海康威视nas安全
Your NAS is probably one of the most important devices on your home network, but are you giving it the attention it deserves when it comes to security?
NAS可能是家庭网络上最重要的设备之一,但是在安全性方面,您是否给予它应有的关注?
The last thing you want is for your NAS to get hacked and/or invaded by malware, like the SynoLocker ransomware that crawled its way onto Synology NAS boxes a couple of years ago. The good news is that there are ways to stay protected from future attacks and prevent your NAS box from getting cracked into.
您想要做的最后一件事是让您的NAS被恶意软件入侵和/或入侵,例如几年前SynoLocker勒索软件爬到Synology NAS盒上。 好消息是,有多种方法可以保护您免受日后的攻击,并防止您的NAS盒被盗。
Note: Most of the steps and images below are based on my Synology NAS, but you can do these things on most other NAS boxes, as well.
注意:以下大多数步骤和图像均基于我的Synology NAS,但是您也可以在其他大多数NAS盒上执行这些操作。
勤于更新 (Be Diligent About Updates)
Perhaps the easiest thing you can do to help secure your NAS is keep the software up to date. Synology NAS boxes run DiskStation Manager, and there’s usually a new update every couple of weeks.
要确保NAS安全,最简单的方法就是使软件保持最新。 Synology NAS盒运行DiskStation Manager,通常每两周进行一次新更新。
The reason you want to keep on top of updates isn’t just for the cool new features, but also for bug fixes and security patches that keep your NAS safe and secure.
您想要保持最新状态的原因不仅在于出色的新功能,还在于可以使NAS安全可靠的错误修复和安全补丁。
Take the SynoLocker ransomware as an example. Newer versions of DiskStation Manager are safe from this, but if you haven’t updated in several years, you might be vulnerable. Plus, newer exploits are always being released—another reason to keep up with updates.
以SynoLocker勒索软件为例。 较新版本的DiskStation Manager可以避免这种情况,但是如果您几年没有更新,则可能会受到攻击。 另外,总是会发布较新的漏洞利用程序–这是跟上更新的另一个原因。
禁用默认管理员帐户 (Disable the Default Admin Account)
Your NAS comes with a default admin account, and the username is most likely “admin” (real creative, huh?). The problem is that you usually can’t change the username of this default account. We recommend disabling the default admin account and creating a new admin account with a custom username.
您的NAS带有默认的管理员帐户,用户名很可能是“ admin”(是真正的广告素材,对吗?)。 问题在于您通常无法更改该默认帐户的用户名。 我们建议禁用默认管理员帐户,并使用自定义用户名创建一个新的管理员帐户。
The reason for this is to give hackers yet another layer they have to break through. With a default account, they can use “admin” as the username and just focus on cracking the password. It’s similar to how people never change the login credentials of their router—by default the username is usually “admin” and the password is “password,” making it super easy to break in.
这样做的原因是给黑客提供了他们必须突破的另一层。 使用默认帐户,他们可以使用“ admin”作为用户名,而只专注于破解密码。 这类似于人们永远不会更改路由器的登录凭据的方式-默认情况下,用户名通常为“ admin”,密码为“ password”,从而非常容易破解。
By creating an admin account with a username like “BeefWellington” and then using a strong password, you severely decrease the chances of your account credentials getting cracked by a lazy script kiddy.
通过使用诸如“ BeefWellington”之类的用户名创建一个管理员帐户,然后使用一个强密码,可以大大减少您的帐户凭据被懒惰的脚本小子破解的机会。
启用两因素身份验证 (Enable Two-Factor Authentication)
If you aren’t using two-factor authentication already for your various online accounts, then you should be. Your NAS likely has the capability for this, too, so take advantage of it.
如果您尚未为各种在线帐户使用两因素身份验证, 则应该使用 。 您的NAS也可能具有此功能,因此请充分利用它。
Two-Factor Authentication is great because not only do you need the username and password to login, but you also need another device you own (like a smartphone) to confirm the login. This makes it near impossible for a hacker to break into your account (although, never say never).
