Was not aware of the Synology situation. Thanks for sharing this info. I honestly didn't even remember setting up that quick connect and I've never used it. No reason to have that enabled.
Very good advice. I have a Synology - the most basic model - I set up a long time ago. No major complaints. Need to go back and revisit the settings. I think I enabled Quick Connect as a temporary convenience. Don't need it. I later installed its VPN app, which actually seems to work very well. Since this is the most basic (i.e. cheapest) model (that I got as an experiment), its RAM is soldered in so I can't upgrade and am limited to the number of apps I can install. I also was able to set up a NAS on a Raspberry Pi which works, but its throughput somehow is painfully slow compared to the Synology. Haven't had the time to investigate. I do not put any information that is intensely personal accessible via the internet. Like bank accounts, passwords, etc. Those outfits who call themselves "VPN" I think are misleading the public. "Proxy server" is the more honest term. And I NEVER trust the "cloud." Google, Amazon, MS and the rest. I want to hold my data in my own grubby little hands. I have had TOO MANY bad experiences where cloud services have flaked out on me. They are ok for backup, if encrypted, but that's it.
I have a 3-year-old Synology as my primary NAS. About once a month I back it up to my old 1st gen Drobo. I also back up the NAS to an external hard drive and store that hard drive at work. QuickConnect is turned off on my Synology.
My suggested solution to ransomware prevention: 0. HAVE A FULL OFFLINE BACKUP that is only connected when backing up and safely ejected ⚠️AND DISCONNECT⚠️ NOTE: If the hacker manages to get in and restart your NAS device the drive will show up so PHYSICALLY UNPLUG IT 1. Unique Password with 11 characters or more 2. Limit the number of login attempts
I’ve had a QNAP for eight years just replaced drives in 2019 they were still ok but no need to push it , just a simple one terabyte , now two terabytes of RAID ONE . Yes I did work as a SAN administrator amongst other things so firmware upgrades etc were not an issue plus I use freeware ROCKSTOR NAS in my garage as a backup for QNAP so no issues . I think you’re correct these things are sold like toasters to the general public who is not ready or aware of all the hand feeding required for a NAS . Good overview for the general public thanks . P S my old Alma Matter gives me a one terrabyte cloud storage allotment for free go figure I keep waiting for them to cancel it .😳😉🤔
I've been thinking about converting my original Nas to local backup device that's powered only when needed and going in for something like Google or Microsoft online storage. I'd still keep my nuc on for fast local file access. Anyway everyone should always keep in mind that NAS is not a good backup device. Critical backups should always be done on device that's used only for that moment and it should be stored somewhere else. For instance none of the backups made use if they're stored at same location and something like fire or thunder or something like that would be able to damage everything beyond repair. This is why online cloud services could be very good solution for many people. Though even then I'd highly recommend to get ie. big USB storage to do something like quarter early backups.
I have been thinking bout the cost benefit of owning a NAS recently myself. It really comes down to your view on privacy. For people who are not technical minded or interested in technology it is hard to recommend a NAS over cloud storage (Assuming they have reasonable data storage requirements). I have been considering using mine to host services as well, but then you have to factor in redundancy of the NAS. People also forget to factor in cost of UPS. You pay a lot for Synology NAS for the software essentially, if you not going to use the software it is expensive.
Great video! Same is valid for the router, do not allow connecting to the router's web interface outside your local network, if you don't use this option this is just a security risk you don't have to take. Use 2FA if it is available.
Lon, as always thanks for the info. You should re-link you video where you talk about properly setting up a NAS. I see people attempting to log into my Synology NAS all the time. They try the "admin" login which doesn't exist. I us my NAS to share out a lot of large files and need it accessible via the internet. Just lock it all down intelligently and properly and all will be hunky dory. ;-)
Great bit of info. I have clients setup with Synology Drives with upnp on routers disabled and VPN only access but will be double checking if Quickconnect has been disabled as well. I know you mentioned a few of the cloud storage options but was surprised that Microsoft 365 Family up to 6 users with 1tb cloud storage per user was not mentioned. I use this with my Synology setup at home backing up each user in the households OneDrive account daily plus an external drive backup as well. Have one way sync just in case stuff gets deleted on the OneDrive account. Thanks for the update.
Thanks- a few people commented on 365 - I didn’t include it because they really don’t have a good photo app on par with the ones I listed. I agree the storage cost is a good deal!
The other youtuber TFI problem was not having a second nas backing up the first one (raid is not a backup and use RAID6 or SHR2) had at least 3 other youtubers get mad at nas devices when they failed to setup backups when they fail and lost data ideally not from same company like qnap main, Synology backup and the backup nas should pull the data from main nas (never push if the main nas can write to backup nas it can encrypt or delete the backup) and all shares should be disabled on the backup nas (or at least readonly share) password for backup nas should be unique and Not saved on any computers locally (if a computer gets compromised with saved passwords they might format the backup nas)
Had a sustained attempt to crack my QNAP NAS a few weeks ago, ended up turning off all of the external services. Shame that I can't watch PLEX outside the home but better than waking up to a data crisis.
Lon, I’ve been silly the past few weeks by commenting on your weekly wrist snap without having much more than basic knowledge of most things you talk about I just want to say you, from a learning aspect, you do a great job on informing average IT people on knowledge like this. This is why I’ve been following your channel for years now. I remember the popped collar 🤣🤣🤣
Hey Lon, ERRATA, just wanted to say that Synology quick connect does NOT require punching holes in your router firewall. Your NAS dials OUT to the Synology cloud over https and maintains a connection for you to connect to. So a scan of your router would not have any open ports.
