Security
In the "Security" module, you can comprehensively protect the security of your TNAS device and data through multiple core functional components. It mainly includes Login Management, Digital Certificates, Firewall, User Account Control, SPC, DoS Protection, and Security Isolation Mode, supporting multi-layered protection from network, access, authentication to system levels.
Login
Management & Operations
- Auto Logout on Timeout: Automatically logs out after a period of inactivity to enhance session security.
- Enable CSP Header: Enhances protection against Cross-Site Scripting (XSS) attacks.
- Enhance CSRF Protection: Prevents malicious websites from forging user requests to perform unauthorized operations.
- Block iFrame Embedding: Prevents external websites from embedding TOS pages, safeguarding against clickjacking and Cookie leakage.
After checking "Keep me logged in", the system will remember your login status via a persistent Cookie. During this period, you will not be restricted by the auto-logout timeout policy and remain logged in until you manually log out or clear TNAS-related Cookies and site data in the browser.
Certificates
Certificates are used to protect TNAS's encrypted communication services (such as HTTPS, FTPS, SMTPS, etc.). By enabling TLS/SSL protocols, they provide identity authentication, data encryption, and integrity protection for network transmission, preventing information from being eavesdropped or tampered with.
Management & Operations
- Add: Import a new certificate and private key.
- Configure: Bind a specific certificate to a service.
- Delete: Remove unused certificates.
- Download: Download the public key of the certificate to your local device.
- Update: Renew expired certificates and private keys.
Firewall
The firewall can effectively block unauthorized network access and protect TNAS from external attacks. By enabling the firewall and configuring access rules, you can precisely control the access permissions of specific IP addresses or address segments to the device's network ports, implementing "Allow" or "Deny" policies to strengthen the system's network security boundary.
Management & Operations
- Create: Add a new access control rule.
- Edit: Modify the IP, port, or policy of an existing rule.
- Delete: Permanently remove a rule.
- Disable: Temporarily turn off a rule while retaining its configuration.
- More: Adjust the order of selected rules to change their matching priority.
- Default Policy: The firewall does not automatically generate deny rules. Setting allow rules alone does not restrict anything: IPs or ports not covered by an allow rule can still access the device by default. To block access to specific IPs or ports, you must manually create corresponding deny rules.
- Rule Ordering: Firewall rules are sorted by creation time—rules created earlier are listed first, and those created later are listed afterward.
- Priority Determination: Among firewall rules, rules placed higher have higher priority and will take effect first during matching.
- Creation Flexibility: Users can create firewall rules without restrictions. Even if a rule may prevent them from accessing the system (e.g., a rule that denies all IPs and ports), the system will not block its creation.
Create a Firewall Rule
- Go to Desktop > Control Panel > General Settings > Security > Firewall.
- Click "Create".
- Read the firewall rule description and click "Next".
- Select the protocol type and action (Allow/Deny).
- In the Source IP Range section, select one of the following options:
• Select "All" to apply the firewall rule to all IP addresses.
• Select "Single IP Address" to apply the rule to the entered IP address.
• Select "Subnet Address" to apply the rule to the entered subnet address. Enter the host address in the first input box and the subnet mask in the second (e.g., 192.168.8.1/255.255.255.0).
• Select "IP Address Range" to apply the rule to the entered range of IP addresses.
- In the Port section, select one of the following options:
• Select "All" to apply the firewall rule to all ports.
• Select "Custom" and enter the specified port number to apply the rule to that port.
• Select "Port Range" to apply the rule to the specified port interval.
- Click "Apply".
- When creating firewall rules, carefully check all rules to ensure that the IP segment where TNAS is located and the HTTP/HTTPS ports remain accessible after the rules take effect. Otherwise, you may be unable to access your TNAS device.
- Avoid relying solely on a single IP address or port for access control, as this may lead to access interruptions or security risks if the IP or port changes. To improve flexibility and security, it is recommended to configure more reasonable access scopes or combined conditions.
- Incorrect rule ordering may result in inability to access your TNAS device! Operate with caution, and after adjusting the rule order, confirm that the IP segment of TNAS and the HTTP/HTTPS ports are still accessible.
Example: How to Configure Firewall Rules to Allow Only Specific IP Segments to Access TNAS?
If you want to allow only IPs in Segment A to access TNAS while denying access from all other IP segments, follow these steps:
Configure Firewall Rules:
- Create an Allow rule to permit access from IPs in Segment A.
- Create a Deny rule to block access from all other IP segments.
The order of rules is crucial. You must first set the rule to allow access from the specific Segment A, then add the rule to deny all other access. This ensures that only IPs in Segment A can pass through the firewall.
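The ordering and default-policy behaviour described above can be checked offline before rules are applied. The following is an added example, not TerraMaster code: a small Python model that assumes first-match evaluation from the top and allow-by-default, as this page states. The function names, sample addresses and web ports 80/443 are constructed placeholders; substitute the ports your TNAS web interface actually uses.

```python
import ipaddress

DEFAULT_ACTION = "allow"  # per the page: no deny rule is generated automatically

def make_rule(action, source="all", ports="all"):
    """source: 'all', a single IP, 'host/mask' subnet, or 'first-last' range.
    ports: 'all', a single int, or an inclusive (low, high) tuple."""
    return {"action": action, "source": source, "ports": ports}

def _ip_matches(source, ip):
    addr = ipaddress.ip_address(ip)
    if source == "all":
        return True
    if "-" in source:  # "IP Address Range" option
        first, last = (ipaddress.ip_address(p.strip()) for p in source.split("-"))
        return first <= addr <= last
    # strict=False accepts a host address plus mask, e.g. 192.168.8.1/255.255.255.0
    return addr in ipaddress.ip_network(source, strict=False)

def _port_matches(ports, port):
    if ports == "all":
        return True
    if isinstance(ports, tuple):
        return ports[0] <= port <= ports[1]
    return port == ports

def evaluate(rules, ip, port):
    """First matching rule from the top wins; with no match the default applies."""
    for rule in rules:
        if _ip_matches(rule["source"], ip) and _port_matches(rule["ports"], port):
            return rule["action"]
    return DEFAULT_ACTION

def lockout_check(rules, admin_ip, web_ports):
    """Return the web ports the admin workstation would lose under this rule list."""
    return [p for p in web_ports if evaluate(rules, admin_ip, p) != "allow"]

# Constructed sample values: Segment A, an outside host, placeholder web ports.
SEGMENT_A = "192.168.8.1/255.255.255.0"
ADMIN_IP, OUTSIDE_IP = "192.168.8.50", "203.0.113.7"
WEB_PORTS = [80, 443]
allow_a = make_rule("allow", SEGMENT_A)
deny_all = make_rule("deny", "all")

if __name__ == "__main__":
    for name, rules in [("allow only", [allow_a]),
                        ("allow then deny", [allow_a, deny_all]),
                        ("deny then allow", [deny_all, allow_a])]:
        print(name, evaluate(rules, OUTSIDE_IP, 443), lockout_check(rules, ADMIN_IP, WEB_PORTS))
```

An empty list from `lockout_check` means the admin workstation keeps web access; the "deny then allow" ordering returns both ports, which is the lockout case the notes above warn about.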
Accounts
Blocking addresses with excessive login failures can effectively prevent brute-force attacks and enhance system security.
Management & Operations
- Auto Block: Enter values for "Attempts" and "Time (minutes)". If the number of login failures reaches the set value within the specified time, the login IP address will be automatically blocked and cannot continue logging in. The IP address will be automatically unblocked after the set block period expires.
- Unblock: To manually unblock an IP address, click "Block List" in the lower right corner, select the target IP address, check it, and click "Delete" to unblock.
SPC
The core purpose of Security and Privacy Control (SPC) is to enhance overall system security and reduce the risk of user data being compromised by hacker attacks or ransomware. Once SPC protection is enabled, unauthorized applications and executable files will be unable to access the system's network resources and storage space, thereby effectively preventing illegal programs from endangering user data.
Management & Operations
Enable SPC Protection
- Go to TOS Desktop > Control Panel > General Settings > Security > SPC.
- Check "Enable Security and Privacy Control (SPC) Protection" and click "Apply".
- In the pop-up prompt for reactivation, click "OK".
- Enter your account password for identity verification and click "OK".
- Wait for the system to restart—SPC will be successfully enabled.
Authorization Types
- Network Services: Applications without this permission cannot access network services.
- Storage Space: Applications without this permission cannot access storage space.
Authorization Methods
- Authorize During Installation: After an application is installed, the system will pop up an authorization prompt. Check the required permissions to complete authorization.
- Authorize in the SPC Interface: Go to the "Security > SPC" interface, check the required permissions for the target application, and click "OK".
- If an application is not granted storage permission, it cannot be enabled. Some applications require both network permission and storage permission to function properly.
- Enabling or disabling the SPC function requires a system restart.
DoS
Denial of Service (DoS) Protection can effectively defend against malicious traffic attacks from the Internet, preventing TNAS from experiencing network congestion, slow service responses, or system paralysis due to a large number of abnormal connection requests. After enabling this function, the system will monitor and identify abnormal access behaviors, and automatically block IP addresses suspected of launching attacks.
Security Isolation Mode
After enabling Security Isolation Mode, TNAS will only allow access to resources within the local network segment, cannot access external network addresses, and will no longer accept any access requests from external networks.
- After enabling Security Isolation Mode, some functions and applications of your TNAS may not work properly. To use these functions, please disable Security Isolation Mode first.
- After enabling Security Isolation Mode, all custom firewall rules will be automatically disabled, and you cannot configure or modify firewall rules in this mode.