双重身份验证非常有用,因为不仅需要用户名和密码来登录,而且还需要拥有其他设备(例如智能手机)来确认登录。 这使得黑客几乎不可能侵入您的帐户(尽管永远不要说never )。
使用HTTPS (Use HTTPS)
When you’re accessing your NAS remotely, you’re probably doing so over HTTP if you haven’t messed around with any settings. This isn’t secure, and can leave your connection wide open for the taking. To fix this, you can force your NAS to use a HTTPS connection at all times.
当您远程访问NAS时,如果您没有弄乱任何设置,则可能是通过HTTP进行的。 这是不安全的,并且可能会使您的连接处于打开状态。 要解决此问题,您可以强制NAS始终使用HTTPS连接。
However, you need to install an SSL certificate on your NAS first, which can be quite the process. For starters, you need a domain name to link the SSL certificate to, and then link your NAS’s IP address to the domain name.
但是,您需要首先在NAS上安装SSL证书,这可能是个相当不错的过程 。 对于初学者,您需要一个域名以将SSL证书链接到,然后将NAS的IP地址链接到该域名。
You’ll also have to pay for an SSL certificate, but they’re usually not more than $10 per year from any reputable domain registrar. And Synology even has support for Let’s Encrypt SSL certificates for free if you want to go that route.
您还必须支付SSL证书的费用,但通常每年从任何信誉良好的域名注册商处获得的费用都不会超过10美元。 如果您要走这条路,Synology甚至免费支持“ 让我们加密SSL证书” 。
设置防火墙 (Set Up a Firewall)
A firewall is an overall good defense to have because it can automatically block any connection that your NAS doesn’t recognize. And you can usually customize the rules that it uses to keep certain connections open, while shutting all other connections out.
防火墙是总体上不错的防御措施,因为它可以自动阻止NAS无法识别的任何连接。 而且,您通常可以自定义用于保持某些连接打开同时关闭所有其他连接的规则。
By default, most firewalls on any device aren’t even enabled, which allows anyone and everyone through without inspection, and this is generally a bad idea. So be sure to check your firewall settings on your NAS and customize any rules to fit your needs.
默认情况下,甚至不启用任何设备上的大多数防火墙,这使任何人和所有人都无需检查即可通过,这通常是一个坏主意。 因此,请务必检查NAS上的防火墙设置,并自定义满足您需要的任何规则。
For example, you could have a rule that blocks all IP addresses from certain countries, or a rule that only allows certain ports from IP addresses in the US—the world is your oyster.
例如,您可能有一条规则可以阻止某些国家/地区的所有IP地址,也可以有一条规则仅允许来自美国IP地址的某些端口-世界就是您的牡蛎。
首先将其与互联网隔离 (Keep It Off the Internet In the First Place)
While all of the above steps are great things to do in order to keep your NAS secure, they’re not 100% safe by any means. The best thing you can do is to just keep your NAS disconnected from the outside world entirely.
尽管上述所有步骤对于确保NAS的安全都是很重要的事情,但无论如何它们都不是100%安全的。 您能做的最好的事情就是让您的NAS与外界完全断开。
Of course, this isn’t easy to do, especially if you have certain programs running on your NAS that benefit from being accessible remotely (like using your NAS as your own cloud storage service).
当然,这并非易事,尤其是当您的NAS上运行某些程序时,这些程序可以从远程访问中受益(例如,将NAS用作自己的云存储服务)。
But the important thing to note here is that you’re at least aware of the risks when exposing your NAS to the outside world, and that the above steps won’t keep your NAS 100% safe, necessarily. If you’re looking forthebest way to keep your NAS secure, it’s keeping it accessible to only your local network.
但是这里要注意的重要一点是,您至少要知道将NAS暴露于外界时的风险,并且上述步骤不一定会使NAS 100%安全。 如果您正在寻找确保NAS安全的最佳方法,那么它只能让您的本地网络访问。
翻译自: /350919/6-things-you-should-do-to-secure-your-nas/
海康威视nas安全