That is one use case and is slightly more secure. However by default it will use UPnP if the router has it enabled (which unfortunately is the default in many cases). And from my perspective having the NAS available to the outside - even relayed - without some form of authentication to reach it is a bit too risky.
Synology does NOT use port forwarding like Qnap was. Synology does NOT punch holes through the router. They use the Synology account and their services to broker a connection from your Synology NAS to your mobile device when you are not home. Qnap should be doing the same. Also UPNP is evil and everyone should be disabling it in their routers. The problem is game consoles are almost impossible to get working without UPNP so many people give up and turn it back on - but it's pretty stupid and the industry as a whole needs a lot better solutions for this stuff :p Also a NAS is NOT a backup solution. It can be a component in it, but you really do need have your own backups of it. Backblaze B2 is pretty inexpensive and there are many agents that will run on Qnap or Synology NASes allowing you to have an effective (and most importantly, automatic) off-site backup.
That was so nice of you to pick 2x2TB drives to make Cloud service look competitive. How about current mainstream 8-10TB and larger HDDs? Which Cloud offers so much storage and how much does it cost?
@@LonSeidman The point is that you can't even buy new 2TB drives these days, even basic USB drives are starting from 4-5TB, so comparing home storage that was mainstream 5-7 years ago with current cloud offerings is a little bit misleading.
Great video, I'm just about to buy a Synology and maybe for a future video show maybe how to setup a new NAS with the security in mind and show how to reliable get Plex running on the NAS and still have the NAS protected the best we can. Not sure if any security steps have changed since this video.
The primary reason I purchased my WD NAS is because I am sick of paying MS for cloud service. I understand there are threats, but then again, there are ALWAYS hackers out there… be it emails, messenger, accessing the internet webpages, or any smart device, even your cloud account can be hacked. We are ALWAYS under attach. The last thing I am going to do is to live in fear of hackers. BUT, I also do keep a close eye on my NAS and change my password consistently. I DO like the name change from “admin”. That is something I am going to do today.
I know you're backed up on video requests and content but the getting a router based VPN set up to specifically to access a NAS device would be great cause i don't think there are many good videos on youtube about that at the moment.
Thank you so much for this video. I bought my Synology NAS a couple of years ago because of your videos. It's been the best $400 I ever spent. I must stress that if anyone running a NAS, please, please, PLEASE BACK UP YOUR DATA! Even if your NAS is your main backup, BACK UP THE BACKUP. Never have single copies of files on the NAS only cus anything can happen. In my case, I sync everything on my NAS to Backblaze and run daily local network backups of my NAS to an external drive connected to my main computer. If you can't afford or dont want to pay for something like Backblaze or S3 or don't have an extra backup drive lying around, use something like Google Drive as a "backup" backup which Synology supports. Do whatever you can to protect your data.
I wonder if these different services offer cheap photo storage because they use the photos to train AI models. Essentially your photos are a revenue source. Apple being the likely outlier, as they're business model doesn't include mining user data.
Synology’s handling of this is unacceptable. I was considering if I should build a TrueNAS based server or buy a Synology. If Synology does not revert this and make clear they won’t lock customers out of their data again, Synology is out of the question.
with the advances in subscription based services I suspect everyone within the NAS space will end within the ransomware space which locks you out of the consoles in general, my guess NAS providers don't want that secret getting out even knowing it is an exploit from a 3rd party which most likely becomes a feature in the next firmware/software update down the track.. Whilst i love the idea of remote access from far away places there isn't really a secure option these days when and where you can access.. cloud servicings sounds fine on paper however from a security and paywall perspective don't pay a fee loose access to either link or hardware.. long term feasibility of pc and console gaming and to lessor extent to content creation we have been at a storage medium games in the home nas or server space for over 20 years given this context of streaming on multiple platforms is kinda the normal these days I would suggest you no low ball specifications as you know most are likely heading to the route of 5-10 between 12-18TB from a server perspective most likely the highest standard per TB in ssds as caching 1/2 to 3/4's of what ever the final tally in hdd's within the 16-18TB space, it may be cheaper deploying 1.8 patabyte solution with a 100TB 1.2 petabyte ssd solution as a cache christ know's what type of ram will be a need within the interface
Hey Lon, I know this wasn't the main focus of this video but I highly recommend you check out Microsoft's OneDrive and see if you'd recommend that to people. You get 1TB of OneDrive storage with an Office365 account (up to 5 accounts with the family plan with 1TB each) and in addition to it being native to Windows 10 it can do real-time backups as files change and if it detect a lot of file changes (i.e. ransomware) you'll get an e-mail warning you about a lot of file changes and ask if you want to restore from the previous version (held up to 30 days of the change). I'll stick with my Synology solution for my own devices, but for my kid's PC I find OneDrive in addition to nightly images via Synology to be really helpful.
@@LonSeidman They do but it's very basic, not nearly as good as Google Photos or Amazon Photos. It's basically just a folder of all of your photos/videos in your OneDrive organized by date and you can create your own albums but nothing fancy like facial recognition.
Always encrypt ALL your data so that no matter whose hands the data eventually gets into it won't be readable. Also, if no need to remotely access data on NAS, simple solution is to not assign device a default gateway so it simply won't know how to get out to the internet.
First I don’t use quick connect access features for any devices, never use UPnP, have several layers of security, I ‘ALWAYS’ setup 2FA for all accounts, also have more than two copies of data and a lot of other things.
