Question about security before I buy

Interested in our products? Post your questions here. Let us answer before you buy.
Post Reply
itpromike@gmail.com
Starting out
Posts: 24
Joined: Tue May 18, 2021 8:32 am

Question about security before I buy

Post by itpromike@gmail.com » Wed May 19, 2021 6:35 am

So, I'm new around here and I've started looking into QNAP because my current setup no longer meets my needs. I'm coming from a setup with an old Synology and a Mac Mini as my media server and I'm thinking of simplifying my setup to an all in one solution with just a powerful QNAP and foregoing the Mac Mini. That being said, after looking into QNAP and starting to price things out - I quickly became aware of this newest security incident and then more digging made me aware that this was not isolated and QNAP has had a bad go of it in recent times with security... it's unclear from QNAPS's statements or the various posts I've read what the actual issues are... so my questions are:

1.) Were these issues caused by people just not having strong passwords or using default settings and not protecting themselves?
2.) Were they caused by a breach in the QNAP cloud remote access features?
3.) Were they caused by any other issue that either on the QNAP or user configuration side?

I'd be comfortable to go with QNAP if the people affected just had bad security practices and that's why they were affected. OR even if it was a breach of the QNAP remote connection/management features - I always turn those off for my devices anyway... however if there is some inherent security issue I'm not aware of with their software in general I would really like to know/understand it before I purchased and regretted it later. I'm not dumping on the company - I'm not a troll or a fanboy, I'm just new and trying to understand and do my due diligence...

For my uses as a Plex media server, the only port that would be open to the 'world' would be the port I use for plex. I do not/will not need to remotely manage my NAS so any cloud or remote features will be turned off immediately. I'm behind a Ubuiqiti gateway with intrusion detection/prevention turned on and again I'll have 1 port forwarded just for Plex...

I'd appreciate any advice or guidance on how secure QNAP is or what kind of risk a purchase right now would pose. Sorry for the long post. I really appreciate any/all responses! :)

QNAPDanielFL
Easy as a breeze
Posts: 349
Joined: Fri Mar 31, 2017 7:09 am

Re: Question about security before I buy

Post by QNAPDanielFL » Wed May 19, 2021 7:13 am

Qlocker got NAS devices through a vulnerability in the app HBS3 that was exploited through port forwarding.
We have patched that vulnerability. But for better protection from potential threats in the future, it is safer to not forward ports to the NAS except the VPN port. If you don't forward ports, you are very unlikely to get infected.

But that said, we are doing a lot to improve the security of our apps and OS. And we have QuFirewall to add more protection if someone needs port forwarding for their use case.

itpromike@gmail.com
Starting out
Posts: 24
Joined: Tue May 18, 2021 8:32 am

Re: Question about security before I buy

Post by itpromike@gmail.com » Wed May 19, 2021 7:26 am

QNAPDanielFL wrote:
Wed May 19, 2021 7:13 am
Qlocker got NAS devices through a vulnerability in the app HBS3 that was exploited through port forwarding.
We have patched that vulnerability. But for better protection from potential threats in the future, it is safer to not forward ports to the NAS except the VPN port. If you don't forward ports, you are very unlikely to get infected.

But that said, we are doing a lot to improve the security of our apps and OS. And we have QuFirewall to add more protection if someone needs port forwarding for their use case.
Thanks for the feedback. The reason I would but QNAP is for Plex. Will people be able to connect to my Plex media server I run for remote family members of the port isn’t forwarded?

itpromike@gmail.com
Starting out
Posts: 24
Joined: Tue May 18, 2021 8:32 am

Re: Question about security before I buy

Post by itpromike@gmail.com » Wed May 19, 2021 7:38 am

QNAPDanielFL wrote:
Wed May 19, 2021 7:13 am
Qlocker got NAS devices through a vulnerability in the app HBS3 that was exploited through port forwarding.
We have patched that vulnerability. But for better protection from potential threats in the future, it is safer to not forward ports to the NAS except the VPN port. If you don't forward ports, you are very unlikely to get infected.

But that said, we are doing a lot to improve the security of our apps and OS. And we have QuFirewall to add more protection if someone needs port forwarding for their use case.
Also if I’m not using my NAS for backup/recovery but rather just for media storage do I even need HBS3 or can I disable it completely?

