susceptible to malicious and accidental data alteration and deletion.
Yes, apart from malicious cases like ransomware, accidents happen, too.
For example, you might inadvertently edit a document and save the changes, then close it. Getting that document back to the state before you made the changes can be tough, if possible at all. This is especially true when you access the document directly from the server.
And this brings us to a valuable feature of Synology NAS servers, the Snapshot.
Synology NAS security: How to use Snapshot to fight ransomware or accidental data alteration
Available on all Synology servers that support the Btrfs file system (most current models do), Snapshot is part of an add-on package called Snapshot Replication.
The Replication part is useful — it replicates a shared folder to another volume or supported NAS server. However, Snapshot is by far the best tool to keep data safe.
Similar to Shadow Copy in Windows, Snapshot, when turned on, automatically creates a snapshot (a point-in-time version) of a shared folder as often as every five minutes, and you can retain up to 1024 snapshots per shared folder.
(The more snapshots you keep and the more frequently you take them, the more storage is required, but the space each snapshot needs depends mostly on how much has changed in the folder since the previous one.
Btrfs snapshots share the unchanged data blocks with the live folder, which keeps the overhead low, and you can change the number of snapshots being kept to free up storage space at any time.)
As a result, in an event when you need to go back to an older state of a file or an entire folder due to accidents or, well, ransomware, you can easily do so.
Here’s how to use Snapshot to protect a shared folder.
- Install the Snapshot Replication app from the Package Center.
- Run the app and choose Snapshots.
- Select a shared folder, then click on Settings. The rest is self-explanatory.
Now you can enable a snapshot schedule, pick how to retain the snapshots, and choose to make snapshots visible (to users). Each visible snapshot appears as a subfolder of a folder called #snapshot within the protected shared folder.
Snapshots are read-only, so the previous versions of your data can't be altered by anything that reaches the share as a file client, including ransomware running on an infected PC. For this reason, it's OK to keep them visible to the users. But you can also keep them hidden. (One caveat: an account with DSM administrator rights can delete snapshots from the Snapshot Replication app, which is one more reason to lock down the admin accounts as described above.)
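Recovering from a snapshot is usually done by hand in File Station, but when many files are hit it helps to script the selection of "the newest snapshot taken before things went wrong." The following is an added example, not Synology's tooling: it works on the #snapshot folder inside a shared folder and assumes the snapshot subfolders are named like GMT+07-2021.08.11-10.00.00 (offset, then local date and time); if your folders differ, adjust SNAP_NAME_RE. The share it operates on is built in a temporary directory for the demo and is entirely constructed.

```python
"""Restore a file from the newest Btrfs snapshot taken before a cutoff time,
working from the #snapshot folder that DSM exposes inside a shared folder.
Assumption for this example: snapshot folders are named like
GMT+07-2021.08.11-10.00.00 (offset, then local date and time)."""
import re
import shutil
import tempfile
from datetime import datetime
from pathlib import Path

SNAP_DIR = "#snapshot"
SNAP_NAME_RE = re.compile(r"^GMT[+-]\d{2}-(\d{4}\.\d{2}\.\d{2}-\d{2}\.\d{2}\.\d{2})$")


def list_snapshots(share):
    """[(taken_at, folder)] oldest first; folders with unexpected names are skipped."""
    snaps = []
    root = Path(share) / SNAP_DIR
    if root.is_dir():
        for d in root.iterdir():
            m = SNAP_NAME_RE.match(d.name)
            if d.is_dir() and m:
                snaps.append((datetime.strptime(m.group(1), "%Y.%m.%d-%H.%M.%S"), d))
    snaps.sort()
    return snaps


def find_clean_copy(share, rel_path, cutoff):
    """Newest snapshot taken strictly before cutoff that still holds rel_path.
    cutoff is local wall-clock time, the same clock the snapshot names use."""
    for taken_at, snap in reversed(list_snapshots(share)):
        candidate = snap / rel_path
        if taken_at < cutoff and candidate.is_file():
            return taken_at, candidate
    return None


def restore(share, rel_path, cutoff, dest_root):
    """Copy the clean version to dest_root/rel_path. It deliberately does not
    overwrite the live file: a wrong cutoff must not destroy what is left.
    Returns the snapshot time used, or None when no usable snapshot exists."""
    hit = find_clean_copy(share, rel_path, cutoff)
    if hit is None:
        return None
    taken_at, src = hit
    dest = Path(dest_root) / rel_path
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(src, dest)
    return taken_at


def build_demo_share(root):
    """Constructed sample share: two hourly snapshots of docs/report.txt and a
    live copy that ransomware has since overwritten."""
    share = Path(root) / "documents"
    for name, text in {"GMT+00-2021.08.11-10.00.00": "report v1\n",
                       "GMT+00-2021.08.11-11.00.00": "report v2\n"}.items():
        f = share / SNAP_DIR / name / "docs" / "report.txt"
        f.parent.mkdir(parents=True)
        f.write_text(text)
    live = share / "docs" / "report.txt"
    live.parent.mkdir(parents=True)
    live.write_text("<encrypted garbage>\n")
    return share


def demo():
    """Restore against three cutoffs: mid-attack, after a bad 10:30 edit, and
    before any snapshot existed. -> {label: (snapshot used, restored text)}"""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        share = build_demo_share(tmp)
        for label, cutoff in [("ransomware_at_1130", datetime(2021, 8, 11, 11, 30)),
                              ("bad_edit_at_1030", datetime(2021, 8, 11, 10, 30)),
                              ("before_first_snapshot", datetime(2021, 8, 11, 9, 0))]:
            dest = Path(tmp) / "restore" / label
            taken = restore(share, "docs/report.txt", cutoff, dest)
            restored = dest / "docs" / "report.txt"
            out[label] = (taken.isoformat() if taken else None,
                          restored.read_text().strip() if restored.is_file() else None)
    return out


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The cutoff is the moment the damage started (the first encrypted file's modification time, or when you saved the bad edit), and the script picks the last snapshot strictly before it. It copies to a separate restore folder rather than over the live file so that a wrong cutoff can be redone; once you have verified the restored files, move them into place or, for a whole-folder rollback, use the Restore action in the Snapshot Replication app, which does the same selection for the entire share.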
I’ve used Snapshot for years, and it has helped prevent disasters in at least three ransomware incidents in the past few months alone. It’s effective and proved to be the best way to deal with accidental and malicious data alteration.
There you go. Don’t buy into the dire warnings from those “security experts.” Chances are, your server is safer than they make you feel.
If you have a Synology, that’s almost always the case. Of course, you shouldn’t take data security and integrity lightly, either. So keep these in mind:
- At the minimum: Have good password policies, keep your server up-to-date, and have a tight Snapshot schedule for each important shared folder.
- On top of that, if you have serious data: Also consider real-time server-to-server backups, folder sync, or replication.
Once you’ve had those in place, rest assured you have little or nothing to worry about. I speak from experience.