@@TheKingOfInappropriateComments I edit the account profile of admin under users and check "disable this account". You need to be logged in as another account who has access to do this
@@MarkDell Thanks for your reply. Even when I log in under the different user (With control panel access and full permissions) the checkbox to disable admin is greyed out. I seem to remember having this conversation with tech support over this issue and was left believing that you could create a new user but you can't get rid of admin. I can change the file permissions to deny for admin but I can't disable admin.
@@TheKingOfInappropriateComments Make sure the account you're logging into is added to the "administrators" user group. I've done this on several QNAP devices so I'm sure this is possible
Found thousands of attempts to log on as admin on my QNAP box. The Admin account had been disabled and had a VERY long password in any case. Godlike account took care of admin on the box. The next step? Since the ONLY users are on the local net, I simply removed the default gateway and gave the nas a static IP address. When the management software (on a pc) told me there was an update available, just move the ethernet cable to port 2 from port 1.. get a dynamic address with a gateway, and good things happen. After updating, move the ethernet back to the port 1 with no DG. The problem with
I went for cloud 5 years ago, cost wise is was the best solution. 100 euro a year for 2TB and that was enough for me. And important not a US or UK company.
I use Synology’s “Quick Connect” but it works without using my router’s UPNP functions, which I would never turn on. I only open the NAS (and restrict access) for the Moments photos app. I also have taken the other recommended security steps (disabled admin account, random generated passwords, 2FA on accounts, auto updates, etc). Using Quick Connect in this way seems safer than opening ports in my router and port forwarding traffic to my NAS. Let me know if I’m wrong. I know nothing exposed to the internet is safe.
@@wolfie3098 Lon replied to my other comment saying Quick Connect gives the option to use UPNP (possibly as default) when setting it up to bypass their relay. It’s been a long time since I did that so I can’t remember, but I bet he’s right. I know UPNP is an option with Synology (Linus Tech Tips surprisingly showed a tutorial using UPNP and HyperBackup Vault to an offsite NAS) so offering that as the default just seems wrong to me.
I definitely agree on 2FA I should have mentioned it in the tips section. I would recommend it especially for people who are exposing their NAS to the outside.
Me too also add to that automatic block for 3 failed login attempts and you are golden. Remember to have a 2nd backup account in case you main one gets blocked
Note the latest version of Synology software now prevent you from loading the pool if using btrfs on an "unsupported" nas if you update the OS (doesn't even bloody warn you and its a minor update) this apply's to j/play and maybe plus models (+ is fine,, plus is not same as +) You have to ssh and re enable btrfs into a Config file
I already had a VPN set up years ago when I noticed the brute force attacks on the admin account from China and Russia. Ever since I did that, those attempts never appeared again. In a way, just setting up your own VPN is way easier than forwarding the dozens of ports the NAS needs to get all features working, and it also serves well to hide your traffic when you are sitting on public WiFi. Honestly, PiVPN + PiHole should be standard equipment on all home networks. I wouldn't trust a cloud service. At least the ransomware criminals are upfront about what data they steal from you.
I was wondering about Plex remote access on a NAS. I have my Plex media server set up for my daughter to watch her shows while away at college. Is this a possible security risk like quickconnect? Thanks for the video. Very helpful.
There's always some risk in having anything exposed to the Net although there aren't any known exploits for a Plex server. My advice would be to ensure that the Plex user on your NAS does not have access to your more sensitive file shares. Plex recently enabled a secure feature for self-hosted Plex servers that might be worth looking at. support.plex.tv/articles/206225077-how-to-use-secure-server-connections/
I always have UPnP and port forwarding disabled on my router. But I enabled quickconnect. My understanding is that in this case the NAS maintains connection with Synology server and all traffic is routed through their server. It is slow to access externally, but comes handy when I need small files from the NAS. Is this also dangerous? Should I completely disable external accessing?
If it’s relaying you might be a little safer and less likely to pop up on a random IP scan, but if somebody stumbles across the quickconnect address you’re still exposed to the public Internet.
I made a separate comment on this, but I think you’re right. I believe quick connect works like a VPN (relay) but we have to trust Synology’s implementation. On our end we need to make sure we have a good password, 2FA enabled, and the admin account disabled (along with the other recommended Synology security steps -plenty of UA-cam vids on this topic). Nothing exposed to the net is completely safe, but assuming Synology keeps their relay service safe and you keep your credentials safe, then this is better than poking holes (opening ports) in your router firewall - IMO. That’s a risk I’m willing to take, but I also use HyperBackup to the cloud if it fails. I will never trust UPNP or anyone who suggests using it!
@@notreallyme425 In looking at the documentation it appears as though it'll attempt a UPnP to the router when setting up QuickConnect -- if that fails it'll revert to the relay server. I'd feel more comfortable if they gave the user a choice. But you are correct in that the relay server is definitely safer provided you have strong passwords/2FA AND synology has their act together on keeping the relay servers secure.
@@LonSeidman I know WD My Clouds aren't technically NAS's, but do the same vulnerability rules apply? Should you not use the app to access remotely? Thanks!
The whole "snapshot could reverse damages by ransomwares" is largely invalid since the Qlocker-gate. The snapshots are not even files; they are not supposed to be accessible except by Qnap... Snapshots are pointless now. The only safe way for average consumers I can see is M-Disc. However, development of this tech seems stopped for years so that it has no terabytes class discs. Sony's optical archive solution seems great except for the pricing.