QNAPDanielFL
Easy as a breeze
Posts: 349
Joined: Fri Mar 31, 2017 7:09 am

Re: Question about security before I buy

Post by QNAPDanielFL » Wed May 19, 2021 8:03 am

You don't need to enable HBS3. You don't need to have the app on your NAS at all.
Plex relay can work without port forwarding. But My understanding is there are bandwidth limitations on the relay service in Plex. So some people choose to forward the plex port. If you just forward that 1 port for plex, the danger should be much less than forwarding the http or https port. But it still might be good to use QuFirewal if you make that decision.

User avatar
Moogle Stiltzkin
Guru
Posts: 10132
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....
Contact:

Re: Question about security before I buy

Post by Moogle Stiltzkin » Wed May 19, 2021 8:20 am

the security incident you mentioned is basically because people inappropriately exposed their nas online and expect not to get hit by zero day malware or any unpatched vulnerabilities (usually due to not updating qts as often as they should).

people that require remote access but who use vpn, update regularly qts, their routers and client devices, are way less likely to be hit by something like qlocker. even things like just port forwarding only plex, seemed to be safe. plex is the only safe app afaik that can be port forwarded based on what i've read other qnap users have said about it. oo yes and the vpn port (specifically use openvpn protocol)
https://www.reddit.com/r/PleX/comments/ ... _external/

so if you follow the correct steps for doing a proper setup and not exposing nas improperly online, it should be fine.

while i do think there are some security things that could be better like fixing issues sooner when they are reported to qnap, a lot of the other complaints you will see are just overblown, so read carefully what they are complaining about specifically and see what is the actual problem before you make your conclussions is my advice. mostly by the people who got hit but did not do remote in a way that was responsibly reducing their risks. i don't care what brand you opt for, but you should not expose your nas inappropriately.

there are 2 groups of people in this regard. those with legitimate concerns. and those who just simply lash out to find somebody to blame but themselves (no backup? no good security practises on your end when able to do so? that's on you... nobody else) :S so plz distinguish between the 2 groups when reading their comments.


for remote you can setup vpn server on your router
https://www.youtube.com/watch?v=PgielyUFGeQ

or even a pivpn running on a raspberrypi
https://www.youtube.com/watch?v=15VjDVCISj0

or you can use the inbuilt qvpn on the nas, although i'm not sure how well that is compared to the other 2 options although i'm told it's not preferable compared to the other 2 options mentioned.
Last edited by Moogle Stiltzkin on Wed May 19, 2021 3:55 pm, edited 4 times in total.
NAS
[Main Server] QNAP TS-877 (QTS) w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A (Truenas Core) w. 4x 2TB Samsung F3 (HD203WI) RaidZ1 ZFS + 8gb ddr3 Crucial
[^] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D (Truenas Scale)
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Qotom Pfsense|100dl/50ul MBPS FTTH | Win10, WC PC-Intel i7 920 Ivy bridge desktop (1x 512gb Samsung 850 Pro SSD + 1x 4tb HGST Ultrastar 7K4000)


Guides/articles
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin

itpromike@gmail.com
Starting out
Posts: 24
Joined: Tue May 18, 2021 8:32 am

Re: Question about security before I buy

Post by itpromike@gmail.com » Wed May 19, 2021 11:36 am

Moogle Stiltzkin wrote:
Wed May 19, 2021 8:20 am

for remote you can setup vpn server on your router
https://www.youtube.com/watch?v=PgielyUFGeQ

or even a pivpn running on a raspberrypi
https://www.youtube.com/watch?v=15VjDVCISj0

or you can use the inbuilt qvpn on the nas, although i'm not sure how well that is compared to the other 2 options.
Ok thanks that’s helpful. As a follow up question, with my use case of running a torrent seedbox and Plex server - how does the VPN come into play? Would people who wanted to play a movie from my Plex library first need to configure VPN on their Plex client and connect to my VPN?

