Security Issues

Discussion on setting up QNAP NAS products.
rory
Know my way around
Posts: 212
Joined: Tue Feb 12, 2008 11:52 am

Security Issues

Post by rory »

Hi QNAP,

I've been working to secure my box against an array of attacks that come in daily, mostly brute force / dictionary attacks. They come in every 2 - 5 seconds for hours at a time.

I know that you have implemented IP ban lists on the 509 and I assume this is coming for the rest of your products (do we have a timeline?). That's great news and a good first step. However, there are a range of other security issues and concerns faced by users.

This being the case, I request that QNAP establish a top level forum dedicated to security. There is a wealth of information and expertise in these forums. A forum dedicated to security would allow users to pool information. It is badly needed.

I hope others agree.

Rory
iMac 27" i7 / OS X 10.6.5
TS-259 Pro / RAID 1 / 2 x 1T WD Black / 3.2.1 1231T
TS-410 / RAID 6 / 2 x 750GB + 2 x 500GB WD Black / 3.5.1 Build 1002T
SMCGS8P-Smart Switch
QNAPSimon

Re: Security Issues

Post by QNAPSimon »

This will most likely be implemented in the December beta firmware. I will let you know when I have more information.

A separate section for security issues is a very good idea. I will forward your suggestion to our Product Management. Thanks.
Q
Experience counts
Posts: 1436
Joined: Wed Sep 05, 2007 4:18 pm
Location: Switzerland

Re: Security Issues

Post by Q »

I am Q
www.qnap.ch

I don't work at QNAP.
And RAID is really NO backup!
thrx1
Starting out
Posts: 29
Joined: Sat Sep 20, 2008 2:49 pm

Re: Security Issues

Post by thrx1 »

These are good suggestions.
When can we expect them to be delivered?
schumaku
Guru
Posts: 43579
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku

Re: Security Issues

Post by schumaku »

thrx1 wrote:These are good suggestions.
Not much news I am afraid. Moving ports to non-standard ports is just security by obscurity. Any network scanner is very able to unveil this much too often propagated nonsense. Moreover, every slightly better educated script-kiddy (say my 12 year old vs. my 10 year old son) is able to knock on the other doors, too.
thrx1 wrote:When can we expect them to be delivered?
Network Access Protection (also referenced as Auto-ban) is expected to come up these weeks for the TS-109/209/409 Series.

Any other deliverables QNAP have missed from the suggestions posted?
Q
Experience counts
Posts: 1436
Joined: Wed Sep 05, 2007 4:18 pm
Location: Switzerland

Re: Security Issues

Post by Q »

hi kurt ^^

yeah that about obscurity is true... however it's still not that bad because the majority of (mass) attacks are done automatically, not by a real person, and no port scanner is used. for a private home user (who can't afford expensive security gateways) IMHO obscurity does a good job. at least it reduces for sure the number of attacks (several forum users have reported attacks going from thousands to zero) arriving at the TS and so probably also reduces the system load. and fewer attacks mean lower risk. so while obscurity has absolutely no effect on a real hacker, it still does lower the risk. i know it's widely disputed among experts so there's no final truth about it :mrgreen: i think both sides are right in some way.

as said in another thread:
Q wrote:
Changing ports does not solve this security risk.
yeah that's 100% true. that's why it also shouldn't be the only action. it goes a bit into "security by obscurity", however contrary to what many security experts say, it helps. at least for private people it's not a bad idea. because maybe 98% of all attacks - unless you're a worthwhile target like a big company, NASA, pentagon or something ^^ - just come in on standard ports by some automated scripts. so when you change the ports, you can at least already forget about that and just care about the 2% that are "real" hackers ;) it's just the easiest thing we can do without much effort. and combined with my other suggestions it's already a perfect solution for the majority of people.
and with NAP added, i think we're on a very good security level. of course i don't talk here about the requirements of big companies, they have other security stuff anyway.
I am Q
www.qnap.ch

I don't work at QNAP.
And RAID is really NO backup!
thrx1
Starting out
Posts: 29
Joined: Sat Sep 20, 2008 2:49 pm

Re: Security Issues

Post by thrx1 »

QNAPKurt wrote:Network Access Protection (also referenced as Auto-ban) is expected to come up these weeks for the TS-109/209/409 Series.
What do you mean by 'these' weeks?
QNAPKurt wrote:Any other deliverables QNAP have missed from the suggestions posted?
1). If you can deliver the suggestion on the above link (i.e. port across functionality from 509) that's a start.

2). Other important issues to address are separate login pages for the different parts of the system (admin, file manager etc.) and letting users switch off the ones we do not need - as many users have been asking for.

3). Another critical item is allowing direct login so that I can set up a DYNDNS service (i.e. myymailyphotos.dyndns.org) to go direct to the MM Station home page on the 209/109 rather than to the Admin page, and without having to tell people to go to a specific sub directory under the domain.
Not sure if this will mean more than 1 web server running, but it would be ideal to have. We can then have family members login without ever seeing - or knowing - the other functions are there.

4). Ability to change the default admin too if you can't already: I'm not sure if you can't already do this as I'm a 'pre sales' person, waiting for all the above to be fixed before I buy a 209/109 and only just saw reference to the admin password issue here: http://forum.qnap.com/viewtopic.php?f=21&t=9163
schumaku
Guru
Posts: 43579
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku

Re: Security Issues

Post by schumaku »

thrx1 wrote:
QNAPKurt wrote:Network Access Protection (also referenced as Auto-ban) is expected to come up these weeks for the TS-109/209/409 Series.
What do you mean by 'these' weeks?
Very different code and system environment than all the newer products. Much higher effort in implementation, FLASH optimization, testing, ...
thrx1 wrote:
QNAPKurt wrote:Any other deliverables QNAP have missed from the suggestions posted?
1). If you can deliver the suggestion on the above link (i.e. port across functionality from 509) that's a start.
This is understood - and in the works...
thrx1 wrote:2). Other important issues to address is that of separate login page .... & 3). Another critical item is allowing direct login to so that I can setup a DYNDNS service (i.e. myymailyphotos.dyndns.org) ...
I'm so free and add the exclusive usage of standard ports 80 and 443 (https) for all these to avoid proxy limitations... The keyword is "virtual server" - afraid, QNAP is aware to have their historical design limitations in the Web infrastructure used in different product classes these days. I am working with QNAP towards this direction - adding more personality (remove the obvious type and version indications), and a more flexible Web frontend - for the administration, for the system supplied Web applications, and for user supplied web applications.
thrx1 wrote:4). Ability to change to default admin too if you can't already: I'm not sure if you can't already do this as I'm a 'pre sales' person, waiting for all the above to be fixed before I buy a 209/109 and only just saw reference to the admin password issue here: http://forum.qnap.com/viewtopic.php?f=21&t=9163
Different issues in one thread:

1. Renaming the default admin account does not add much security - this is an idea still floating in some minds. Honestly, much better would be a VERY complex password on admin (== root), and only work with non-privileged accounts overall - and use a strong authentication to gain admin/root access. However, this is beyond scope for a SOHO or SMB NAS ... ok, I _am_ a security person in my real business.

2. So, thoughts on stronger passwords - sure you CAN change the admin password to something stronger (or crazier to type...) - open an ssh session, login...


[/~] # passwd
Changing password for admin
Enter the new password (minimum of 5, maximum of 8 characters)
Please use a combination of upper and lower case letters and numbers.
Enter new password: qwert+"*ç%
Re-enter new password: qwert+"*ç%
Password changed.
[/~] #
...but never forget, +"*ç% are simple ASCII characters (and binary numbers under the hood), too. In addition, you might experience side effects, which are outside of QNAP influence and controls. Agree - the password "validity checker" on the Web UI is too "strict" to allow this - crazy, indeed.

At the end of the day - together with the brute force blocker as implemented on the newer and coming-up x86 based models, the standard password security is not that bad. Moreover, it's comparably easy to explain to Grandma and Co.

Regards,
-Kurt.
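Q and Kurt both describe the daily traffic as automated dictionary attacks hitting every few seconds, and Kurt points to Network Access Protection (Auto-ban) as the blocker for them. The following is an added example, not QNAP's code, that models that idea over a constructed log: count failed logins per source address inside a sliding window and ban the source once a threshold is reached. The log format, the addresses, the threshold and the ban duration are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not a real QNAP log): a dictionary attack from 203.0.113.7 and a user who mistypes once.
SAMPLE_LOG = """\
2008-11-20 10:00:01 sshd: Failed password for admin from 203.0.113.7
2008-11-20 10:00:04 sshd: Failed password for root from 203.0.113.7
2008-11-20 10:00:06 sshd: Failed password for admin from 203.0.113.7
2008-11-20 10:00:09 sshd: Failed password for test from 203.0.113.7
2008-11-20 10:00:12 sshd: Failed password for admin from 203.0.113.7
2008-11-20 10:00:20 sshd: Failed password for rory from 192.0.2.10
2008-11-20 10:00:25 sshd: Accepted password for rory from 192.0.2.10
"""
LINE_RE = re.compile(r"^(\S+ \S+) sshd: (Failed|Accepted) password for \S+ from (\S+)$")
def parse_line(line):
    """Return (timestamp, failed, ip), or None if the line does not match the assumed format."""
    m = LINE_RE.match(line)
    return m and (datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2) == "Failed", m.group(3))

class AutoBan:
    """Ban a source after `threshold` failures inside a sliding `window` (assumed policy)."""
    def __init__(self, threshold=5, window=timedelta(minutes=5), ban_for=timedelta(hours=1)):
        self.threshold, self.window, self.ban_for = threshold, window, ban_for
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned = {}                     # ip -> time the ban expires
    def is_banned(self, ip, now):
        return ip in self.banned and now < self.banned[ip]
    def observe(self, ts, failed, ip):
        """Feed one login event; return True if this event triggers a ban."""
        if self.is_banned(ip, ts):
            return False                     # already blocked: not counted again
        q = self.failures[ip]
        if not failed:
            q.clear()                        # a successful login resets the count
            return False
        q.append(ts)
        while ts - q[0] > self.window:       # forget failures outside the window
            q.popleft()
        if len(q) < self.threshold:
            return False
        self.banned[ip] = ts + self.ban_for  # threshold reached: ban the source
        return True

def scan(log_text, **kwargs):
    """Run the detector over a whole log and return {ip: ban expiry}."""
    ab = AutoBan(**kwargs)
    for event in filter(None, map(parse_line, log_text.splitlines())):
        ab.observe(*event)
    return ab.banned
```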
thrx1
Starting out
Posts: 29
Joined: Sat Sep 20, 2008 2:49 pm

Re: Security Issues

Post by thrx1 »

Firstly, thanks for the response Kurt.
QNAPKurt wrote:
thrx1 wrote:
QNAPKurt wrote:Network Access Protection (also referenced as Auto-ban) is expected to come up these weeks for the TS-109/209/409 Series.
What do you mean by 'these' weeks?
Very different code and system environment than all the newer products. Much higher effort in implementation, FLASH optimization, testing, ...
So what you are saying is that the IP filter for the 109 II and 209 II units referenced over here ( http://forum.qnap.com/viewtopic.php?f=24&t=10124 ) is still in DEVelopment and is being thoroughly tested prior to release, but you do not actually know when it will be delivered?
QNAPKurt wrote:
thrx1 wrote:
QNAPKurt wrote:Any other deliverables QNAP have missed from the suggestions posted?
1). If you can deliver the suggestion on the above link (i.e. port across functionality from 509) that's a start.
This is understood - and in the works...
Is there a target firmware build for this?
What target date is on the project schedule?

QNAPKurt wrote:
thrx1 wrote:2). Other important issues to address is that of separate login page .... & 3). Another critical item is allowing direct login to so that I can setup a DYNDNS service (i.e. myymailyphotos.dyndns.org) ...
I'm so free and add the exclusive usage of standard ports 80 and 443 (https) for all these to avoid proxy limitations... The keyword is "virtual server" - afraid, QNAP is aware to have their historical design limitations in the Web infrastructure used in different product classes these days. I am working with QNAP towards this direction - adding more personality (remove the obvious type and version indications), and a more flexible Web frontend - for the administration, for the system supplied Web applications, and for user supplied web applications.
I'm sorry, I don't understand what you mean by "I'm so free and".
Are you saying that QNAP have the following in DEVelopment:
1). Ability to configure system to use non standard HTTP and ftp ports?
2). Different virtual servers for HTTP, ftp, MM Station etc?
Meaning that I can send my family to look for photos at: my-family-photos.dyndns.org and have that load my equivalent of http://219.87.144.203:8080/Qmultimedia/
3). Personalisation of the default pages for HTTP, ftp, MM Station etc? (i.e. "adding more personality")?

If yes to the above, is there any idea of a target release date?
QNAPKurt wrote:
QNAPKurt wrote:
thrx1 wrote:4). Ability to change to default admin too if you can't already: I'm not sure if you can't already do this as I'm a 'pre sales' person, waiting for all the above to be fixed before I buy a 209/109 and only just saw reference to the admin password issue here: http://forum.qnap.com/viewtopic.php?f=21&t=9163
Different issues in one thread:

1. Renaming the default admin account does not add much security - this is an idea still floating in some minds. Honestly, much better would be a VERY complex password on admin (== root), and only work with non-privileged accounts overall - and use a strong authentication to gain admin/root access. However, this is beyond scope for a SOHO or SMB NAS ... ok, I _am_ a security person in my real business.

2. So, thoughts on stronger passwords - sure you CAN change the admin password to something stronger (or crazier to type...) - open an ssh session, login...


[/~] # passwd
Changing password for admin
Enter the new password (minimum of 5, maximum of 8 characters)
Please use a combination of upper and lower case letters and numbers.
Enter new password: qwert+"*ç%
Re-enter new password: qwert+"*ç%
Password changed.
[/~] #
...but never forget, +"*ç% are simple ASCII characters (and binary numbers under the hood), too. In addition, you might experience side effects, which are outside of QNAP influence and controls. Agree - the password "validity checker" on the Web UI is too "strict" to allow this - crazy, indeed.

At the end of the day - together with the brute force blocker as implemented on the newer and coming-up x86 based models, the standard password security is not that bad. Moreover, it's comparably easy to explain to Grandma and Co.

Regards,
-Kurt.
Agreed that changing the default admin username and password does not add much security, but it is still good practice and always the first thing I do on any system I own (if possible).
It's good to know that you can actually change the default admin password, and it would be ideal to be able to do it through the UI. Although I work in IT, I'm not a developer or administrator and so always try to avoid changing things 'under the hood' for that reason.
initd
New here
Posts: 2
Joined: Thu May 21, 2009 2:02 am

Re: Security Issues

Post by initd »

Quick question on strong authentication. Is it true that you need https to really make sure that you are secure, or are there other ways? For example, this site http://www.globalcrypto.com/strong-auth ... -the-cost/ suggests that you can do two-factor strong authentication and it does not use https?
jim_locksmith
First post
Posts: 1
Joined: Thu May 06, 2010 8:08 pm

Re: Security Issues

Post by jim_locksmith »

that really depends
jim_locksmith