Ask HN: How can a content creator (not “IT saavy”)set up a NAS safely/correctly?

3 points by delgaudm ↗ HN
I make long form video and audio as a sole proprietor working from home. I have many terabytes of data, stored on a QNAP NAS. How can I figure out if my configuration / set up keeps my data safe, secured, protected, etc. Are there checklists or best practices a layperson can follow to ensure my data is safe and my device doesn't become compromised?

Challenges: Firewalls, networking, routers are largely blackboxes to me, so I don't have a ton of knowledge of concepts / terminology.

6 comments

[ 3.3 ms ] story [ 22.0 ms ] thread
I have used mostly Synology in the past, so I have no hands-on experience with QNAP, but I am also pretty sure they are very similar types of Linux based with tons of features boxes.

QNAS does have a guide:

https://www.qnap.com/en/how-to/faq/article/what-is-the-best-...

However, I want to stress the following points:

0. Do not use a NAS as your only backup, and definitely back up data only on the NAS to another location (cloud?). 1. Do you need to access the NAS from elsewhere? Do you REALLY need it? If yes, consider setting up a VPN, but no matter what you do, do not expose the NAS directly to the Internet through your firewall or a cloud service. 2. Enable automatic updates - there are enough vulnerabilities in these boxes that it is worth patching first and asking questions later. 3. Depending on the data you store, consider encryption. For example, if you only use a NAS to do Time Machine backups, encrypt your backups. Most NAS boxes also support encrypting entire drives, which is very practical if someone steals the box away from you physically, but will not add protection to attacks once it is powered on.

I'm really grateful for your input.

I ONLY need access from the local network (mostly one PC) -- I want to ensure it is specifically NOT accessible from the outside. I patch every time the box tells me a patch is available.

This article[0] says "QNAP told users to immediately yank their internet-exposed NAS devices off the internet". That made me realize that I'm not knowledgeable enough to know beyond a doubt that my device is not "on the internet" if it's downloading and applying updates.

I sometimes feel like the only way I can do it is wrong: that without a deep understanding of what could happen, that I can't know I've done it right.

[0]https://threatpost.com/most-qnap-nas-devices-affected-by-dir...

Rather than fretting about if your configuration is correct, spend that time creating an offline back up. That way you’re covered for a multitude of disasters.
Thanks, I've been working through getting Backblaze to make a backup of it, apparently it's separate from my regular Backblaze backup.

That's not confusing at all.

I appreciate your help!

No matter how good the setup is, the most obvious vulnerability are always unattended unlocked devices with access to the NAS. Even better if there is some remote session, that isn't properly signed out.

Some very basic discipline will protect you a long way.

Beyond that comes the realm of the dark wizards of HN.

If you like to learn about firewalls try this sword

https://wiki.ipfire.org/what-is-ipfire

but be warned, it is enchanted with paranoia.