User avatar
Moogle Stiltzkin
Guru
Posts: 10132
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....
Contact:

Re: Question about security before I buy

Post by Moogle Stiltzkin » Wed May 19, 2021 4:02 pm

for plex you can go to router port forward the plex port. vpn probly not required for that.

however one thing you can do is obfuscate your port.


plex port is 32400 ya?

so what you can do is use a custom port, which redirects to internal port 32400


what that does is, your client uses the custom port remotely, but it redirects to the internal port. so that hackers who search for port 32400 will be out of luck because you are not using the default port.

all this does though is obfuscate, but it's better than not doing so.


the type of vpn usage i had in mind is like...


say you remote using a client pc. this pc u install a openvpn client app. which connects to your router vpn server located elsewhere. when it connects, this is secure. you can then access your qnap nas to access the shares so you can copy/paste/delete as per usual.

on mobile devices it's a similar process. you may have apps like qfile or something where you can access those files. or if you want to watch a video you can use mxplayer.

this guy explains how vpn works
https://www.youtube.com/watch?v=1mtSNVdC7tM



there are 2 usages for vpn

- vpn subscription services like Mulvad, expressvpn etc, these just help you bypass geoblocking by changing your ip to pretend your from a different country/location when in reality you're not. the truth about vpn for privacy
https://www.youtube.com/watch?v=oja3UzuuqGQ

- to have secure encrypted access over the internet safely. the connection over this tunnel is encrypted and can't be breached into. (vpn was originally designed for this purpose)

so for you, you will be using the 2nd method usage for vpn purposes.


this chap is the perfect example of not doing due diligence then getting mad about it
https://www.youtube.com/watch?v=S_4p68lDWfA

i do concede on one point he made in his comments later. that qnap knew about a vulnerability for 4months but did not fix it after that time. Yes that was bad of qnap, hope they do better :S

but you do realize mistakes can happen on both ends? :' but then come along the trolls accusing of victimg blaming :roll: because they only have 1 agenda on mind, so logic and reasoning goes out the window if all they care for is creating stawman arguements/trolling/and other disingenious commentary that pushes their own narratives. not worth discussing with these types of nobodies :lol:
Last edited by Moogle Stiltzkin on Sat May 29, 2021 12:28 pm, edited 3 times in total.
NAS
[Main Server] QNAP TS-877 (QTS) w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A (Truenas Core) w. 4x 2TB Samsung F3 (HD203WI) RaidZ1 ZFS + 8gb ddr3 Crucial
[^] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D (Truenas Scale)
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Qotom Pfsense|100dl/50ul MBPS FTTH | Win10, WC PC-Intel i7 920 Ivy bridge desktop (1x 512gb Samsung 850 Pro SSD + 1x 4tb HGST Ultrastar 7K4000)


Guides/articles
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin

User avatar
jaysona
Been there, done that
Posts: 682
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: Question about security before I buy

Post by jaysona » Thu May 20, 2021 12:29 am

Moogle Stiltzkin wrote:
Wed May 19, 2021 8:20 am
the security incident you mentioned is basically because people inappropriately exposed their nas online and expect not to get hit by zero day malware or any unpatched vulnerabilities (usually due to not updating qts as often as they should).

....
:roll: :roll: Here we go with more victim blaming. :roll: :roll:

QNAP employed deceitful marketing and was negligent in their coding practices, that is why there have been so many QNAP security related incidents.

For more than half a decade QNAP NASes have been targeted repeatedly multiple times per year, the attack vector was almost always the same - attack QTS and its Internet facing applications (Photo, Music, File, Media sharing) by exploiting the abysmally poor coding (mostly PHP) that QNAP has used since they released QTS 4. During that same half decade time-frame, QNAP has ramped up their marketing of how simple it is for the average person to share their digital life on-line and infer that the NAS is secure.
H/W: Asustor AS6604T (8Gig) / Asustor AS7010T (16Gig)
H/W: TS-219 Pro / TS-509 Pro x2 / TS-569 Pro (being decommissioned)
H/W: TS-670 Pro (i7-3770S 16Gig) / TVS-EC1080 (32Gig) TVS-871 (i7-4790S 16Gig)
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 386.12
Router2: Asus RT-AC68U - DD-WRT v3.0-r39960M kongac
Router3: Linksys WRT1900AC - DD-WRT v3.0-r43028 std
Router4: Asus RT-AC66U - FreshTomato v2021.2

Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8Gig) / TS-853 Pro (8Gig) / TS-670 Pro (i7-3770S 16Gig)

User avatar
spile
Easy as a breeze
Posts: 407
Joined: Tue May 24, 2016 12:13 am

Re: Question about security before I buy

Post by spile » Thu May 20, 2021 2:17 pm

jaysona wrote:
Thu May 20, 2021 12:29 am

:roll: :roll: Here we go with more victim blaming. :roll: :roll:

QNAP employed deceitful marketing and was negligent in their coding practices, that is why there have been so many QNAP security related incidents.