Well, just yesterday midnight my QNAP was ENCRYPTED (not 7 zipped), the file names and structures are intact, only .zip, .pdf, .txt , .jpg and other common files have an additional .encrypted extension - e.g. text.txt.encrypted. This seems to be a new version of some ransomware (updated Qlocker? Who knows...) and there is no solution avaialable so far. Fortunately I had no critial data there, and all my FLAC files were left unencrypted. So take care guys.
UPnP is dangerous. .-. The could stuff should use asymmetrical encryption to establish hole punched sessions with keys that are never sent over the WAN. But that's too complicated isn't it? .-. Edit: Also asymmetrical connection to the matchmaking server so your junk isn't just opening a port.
I think the time is right to roll my own NAS. I certainly have the hardware lying around. EDIT: MS Office 365 family plan is $99/year for 5 TB. That's the best deal going IMO. Just make sure you encrypt everything.
Unless you write all the code from the bootloader on up, AND test it more than all open source and commercial, rolling your own will not get you any real word advantage.
Depending on who your employer is, check to see if they partner with Microsoft for their "Home Use Program". Sometimes you can snag a decent discount off the one year sub price for Office 365. I think normally my employer offers it at a 20% discount off the full year price, I was able recently to snag a year for half off with the auto renew clocking in with the regular discount after that.
My original iteration of my Windows 2019 NAS/server got hit with a ransomware attack really bad and I could not figure out how. I lost the last 15 years of my life, all my MP3s and photos and Tutbotax (although I store my Turbotax on their website now). I had remote desktop and remote FTP/SMB enabled on it. Now, I still have it enabled but I have AV setup. I have some stuff calculating away on it that I need the storage space. I have yet to get any ransomware since. I will probably back up this thing eventually once it gets more full.
Well in my opinion there's nothing to be ashamed. Networking isn't something easy to do and remember getting all the vulnerabilities out of the system. It's actually very hard and even tech savvy people can fail in some settings. I hardly think anyone is doing purposely some critical settings for just ease of access if they're even slightly aware of the dangers it can create. One thing is that there's easy to find guides that can result in devastating results. I really don't consider myself to be anywhere near networking specialist, but still I've stumbled into couple ie. very alarming feeling NextCloud tutorials.
I don't get why people don't have an other name for their admin accounts. Every time when I set up a device I change that for a more personalized one. My username is "password" and my password is "admin". JK.
Build a PC, put some drives in it, install Linux, create an array however you like: ZFS, Btrfs, MD, or hell, even hardware if you wanna go that route, control it all yourself :P There's even distros that provide a GUI to do all this. Don't use unraid though, I promise one day we'll see they have the same issue. They went almost a year without a single patch which is asinine, not to mention they basically run everything as root because they consider themselves an "appliance", as if that even matters.
DO NOT DISABLE QUICKCONNECT! Sorry, normally I love your videos, but this time you have no clue what happened! It is same like saying disable your phone SIM card! Access it only at Granma's house or while calling a landline. Silly. Synology users were hacked because people used ADMIN account with a password ="password" or cats name and so on. Same like having a 0000 passcode on a smartphone. Qnap case was an actual backdoor open via HBS application. This was bad, but again NOTHING to do with their CloudLink / QuickConnect. Disabling this is silly. But I do like your other suggestions: -Disable uPNP / Port forwarding (don't need this) -enable automatic updates -disable/change names for Admin accounts. And use it only for Admin/managing things not for regular access. (also keep it safe/ enable two step auth. and brute force auto lock) I would not yet move to the cloud- too expensive, and no clue who is looking at your data/ pictures. They have admins (human factor).
By default quick connect uses upnp - average consumers just leave that function on their router enabled. Bad practice. I prefer to leave my nas invisible to the outside world which is why I think disabling it completely is the safest option.
The UPNP and security issues are very important - good job, thanks.
Was not aware of the Synology situation. Thanks for sharing this info. I honestly didn't even remember setting up that quick connect and I've never used it. No reason to have that enabled.
It's more a user problem with Synology (using admin and simple password) but I still won't enable quick connect thought
Very good advice. I have a Synology - the most basic model - I set up a long time ago. No major complaints. Need to go back and revisit the settings. I think I enabled Quick Connect as a temporary convenience. Don't need it. I later installed its VPN app, which actually seems to work very well. Since this is the most basic (i.e. cheapest) model (that I got as an experiment), its RAM is soldered in so I can't upgrade and am limited to the number of apps I can install.
I also was able to set up a NAS on a Raspberry Pi which works, but its throughput somehow is painfully slow compared to the Synology. Haven't had the time to investigate.
I do not put any information that is intensely personal accessible via the internet. Like bank accounts, passwords, etc.
Those outfits who call themselves "VPN" I think are misleading the public. "Proxy server" is the more honest term.
And I NEVER trust the "cloud." Google, Amazon, MS and the rest. I want to hold my data in my own grubby little hands. I have had TOO MANY bad experiences where cloud services have flaked out on me. They are ok for backup, if encrypted, but that's it.
I have a 3-year-old Synology as my primary NAS. About once a month I back it up to my old 1st gen Drobo. I also back up the NAS to an external hard drive and store that hard drive at work. QuickConnect is turned off on my Synology.
