
Offsite NAS - How to secure it?

Joined
Jan 27, 2010
Messages
4,158 (0.80/day)
Location
USA
So I am thinking of building a little more redundancy into my files on the NAS. I was thinking of setting up a NAS at my mom's house for me to basically duplicate my files there and then she could use it as well for her stuff.

My main question is security, as I am not monitoring her network and know what's going on. We all know how older people love to click things....

Anything special I need to read up on or be aware of? It will be a Synology NAS.

Thoughts?
 

Solaris17

Super Dainty Moderator
Staff member
Joined
Aug 16, 2005
Messages
25,892 (3.79/day)
Location
Alabama
Hm, it depends on use case really.

If you are using the network and not sharing it with her PC then a different strong usn and pass for the admin CP and share will likely be enough.

If it is shared with her PC, you could make two diff shares and 3 sets of USNs and passwords.

I probably wouldn't expose this to the internet, but if so I would see if you can close everything and use SSH with a key, and then use like FileZilla to xfer.

You could also simply get a NAS and host it at your own place and get like Backblaze or Amazon B2/S3 account and have the NAS sync to it.

I think some even let you do cross NAS syncing, so that may also be an option.

Tons of ways to skin this cat.
 
Joined
Nov 1, 2008
Messages
4,213 (0.75/day)
Location
Vietnam
I use Resilio sync for offsite backup. It has an option for encrypted backup so that the 2nd computer can't actually do anything with the files.
 
Joined
Jul 25, 2006
Messages
12,147 (1.87/day)
Location
Nebraska, USA
> We all know how older people love to click things....

Who you calling old? ;)

And sorry, but all humans like to click things, flip switches, and turn knobs. It sounds like you need to remind mom to not be "click-happy". Now is a particularly applicable time to do this too as I just heard, less than 30 minutes ago on HLN, that COVID-19 email scams are on the rise and ALL people need to be reminded to avoid any email (or phone call) that claims to have a cure, or reports a problem with your stimulus or relief check, or your bank account, or insurance, etc. etc. Remind her to just delete the emails and never, as in NEVER EVER give that information via a reply (or over the phone) unless she initiated the contact. In other words, remind her to treat every and all "unsolicited" requests for information or actions (like "click-here") as malicious and just delete it - and then call you if still worried.

Now, to your NAS, I personally think you are being very wise to consider an off site storage location. :) A NAS at home is nice, but what happens if your house burns down or is blown away by a hurricane or tornado, or gets flooded, or a bad guy breaks into your home and physically steals all your computer and networking gear for drug money? So multiple layers to our backup plans are essential and they should include at least one backup that is maintained off-site.

Unless a bad guy is targeting you directly, that is, he or she actually knows you and knows you have valuable information, it is very unlikely you will come under attack. But still, common sense precautions are just plain common sense. In addition to the advice given by Solaris, limit sharing to specific folders. Limit access to 1 or 2 simultaneous connections. And I agree with silkstone and you should consider using encryption - but not so the 2nd computer can't do anything with the files, but so a bad guy can't. I suspect your mom is not going to use ransomware to extort money from you.
 
Joined
Jan 27, 2010
Messages
4,158 (0.80/day)
Location
USA
> Hm, it depends on use case really.
>
> If you are using the network and not sharing it with her PC then a different strong usn and pass for the admin CP and share will likely be enough.
>
> If it is shared with her PC, you could make two diff shares and 3 sets of USNs and passwords.
>
> I probably wouldn't expose this to the internet, but if so I would see if you can close everything and use SSH with a key, and then use like FileZilla to xfer.
>
> You could also simply get a NAS and host it at your own place and get like Backblaze or Amazon B2/S3 account and have the NAS sync to it.
>
> I think some even let you do cross NAS syncing, so that may also be an option.
>
> Tons of ways to skin this cat.

So the overall use case for this is redundancy in my backups. I have iCloud for phone pics, I also download them off the phone and load them to the NAS, I also have important files, like taxes and other family stuff etc stored there as well for safe keeping, this NAS is in my house not exposed to internet ... so looking for another location for safety from fire/floods whatever crazy thing taking out my home one, or vice versa.

I don't mind sharing with her PC, if she wanted to have a little sliver of the NAS in her home ... I guess I could always back up her stuff to my NAS as well and share.

so you are thinking:
1) for me pushing files over to her NAS, you think it would be best for something like an FTP setup?
2) for her, she would go through a shared folder on the network to save her stuff?

Not sure I want extremely personal stuff out on the cloud though ... I will look into the NAS to NAS syncing as well and see if that would be an option somehow.

Now if I had non-personal stuff, sure I wouldn't mind a cloud option where I wouldn't care if it was compromised, but for the most part, everything on my NAS is stuff I wouldn't want just freely floating out there.


> I use Resilio sync for offsite backup. It has an option for encrypted backup so that the 2nd computer can't actually do anything with the files.

Will look into all the cloud options for the non-personal stuff and see how that works as well.

> Who you calling old? ;)
>
> And sorry, but all humans like to click things, flip switches, and turn knobs. It sounds like you need to remind mom to not be "click-happy". Now is a particularly applicable time to do this too as I just heard, less than 30 minutes ago on HLN, that COVID-19 email scams are on the rise and ALL people need to be reminded to avoid any email (or phone call) that claims to have a cure, or reports a problem with your stimulus or relief check, or your bank account, or insurance, etc. etc. Remind her to just delete the emails and never, as in NEVER EVER give that information via a reply (or over the phone) unless she initiated the contact. In other words, remind her to treat every and all "unsolicited" requests for information or actions (like "click-here") as malicious and just delete it - and then call you if still worried.
>
> Now, to your NAS, I personally think you are being very wise to consider an off site storage location. :) A NAS at home is nice, but what happens if your house burns down or is blown away by a hurricane or tornado, or gets flooded, or a bad guy breaks into your home and physically steals all your computer and networking gear for drug money? So multiple layers to our backup plans are essential and they should include at least one backup that is maintained off-site.
>
> Unless a bad guy is targeting you directly, that is, he or she actually knows you and knows you have valuable information, it is very unlikely you will come under attack. But still, common sense precautions are just plain common sense. In addition to the advice given by Solaris, limit sharing to specific folders. Limit access to 1 or 2 simultaneous connections. And I agree with silkstone and you should consider using encryption - but not so the 2nd computer can't do anything with the files, but so a bad guy can't. I suspect your mom is not going to use ransomware to extort money from you.

Haha, agree it is fun to click things ... I have at least gotten her to send me a picture of emails she wonders about. So at least that is a step in the right direction. So far seems to be working ok...

Ya the encryption part seems like a solid idea, I need to look around and see what offerings are there maybe out of the box from Synology. If not, I will go look for something else ... The limited folders, is a good idea ... I guess I can just give her, her own and she wouldn't even realize there was more hanging out there.
 
Joined
Nov 1, 2008
Messages
4,213 (0.75/day)
Location
Vietnam
> So the overall use case for this is redundancy in my backups. I have iCloud for phone pics, I also download them off the phone and load them to the NAS, I also have important files, like taxes and other family stuff etc stored there as well for safe keeping, this NAS is in my house not exposed to internet ... so looking for another location for safety from fire/floods whatever crazy thing taking out my home one, or vice versa.
>
> I don't mind sharing with her PC, if she wanted to have a little sliver of the NAS in her home ... I guess I could always back up her stuff to my NAS as well and share.
>
> so you are thinking:
> 1) for me pushing files over to her NAS, you think it would be best for something like an FTP setup?
> 2) for her, she would go through a shared folder on the network to save her stuff?
>
> Not sure I want extremely personal stuff out on the cloud though ... I will look into the NAS to NAS syncing as well and see if that would be an option somehow.
>
> Now if I had non-personal stuff, sure I wouldn't mind a cloud option where I wouldn't care if it was compromised, but for the most part, everything on my NAS is stuff I wouldn't want just freely floating out there.
>
> Will look into all the cloud options for the non-personal stuff and see how that works as well.
>
> Haha, agree it is fun to click things ... I have at least gotten her to send me a picture of emails she wonders about. So at least that is a step in the right direction. So far seems to be working ok...
>
> Ya the encryption part seems like a solid idea, I need to look around and see what offerings are there maybe out of the box from Synology. If not, I will go look for something else ... The limited folders, is a good idea ... I guess I can just give her, her own and she wouldn't even realize there was more hanging out there.

The cloud option for the personal stuff is also secure. It's a personal cloud essentially and will handle all of your NAS-NAS syncing. There are some Open source options available, but I found they weren't as good. That may have changed now.

I'd still recommend doing periodic backups to Amazon Glacier or some such service, putting your stuff in an encrypted container, like AXCrypt, should make it secure enough. Either that, or just an external HDD in a safe. Remember the 1-2-3 rule for backups.
 
Joined
Jul 25, 2006
Messages
12,147 (1.87/day)
Location
Nebraska, USA
> The cloud option for the personal stuff is also secure.

I don't have that kind of confidence. I am confident any data I store in the cloud will never get totally lost because I am sure there are more copies floating around than I can count. I just don't trust those administrators to keep those cloud storage locations secured from hackers - especially well funded state-sponsored hackers. It seems every other day we hear of another network breach and in most cases, it is due to failure on the part of the administrators to apply patches in a timely manner or some other human error that could have easily been avoided if the admins and chief security officers were doing their jobs.

Look at the Equifax breach. The software developers months prior to the breach discovered the vulnerability, developed and distributed the necessary patch to fix that vulnerability, but the administrators failed to apply it! Not only that, while some of our personal information was encrypted, much was not, including common-sense stuff like user's log-in credentials. :( How dumb is that?

So no thank you. I might temporarily put some family photos out there in "the cloud", but it is unlikely in what's left of my lifetime that I will ever put any of my personal files out there. For off-site backups of my boot drives, all my tax and other important docs, I keep copies on a couple drives in the safe-deposit box at my bank.
 
Joined
Nov 1, 2017
Messages
521 (0.22/day)
  1. First a good Firewall in front of the NAS is obligatory, else forget about that. I know some NAS can sync with Dropbox or a cloud provider, so you can sync to cloud, then cloud to NAS. Usually the cloud to NAS is managed from the NAS, so you don't have to open a port in your firewall because the NAS initiates the connection.
  2. An inbound policy from WAN to NAS to allow only the needed port with logs.
    1. If you can, configure a policy that opens the port only at certain times, like at the same time as your scheduled backup.
    2. For the BEST protection, if possible, allow only a specific public IP to access the NAS.
  3. Change all default passwords.
  4. If your NAS can, you would want a NIC port for Client Access, and one for Admin access (for configuration). So 2 LAN IPs. 1 for File access, 1 for Management.
    1. Configure your WAN / NAT rules to only go to the File Access interface. Bind services and ports of the NAS accordingly.
    2. This way, no one can have admin access to your NAS remotely.
  5. Create a user just for file access so that you have to authenticate to write to the NAS.
    1. If needed, do the same for a read user.
    2. DO NOT ALLOW READ or WRITE FOR EVERYONE/ANONYMOUS if you don't want your data to be stolen.
  6. Update NAS OS / Firmware to the latest version to make sure there's no exploit.

I think I didn't forget anything.
Let me know your NAS model if you want more details and capability.
 
Last edited:
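
Added example (not part of any post in this thread): one way to check a router's WAN-to-NAS port forwards against items 2, 2.1, 2.2 and 4 of the checklist above. The `Forward` record, the LAN addresses, the backup time and the sample rules are all constructed assumptions, not values from the thread or from any Synology or router API.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_network
from typing import Dict, List, Optional, Tuple

# Assumed values for the two-interface layout in item 4 (all constructed).
FILE_IP = "192.168.1.10"    # file-access interface, the only valid NAT target
MGMT_IP = "192.168.1.11"    # management interface, must never be forwarded to
BACKUP_AT = time(2, 30)     # assumed start of the scheduled backup job


@dataclass
class Forward:
    name: str
    src: str                                    # allowed source, CIDR form
    dst_ip: str
    dst_port: int
    log: bool
    window: Optional[Tuple[time, time]] = None  # None means open all day


def in_window(t: time, window: Tuple[time, time]) -> bool:
    start, end = window
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end               # window wraps past midnight


def audit(rule: Forward) -> List[str]:
    """Return the checklist items a single WAN-to-NAS forward violates."""
    findings = []
    if rule.dst_ip == MGMT_IP:
        findings.append("forwards to the management interface (item 4)")
    elif rule.dst_ip != FILE_IP:
        findings.append("forwards to a host that is not the NAS")
    net = ip_network(rule.src, strict=False)
    if net.prefixlen == 0:
        findings.append("any source address allowed (item 2.2)")
    elif net.num_addresses > 1:
        findings.append("source is a range, not one address (item 2.2)")
    if not rule.log:
        findings.append("logging disabled (item 2)")
    if rule.window is None:
        findings.append("open all day, no schedule (item 2.1)")
    elif not in_window(BACKUP_AT, rule.window):
        findings.append("schedule does not cover the backup time (item 2.1)")
    return findings


# Constructed sample rules using documentation address ranges.
RULES = [
    Forward("sftp-home", "203.0.113.7/32", FILE_IP, 22, True,
            (time(2, 0), time(4, 0))),
    Forward("admin-ui", "0.0.0.0/0", MGMT_IP, 443, False),
    Forward("late-sync", "198.51.100.0/24", FILE_IP, 22, True,
            (time(23, 0), time(1, 0))),
]


def audit_all(rules: List[Forward]) -> Dict[str, List[str]]:
    return {r.name: audit(r) for r in rules}


if __name__ == "__main__":
    for name, findings in audit_all(RULES).items():
        print(name, "OK" if not findings else findings)
```
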
Joined
Nov 1, 2008
Messages
4,213 (0.75/day)
Location
Vietnam
> I don't have that kind of confidence. I am confident any data I store in the cloud will never get totally lost because I am sure there are more copies floating around than I can count. I just don't trust those administrators to keep those cloud storage locations secured from hackers - especially well funded state-sponsored hackers. It seems every other day we hear of another network breach and in most cases, it is due to failure on the part of the administrators to apply patches in a timely manner or some other human error that could have easily been avoided if the admins and chief security officers were doing their jobs.
>
> Look at the Equifax breach. The software developers months prior to the breach discovered the vulnerability, developed and distributed the necessary patch to fix that vulnerability, but the administrators failed to apply it! Not only that, while some of our personal information was encrypted, much was not, including common-sense stuff like user's log-in credentials. :( How dumb is that?
>
> So no thank you. I might temporarily put some family photos out there in "the cloud", but it is unlikely in what's left of my lifetime that I will ever put any of my personal files out there. For off-site backups of my boot drives, all my tax and other important docs, I keep copies on a couple drives in the safe-deposit box at my bank.

Yes. I was talking about a personal cloud solution. You are the only administrator. I use Resilio Sync.
 
Joined
Jul 25, 2006
Messages
12,147 (1.87/day)
Location
Nebraska, USA
> Yes. I was talking about a personal cloud solution.

Ah, okay. I understand. Thanks.

That said, "personal cloud solution" is just "marketing hype". There really is no such thing as a "personal cloud". It is just a privately owned file server on a private network that may, or may not, allow remote access. "Personal Cloud Solution" just sounds better! ;)
 
Joined
Nov 1, 2008
Messages
4,213 (0.75/day)
Location
Vietnam
> Ah, okay. I understand. Thanks.
>
> That said, "personal cloud solution" is just "marketing hype". There really is no such thing as a "personal cloud". It is just a privately owned file server on a private network that may, or may not, allow remote access. "Personal Cloud Solution" just sounds better! ;)

Well.. yeah. .. My personal cloud solution is hosted on my personal network with only myself having access via a VPN connection. There are some open ports for services I run on the network, but they are all pretty secure (most of my services are on a VM). The cloud system I run is actually torrent based, so other than finding a back-door/exploit into my network the only other way would be to obtain the 32-bit key, even then I still have to approve access before anyone can see the files.
It's actually pretty cool in that, I could theoretically host my files on unsecured computer/networks so long as I click the option to encrypt everything.
 