For more than half a decade QNAP NASes have been targeted repeatedly multiple times per year, the attack vector was almost always the same - attack QTS and its Internet facing applications (Photo, Music, File, Media sharing) by exploiting the abysmally poor coding (mostly PHP) that QNAP has used since they released QTS 4. During that same half decade time-frame, QNAP has ramped up their marketing of how simple it is for the average person to share their digital life on-line and infer that the NAS is secure.
And that could not be said of all the main commercial NAS vendors?
https://www.synology.com/en-uk/company/ ... Ransomware

User avatar
jaysona
Been there, done that
Posts: 682
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: Question about security before I buy

Post by jaysona » Thu May 20, 2021 10:51 pm

spile wrote:
Thu May 20, 2021 2:17 pm
And that could not be said of all the main commercial NAS vendors?
https://www.synology.com/en-uk/company/ ... Ransomware
lolz! Are you really that shallow?

You post a 2 year old notice by one vendor wherein the notice is providing additional simple and useful information to their customers on how to secure their NAS and try to paint them with the same brush as QNAP? Omg! I love people like you, you're the personality type that make my "competitive intelligence" engagements so easy to complete. ;)

The Synology notice refers the a dumb brute force dictionary attack and how to protect against that. In addition, out of the box, other vendors (Asustor is the only one I have personal experience with) have taken measures to increase the security posture of their NASes and are not vulnerable to brute force attacks the way QNAPs are still vulnerable.

Sure, all NAS vendors are subject to unrelenting brute force dictionary attacks, other vendors are more resilient against those attacks than QNAP. The real beauty of QNAP insecurity is that the best openings to QNAP don't even require any sort of brute force attempts. QNAP has so many other easily to exploit vulnerabilities that that the brute force attack vectors are relegated to the script kiddies and recycled botnets during their downtime while new targeted campaigns are under development.

QNAP NASes have been repeatedly and successfully attacked during the past six or so years using the same attack vectors over and over, QNAP has effectively done nothing to actually improve the security of their products, the successful yearly attack campaigns against QNAP are clear evidence of that.

QuFirewwall? What a joke of a "firewall" software, so much lulz. QNAP uses AWS addresses for some of their services, so if I want to attack a QNAP, I just get a slot in the same address range - boom access granted! :lol: :lol:

I now have all my QNAPs blocked from being able to initiate outbound connections to the Internet, and the inbound connections permitted are for plex, smtp(s), imaps which I am in the process of migrating to my Asustor NASes. The only inbound connection that will permitted on my remaining QNAP NAS will be for my seedbox.

The only secure QNAP NAS is a QNAP NAS that has no connection to the Internet.
H/W: Asustor AS6604T (8Gig) / Asustor AS7010T (16Gig)
H/W: TS-219 Pro / TS-509 Pro x2 / TS-569 Pro (being decommissioned)
H/W: TS-670 Pro (i7-3770S 16Gig) / TVS-EC1080 (32Gig) TVS-871 (i7-4790S 16Gig)
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 386.12
Router2: Asus RT-AC68U - DD-WRT v3.0-r39960M kongac
Router3: Linksys WRT1900AC - DD-WRT v3.0-r43028 std
Router4: Asus RT-AC66U - FreshTomato v2021.2

Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8Gig) / TS-853 Pro (8Gig) / TS-670 Pro (i7-3770S 16Gig)

User avatar
spile
Easy as a breeze
Posts: 407
Joined: Tue May 24, 2016 12:13 am

Re: Question about security before I buy

Post by spile » Fri May 21, 2021 1:13 pm

jaysona wrote:
Thu May 20, 2021 10:51 pm
spile wrote:
Thu May 20, 2021 2:17 pm
And that could not be said of all the main commercial NAS vendors?
https://www.synology.com/en-uk/company/ ... Ransomware
lolz! Are you really that shallow?

