Doram So if the hackers didn’t guess the password - how did they get in
There is no certain answer to that, but there are several possibilities. It is certainly believed that the previous QNAP ransomware attack was via a couple of issues with some QNAP software …. though I haven’t seen confirmation of that.
When all is said and done, there is NO WAY to completely protect a NAS from hacking, short of not having it connected to the internet, or to your LAN, if that is connected to the internet.
Short of that, there are things you can do to reduce risk. One is the VLAN scheme suggested above, but it is not a trivial thing for someone not comfortable with networking. The most obvious thing, as you’ve now realised, is to have a separate backup and to format the NAS and reload. Just be sure your backup is actually working first. Which is why, if the data matters, it’s best to have two or three copies in different places.
There are a couple of useful, practical steps. First, keep the NAS up to date. Keep an eye on the availability of OS/firmware updates in the NAS control panel. Keep it current. This is not a guarantee of success, but it cuts the odds down of them getting in.
Next, do a search on, say, YouTube, for QNAP and something like “securing your NAS”. There are a variety of configuration settings which, depending on how they’re set, make your box less or more secure. One example is turning off UPnP. Many hacks occur through an open ‘port’. UPnP is effectively like saying to the NAS, “hey, here’s all my keys, open whatever you like”. It is a convenient way of getting all sorts of things to work, but it is convenient at the cost of security. It’s like not bothering to lock your house’s doors or windows, because it’s convenient for you to get in if you don’t. It’s convenient for burglars too.
Those videos will give you a list of settings to turn off, unless you really need them on. Do you, and do you absolutely have to, run a website on your NAS that people can access from outside? No? Make sure the Web Server is turned off. And so on. Lock all the NAS doors, unless you have a really good reason for leaving specific ones open.
Trouble is, unless you know what you’re doing, this is hard work, and confusing. There’s no way round that. It’s part of owning a NAS. It’s risk versus convenience. There is no easy answer. Some things can help, but require expertise. Some require time and effort (like those YouTube security videos). Others can help (better routers, firewalls, etc) but require money spent. Quite a bit of it.
One option is to have two NASs, but of different makes. Maybe one QNAP and one Synology. Odds are that if a hacker gets into one, they won’t have a doorway into the other. Or one a home-brew TrueNAS built from an old PC. Back up one to another via RSync, and then back up one of those, to a USB disk. Or, back up to cloud services, though that is dependent on how much you have to back up. It can be very expensive (and slow) if data volumes are high.
Backup always comes down to how much time, effort and money it is worth, to protect whatever data you are trying to protect.
Yes, using non-simple passwords, and restricting the admin account to a single local IP helps, as does (assuming your NAS supports it) setting up 2FA (two factor authentication). Also, turn on and configure notifications so you get alerted to some issues/attacks. If you haven’t already, run the QNAP Security Counselor app in the control panel. Try to decipher what it’s telling you.
But even all that won’t help if they get in via a buggy bit of software. Which is why you need to keep the OS, and all apps, patched and up to date.
Most of all, keep backups, and don’t have the drive(s) they’re on plugged in except when backing up. I’m a bit paranoid. When I’m going to do a major backup (how often depends on how fast your data changes, how important it is, etc) I physically turn my router off before plugging in the backup drive, and remove that drive after backing up, before turning the router back on.
And that helps, but still doesn’t guarantee I’m safe.
Why not? Consider this. A hacker gets in, plants some ransomware-type virus and sets a delay to activation. Weeks later, that bomb detonates, but by then, my external backup is corrupted too. It could happen. So keep the NAS antivirus up to date too, and run it.
I feel for you, pompeyexile. I really do. I’m pretty careful, and have a lifetime (first played with computers in, IIRC, 1967) in IT. I’m no networking or security expert, but I know enough to know I don’t know enough. I take precautions and, as I said, am careful but have I missed something? Only time will tell.
Thankfully, now I’m retired, I don’t have any mission-critical data to protect. Getting clobbered would be a pain, but not a disaster. And, I take one more precaution. I have some “air-gapped” equipment. It isn’t EVER connected to a network that’s on an internet-connected network. There is no wifi on it, and no physical connection. But, I have the equipment to do it laying around anyway. Overkill for most people? Probably, yeah. But then, I do have two NASs, both with 4 or more 12TB drives. That’s a bleep-load of data to protect. ;)
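
An added example, not part of the original post: a pre-backup check for the offline-drive routine described above, which hashes the NAS share, compares it with the manifest saved at the last good backup, and refuses to proceed when an unusually large share of files has changed or vanished, so that mass-encrypted files do not overwrite the last good copy. The function names and the 30% threshold are assumptions made for illustration, and the sample files are constructed.

```python
import hashlib, os, tempfile

def build_manifest(root):
    """Map each file's relative path under root to the SHA-256 of its contents."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            manifest[os.path.relpath(full, root)] = digest.hexdigest()
    return manifest

def churn(previous, current):
    """Fraction of previously known files that are now modified or missing."""
    if not previous:
        return 0.0
    changed = sum(1 for path, d in previous.items() if current.get(path) != d)
    return changed / len(previous)

def safe_to_back_up(previous, current, max_churn=0.30):
    """True when the change rate looks like normal use (threshold is an assumption)."""
    return churn(previous, current) <= max_churn

def demo():
    """Constructed sample: ten small files, one normal edit, then a mass rewrite."""
    with tempfile.TemporaryDirectory() as root:
        for i in range(10):
            with open(os.path.join(root, f"doc{i}.txt"), "w") as fh:
                fh.write(f"contents {i}\n")
        baseline = build_manifest(root)
        with open(os.path.join(root, "doc0.txt"), "a") as fh:
            fh.write("edited\n")                 # ordinary day-to-day change
        normal = build_manifest(root)
        for i in range(1, 9):                    # bulk rewrite plus rename
            old = os.path.join(root, f"doc{i}.txt")
            with open(old, "wb") as fh:
                fh.write(os.urandom(32))
            os.rename(old, old + ".locked")
        mass = build_manifest(root)
        return (churn(baseline, normal), safe_to_back_up(baseline, normal),
                churn(baseline, mass), safe_to_back_up(baseline, mass))

if __name__ == "__main__":
    print(demo())
```

Keep the saved manifest on the backup drive itself rather than on the NAS, so that whatever alters the NAS cannot also alter the baseline it is compared against.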