
Is it dangerous for my NAS to have remote access from the Internet?

Dangers of my NAS having remote access

NAS servers are normally reachable from the Internet so that we can use all the services and resources we need. For example, it is common to access the NAS administration web interface from the Internet, to access files through its internal FTP server, and even to enable remote management via SSH by opening the corresponding port on our router. However, exposing our NAS server to the Internet carries a series of risks that we must avoid as far as possible, so we should take a series of precautions if we decide to expose it and access it from outside.

In our homes we all use a router with NAT and UPnP. NAS servers support UPnP to open ports on the router dynamically and automatically; however, this carries a security risk because they may open ports that you do not want to expose, so you should carefully check the UPnP configuration of your NAS server to make sure this does not happen. The best thing you can do, though, is disable the UPnP protocol on the NAS server and even on your router, so that you have to open ports (port forwarding) explicitly, knowing exactly which ports you are opening to which device.

If the router has no port open in the NAT towards the NAS server, the NAS server is not exposed to the Internet, so remote access would only be possible through the reverse connections that manufacturers such as QNAP, Synology or ASUSTOR currently provide. With these, once the user logs into the Cloud platform, the NAS server connects directly to the manufacturer’s own servers so that the user can connect remotely without having to open any port. We must remember that ports in the NAT from the «internal NAT» to the «external NAT» are opened automatically when any device requires it, but this does not happen when the connection is started from the Internet, and we would need an open port on the router to reach the final service.

Is this way of connecting to the NAS server secure? In principle, yes, because the manufacturers of the NAS servers are responsible for the security of their platform. If their platform is compromised, all NAS servers with this functionality enabled would be compromised, and access could be attempted after authenticating via the web.

If you have opened a port on the router (port forwarding) to the NAS server (HTTP web, HTTPS web, FTP, FTPES, SSH, etc.), cybercriminals could attack you to gain access to the NAS server. It is very important to open only the ports for the services you need, and no more, in order to have the smallest possible attack surface.

Attempts to crack user credentials

One of the attacks that could be made against us is an attempt to crack our user credentials, either through the web menu used to access the administration, the FTP server if we have it exposed, or even the SSH server if we have the corresponding port open on our router. There are totally free programs that make it possible to automate attacks on different hosts. For example, the popular Nmap can perform a port scan to check which TCP and UDP ports are open on the router to a certain service, and then find out what type of service is on a certain port, what version of that service is running, and more information.

Password filtering

Knowing the service and even its version, a cybercriminal could use programs like Nmap NSE to try to crack the password with a dictionary or brute-force attack, trying thousands of user/password combinations to get in.

Illegitimate system access

If the previous attack succeeds, and depending on the permissions of the user whose password has been cracked, the attacker could access the system illegitimately. That is, they could enter the NAS administration, the FTP server or SSH to make all the changes they want, steal information, encrypt the stolen information to later ask for a ransom, and even compromise the local network where the NAS server is configured.

For this reason it is very important to review the warnings and logs of the NAS server, so that we know at all times whether someone other than us has logged into it. That way we can act quickly and efficiently by cutting access to the NAS server until we check the logs and find out what happened. It is critical that, if we detect an access to our system, we cut it off as soon as possible and study what the cybercriminal has done on our NAS server.

Exploitation of vulnerabilities in the NAS

With programs like Nmap you can find out which version of the web server, FTP server or SSH server is being used on a specific NAS server. If the operating system of the NAS server uses a service in which a vulnerability has been discovered and is already known, a cybercriminal could exploit this vulnerability to take full control of the NAS server and infect it. It is very important to update the operating system of the NAS server and also the software embedded in it, to prevent a known vulnerability from being exploited.

A very important point is that we should never expose the web administration of our NAS server, either by HTTP or HTTPS. Web servers are very prone to XSS vulnerabilities; a cybercriminal could exploit an XSS vulnerability that he himself has discovered and manage to infect all NAS servers that do not have this security flaw patched. The safest thing is never to expose the NAS administration web interface. If you need to access it, it is better to do so in other ways, as we explain below.

Exploitation of security flaw and ransomware attack

There have already been cases in which, by exploiting a known security flaw in certain software on a NAS, the cybercriminal has not only compromised the user’s NAS server, but has also fully encrypted it with a ransomware attack, subsequently demanding a ransom to recover the files. We must bear in mind that we normally use a NAS server as our private cloud and even for backup copies, so this type of attack is one of the worst that can happen to us. Although NAS operating systems have “Snapshots” functionality, if the cybercriminal has managed to gain access as a system administrator, they have surely deleted these snapshots, and you cannot recover the information unless you had an external backup.

Once we have seen all the dangers of having a NAS server exposed to the Internet, we are going to explain to you in what ways we could access it from the Internet if we have no choice.

How to Access the NAS from the Internet Safely

Although NAS servers can be used perfectly well on the local network without Internet access, it is very convenient to be able to access all NAS server resources remotely. If we need to access our NAS server remotely to exchange files and folders, to manage it for any reason, or to use any of its services, the recommendation is clear: do it through the VPN server of the NAS server whenever possible.

All NAS server operating systems have a VPN server. They usually offer OpenVPN and also L2TP/IPsec, and they may also incorporate proprietary VPN protocols and even the popular WireGuard VPN. If we have a VPN server, what we have to do is open on the router only the TCP or UDP port that this VPN server needs to accept incoming connections. Once we are inside the VPN, we can access the rest of the resources safely (SMB, FTP, FTPES, SSH, etc.). In this way, we will only be opening one port on our router, which has a VPN service behind it that will need digital certificates for authentication.

In the event that you need to open other ports to access different services, such as the FTP or SSH server, our recommendations are as follows:

  • Open only the ports for the services you need, and no more.
  • Protect services from multiple login attempts. All NAS incorporate a “fail2ban” tool to ban multiple failed access attempts from an IP, banning it for a certain time.
  • Activate the firewall and block by region. If we are going to connect from Spain, a good policy is to only allow IP addresses from Spain to connect, and block the rest of the world. NAS servers already incorporate a firewall with geoIP to protect us.
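
The log review recommended earlier and the “fail2ban” behaviour in the list above can be illustrated with one small script. It is an added example, not code from any NAS vendor or from fail2ban itself: the log lines are constructed samples in OpenSSH message style, `review` is a hypothetical helper, and the parameter names `maxretry`, `findtime` and `bantime` are borrowed from fail2ban's options.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (OpenSSH-style messages, ISO timestamps; not from a real NAS).
SAMPLE_LOG = """\
2024-05-01T10:00:01 nas sshd[811]: Failed password for admin from 203.0.113.7 port 40122 ssh2
2024-05-01T10:00:04 nas sshd[811]: Failed password for admin from 203.0.113.7 port 40124 ssh2
2024-05-01T10:00:09 nas sshd[811]: Failed password for invalid user root from 203.0.113.7 port 40130 ssh2
2024-05-01T10:02:30 nas sshd[830]: Failed password for admin from 192.168.1.20 port 51000 ssh2
2024-05-01T10:02:41 nas sshd[830]: Accepted password for admin from 192.168.1.20 port 51002 ssh2
2024-05-01T10:03:15 nas sshd[811]: Accepted password for admin from 203.0.113.7 port 40200 ssh2
"""

LINE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: (Failed|Accepted) password for "
                  r"(?:invalid user )?(\S+) from (\S+) port \d+")

def review(log_text, maxretry=3, findtime=timedelta(minutes=10),
           bantime=timedelta(hours=1)):
    """Return (bans, alerts): bans maps IP -> ban expiry, alerts lists
    successful logins that arrived from an IP while it was banned."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    bans, alerts = {}, []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                # ignore unrelated log lines
        ts, outcome, user, ip = m.groups()
        ts = datetime.fromisoformat(ts)
        if outcome == "Failed":
            window = failures[ip]
            window.append(ts)
            while window and ts - window[0] > findtime:
                window.popleft()    # drop failures older than findtime
            if len(window) >= maxretry:
                bans[ip] = ts + bantime
        elif ip in bans and ts < bans[ip]:
            # A live ban would have blocked this; in after-the-fact log review
            # it means a guessed password worked: cut access and investigate.
            alerts.append((ts.isoformat(), user, ip))
        else:
            failures.pop(ip, None)  # normal login: reset the counter
    return bans, alerts

if __name__ == "__main__":
    bans, alerts = review(SAMPLE_LOG)
    for ip, until in bans.items():
        print(f"ban {ip} until {until.isoformat()}")
    for ts, user, ip in alerts:
        print(f"ALERT {ts}: login as {user} from banned source {ip}")
```

On the sample, the single mistyped password from 192.168.1.20 is ignored, while 203.0.113.7 is banned after three failures and its later successful login is reported as an alert.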

Remember that it is not a good idea to expose the access port to the administration via the web, regardless of whether you use HTTP or HTTPS, because usually web servers are prone to XSS vulnerabilities that can lead to a security problem and illegitimate access to the NAS server.

Finally, if you need to provide web services to the Internet, access to different services such as an internal password manager, a Nextcloud to synchronize files and folders, internal access to management via the web and other services where it is necessary to expose a web port (80 for HTTP and / or 443 for HTTPS), a very good idea is to install a reverse proxy like Traefik.

Most NAS servers allow lightweight virtualization with containers like Docker. Traefik is a free and really complete reverse proxy with very advanced configuration options. This reverse proxy will allow us to expose only the HTTP and/or HTTPS ports to the Internet to access all the internal resources of the NAS server, without the need to open multiple ports on our router. The redirection to the different services can be done through subdomains (nextcloud.redeszone.net, for example) or in the following way: redeszone.net/nextcloud. The good thing about Traefik is that it has middlewares to increase the security of the system: we can require additional authentication for the different services with a username and password, we can implement an OAuth authentication service with Google, and even two-step authentication, all before reaching the final service, which can still have its normal authentication.

Another strong point of Traefik is that we can install different extensions, for example, a fail2ban in all or in certain services that we provide, we could also configure a GeoIP to allow only the IP addresses of one country and block the rest, and much more.

As you have seen, there are many dangers if we expose our NAS server to the Internet, but if we do it well and follow our recommendations, we are sure that you will be able to access it remotely without any problem. However, you should know that 100% security does not exist, especially if vulnerabilities are discovered that are not patched in time and a targeted or global attack is made on all clients of a certain brand of NAS servers.