You post a 2 year old notice by one vendor wherein the notice is providing additional simple and useful information to their customers on how to secure their NAS and try to paint them with the same brush as QNAP? Omg! I love people like you, you're the personality type that make my "competitive intelligence" engagements so easy to complete. ;)

The Synology notice refers the a dumb brute force dictionary attack and how to protect against that. In addition, out of the box, other vendors (Asustor is the only one I have personal experience with) have taken measures to increase the security posture of their NASes and are not vulnerable to brute force attacks the way QNAPs are still vulnerable.

Sure, all NAS vendors are subject to unrelenting brute force dictionary attacks, other vendors are more resilient against those attacks than QNAP. The real beauty of QNAP insecurity is that the best openings to QNAP don't even require any sort of brute force attempts. QNAP has so many other easily to exploit vulnerabilities that that the brute force attack vectors are relegated to the script kiddies and recycled botnets during their downtime while new targeted campaigns are under development.

QNAP NASes have been repeatedly and successfully attacked during the past six or so years using the same attack vectors over and over, QNAP has effectively done nothing to actually improve the security of their products, the successful yearly attack campaigns against QNAP are clear evidence of that.

QuFirewwall? What a joke of a "firewall" software, so much lulz. QNAP uses AWS addresses for some of their services, so if I want to attack a QNAP, I just get a slot in the same address range - boom access granted! :lol: :lol:

I now have all my QNAPs blocked from being able to initiate outbound connections to the Internet, and the inbound connections permitted are for plex, smtp(s), imaps which I am in the process of migrating to my Asustor NASes. The only inbound connection that will permitted on my remaining QNAP NAS will be for my seedbox.

The only secure QNAP NAS is a QNAP NAS that has no connection to the Internet.
The point I was making relates to the vulnerability inherent in all manufacturers of such devices and that extends beyond one manufacturer. The example given is one of many as I am sure you know. If you believe that other manufacturers provide a more secure infrastructure then why are you hanging around here? You are venting your spleen to no effect. We know the limitations of Qnap. Given your technical skills I would have thought you would be developing your own solution. It would be appreciated if you shed more light and less heat.I would also recommend working on your attitude to other forum users in this community .

User avatar
Moogle Stiltzkin
Guru
Posts: 10132
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....
Contact:

Re: Question about security before I buy

Post by Moogle Stiltzkin » Fri May 21, 2021 3:06 pm

i don't see the point trying to reason with him. clearly he has issues, which is between him and him. best just ignore him if he is being rude and toxic. not worth your time or effort tbh. best leave discussions with other more mature users in the community :)
NAS
[Main Server] QNAP TS-877 (QTS) w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A (Truenas Core) w. 4x 2TB Samsung F3 (HD203WI) RaidZ1 ZFS + 8gb ddr3 Crucial
[^] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D (Truenas Scale)
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Qotom Pfsense|100dl/50ul MBPS FTTH | Win10, WC PC-Intel i7 920 Ivy bridge desktop (1x 512gb Samsung 850 Pro SSD + 1x 4tb HGST Ultrastar 7K4000)


Guides/articles
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin

User avatar
McBride
Know my way around
Posts: 106
Joined: Fri Jun 07, 2013 3:00 pm
Location: Vienna

Re: Question about security before I buy

Post by McBride » Fri May 21, 2021 9:41 pm

Yeah, naw. @jaysona got a point here, even if he’s not very diplomatic. QNAPs security practices are lax at best. When I had issues and they wanted to connect to my device, they practically wanted me to expose it, uncontrolled. You have to shake your head how the QNAP fanboyz are defending the brand here. Admitting failure is the first step to resolution. They never admired any wrongdoing. Not even after everyone knew, they had hard coded passwords in their qpkgs. Working in IT since 35 years and in a company that does development and software testing as well, my guess is that I can judge things a tiny bit.


Austria est imperare orbi universo

Post Reply

Return to “Presales”