Synology Security Guide: Protect Your NAS from Hackers and Ransomware

Quick Answer: Secure your Synology NAS by: (1) Never exposing it directly to the internet—use VPN for remote access, (2) Enabling 2FA for all accounts, (3) Keeping DSM updated, (4) Using strong unique passwords, (5) Enabling the firewall with geo-blocking, (6) Disabling unused services, and (7) Maintaining 3-2-1 backups. These steps protect against 99% of NAS attacks.

Your Synology NAS likely contains your most valuable data—family photos, financial documents, business files. Unfortunately, NAS devices are prime targets for ransomware and hackers because they’re often connected to the internet with weak security. The good news: Synology provides excellent security tools, and following this guide will make your NAS virtually impenetrable to common attacks.

This comprehensive guide covers every aspect of NAS security, from basic hardening to advanced threat protection. Whether you’re a home user or managing a business NAS, these practices will protect your data.

Understanding NAS Security Threats

Common Attack Vectors

| Threat | How It Works | Prevention |
|---|---|---|
| Ransomware | Encrypts files, demands payment | VPN access, backups, updates |
| Brute Force | Guesses passwords repeatedly | Strong passwords, 2FA, auto-block |
| Vulnerability Exploits | Uses unpatched security holes | Keep DSM updated |
| Phishing | Tricks users into revealing credentials | 2FA, user education |
| Port Scanning | Finds exposed services | Firewall, VPN, no port forwarding |

Why Synology Has Better Security Than QNAP

As discussed in our Synology vs QNAP comparison, Synology has a significantly stronger security track record. QNAP devices have been targeted by multiple high-profile ransomware campaigns (Qlocker, Deadbolt, eCh0raix), while Synology has had far fewer incidents. This doesn’t mean Synology is immune—it means their security-first approach reduces risk.

Security Priority Checklist

Complete these steps in order of priority:

| Priority | Action | Impact | Difficulty |
|---|---|---|---|
| 🔴 Critical | Use VPN instead of port forwarding | Blocks 95% of attacks | Medium |
| 🔴 Critical | Enable 2FA for all accounts | Stops credential theft | Easy |
| 🔴 Critical | Keep DSM updated | Patches vulnerabilities | Easy |
| 🟠 High | Strong unique passwords | Prevents brute force | Easy |
| 🟠 High | Enable firewall with geo-blocking | Reduces attack surface | Easy |
| 🟠 High | Configure auto-block | Stops brute force | Easy |
| 🟡 Medium | Disable admin account | Removes default target | Easy |
| 🟡 Medium | Disable unused services | Reduces attack surface | Easy |
| 🟢 Good | Enable account protection | Extra brute force protection | Easy |
| 🟢 Good | Encrypt shared folders | Protects data at rest | Medium |

Step 1: Never Expose Your NAS Directly to Internet

This is the single most important security measure. Most NAS attacks happen because users forward ports directly to their NAS, making it visible to the entire internet.

What NOT to Do

  • ❌ Don’t forward port 5000/5001 (DSM) to your NAS
  • ❌ Don’t forward port 22 (SSH) to your NAS
  • ❌ Don’t enable UPnP for automatic port forwarding
  • ❌ Don’t use DDNS without VPN

Safe Remote Access Options

Option 1: VPN (Recommended)

Set up a VPN server and connect securely from anywhere:

  1. Install VPN Server from Package Center
  2. Configure OpenVPN or L2TP/IPSec
  3. Export configuration file
  4. Import to OpenVPN client on phone/laptop
  5. Forward only VPN port (1194 for OpenVPN) on router
  6. Connect via VPN, then access NAS using local IP

Option 2: QuickConnect (Convenient but Less Secure)

QuickConnect routes through Synology’s relay servers, avoiding direct exposure:

  1. Go to Control Panel → External Access → QuickConnect
  2. Enable and sign in with Synology Account
  3. Choose a QuickConnect ID
  4. Access via yourID.quickconnect.to

QuickConnect is safer than port forwarding but still has risks. Always combine with 2FA.

Option 3: Tailscale/ZeroTier (Easy VPN Alternative)

These services create encrypted tunnels without complex VPN setup:

  1. Create account at tailscale.com or zerotier.com
  2. Install client on NAS via Docker or Package Center (Tailscale)
  3. Install client on devices
  4. Access NAS via private Tailscale/ZeroTier IP

Step 2: Enable Two-Factor Authentication (2FA)

2FA protects against stolen passwords—even if someone has your password, they can’t log in without the second factor.

Enable 2FA for Admin Account

  1. Log into DSM
  2. Click your profile icon → Personal → Account
  3. Under Sign-in Method, click 2-Factor Authentication
  4. Choose method: Authenticator app (recommended), hardware key, or Synology Secure SignIn
  5. Scan QR code with authenticator app (Google Authenticator, Authy, etc.)
  6. Enter verification code to confirm
  7. Save backup codes securely (password manager)

Enforce 2FA for All Users

  1. Go to Control Panel → Security → Account
  2. Enable Enforce 2-factor authentication for the following users
  3. Select All users or specific groups
  4. Click Apply

Step 3: Keep DSM Updated

Security patches fix vulnerabilities that attackers exploit. Never delay updates.

Enable Automatic Updates

  1. Go to Control Panel → Update & Restore
  2. Click Update Settings
  3. Enable Install new updates automatically or Notify me and let me decide
  4. Set update time to off-peak hours
  5. Enable Automatically update installed packages

Check for Updates Manually

  1. Go to Control Panel → Update & Restore
  2. Click Check for Updates
  3. Review release notes for security fixes
  4. Install immediately if security-related

Step 4: Configure Strong Password Policy

Set Password Requirements

  1. Go to Control Panel → User & Group → Advanced
  2. Under Password Settings, configure:
  • Minimum length: 12+ characters
  • Mixed case letters: Required
  • Numeric characters: Required
  • Special characters: Required
  • Exclude username: Enabled
  • Password history: Remember last 5 passwords
  3. Enable Force users to change password after reset
  4. Click Apply

Use a Password Manager

Strong passwords are impossible to remember. Use a password manager like Bitwarden, 1Password, or KeePass to generate and store unique passwords for each account.

Step 5: Enable and Configure Firewall

Enable Built-in Firewall

  1. Go to Control Panel → Security → Firewall
  2. Check Enable firewall
  3. Select Firewall Profile → Edit Rules

Recommended Firewall Rules

Create rules to allow only necessary traffic:

| Rule | Ports | Source | Action |
|---|---|---|---|
| Allow LAN | All | 192.168.1.0/24 (your subnet) | Allow |
| Allow VPN | 1194 (OpenVPN) | All | Allow |
| Block foreign countries | All | Geo-block list | Deny |
| Deny all else | All | All | Deny |

Enable Geo-Blocking

Block connections from countries you’ll never access your NAS from:

  1. In Firewall, create a new rule
  2. Source IP → Location
  3. Select countries to block (common attack sources: Russia, China, North Korea)
  4. Action: Deny
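
How the four recommended rules treat different sources, as an added example (not from the original guide or from Synology): it assumes rules are evaluated top to bottom with the first match deciding, and uses constructed documentation ranges in place of a real geo-block list. It also shows that the geo-block only covers the VPN port when it sits above the Allow VPN rule.

```python
import ipaddress

# Constructed stand-ins: RFC 5737 documentation ranges, not real country data.
GEO_BLOCK_LIST = [ipaddress.ip_network("203.0.113.0/24")]
LAN = [ipaddress.ip_network("192.168.1.0/24")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]

# (name, port or None for "All", source networks, action), in the table's order.
# Protocol (TCP/UDP) is not modelled.
TABLE_ORDER = [
    ("Allow LAN", None, LAN, "allow"),
    ("Allow VPN", 1194, ANY, "allow"),
    ("Block foreign countries", None, GEO_BLOCK_LIST, "deny"),
    ("Deny all else", None, ANY, "deny"),
]
# Same rules with the geo-block moved above the VPN rule.
GEO_FIRST = [TABLE_ORDER[0], TABLE_ORDER[2], TABLE_ORDER[1], TABLE_ORDER[3]]


def evaluate(rules, src_ip, port):
    """Return (rule name, action) for the first rule matching src_ip and port."""
    addr = ipaddress.ip_address(src_ip)
    for name, rule_port, sources, action in rules:
        port_ok = rule_port is None or rule_port == port
        if port_ok and any(addr in net for net in sources):
            return name, action
    return "no matching rule", "deny"  # assumption: fail closed without a catch-all


def reachable_ports(rules, src_ip, ports):
    """List the ports in `ports` that src_ip is allowed to reach."""
    return [p for p in ports if evaluate(rules, src_ip, p)[1] == "allow"]


if __name__ == "__main__":
    services = [22, 1194, 5000, 5001]  # SSH, OpenVPN and the DSM ports from Step 1
    for label, rules in (("table order", TABLE_ORDER), ("geo-block first", GEO_FIRST)):
        print(label)
        for src in ("192.168.1.20", "198.51.100.9", "203.0.113.7"):
            print(f"  {src:>13} -> {reachable_ports(rules, src, services)}")
```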

Step 6: Configure Auto-Block

Auto-block automatically bans IP addresses that fail too many login attempts.

  1. Go to Control Panel → Security → Protection
  2. Check Enable auto block
  3. Configure:
  • Login attempts: 5
  • Within (minutes): 5
  • Block expiration: Never (or 30 days)
  4. Check Enable block expiration if you want temporary blocks
  5. Add your home IP to Allow/Block List to prevent lockout
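
The thresholds above expressed as a sliding-window check over login records, as an added example (not Synology's implementation): the log layout, the addresses and the `auto_block` function are constructed for illustration. It shows why the allow-list entry in the last step matters: without it, the owner's own burst of mistyped passwords triggers a block.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_ATTEMPTS = 5               # "Login attempts: 5"
WINDOW = timedelta(minutes=5)  # "Within (minutes): 5"

# Constructed log lines in a made-up "timestamp result ip user" layout.
SAMPLE_LOG = (
    # Burst of failures from one outside address: six tries in under two minutes.
    [f"2026-01-10T03:{14 + s // 60:02d}:{s % 60:02d} FAIL 203.0.113.50 admin"
     for s in (0, 20, 40, 60, 90, 100)]
    # A user mistyping once every ten minutes, then signing in.
    + [f"2026-01-10T08:{m:02d}:00 FAIL 192.168.1.20 alice" for m in (0, 10, 20, 30, 40)]
    + ["2026-01-10T08:41:00 OK 192.168.1.20 alice"]
    # Home address: a quick burst of typos from the owner.
    + [f"2026-01-10T09:00:{s:02d} FAIL 192.168.1.10 owner" for s in (0, 5, 10, 15, 20, 25)]
)


def auto_block(lines, allow_list=frozenset()):
    """Return {ip: time of the failure that triggered the block}."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside WINDOW
    blocked = {}
    for line in lines:
        stamp, result, ip, _user = line.split()
        # Successful logins are ignored; this sketch does not reset the count on success.
        if result != "FAIL" or ip in allow_list or ip in blocked:
            continue
        now = datetime.fromisoformat(stamp)
        failures = recent[ip]
        failures.append(now)
        while now - failures[0] > WINDOW:  # drop failures older than the window
            failures.popleft()
        if len(failures) >= MAX_ATTEMPTS:
            blocked[ip] = now
    return blocked


if __name__ == "__main__":
    for ip, when in auto_block(SAMPLE_LOG, allow_list={"192.168.1.10"}).items():
        print(f"block {ip} at {when.isoformat()}")
```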

Step 7: Disable Default Admin Account

The “admin” account is the first target for attackers. Disable it and use a custom admin account.

  1. Create a new administrator account with a unique name
  2. Log in with the new account
  3. Go to Control Panel → User & Group
  4. Select the “admin” account → Edit
  5. Check Disable this account
  6. Click OK

Step 8: Disable Unused Services

Every enabled service is a potential attack vector. Disable what you don’t use.

Services to Disable If Not Used

  • SSH: Control Panel → Terminal & SNMP → Disable if not needed
  • Telnet: Should always be disabled
  • FTP: Control Panel → File Services → FTP → Disable
  • SMB 1.0: Control Panel → File Services → SMB → Advanced → Disable SMB1
  • NFS: Disable if not using Linux clients
  • SNMP: Control Panel → Terminal & SNMP → Disable

Uninstall Unused Packages

  1. Open Package Center
  2. Go to Installed
  3. Remove packages you don’t use

Step 9: Run Security Advisor

Synology’s Security Advisor scans for common security issues.

  1. Open Security Advisor from main menu
  2. Click Scan
  3. Review results and fix issues:
  • Critical: Fix immediately
  • Warning: Fix soon
  • Information: Consider fixing
  4. Schedule regular scans: Settings → Schedule

Step 10: Implement 3-2-1 Backup Strategy

Even with perfect security, disasters happen. Backups are your last line of defense against ransomware.

  • 3 copies of data (original + 2 backups)
  • 2 different media (NAS + USB + cloud)
  • 1 offsite (cloud or physically separate location)

See our Hyper Backup guide for complete backup setup instructions.

Immutable Backups (Ransomware Protection)

For ultimate ransomware protection, use backup destinations that support immutability (backups that can’t be modified or deleted):

  • Backblaze B2: Object Lock feature
  • AWS S3: Object Lock/Glacier Vault Lock
  • Synology C2: Immutable backup options

Advanced Security Measures

Enable HTTPS Only

  1. Go to Control Panel → Login Portal → DSM
  2. Enable Automatically redirect HTTP connections to HTTPS
  3. Install Let’s Encrypt certificate: Control Panel → Security → Certificate

Encrypt Shared Folders

Encryption protects data if drives are physically stolen:

  1. Go to Control Panel → Shared Folder
  2. Create or edit folder
  3. Check Encrypt this shared folder
  4. Set encryption password
  5. Configure auto-mount on boot (or manual mount for highest security)

Enable Account Protection

  1. Go to Control Panel → Security → Account
  2. Check Enable account protection
  3. Configure untrusted client settings

Recommended Hardware for Security

Secure Business NAS

Synology DS923+

4-Bay | AMD Ryzen R1600 | 4GB RAM | 1GbE


Excellent security-focused NAS with Btrfs support for snapshots. Run VPN Server for secure remote access. Expandable storage for comprehensive backups.

$599.99

UPS Protection

CyberPower CP1500PFCLCD

1500VA/1000W | Pure Sine Wave | USB Monitoring


Protect against power-related data corruption. USB connection enables automatic graceful shutdown. Pure sine wave safe for NAS devices.

$239.95

Frequently Asked Questions

Is it safe to expose my Synology NAS to the internet?

No. Never expose your NAS directly to the internet via port forwarding. Use VPN for remote access, or at minimum use QuickConnect with 2FA enabled. Direct internet exposure makes your NAS visible to attackers worldwide.

Can ransomware attack a Synology NAS?

Yes, NAS devices are targeted by ransomware. Protection requires: (1) Never exposing NAS directly to internet, (2) Keeping DSM updated, (3) Using strong passwords with 2FA, (4) Maintaining offline or immutable backups. With these measures, risk is minimal.

Is QuickConnect safe to use?

QuickConnect is safer than direct port forwarding because it doesn’t require opening ports. However, it still exposes your NAS to potential attacks via Synology’s relay. Always enable 2FA when using QuickConnect. VPN is more secure.

How do I know if my NAS has been hacked?

Signs include: unexpected files or encrypted files, unknown user accounts, high CPU usage, strange network activity, login notifications you don’t recognize. Check Control Panel → Log Center regularly. Security Advisor scans for compromises.

Should I enable automatic DSM updates?

Yes, especially for security updates. The risk of an unpatched vulnerability being exploited far exceeds the small risk of an update causing issues. At minimum, enable notifications and apply updates promptly.

What VPN protocol should I use for Synology?

OpenVPN is recommended for best security and compatibility. L2TP/IPSec is easier to configure on iOS/macOS but slightly less secure. Avoid PPTP, which has known vulnerabilities. For easiest setup, consider Tailscale, which runs on top of WireGuard.

Conclusion

Securing your Synology NAS doesn’t require expert knowledge—just following these best practices. The most critical steps are: never expose your NAS directly to the internet, enable 2FA, keep DSM updated, and maintain proper backups. These alone prevent the vast majority of attacks.

Remember: security is not a one-time setup but an ongoing practice. Run Security Advisor regularly, stay informed about new threats, and keep your backup strategy current. Combined with Synology’s already-strong security reputation (see our Synology vs QNAP comparison), these measures make your NAS extremely secure.

Last Updated: January 2026

Written by James Idayi