My suggested solution to ransomware prevention:
0. HAVE A FULL OFFLINE BACKUP that is only connected when backing up and safely ejected
⚠️AND DISCONNECT⚠️
NOTE: If the hacker manages to get in and restart your NAS device the drive will show up so PHYSICALLY UNPLUG IT
1. Unique Password with 11 characters or more
2. Limit the number of login attempts
I’ve had a QNAP for eight years just replaced drives in 2019 they were still ok but no need to push it , just a simple one terabyte , now two terabytes of RAID ONE . Yes I did work as a SAN administrator amongst other things so firmware upgrades etc were not an issue plus I use freeware ROCKSTOR NAS in my garage as a backup for QNAP so no issues . I think you’re correct these things are sold like toasters to the general public who is not ready or aware of all the hand feeding required for a NAS . Good overview for the general public thanks .
P S my old Alma Matter gives me a one terrabyte cloud storage allotment for free go figure I keep waiting for them to cancel it .😳😉🤔
I've been thinking about converting my original Nas to local backup device that's powered only when needed and going in for something like Google or Microsoft online storage. I'd still keep my nuc on for fast local file access. Anyway everyone should always keep in mind that NAS is not a good backup device. Critical backups should always be done on device that's used only for that moment and it should be stored somewhere else. For instance none of the backups made use if they're stored at same location and something like fire or thunder or something like that would be able to damage everything beyond repair. This is why online cloud services could be very good solution for many people. Though even then I'd highly recommend to get ie. big USB storage to do something like quarter early backups.
I have been thinking bout the cost benefit of owning a NAS recently myself. It really comes down to your view on privacy. For people who are not technical minded or interested in technology it is hard to recommend a NAS over cloud storage (Assuming they have reasonable data storage requirements). I have been considering using mine to host services as well, but then you have to factor in redundancy of the NAS. People also forget to factor in cost of UPS. You pay a lot for Synology NAS for the software essentially, if you not going to use the software it is expensive.
Great video! Same is valid for the router, do not allow connecting to the router's web interface outside your local network, if you don't use this option this is just a security risk you don't have to take. Use 2FA if it is available.
Lon, as always thanks for the info. You should re-link you video where you talk about properly setting up a NAS. I see people attempting to log into my Synology NAS all the time. They try the "admin" login which doesn't exist. I us my NAS to share out a lot of large files and need it accessible via the internet. Just lock it all down intelligently and properly and all will be hunky dory. ;-)
Great bit of info. I have clients setup with Synology Drives with upnp on routers disabled and VPN only access but will be double checking if Quickconnect has been disabled as well. I know you mentioned a few of the cloud storage options but was surprised that Microsoft 365 Family up to 6 users with 1tb cloud storage per user was not mentioned. I use this with my Synology setup at home backing up each user in the households OneDrive account daily plus an external drive backup as well. Have one way sync just in case stuff gets deleted on the OneDrive account. Thanks for the update.
Thanks- a few people commented on 365 - I didn’t include it because they really don’t have a good photo app on par with the ones I listed. I agree the storage cost is a good deal!
Thank you for sharing Lon. Informative as always.
The other youtuber TFI problem was not having a second nas backing up the first one (raid is not a backup and use RAID6 or SHR2) had at least 3 other youtubers get mad at nas devices when they failed to setup backups when they fail and lost data
ideally not from same company like qnap main, Synology backup and the backup nas should pull the data from main nas (never push if the main nas can write to backup nas it can encrypt or delete the backup) and all shares should be disabled on the backup nas (or at least readonly share) password for backup nas should be unique and Not saved on any computers locally (if a computer gets compromised with saved passwords they might format the backup nas)
That Synology situation is pretty awful. It's like companies want to teach users never to install updates. Just awful from a security standpoint.
Had a sustained attempt to crack my QNAP NAS a few weeks ago, ended up turning off all of the external services. Shame that I can't watch PLEX outside the home but better than waking up to a data crisis.
Lon, I’ve been silly the past few weeks by commenting on your weekly wrist snap without having much more than basic knowledge of most things you talk about
I just want to say you, from a learning aspect, you do a great job on informing average IT people on knowledge like this. This is why I’ve been following your channel for years now.
I remember the popped collar 🤣🤣🤣
Hey Lon, ERRATA, just wanted to say that Synology quick connect does NOT require punching holes in your router firewall. Your NAS dials OUT to the Synology cloud over https and maintains a connection for you to connect to. So a scan of your router would not have any open ports.
That is one use case and is slightly more secure. However by default it will use UPnP if the router has it enabled (which unfortunately is the default in many cases). And from my perspective having the NAS available to the outside - even relayed - without some form of authentication to reach it is a bit too risky.
Synology does NOT use port forwarding like Qnap was. Synology does NOT punch holes through the router. They use the Synology account and their services to broker a connection from your Synology NAS to your mobile device when you are not home. Qnap should be doing the same.
Also UPNP is evil and everyone should be disabling it in their routers. The problem is game consoles are almost impossible to get working without UPNP so many people give up and turn it back on - but it's pretty stupid and the industry as a whole needs a lot better solutions for this stuff :p
Also a NAS is NOT a backup solution. It can be a component in it, but you really do need have your own backups of it. Backblaze B2 is pretty inexpensive and there are many agents that will run on Qnap or Synology NASes allowing you to have an effective (and most importantly, automatic) off-site backup.
That was so nice of you to pick 2x2TB drives to make Cloud service look competitive. How about current mainstream 8-10TB and larger HDDs? Which Cloud offers so much storage and how much does it cost?
Valid point. Some 4K selfhosted video's and one surpasses 4 Tb easily.
If you need that much storage you’re likely not an average consumer.
@@LonSeidman The point is that you can't even buy new 2TB drives these days, even basic USB drives are starting from 4-5TB, so comparing home storage that was mainstream 5-7 years ago with current cloud offerings is a little bit misleading.
