Security feature requests: Clear password for failed login

Tell us your most wanted features from QNAP products.


Postby rinthos » Sun Jul 22, 2012 12:31 pm

Request 1:
When logging into the admin section and entering a username (presumably admin) and password, when the authentication attempt fails, please clear the password field. I've had this mentioned by several security folks so figured I'd submit it here as a feature request, thanks!
Current behavior is red exclamation marks with "Login failure, please try again".
Best practice is to clear the text fields after a failed login, in the off-chance the password was correct and there was a username typo, or the values were even in close proximity to the correct ones; this is a rather simple change that is very noticeable.
Either that, or perhaps add a system setting to force-clear fields on failed authentication attempts? :)

Request 2:
While it is great marketing/advertising, showing the version number of the firmware on the login screen is considered a poor security practice.
Why should we inform the users of the version so they can go research what vulnerabilities exist? :)

Thanks!
---
rinthos
Easy as a breeze
 
Posts: 451
Joined: Sun Jul 12, 2009 1:23 pm
NAS Model: TS-459 Pro

Re: Security feature requests: Clear password for failed log

Postby schumaku » Sun Jul 22, 2012 4:48 pm

rinthos wrote:Request 1: ...Either that, or perhaps add a system setting to force-clear fields on failed authentication attempts?
Makes sense. The potential security risk is mainly based on the assumption that the browser or its host OS is not secure, and the actual password in the input buffer is readable internally. Clearing the password field does - for most attempts - simply avoid that the second attempt will fail because the false password is still there. 8) Overall, it's about user-friendliness.

rinthos wrote:Request 2:
While it is great marketing/advertising, showing the version number of the firmware on the login screen is considered a poor security practice.
Why should we inform the users of the version so they can go research what vulnerabilities exist? :)
That's probably the most long standing issue... Can't agree more.
schumaku
Guru
 
Posts: 22317
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku
NAS Model: TS-x79 Pro

Re: Security feature requests: Clear password for failed log

Postby pwilson » Sun Jul 22, 2012 5:52 pm

rinthos wrote:Request 2:
While it is great marketing/advertising, showing the version number of the firmware on the login screen is considered a poor security practice.
Why should we inform the users of the version so they can go research what vulnerabilities exist? :)


schumaku wrote:That's probably the most long standing issue... Can't agree more.


I agree that showing the Firmware revision "prior" to Login is a bad practice, however I would like it predominantly displayed after "successful" login, as it is useful to have when troubleshooting.

Patrick.

Patrick M. Wilson
Victoria, BC Canada
QNAP TS-419P+ w/ 4 * Seagate Barracuda 2TB 5900rpm (RAID5) - FW: 3.8.1 Build 20121205
pwilson
Moderator
 
Posts: 3814
Joined: Fri Mar 06, 2009 11:20 am
Location: Victoria, BC, Canada
NAS Model: TS-419P+

Re: Security feature requests: Clear password for failed log

Postby rinthos » Mon Jul 23, 2012 9:11 am

pwilson wrote:I agree that showing the Firmware revision "prior" to Login is a bad practice, however I would like it predominantly displayed after "successful" login, as it is useful to have when troubleshooting.
Patrick.

Certainly. Nothing wrong with it being displayed 'after'. Given the user has gained access to the device, they could find out that information in many other ways, so that's reasonable.
But for unauthenticated users (without access) to the device, it's not very wise to give "unauthorized" users information that they could potentially abuse.
schumaku wrote: That's probably the most long standing issue... Can't agree more.

Yeah. It follows the typical best practice with Apache web server (as one example) and recommendations to change default error screens.
I'm actually surprised Qnap and their 'S' competitor have both overlooked this....
rinthos
Easy as a breeze
 
Posts: 451
Joined: Sun Jul 12, 2009 1:23 pm
NAS Model: TS-459 Pro

Re: Security feature requests: Clear password for failed log

Postby pwilson » Mon Jul 23, 2012 10:31 am

rinthos wrote:
pwilson wrote:I agree that showing the Firmware revision "prior" to Login is a bad practice, however I would like it predominantly displayed after "successful" login, as it is useful to have when troubleshooting.
Patrick.

Certainly. Nothing wrong with it being displayed 'after'. Given the user has gained access to the device, they could find out that information in many other ways, so that's reasonable.
But for unauthenticated users (without access) to the device, it's not very wise to give "unauthorized" users information that they could potentially abuse.
schumaku wrote: That's probably the most long standing issue... Can't agree more.

Yeah. It follows the typical best practice with Apache web server (as one example) and recommendations to change default error screens.
I'm actually surprised Qnap and their 'S' competitor have both overlooked this....


Definitely agree with you here.

You also might want to edit the content of your /etc/config/proftpd.conf file, to change the "ServerName" line

The default entry is:

    ServerName      "ProFTPD"


Which tells the "script-kiddies" which FTP server software you are running. Unfortunately it will still show them a version number of your server.
The first line displayed by the Server (if you don't change that line) is:

NASFTPD Turbo station 1.3.2e Server (ProFTPD)

Again, releasing information of the server to the connecting user prior to login. This issue is actually more serious, as FTP is on a "standard" port, while the Admin WebUI at least is on Port 8080/TCP, rather than Port 80/TCP. ProFTP is pretty secure, but I, like you, prefer to not release too much information prior to successful login.

Patrick.

Patrick M. Wilson
Victoria, BC Canada
QNAP TS-419P+ w/ 4 * Seagate Barracuda 2TB 5900rpm (RAID5) - FW: 3.8.1 Build 20121205
pwilson
Moderator
 
Posts: 3814
Joined: Fri Mar 06, 2009 11:20 am
Location: Victoria, BC, Canada
NAS Model: TS-419P+
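An added self-check for the banner issue discussed in this thread (example code, not from the thread or from QNAP): it parses a proftpd.conf fragment and the pre-login FTP greeting, reports whether the greeting discloses a product name or version, and points at the two ProFTPD settings that control it. The sample config is constructed; the banner is the one quoted above. It goes slightly beyond the thread by also checking the standard ProFTPD `ServerIdent` directive, which replaces the greeting with a generic one, not just `ServerName`.

```python
import re

# Constructed sample config fragment (what the thread says the default looks like).
SAMPLE_CONF = """\
ServerName      "ProFTPD"
ServerType      standalone
DefaultServer   on
"""

# Greeting quoted in the thread for stock firmware, with the FTP 220 code.
SAMPLE_BANNER = "220 NASFTPD Turbo station 1.3.2e Server (ProFTPD)"

# A dotted version such as 1.3.2e; the bare "220" reply code does not match.
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)?[a-z]?\b")
PRODUCT_RE = re.compile(r"proftpd|pure-ftpd|vsftpd", re.I)


def parse_conf(text):
    """Map top-level directive name -> value, with surrounding quotes stripped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0]] = parts[1].strip().strip('"') if len(parts) > 1 else ""
    return conf


def banner_findings(banner):
    """List what an unauthenticated client learns from the greeting."""
    findings = []
    if VERSION_RE.search(banner):
        findings.append("version")
    if PRODUCT_RE.search(banner):
        findings.append("product")
    return findings


def audit(conf_text, banner):
    """Combine config and observed greeting into concrete advice."""
    conf = parse_conf(conf_text)
    findings = banner_findings(banner)
    ident = conf.get("ServerIdent", "on").lower()  # ProFTPD default is on
    advice = []
    if findings and not ident.startswith("off"):
        advice.append("set ServerIdent off")       # hides name and version
    if conf.get("ServerName", "ProFTPD") == "ProFTPD":
        advice.append("change ServerName")         # the line the thread edits
    return {"discloses": findings, "advice": advice}
```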
