
Is my NAS Secure?

michaelcdbarnes
Aspirant

Is my NAS Secure?

Hello, I am Michael Barnes and have a ReadyNAS Duo V2. I have just read the attached http://www.bbc.co.uk/news/technology-28707117 article about security. I am not that technical but want to make sure that my NAS is secure. Please can someone confirm how to do this? I have a password to log on, but in order to get access to my data I have had to allow anonymous access; is this secure?
Message 1 of 10
mdgm-ntgr
NETGEAR Employee Retired

Re: Is my NAS Secure?

Hi Michael, welcome to the forum!

Thanks for asking this question.

What firmware version are you running on your NAS?

Do you port forward ports to your NAS? You shouldn't forward ports unless absolutely necessary.

Have you made sure to change the admin password away from the default? If you have installed EnableRootSSH also check to make sure the root password is not the default one.

Do you have Wi-Fi at home or just ethernet?

If you have Wi-Fi have you taken steps to properly secure it?

Do you use Photos II? If not, turn it off.

Do you use ReadyNAS Remote or ReadyNAS Replicate? If not, disable/uninstall those (if they are installed) as well. They are secure, but if you don't use them then it is better to turn them off.

Whatever steps you take no solution is perfect, so you need to understand that backups are still important. Don't store important data on just the one device.
Message 2 of 10
xeltros
Apprentice

Re: Is my NAS Secure?

Security is a subject of its own and the answer to this question is very complicated.
How do you define secure? If that's perfectly hacker proof, I can tell you that you are not; nobody is and nobody will ever be. If you mean protected from common attacks, if you have the good settings, yes you are.
Data security is based on three principles, availability, confidentiality and integrity. So there are more concerns than just repelling attackers. Backup is one example.

To secure the NAS, I would agree with MDGM that basic steps are stopping unnecessary things, setting strong passwords and using up-to-date versions of the software. The main rule that IT admins follow is the rule of the least privilege: if it doesn't need it, then don't give it. That's valid for user rights, for port redirections, for services running on the NAS... If you respect that rule, update your passwords regularly with strong ones and do your updates, you are as close to safe as you can be for a home user. Enterprises and IT admins can go a step further with advanced network filtering capabilities but this has a cost (in price, time and skills to configure).
So unless you have very confidential data, I guess that you are good to go. Just have a good backup. Odds are in your favour with an incredible number of connected devices; a hacker picking yours explicitly would be really bad luck.
Message 3 of 10
StephenB
Guru

Re: Is my NAS Secure?

Just wanted to add that it is easy and free to register for the Shodan search engine in the original article (http://www.shodanhq.com/)

You can then search on your external IP address and see what it finds. In my case it identified the FTP connections I forward (even though they were on non-standard ports), but was not able to log in. Browsing around, I saw some ReadyNAS with anonymous FTP enabled - which of course might have been intentional.
Message 4 of 10
michaelcdbarnes
Aspirant

Re: Is my NAS Secure?

Hi There,

I am not that IT technical but here we go -
mdgm wrote:
Hi Michael, welcome to the forum!

Thanks for asking this question.

What firmware version are you running on your NAS? RAIDiator 5.3.10

Do you port forward ports to your NAS? You shouldn't forward ports unless absolutely necessary. - I do not know what this means?

Have you made sure to change the admin password away from the default? Yes If you have installed EnableRootSSH also check to make sure the root password is not the default one. I do not know what this is?

Do you have Wi-Fi at home or just ethernet? Wi Fi and ethernet

If you have Wi-Fi have you taken steps to properly secure it? I think so with passwords.

Do you use Photos II? If not, turn it off. I have turned off

Do you use ReadyNAS Remote or ReadyNAS Replicate? If not, disable/uninstall those (if they are installed) as well. They are secure, but if you don't use them then it is better to turn them off. I have turned off.

Whatever steps you take no solution is perfect, so you need to understand that backups are still important. Don't store important data on just the one device.


Also, what does "allow anonymous access" mean in the share access of the main area? Finally, what sharing protocols should be ticked?
Sorry for so many questions.
Message 5 of 10
xeltros
Apprentice

Re: Is my NAS Secure?

Allow everyone means allow everyone that has an account. Allow anonymous means allow anyone even if they don't have an account.

Your wifi should use a WPA2 key that is not a word or a combination of words, because main types of attack on this protocol use "dictionaries".

Port forwarding is a technique that a router uses to provide remote access. Basically it means "if something comes on this port, you send it to this computer/NAS".

The root SSH is a function that lets you configure the NAS via command line.

The sharing protocols ticked is your choice; personally I use AFP for myself and have SMB for other people. That said, the choice was made because Time Machine uses AFP and SMB is the common protocol for Windows machines. If you run a non-OS X network then SMB should be enough for local sharing. After that, you have to know how you back up to see if anything else is required, like rsync for example.
Message 6 of 10
Javik
Aspirant

Re: Is my NAS Secure?

(I don't know how this forum feels about necroposting... this is about a month old, not too terribly old yet.)

I've complained about IPv6 in the past, and this is just another way that IPv6 is going to bite nontechnical people.

NAT has turned out to be a really good solution to IPv4 address space exhaustion, and NAT offers benefits for people that have no idea what they're doing. Firewall setup is not too critical with NAT, because if ports are not forwarded, then your devices cannot be reached externally.

It's as simple as that. No firewall needed, your devices on your home LAN can't be accessed externally unless they specifically initiate the connection, and usually only the router is the only exposed device unless people explicitly choose to expose their private devices via NAT port forwarding or 1:1 forwarding.


With IPv6, hoo boy what a mess. The concept of NAT does not exist and is not implemented. Any IPv6 device can reach any other if it is not firewalled. This means you REALLY need to know how to set up a proper firewall with IPv6, because otherwise for tech novices, all your home devices could be exposed to hacking and snooping on the public Internet, and you wouldn't even know it.

Most nontechnical people simply will not have a clue here, so the problem of unintentionally exposed "private" devices is just going to accelerate as IPv6 gets implemented further and further.
Message 7 of 10
StephenB
Guru

Re: Is my NAS Secure?

NAT delayed address space exhaustion, but didn't prevent it. IANA delivered its last blocks of addresses to the regional internet registries in February 2011. There are just a few addresses still unassigned by the RIRs. The North American registry (ARIN) is currently 99.4% allocated. So the IPv4 addresses are essentially all gone.

IPv6 isn't really less secure than IPv4, both depend on the edge router to maintain security. In the case of IPv6, it requires stateful inspection of inbound traffic - but most routers are doing this with IPv4 NAT (at least to some degree).

For instance, NAT with no port forwarding allows two-way traffic to an internet device as long as the NAS initiated the connection (outbound). There is no technical barrier to implementing the same policy with IPv6.

The alternative to IPv6 is carrier-deployed NAT which will create a lot of connectivity issues. IPv6 is a better solution IMO.
Message 8 of 10
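The policy discussed in the post above (inbound traffic is allowed only when it answers a connection a LAN device opened) can be modelled without any NAT. This is an added example, not part of the original thread or any router's firmware; the `StatefulFilter` class, the documentation-range `2001:db8::` addresses, the port numbers and the 300-second idle timeout are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class StatefulFilter:
    """Default-deny inbound filter for a routed (no NAT) LAN prefix."""
    lan_prefix: str                  # e.g. the /64 delegated to the home LAN
    idle_timeout: float = 300.0      # assumed idle lifetime of a flow, in seconds
    flows: dict = field(default_factory=dict)

    def _inside(self, addr):
        return ipaddress.ip_address(addr) in ipaddress.ip_network(self.lan_prefix)

    def check(self, proto, src, sport, dst, dport, now):
        # Normalise address text so equivalent spellings hit the same flow entry.
        src, dst = str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst))
        # Forget flows that have been idle longer than the timeout.
        self.flows = {k: t for k, t in self.flows.items()
                      if now - t <= self.idle_timeout}
        if self._inside(src) and not self._inside(dst):
            # Outbound: allowed, and remembered so the reply can come back.
            self.flows[(proto, src, sport, dst, dport)] = now
            return "accept"
        if self._inside(dst) and not self._inside(src):
            # Inbound: allowed only as the mirror image of a remembered flow.
            key = (proto, dst, dport, src, sport)
            if key in self.flows:
                self.flows[key] = now
                return "accept"
        return "drop"

def demo():
    # Constructed sample traffic; the NAS has a globally routable address.
    fw = StatefulFilter("2001:db8:1::/64")
    nas, remote = "2001:db8:1::10", "2001:db8:ffff::1"
    return [
        fw.check("tcp", remote, 40000, nas, 445, now=0),    # unsolicited inbound
        fw.check("tcp", nas, 50000, remote, 443, now=1),    # NAS opens a connection
        fw.check("tcp", remote, 443, nas, 50000, now=2),    # reply to that connection
        fw.check("tcp", remote, 443, nas, 445, now=3),      # same remote, other port
        fw.check("tcp", remote, 443, nas, 50000, now=400),  # reply after flow expired
    ]

if __name__ == "__main__":
    print(demo())
```

A real IPv6 edge filter also has to pass the ICMPv6 messages the protocol depends on (for example Packet Too Big), which this model leaves out.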
Javik
Aspirant

Re: Is my NAS Secure?

IPv4 exhaustion is mostly a result of extremely sloppy address space design and implementation. There's only 256 Class A's (16,777,216 addresses per class A) in the entire IPv4 address space.

Yet in the beginning of the Internet, corporations grabbed entire class A's for themselves:
https://en.wikipedia.org/wiki/List_of_a ... ess_blocks

http://xkcd.com/195/

Even now as the space is exhausting, these companies are not giving up these huge blocks they don't need anymore, due to the revolution of private address reuse that NAT brought.

I find it impossible to believe that General Electric, IBM, Xerox, Hewlett Packard, Ford, Apple, Halliburton, Eli Lilly, Prudential, Merck, and DuPont have any justifiable reason to still each be claiming 1/256 of the entire IPv4 address space for each of them.

They claimed these massive chunks of addresses at a time when no one knew what might become of this Internet thing, and now they should be forced to give them up and move to far smaller ranges like everyone else.

Also related to this is the just dumb assignment of an entire block of 16.7 million addresses to mean "loopback", when all that is actually needed is a single address (127.0.0.1). There is no rational reason to ever use "127.251.221.231" for loopback, but since the entire block has been used that way for so long, reclamation for actual addressing is likely impossible due to it being used that way in so many ancient IP stacks.
Message 9 of 10
StephenB
Guru

Re: Is my NAS Secure?

There already was reclamation of several large address blocks, including the 5.x.x.x ones hijacked by Remote. The address space (in hindsight) could have been better designed.

But it doesn't matter. IPv4 addresses are 32 bits, so there's a limit of 4 billion addresses. There are almost 2 billion smartphones already, all with an IPv4 address for their cellular data. This is expected to grow to 6 billion by 2020, with another 3 billion or so other mobile devices needing IP addresses. And that's just part of the address space. So either it goes IPv6 or carrier NAT. There's no other option.
Message 10 of 10