@Super Mario Are you feeling alright mate? Seek help, you definitely need it.
@@LonSeidman Maybe not. But if you are in the market for a NAS at all you probably are looking at more than 4 TB storage (or 2TB with redundancy).
Great video, I'm just about to buy a Synology and maybe for a future video show maybe how to setup a new NAS with the security in mind and show how to reliable get Plex running on the NAS and still have the NAS protected the best we can. Not sure if any security steps have changed since this video.
Follow up to this I use Apple Router don't see a UPnP option :(
The primary reason I purchased my WD NAS is because I am sick of paying MS for cloud service. I understand there are threats, but then again, there are ALWAYS hackers out there… be it emails, messenger, accessing the internet webpages, or any smart device, even your cloud account can be hacked. We are ALWAYS under attach. The last thing I am going to do is to live in fear of hackers. BUT, I also do keep a close eye on my NAS and change my password consistently.
I DO like the name change from “admin”. That is something I am going to do today.
I know you're backed up on video requests and content but the getting a router based VPN set up to specifically to access a NAS device would be great cause i don't think there are many good videos on youtube about that at the moment.
Thank you so much for this video. I bought my Synology NAS a couple of years ago because of your videos. It's been the best $400 I ever spent.
I must stress that if anyone running a NAS, please, please, PLEASE BACK UP YOUR DATA! Even if your NAS is your main backup, BACK UP THE BACKUP. Never have single copies of files on the NAS only cus anything can happen. In my case, I sync everything on my NAS to Backblaze and run daily local network backups of my NAS to an external drive connected to my main computer. If you can't afford or dont want to pay for something like Backblaze or S3 or don't have an extra backup drive lying around, use something like Google Drive as a "backup" backup which Synology supports. Do whatever you can to protect your data.
yes this! Offsite backup is super important!
My 918+ backs up to an offsite 918+. I also have a smaller external hard drive that i back up my most valuable things every few weeks.
Alsowaya have a standalone backup even if it's once a year just for photos that's locked up in a safe unplugged
Once a year? 🙄
I wonder if these different services offer cheap photo storage because they use the photos to train AI models. Essentially your photos are a revenue source. Apple being the likely outlier, as they're business model doesn't include mining user data.
Synology’s handling of this is unacceptable. I was considering if I should build a TrueNAS based server or buy a Synology. If Synology does not revert this and make clear they won’t lock customers out of their data again, Synology is out of the question.
with the advances in subscription based services I suspect everyone within the NAS space will end within the ransomware space which locks you out of the consoles in general, my guess NAS providers don't want that secret getting out even knowing it is an exploit from a 3rd party which most likely becomes a feature in the next firmware/software update down the track..
Whilst i love the idea of remote access from far away places there isn't really a secure option these days when and where you can access..
cloud servicings sounds fine on paper however from a security and paywall perspective don't pay a fee loose access to either link or hardware..
long term feasibility of pc and console gaming and to lessor extent to content creation we have been at a storage medium games in the home nas or server space for over 20 years given this context of streaming on multiple platforms is kinda the normal these days
I would suggest you no low ball specifications as you know most are likely heading to the route of 5-10 between 12-18TB from a server perspective most likely the highest standard per TB in ssds as caching 1/2 to 3/4's of what ever the final tally in hdd's within the 16-18TB space, it may be cheaper deploying 1.8 patabyte solution with a 100TB 1.2 petabyte ssd solution as a cache christ know's what type of ram will be a need within the interface
Hey Lon, I know this wasn't the main focus of this video but I highly recommend you check out Microsoft's OneDrive and see if you'd recommend that to people. You get 1TB of OneDrive storage with an Office365 account (up to 5 accounts with the family plan with 1TB each) and in addition to it being native to Windows 10 it can do real-time backups as files change and if it detect a lot of file changes (i.e. ransomware) you'll get an e-mail warning you about a lot of file changes and ask if you want to restore from the previous version (held up to 30 days of the change). I'll stick with my Synology solution for my own devices, but for my kid's PC I find OneDrive in addition to nightly images via Synology to be really helpful.
Do they have a photo organizer / app?
@@LonSeidman They do but it's very basic, not nearly as good as Google Photos or Amazon Photos. It's basically just a folder of all of your photos/videos in your OneDrive organized by date and you can create your own albums but nothing fancy like facial recognition.
Always encrypt ALL your data so that no matter whose hands the data eventually gets into it won't be readable. Also, if no need to remotely access data on NAS, simple solution is to not assign device a default gateway so it simply won't know how to get out to the internet.
Ransomware doesn’t care about your data, it just wants to destroy it. Encrypting your data will NOT prevent it from being encrypted again.
First I don’t use quick connect access features for any devices, never use UPnP, have several layers of security, I ‘ALWAYS’ setup 2FA for all accounts, also have more than two copies of data and a lot of other things.
My QNAP gets absolutely pounded with admin logins, but fortunately I got the account disabled. I really need to take the time to set up that VPN
how do you disable the admin? Mine wont let me.
@@TheKingOfInappropriateComments I edit the account profile of admin under users and check "disable this account". You need to be logged in as another account who has access to do this
@@MarkDell Thanks for your reply. Even when I log in under the different user (With control panel access and full permissions) the checkbox to disable admin is greyed out. I seem to remember having this conversation with tech support over this issue and was left believing that you could create a new user but you can't get rid of admin. I can change the file permissions to deny for admin but I can't disable admin.
