
burni

macrumors newbie
Original poster
May 10, 2020
14
3
A few years ago, due to an Amazon mixup, I ended up with a QNAP TS-251+ 2 disk NAS. I ordered the very basic model Synology but Amazon shipped me this much higher spec QNAP model (I believe I have the 8GB of RAM model).

I set it up and ran it as a Time Machine backup server and a fileserver for a couple of years in my home office. I even put some VMs on there and used that to test in IE when required for my work (frontend design & dev) but it was too slow to be very useful. However, the grinding of the HDDs REALLY annoyed me, I could sometimes hear it in the middle of the night, from my bedroom! And I was never confident I'd set up the security of it properly, especially as it was accessible via the internet (for when I was away from my office).

So I copied the files to some Samsung T5s, turned it off and put it in a drawer.

However, I miss the availability and experience of having a NAS, so I'm thinking of putting 2x Crucial 2TB SSDs in there to reduce the noise (not cheap, but I'm willing to pay for no grinding!) and setting it up to just do the file serving and Time Machine stuff.

But I want to run it lean and secure. It'll be backing up to 2 Macs via Time Machine, and it will have my past work archive and some semi-frequently used files. So I'd like to delete things like the video and photos stuff, which I'll never use.

Mostly I want to ask if there's anything I should watch for when using SSDs instead of HDDs. And what is the best way to secure it, while still being able to get access from outside when I need it. I do have a static IP to my modem/router (which is a TP link model).

So if anyone can offer any advice or tips, it would be greatly appreciated.
 

hobowankenobi

macrumors 68020
Aug 27, 2015
2,125
935
on the land line mr. smith.
A good question. I have not seen a QNAP in years, so I can't say specifically...But in general:

Should be no issue with SSD, other than size constraints. Always good to check the OEM's list of approved drives. Hopefully QNAP makes this info easily available.

As for securing the data...lots of methods or ways. In your shoes, I would start with these concepts:

Does your NAS supply/support a web interface? It may be possible to get access via a web interface without needing to open up other ports. Does it support other methods, such as DDNS or something like Synology's Quick Connect?

Since you have a static IP, the traditional method would be to give that static, public/WAN IP to your router, and then use port forwarding and NAT on the router to be able to connect from outside your network, without exposing anything more than the single port needed (SMB typically).

If your router includes a VPN option, it would be wise to require a VPN connection to see the NAS, to greatly shield the connecting info, as well as the data in traffic. With a VPN, typically you would not have to port forward or otherwise expose any of the NAS to the internet; your VPN connection would allow you to connect to and interact with the NAS as though you were on your LAN.

Do consider that if you have your router (and/or your NAS) accessible via the web, it will get sniffed and attacked. Be very sure to use very strong passwords, and don't use default admin user names or PWs. Much harder to crack both user name and PW.

How to minimize attack vectors/surfaces?

Consider NOT allowing your router to be pingable, nor manageable from the WAN. Same for the NAS.

Consider NOT using the main NAS admin credentials for file sharing. Create a sharing account that is not an admin account...so if it is somehow compromised, the attacker could see the shares (data) but could not manage the entire NAS.

Along those lines, if possible, never make sensitive data available via sharing to the aforementioned account: IF an attacker somehow sniffed or cracked your sharing (non-admin) credentials, they could only get access to your shared, non-sensitive data, not everything (stuff with SS numbers, bank accounts, account information, etc.). Any sensitive data should be walled off so that an attacker cannot see it, nor get access to it by changing permissions, or using other admin tools, even if they manage to gain access to shared data.

----

Just a few things to get started. Without knowing exactly what methodology and what gear/options you have...it is hard to say what is easiest/most secure way to proceed.
 
  • Like
Reactions: burni
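An added example (not part of either poster's messages): a small Python check to run from outside the home network, for instance over a phone hotspot, against your own static WAN IP, to confirm that the NAS and router services discussed above are not reachable once the VPN or port-forwarding rules are in place. The port list and labels are assumptions to adjust to your own setup, and `203.0.113.10` is a placeholder address.

```python
import socket
import sys

# Assumed TCP ports for a home NAS and router; edit to match your own setup.
SENSITIVE_PORTS = {
    22: "SSH",
    80: "router/NAS web admin (HTTP)",
    139: "NetBIOS session (SMB)",
    443: "web admin (HTTPS)",
    445: "SMB file sharing",
    548: "AFP (older Time Machine shares)",
    8080: "NAS web admin (assumed alternate HTTP port)",
}


def tcp_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered (timeout) or unreachable all count as not exposed.
        return False


def audit_exposure(host, ports=SENSITIVE_PORTS, allowed=(), timeout=2.0):
    """Return {port: label} for every listed port that answers on host
    and is not in `allowed` (ports you forward on purpose)."""
    exposed = {}
    for port, label in sorted(ports.items()):
        if port in allowed:
            continue
        if tcp_open(host, port, timeout):
            exposed[port] = label
    return exposed


if __name__ == "__main__":
    # Placeholder address; pass your own WAN IP as the first argument.
    wan_ip = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"
    findings = audit_exposure(wan_ip)
    for port, label in findings.items():
        print(f"EXPOSED {wan_ip}:{port}  {label}")
    if not findings:
        print(f"No listed TCP ports answered on {wan_ip}")
    sys.exit(1 if findings else 0)
```

This only tests TCP, so a VPN endpoint listening on UDP will not show up here; that is expected and not a finding.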

burni

macrumors newbie
Original poster
May 10, 2020
14
3
Thanks for the info @hobowankenobi, some great info in there. There is a QNAP web interface, which I used to use but it was via the admin account (not great...). I'll look into if other user accounts can be used with it.

But I'm definitely going to look into doing a VPN. It's not something I've used before. My router appears to offer the ability to set up 'Open VPN'. Would that be good in this case? Or, as I'm new to it, would you recommend using a service (Express VPN for example)? Are there any good VPN primers you can recommend?

I suppose the most sensitive info on the NAS would be my Time Machine backups? My work archive doesn't contain anything sensitive. However, I don't think I can encrypt TM backups on network drives? Maybe the NAS can encrypt the directory somehow - something else for me to look into.

Thanks for the help on this.
 

hobowankenobi

macrumors 68020
Aug 27, 2015
2,125
935
on the land line mr. smith.
My 2 cents:

I would pursue the web interface first, as it would be easiest and nothing else to secure (be sure to only use HTTPS), and it would allow you to use any device, including one you don't own without needing to install and config a VPN client every time, plus the ability (likely) to send links to friends to download if needed.

If you go VPN, I am more comfortable with the traditional model of running the host on the router, and a client app on the connecting device. Only devices configured can connect. Let's see if others recommend the stand-alone apps that use a server you don't control....my understanding is that most are geared more for privacy than for end-to-end VPN tunnel security.

The biggest hurdle may be setting up/configuring open VPN. I have always used vendor-specific tools, so no help there. Must be plenty of info out there as it is popular.

I think you are right about TM backups. If you don't share those via your new sharing account, they would still be PW protected and not visible from the shared account.
 