How secure are NAS devices?

I’m reading a lot of posts saying the NAS devices aremore vulnerable then the router itself. How can I secure my NAS? What do you do to protect your files?

redcore44 wrote:

I’m reading a lot of posts saying …

Can you provide some links to where you are reading this?

Here u go

Okay, so that wasn’t exactly “a lot” of posts…just one article. But fair enough - the article does detail your concern.

Here’s my thoughts on this:

  1. The article is a bit dated at this point (August 2014) - and EX2’s firmware has been updated a few times since then. However, there is a valid criticism applicable to EX2 - and that is the EX2 has not had a firmware update in over 6 months at this point. The other fair criticism of the EX2’s firmware is that I have noticed whenever WD releases a new firmware eventually, some of the crucial components of the firmware, like the web server used (currently Apache…and previously lighttpd), etc. are quite stale versions. The risk with stale versions of web servers or any other server software is that often bugs and or vulnerabilities are patched in newer versions but we don’t avail of those benefits of patched vulnerabilities.

  2. Having made some points against EX2’s firmware, here’s why they are mostly academic considerations. Even your linked article states, “A router is more likely to be accessible from the Internet than a NAS system…” - and that is important to understand. It’s not like anyone can waltz in from the Internet and get on your NAS server. For most part it is quite secure. Especially because most people won’t have a vector in to the NAS server’s shell…and without the ability to access the shell from outside, for most folks your NAS is fairly secure. But of course, the shell isn’t the only vector to a server…as mentioned in my point 1, known vulnerabilities in the web server or third party apps (should you choose to install any) like myPHPAdmin could also leave vulnerabilities open.

  3. Coming to your question of what you can do to make your NAS secure. Well, simply pick a hard to guess password for the administrator account that is at least 8 characters long, preferable 12 characters or even longer. You can also choose to disable cloud access, if you want to close the possibility of any outside network access. By default cloud access IS turned off…so you do not have to do anything. But with that you lose the ability to access your files from outside your home or office network. If however you do wish to enable cloud access, then you are agreeing to put your server out on the Internet and there is always the theoretical possibility, though extremely, extremely slim, that someone could get in.

  4. Brings me to my own example. I actually have opened my EX2’s shell to be accessible from outside for over a year. 99.9999% users won’t be doing this so this risk doesn’t apply to most folks but I just want to explain that even with me taking such a big risk, I have enabled logging on the SSH port (port 22) and for over the past 10 months I have observed hundreds, if not thousands attempts to break into my system E-V-E-R-Y-D-A-Y…with countless intrusions originating from China and Russia…and yet they still haven’t been able to brute-force their way into my EX2. I have also created an automated process where I sift through the ssh access logs everyday and add large blocks of IP ranges to my ISP router’s firewall. But they still keep trying :slight_smile:  My point is that most people won’t be exposing their EX2 to such risk (that is opening port 22 used for ssh access to the outside world) so they are going to be immune from these - and even I who did take that risk have not been compromised yet after a year and 4 months since I enabled SFTP access on my EX2.

Bottom line - read the manual, follow simple steps like using an uncommon and long password, and you will have secured your EX2 sufficiently to thwart most intrusions. Nothing extra needs to be done.

P.S. If you were curious - here is a post from me from last year giving a small taste of the daily intrusion attempts on the EX2 via SSH from outside that I mentionedaove ->

1 Like