@@TheKingOfInappropriateComments Make sure the account you're logging into is added to the "administrators" user group. I've done this on several QNAP devices so I'm sure this is possible
Mark Dell it is in the administrators group. What models have you done it in?
Found thousands of attempts to log on as admin on my QNAP box. The Admin account had been disabled and had a VERY long password in any case. Godlike account took care of admin on the box. The next step? Since the ONLY users are on the local net, I simply removed the default gateway and gave the nas a static IP address. When the management software (on a pc) told me there was an update available, just move the ethernet cable to port 2 from port 1.. get a dynamic address with a gateway, and good things happen. After updating, move the ethernet back to the port 1 with no DG. The problem with
I went for cloud 5 years ago, cost wise is was the best solution. 100 euro a year for 2TB and that was enough for me. And important not a US or UK company.
What cloud service do you use?
Keep up the great work
Thats why I got 2nd and 3rd back up options on top of my ds720+ nas server like my external hard drive and cloud sync to my Google Drive just in case
I use Synology’s “Quick Connect” but it works without using my router’s UPNP functions, which I would never turn on. I only open the NAS (and restrict access) for the Moments photos app. I also have taken the other recommended security steps (disabled admin account, random generated passwords, 2FA on accounts, auto updates, etc). Using Quick Connect in this way seems safer than opening ports in my router and port forwarding traffic to my NAS. Let me know if I’m wrong. I know nothing exposed to the internet is safe.
I prefer to have moments app sync up only when I'm home over WiFi.
You are not wrong. It’s more secure. He mixes up what quick connect does. But sure it’s still an attack vector just like any other cloud provider.
@@wolfie3098 Lon replied to my other comment saying Quick Connect gives the option to use UPNP (possibly as default) when setting it up to bypass their relay. It’s been a long time since I did that so I can’t remember, but I bet he’s right. I know UPNP is an option with Synology (Linus Tech Tips surprisingly showed a tutorial using UPNP and HyperBackup Vault to an offsite NAS) so offering that as the default just seems wrong to me.
I didn't see you state enabling 2FA, while not a complete protection. I do think it adds another obstacle for hackers.
I definitely agree on 2FA I should have mentioned it in the tips section. I would recommend it especially for people who are exposing their NAS to the outside.
I use 2FA with synology as well as snapshots and Backups
This
Me too also add to that automatic block for 3 failed login attempts and you are golden. Remember to have a 2nd backup account in case you main one gets blocked
I'm not surprised TFI got hacked, considering what he does for a living he really doesn't know CAD or computers very well
i have used flickr for14 years and have not had a problem with my photos
Great content! I'd be interested in an update video about this by in regards to WD Mycloud.
WD also has a remote access feature that I would definitely disable too :)
btrfs is also available on a NON-Intel device the DS218 (not DS218play) and DS418 which uses the realtek processor
Note the latest version of Synology software now prevent you from loading the pool if using btrfs on an "unsupported" nas if you update the OS (doesn't even bloody warn you and its a minor update) this apply's to j/play and maybe plus models (+ is fine,, plus is not same as +)
You have to ssh and re enable btrfs into a Config file
Lon, you are the best!!!
I already had a VPN set up years ago when I noticed the brute force attacks on the admin account from China and Russia. Ever since I did that, those attempts never appeared again.
In a way, just setting up your own VPN is way easier than forwarding the dozens of ports the NAS needs to get all features working, and it also serves well to hide your traffic when you are sitting on public WiFi. Honestly, PiVPN + PiHole should be standard equipment on all home networks.
I wouldn't trust a cloud service. At least the ransomware criminals are upfront about what data they steal from you.
I was wondering about Plex remote access on a NAS. I have my Plex media server set up for my daughter to watch her shows while away at college. Is this a possible security risk like quickconnect? Thanks for the video. Very helpful.
There's always some risk in having anything exposed to the Net although there aren't any known exploits for a Plex server. My advice would be to ensure that the Plex user on your NAS does not have access to your more sensitive file shares. Plex recently enabled a secure feature for self-hosted Plex servers that might be worth looking at. support.plex.tv/articles/206225077-how-to-use-secure-server-connections/
My QNAP NAS was hacked over a year ago, and I was 95% sure at the time that they hacked through myqnapcloud.
I always have UPnP and port forwarding disabled on my router. But I enabled quickconnect. My understanding is that in this case the NAS maintains connection with Synology server and all traffic is routed through their server. It is slow to access externally, but comes handy when I need small files from the NAS. Is this also dangerous? Should I completely disable external accessing?
If it’s relaying you might be a little safer and less likely to pop up on a random IP scan, but if somebody stumbles across the quickconnect address you’re still exposed to the public Internet.
I made a separate comment on this, but I think you’re right. I believe quick connect works like a VPN (relay) but we have to trust Synology’s implementation. On our end we need to make sure we have a good password, 2FA enabled, and the admin account disabled (along with the other recommended Synology security steps -plenty of UA-cam vids on this topic). Nothing exposed to the net is completely safe, but assuming Synology keeps their relay service safe and you keep your credentials safe, then this is better than poking holes (opening ports) in your router firewall - IMO. That’s a risk I’m willing to take, but I also use HyperBackup to the cloud if it fails. I will never trust UPNP or anyone who suggests using it!
@@notreallyme425 In looking at the documentation it appears as though it'll attempt a UPnP to the router when setting up QuickConnect -- if that fails it'll revert to the relay server. I'd feel more comfortable if they gave the user a choice. But you are correct in that the relay server is definitely safer provided you have strong passwords/2FA AND synology has their act together on keeping the relay servers secure.
