How to Secure Your Synology NAS from Ransomware

A Synology NAS with one hard drive partially removed.
Josh Hendrickson
Recently, some Synology owners discovered that all the files on their NAS system were encrypted. Unfortunately, some ransomware had infected the NAS and demanded payment to restore the data. Here’s what you can do to secure your NAS.

How to Avoid the Ransomware Attack

Synology is warning NAS owners of several ransomware attacks that hit some users recently. The attackers use brute-force methods to guess the default password—essentially, they try every password possible until they get a match. Once they find the right password and gain access to the network-attached storage device, the hackers encrypt all the files and demand a ransom.

You have several options to choose from to prevent attacks like this. You can disable remote access altogether, allowing only local connections. If you need remote access, you could set up a VPN to restrict access to your NAS. And if a VPN isn’t a good option (because of slow networks, for instance), you can harden your remote access options.

Option 1: Disable Remote Access

Synology Control panel showing QuickConnect and External Access options.

The most secure option you can choose is disabling remote connection features entirely. If you can’t access your NAS remotely, then neither can a hacker. You will lose some on-the-go convenience, but if you only work with your NAS at home—to watch movies, for instance—then you may not miss the remote features at all.

Most recent Synology NAS units include a QuickConnect feature. QuickConnect takes care of the hard work for enabling remote features. With the feature turned on, you don’t have to set up router port forwarding.

To remove remote access through QuickConnect, log in to your NAS interface. Open the Control Panel and click the “QuickConnect” option under Connectivity in the sidebar. Uncheck “Enable QuickConnect,” then click Apply.

Synology Control panel with arrows pointing to QuickConnect, Enable QuickConnect, and Apply button.

If, however, you enabled port forwarding on your router to gain remote access, you will need to disable that port forwarding rule. To disable port forwarding, you should look up your router’s IP address and use it to log in.

Then consult your router’s manual to find the port forwarding page (every router model is different). If you don’t have your router manual, you can try a web search for your router model number and the word “manual.” The manual will show you where to look for existing port forwarding rules. Turn off any port forwarding rules for the NAS unit.

Option 2: Use a VPN for Remote Access

Package Center with the VPN Server install showing.

We recommend just not exposing your Synology NAS to the Internet. But if you have to connect remotely, we recommend setting up a virtual private network (VPN). With a VPN server installed, you won’t access the NAS unit directly. Instead, you’ll be connecting to the router. The router, in turn, will treat you as though you were on the same network as the NAS (still at home, for instance).

You can download a VPN server on your Synology NAS from the Package Center. Just search for “vpn” and choose the install option under VPN Server. When you first open the VPN Server, you’ll see a choice of PPTP, L2TP/IPSec, and OpenVPN protocols. We recommend OpenVPN, as it’s the most secure option of the three.

OpenVPN settings in a Synology NAS

You can stick with all the OpenVPN defaults, although if you want to access other devices on the network when connected through VPN, you’ll need to check “Allow clients to access server’s LAN” and then click “Apply.”

You will then need to set up port forwarding on your router to the port OpenVPN is using (by default 1194).

If you’re using OpenVPN for your VPN, you’ll need a compatible VPN Client to access it. We suggest OpenVPN Connect, which is available for Windows, macOS, iOS, Android, and even Linux.

Option 3: Secure Remote Access as Much as Possible

If you need remote access and a VPN isn’t a viable solution (perhaps due to slower internet speeds), then you should secure remote access as much as possible.

To secure remote access, you should log into the NAS, open Control Panel, then select Users. If the default admin is turned on, create a new admin user account (if you don’t already have one) and turn the default admin user off. The default admin account is the first account ransomware usually attacks. The Guest user is typically off by default, and you should leave it that way unless you have a specific need for it.

Synology control panel Users options with admin profile disabled.

You should ensure that any users you created for the NAS have complicated passwords. We recommend using a password manager to help with that. If you share the NAS and allow other people to create user accounts, then be sure to enforce strong passwords.

You’ll find password settings in the Advanced tab of the User section of the Control Panel. You should check the “Include mixed case,” “Include numeric characters,” “Include special characters,” and “Exclude common password” options. For a stronger password, increase the minimum password length to at least eight characters, although longer is better.
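To show what those four checkboxes actually reject, here is an added password-policy checker that mirrors them (example code written for this article, not Synology’s own implementation). It assumes an eight-character minimum and uses a small constructed denylist in place of DSM’s real common-password list.

```python
import re

MIN_LENGTH = 8  # the "at least eight characters" minimum recommended above

# Constructed stand-in for DSM's common-password list (the real list is larger).
COMMON_PASSWORDS = {
    "password", "password1", "admin", "synology",
    "123456", "qwerty", "letmein", "welcome1",
}


def password_violations(pw, min_length=MIN_LENGTH, common=COMMON_PASSWORDS):
    """Return the list of policy rules the candidate password breaks.

    An empty list means the password satisfies every rule: minimum length,
    mixed case, a numeric character, a special character, and not a common
    password. Rules are checked in the order the Control Panel lists them.
    """
    violations = []
    if len(pw) < min_length:
        violations.append(f"shorter than {min_length} characters")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        violations.append("no mixed case")
    if not re.search(r"[0-9]", pw):
        violations.append("no numeric character")
    if not re.search(r"[^A-Za-z0-9]", pw):
        violations.append("no special character")
    # "Exclude common password": compare case-insensitively, and also after
    # stripping the trailing digits/symbols people bolt onto a dictionary word,
    # so "Password1!" is still caught even though it passes the complexity rules.
    stem = re.sub(r"[^A-Za-z]+$", "", pw).lower()
    if pw.lower() in common or stem in common:
        violations.append("common password")
    return violations


if __name__ == "__main__":
    for candidate in ("admin", "Password1!", "correct-Horse7battery"):
        print(candidate, "->", password_violations(candidate) or "OK")
```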

Control Panel password settings with most options checked.

To prevent dictionary attacks, in which an attacker tries as many passwords as possible as quickly as possible, enable Auto-Block. This option automatically blocks an IP address after a set number of failed login attempts within a short period. Auto-Block is on by default on newer Synology units, and you’ll find it in Control Panel > Security > Account. The default settings will block an IP address from making another login attempt after ten failures in five minutes.
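The following added simulation (example code for this article, not DSM’s implementation) replays constructed login attempts through the default Auto-Block rule of ten failures within five minutes, so you can see which sources end up blocked and why a slow guesser does not. The log format and IP addresses are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 10              # DSM default: ten failed attempts...
WINDOW = timedelta(minutes=5)  # ...within five minutes blocks the source IP


def auto_block(attempts, max_failures=MAX_FAILURES, window=WINDOW):
    """Replay (timestamp, ip, result) login attempts in time order with
    Auto-Block semantics: an IP that accumulates max_failures failures inside
    one sliding window is blocked, and every later attempt from it is refused
    even if the password is right. Returns (decisions, blocked)."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    blocked = {}                 # ip -> timestamp at which it was blocked
    decisions = []               # (timestamp, ip, "allowed" | "rejected" | "blocked")
    for ts, ip, result in sorted(attempts):
        if ip in blocked:
            decisions.append((ts, ip, "blocked"))
            continue
        failures = recent[ip]
        while failures and ts - failures[0] > window:  # age out old failures
            failures.popleft()
        if result == "ok":
            decisions.append((ts, ip, "allowed"))
            continue
        failures.append(ts)
        if len(failures) >= max_failures:
            blocked[ip] = ts
            decisions.append((ts, ip, "blocked"))
        else:
            decisions.append((ts, ip, "rejected"))
    return decisions, blocked


def sample_attempts():
    """Constructed login traffic (not real DSM log output)."""
    t0 = datetime(2019, 7, 23, 2, 0, 0)
    attempts = []
    # Brute-forcer: a guess every 15 seconds against 'admin'; blocked on the tenth
    for i in range(12):
        attempts.append((t0 + timedelta(seconds=15 * i), "203.0.113.7", "fail"))
    # Slow guesser: ten failures, but one every 40 minutes, so never ten in a window
    for i in range(10):
        attempts.append((t0 + timedelta(minutes=40 * i), "198.51.100.9", "fail"))
    # Home user on the LAN: one typo, then the correct password
    attempts.append((t0 + timedelta(minutes=1), "192.168.1.20", "fail"))
    attempts.append((t0 + timedelta(minutes=1, seconds=30), "192.168.1.20", "ok"))
    return attempts


if __name__ == "__main__":
    print(auto_block(sample_attempts())[1])
```

The slow guesser illustrates the limit of Auto-Block on its own: a patient attacker stays under the threshold, which is why strong passwords and disabling the default admin account matter as much as the block rule.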

Finally, consider turning on your Synology firewall. With the firewall enabled, only the services you explicitly allow in the firewall rules will be reachable from the internet. Just keep in mind that with the firewall on, you’ll need to make exceptions for some apps like Plex, and add rules for the VPN port if you are using a VPN. You’ll find the firewall settings in Control Panel > Security > Firewall.

Control Panel Firewall settings, with Firewall enabled.

Data loss and ransomware encryption are always a possibility with a NAS unit, even when you take precautions. Ultimately, a NAS isn’t a backup system, and the best thing you can do is make offsite backups of the data. That way, if the worst should happen (whether that’s ransomware or multiple hard drive failures), you can restore your data with minimal loss.

Translated from: https://www.howtogeek.com/435452/how-to-secure-your-synology-nas-from-ransomware/
