Version: TOS 6

Security

General

Access security settings through the general interface.

Management

Through the buttons in the management tab, you can perform the following operations:

  • Enable TOS automatic logout on timeout: The system automatically logs out if there is no activity within the specified time;
  • Improve security with HTTP Content-Security-Policy (CSP) header: When selected, strengthens the system's defense against cross-site scripting (XSS) attacks;
  • Improve the defense against cross-site forged request attacks: When checked, strengthens the system's protection against cross-site request forgery (CSRF) attacks;
  • Do not allow iFrame to embed TOS: When checked, prevents other websites from embedding TOS in an iFrame, avoiding leakage of cookie information;
Note

Opt to remain logged in by selecting "Keep Me Logged In" on the login page. This allows the current user to stay logged in indefinitely unless they log out manually or the browser cache is cleared.

Certificate

The certificate secures TNAS's SSL service, ensuring the security and data integrity of network communication.

Management

Through the buttons in the management tab, you can perform the following operations:

  • Add: Manually add certificates;
  • Set: Select certificates for services or applications;
  • Delete: Delete certificates;
  • Download: Download certificates locally;
  • Update: Update certificates and keys when they expire;

Supported certificate types: The current system only supports Base64 encoded SSL certificates, and the supported certificate formats include PEM format files (.cer, .crt, .pem) and corresponding private keys.

Note

Due to TNAS's dynamic IP address, SSL certification cannot be applied. Accessing TNAS via HTTPS using its IP address may trigger a security warning, but this does not compromise communication security.

Firewall

Enable and configure firewall rules to control which IP addresses can access which network ports, preventing unauthorized access and controlling services.

Management

Through the buttons in the management tab, you can perform the following operations:

  • Create: Create firewall rules;
  • Edit: Edit existing firewall rules;
  • Delete: Delete firewall rules;
  • Disable: Disable firewall rules;
  • More: Reorder firewall rules as needed;

Firewall Rule Description

  • Default Policy: The firewall only creates allow rules by default. IPs or ports not specified in these rules remain accessible. To restrict access to specific IPs or ports, create corresponding deny rules explicitly.
  • Rule Sorting: Firewall rules are ordered chronologically, with earlier rules listed first and later ones following.
  • Priority Determination: Higher priority rules take precedence and are placed at the top of the firewall rule list.
  • Freedom of Creation: Users have full control over creating firewall rules, including the ability to create rules that might inadvertently restrict their own access, such as blocking all IP and port access.

Create firewall rules

  1. Go to Desktop > Control Panel > General Settings > Security > Firewall.
  2. Click "Create".
  3. Read the firewall rule description and click "Next".
  4. Select the protocol and operation to allow/prohibit.
  5. In the Source IP Region, select one of the following:
    • Apply the firewall rule to all IP addresses by selecting "All."
    • Apply the firewall rules specifically to the entered single IP address.
    • Apply the firewall rule to the subnet address by filling in the host address in the first input box and the subnet mask in the second input box (e.g., 192.168.8.1/255.255.255.0).
    • Apply the firewall rules to the entered range of IP addresses by selecting the network address range.
  6. In the "Port" section, choose one of the following options:
    • Apply the firewall rule to all ports by selecting "All."
    • Specify a custom port number under "Customize" to apply the firewall rule to that specific port.
    • Enter a port range to apply the firewall rule to that specific range of ports.
  7. Click "Apply".
Warning
  1. When creating firewall rules, verify all rules and ensure that the IP segment and HTTP/HTTPS ports where TNAS is located are accessible after they take effect. Failure to verify will result in access to the TNAS device being denied.
  2. Avoid relying solely on a single IP address or port for access control to reduce security risks due to changes in IP address or port. For greater flexibility and security, it is recommended to set broader access ranges or conditions.
  3. Incorrect rule order may prevent you from accessing your TNAS device. Proceed with caution and ensure that the IP network segment and HTTP/HTTPS port where TNAS is located are accessible after adjusting the order of the rules.

Example: Setting up firewall rules to restrict access to TNAS to specific IP network segments.

To allow only IP addresses in network segment A to access TNAS and deny access from all other network segments, follow these steps:

  1. Create an allow rule permitting IP access from the A network segment.
  2. Create a deny rule restricting access from all other network segments.

Note the critical order of these rules: First, allow access from the specific A network segment, then deny access from all other segments to ensure only IPs from the A network segment can pass through the firewall.
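The rule semantics described in this section (rules checked from the top, unmatched traffic still allowed) can be modeled to check a planned rule list for lockouts before applying it. This is an added example, not TerraMaster code; the `Rule` class, the function names, the sample addresses and the management ports 8181/5443 are assumptions to replace with your own values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                     # "allow" or "deny"
    source: str                     # "all", one IP, or "host/mask"
    ports: Optional[range] = None   # None means all ports

    def matches(self, ip: str, port: int) -> bool:
        if self.ports is not None and port not in self.ports:
            return False
        if self.source == "all":
            return True
        # strict=False accepts host/mask input such as 192.168.8.1/255.255.255.0
        net = ipaddress.ip_network(self.source, strict=False)
        return ipaddress.ip_address(ip) in net

def decide(rules, ip, port):
    """The first matching rule from the top wins; unmatched traffic stays allowed."""
    for rule in rules:
        if rule.matches(ip, port):
            return rule.action
    return "allow"

def lockout_risks(rules, admin_ips, mgmt_ports):
    """List the (ip, port) pairs an administrator would lose under these rules."""
    return [(ip, port) for ip in admin_ips for port in mgmt_ports
            if decide(rules, ip, port) == "deny"]

# Constructed sample values, not taken from a real device.
SEGMENT_A = "192.168.8.1/255.255.255.0"
ADMIN_IPS = ["192.168.8.20"]
MGMT_PORTS = [8181, 5443]  # assumption: replace with your TNAS HTTP/HTTPS ports

CORRECT = [Rule("allow", SEGMENT_A), Rule("deny", "all")]
REVERSED = [Rule("deny", "all"), Rule("allow", SEGMENT_A)]
ALLOW_ONLY = [Rule("allow", SEGMENT_A)]

if __name__ == "__main__":
    print("correct order, inside A :", decide(CORRECT, "192.168.8.20", 5443))
    print("correct order, outside A:", decide(CORRECT, "203.0.113.7", 5443))
    print("allow rule only, outside:", decide(ALLOW_ONLY, "203.0.113.7", 5443))
    print("reversed order lockouts :", lockout_risks(REVERSED, ADMIN_IPS, MGMT_PORTS))
```

The allow-only list shows why the explicit deny rule is needed, and the reversed list shows the lockout that the warning about rule order refers to.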

Account

Introduction

Enhance system security by blocking IP addresses after multiple login failures.

Management

Enable Automatic Block

  1. Specify values for "Number of attempts" and "Time in minutes". If the number of login failures within the specified time frame exceeds the set threshold, the IP address will be blocked, preventing further login attempts.
  2. Blocked IP addresses will automatically be unblocked after the designated blocking period ends.
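The automatic block behaviour described above, modeled as a sliding-window counter and replayed over constructed log lines. This is an added example, not TerraMaster code; the `AutoBlock` class, the `block_minutes` parameter name and the log format are assumptions, and "exceeds" is read as strictly more failures than the configured number.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

class AutoBlock:
    def __init__(self, attempts, window_minutes, block_minutes):
        self.attempts = attempts                           # "Number of attempts"
        self.window = timedelta(minutes=window_minutes)    # "Time in minutes"
        self.block_for = timedelta(minutes=block_minutes)  # hypothetical name
        self.failures = defaultdict(deque)                 # ip -> recent failure times
        self.blocked_until = {}                            # ip -> block expiry time

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        return until is not None and now < until   # expired blocks lapse on their own

    def record_failure(self, ip, now):
        """Count one failed login; return True when it triggers a new block."""
        if self.is_blocked(ip, now):
            return False                           # rejected while blocked, not counted
        recent = self.failures[ip]
        recent.append(now)
        while now - recent[0] > self.window:
            recent.popleft()                       # older than the time frame
        if len(recent) > self.attempts:            # "exceeds the set threshold"
            self.blocked_until[ip] = now + self.block_for
            recent.clear()
            return True
        return False

def replay(lines, guard):
    """Run 'time ip result' lines through the guard; return (ip, time) block events."""
    events = []
    for line in lines:
        stamp, ip, result = line.split()
        if result == "FAIL" and guard.record_failure(ip, datetime.fromisoformat(stamp)):
            events.append((ip, stamp))
    return events

# Constructed log lines (documentation IP ranges), sorted by time.
SAMPLE_LOG = [
    "2024-05-01T10:00:00 198.51.100.9 FAIL", "2024-05-01T10:00:10 192.168.8.20 FAIL",
    "2024-05-01T10:00:30 198.51.100.9 FAIL", "2024-05-01T10:01:00 198.51.100.9 FAIL",
    "2024-05-01T10:01:30 198.51.100.9 FAIL", "2024-05-01T10:10:00 198.51.100.9 FAIL",
    "2024-05-01T10:32:00 198.51.100.9 FAIL",
]

if __name__ == "__main__":
    print(replay(SAMPLE_LOG, AutoBlock(attempts=3, window_minutes=5, block_minutes=30)))
```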

Unblock

To unblock a blocked IP address, click the block list in the lower right corner, select the IP address to unblock, and click Delete.

SPC

Introduction

The primary goal of Security and Privacy Control (SPC) is to enhance system security and mitigate the risk of user data being compromised by hackers or ransomware. Once SPC protection is activated, unauthorized applications and executables are prevented from accessing the system's network resources and storage, thereby safeguarding user data.

Management

Enable Security and Privacy Control (SPC) protection

  1. Navigate to TOS Desktop > Control Panel > General Settings > Security > SPC.
  2. Enable Security and Privacy Control (SPC) Protection by checking the corresponding box and clicking Apply.
  3. Click OK in the pop-up prompt box.
  4. Authenticate by entering your account password and clicking OK.
  5. Wait for the system to restart; the SPC function will be successfully enabled.

SPC Authorization

Your app can be granted two types of permissions:

  1. Network Service: Apps without this permission cannot access network services.
  2. Storage: Apps without this permission cannot access storage space.

Applications can be authorized through several methods:

  1. During installation: After installing the application, the system will prompt to grant permissions. Check the permissions to authorize.
  2. Through the SPC interface: Navigate to Security > SPC, check the permissions for the application, and click Apply.
Note
  1. Apps must have storage permissions granted to be enabled. Some apps require both network and storage permissions to function.
  2. To enable or disable the SPC function, you need to restart the system.

DoS

DoS (Denial of Service) protection can effectively protect your TNAS from malicious attacks from the internet.

Management

To enable DoS protection, please check "Enable DoS Protection" and click "Apply".

Security Isolation Mode

After enabling security isolation mode, TNAS will only access websites within the local network segment and will not accept external network access.

Note
  1. After enabling security isolation mode, some functions and applications on your TNAS may become unavailable. To use these functions, disable security isolation mode.
  2. Enabling security isolation mode will disable custom firewall rules, preventing any modifications to firewall settings.