@@LonSeidman I know WD My Clouds aren't technically NAS's, but do the same vulnerability rules apply? Should you not use the app to access remotely? Thanks!
The whole "snapshot could reverse damages by ransomwares" is largely invalid since the Qlocker-gate. The snapshots are not even files; they are not supposed to be accessible except by Qnap... Snapshots are pointless now. The only safe way for average consumers I can see is M-Disc. However, development of this tech seems stopped for years so that it has no terabytes class discs. Sony's optical archive solution seems great except for the pricing.
Well, just yesterday midnight my QNAP was ENCRYPTED (not 7 zipped), the file names and
structures are intact, only .zip, .pdf, .txt , .jpg and other common
files have an additional .encrypted extension - e.g. text.txt.encrypted.
This seems to be a new version of some ransomware (updated Qlocker? Who
knows...) and there is no solution avaialable so far. Fortunately I had no
critial data there, and all my FLAC files were left unencrypted. So
take care guys.
UPnP is dangerous. .-.
The could stuff should use asymmetrical encryption to establish hole punched sessions with keys that are never sent over the WAN.
But that's too complicated isn't it? .-.
Edit:
Also asymmetrical connection to the matchmaking server so your junk isn't just opening a port.
Thanks Lon!
One easy secret always but devices that you can change the port on the device and app 😉 then use a port nothing else uses.
Cloud should be your 2nd or 3rd copy, not your primary.
I think the time is right to roll my own NAS. I certainly have the hardware lying around.
EDIT: MS Office 365 family plan is $99/year for 5 TB. That's the best deal going IMO. Just make sure you encrypt everything.
Unless you write all the code from the bootloader on up, AND test it more than all open source and commercial, rolling your own will not get you any real word advantage.
Depending on who your employer is, check to see if they partner with Microsoft for their "Home Use Program". Sometimes you can snag a decent discount off the one year sub price for Office 365. I think normally my employer offers it at a 20% discount off the full year price, I was able recently to snag a year for half off with the auto renew clocking in with the regular discount after that.
My netgear readynas 102 from 2014 have btrfs also.
My synology warned me before I had a brute force attack and I made another account.
My synology router had temporary disable or block ip from default with bad log in. Turned that to ban long ago for peace of mind
so ADMIN and 12345 is not secure?
Good thing I only have my Synology on for 1 day out of the week!
QNAP wont let me disable the admin user. I can add new users but can't get rid of admin or really change much about it.
I disabled mine two years ago, I was under attack for hours trying to figure out my password.
My original iteration of my Windows 2019 NAS/server got hit with a ransomware attack really bad and I could not figure out how. I lost the last 15 years of my life, all my MP3s and photos and Tutbotax (although I store my Turbotax on their website now). I had remote desktop and remote FTP/SMB enabled on it. Now, I still have it enabled but I have AV setup. I have some stuff calculating away on it that I need the storage space. I have yet to get any ransomware since. I will probably back up this thing eventually once it gets more full.
NAT is not a firewall
🤦🏽♂️🤦🏽♂️🤦🏽♂️ to everyone leaving open holes in their firewall for “convenience”.
Well in my opinion there's nothing to be ashamed. Networking isn't something easy to do and remember getting all the vulnerabilities out of the system. It's actually very hard and even tech savvy people can fail in some settings. I hardly think anyone is doing purposely some critical settings for just ease of access if they're even slightly aware of the dangers it can create. One thing is that there's easy to find guides that can result in devastating results. I really don't consider myself to be anywhere near networking specialist, but still I've stumbled into couple ie. very alarming feeling NextCloud tutorials.
One reason to use a DAS instead of a NAS.
Turn of UPNP, easy as that
No they are never worth it. Build your own using OpenMediaVault.
I don't get why people don't have an other name for their admin accounts. Every time when I set up a device I change that for a more personalized one.
My username is "password" and my password is "admin". JK.
Build a PC, put some drives in it, install Linux, create an array however you like: ZFS, Btrfs, MD, or hell, even hardware if you wanna go that route, control it all yourself :P There's even distros that provide a GUI to do all this. Don't use unraid though, I promise one day we'll see they have the same issue. They went almost a year without a single patch which is asinine, not to mention they basically run everything as root because they consider themselves an "appliance", as if that even matters.
DO NOT DISABLE QUICKCONNECT! Sorry, normally I love your videos, but this time you have no clue what happened!
It is same like saying disable your phone SIM card! Access it only at Granma's house or while calling a landline. Silly.
Synology users were hacked because people used ADMIN account with a password ="password" or cats name and so on.
Same like having a 0000 passcode on a smartphone.
Qnap case was an actual backdoor open via HBS application. This was bad, but again NOTHING to do with their CloudLink / QuickConnect.
Disabling this is silly.
But I do like your other suggestions:
-Disable uPNP / Port forwarding (don't need this)
-enable automatic updates
-disable/change names for Admin accounts. And use it only for Admin/managing things not for regular access. (also keep it safe/ enable two step auth. and brute force auto lock)
I would not yet move to the cloud- too expensive, and no clue who is looking at your data/ pictures. They have admins (human factor).
By default quick connect uses upnp - average consumers just leave that function on their router enabled. Bad practice. I prefer to leave my nas invisible to the outside world which is why I think disabling it completely is the safest option.
Aggravation? More like laziness… 😁
Synology is like a tyrant dictating what supports and what not
China
BTRFS is a child’s toy. Use ZFS