QNAP NAS Community Forum

I recently encountered a need to enable the FTP service on my QNAP. I also opened ports 20 & 21 so it can be accessed remotely. It all worked fine however every so often I loose network connectivity. Qfinder Pro is unable to find it, my shares stop working in Windows and I'm unable to log into the web interface. If I shut it down by holding in the power button on the device then start it up again everything is working fine. I do notice the following warning in the system log after:

"[Network & Virtual Switch] Failed to connect to the internet. System default gateway "Virtual Switch 1" and all adapters failed to connect to the internet after checking NCSI."

Sometimes it happens again within 10 minutes after restarting. Other times it can run for a few days before this happens. However if I turn off the FTP service it runs fine indefinitely. I have noticed a lot of system log warnings such as this one:

"Warning 2021-02-16 08:02:30 anonymous 178.32.197.85 --- FTP --- Failed to log in"

I'm wondering if I'm being attacked and QNAP's response is to disconnect the LAN. Any suggestions would be appreciated. Thanks

mroy5150 wrote: ↑Thu Feb 18, 2021 7:04 am I'm wondering if I'm being attacked and QNAP's response is to disconnect the LAN. Any suggestions would be appreciated. Thanks

Yes of course you're being attacked. QNAP is not smart enough to disconnect from the LAN. The internet NAT router may be overwhelmed by all the external connections attempts that it needs to keep track of. Kind of a DOS attack (Denial-Of-Service) if you will. You get a double-whammy. Nice, heh?

Suggestion: Don't expose FTP service to the Internet! This is completely crazy. Nobody in their right mind, whether amateur or pro, does that nowadays.

Mousetick wrote: ↑Thu Feb 18, 2021 7:20 am

mroy5150 wrote: ↑Thu Feb 18, 2021 7:04 am I'm wondering if I'm being attacked and QNAP's response is to disconnect the LAN. Any suggestions would be appreciated. Thanks

Yes of course you're being attacked. QNAP is not smart enough to disconnect from the LAN. The internet NAT router may be overwhelmed by all the external connections attempts that it needs to keep track of. Kind of a DOS attack (Denial-Of-Service) if you will. You get a double-whammy. Nice, heh?

Suggestion: Don't expose FTP service to the Internet! This is completely crazy. Nobody in their right mind, whether amateur or pro, does that nowadays.

Thanks for the response. You confirmed my suspicions. I have used FTP years ago regularly to share files with friends and family but didn't realize how crazy it's gotten. I have turned off the FTP Service and deleted the port settings. Thanks again for your help though you could have dialed down the condescension slightly.

I meant "What on earth were you thinking?" and "What did you expect?" It was just a little slap on the wrist.

When you open ports to the NAS on the Internet, you essentially become a cloud storage provider. Like Google or Microsoft or DropBox, at a micro scale relative to them, but still, you provide cloud storage services accessible to anyone, authorized or not. Which in this day and age, you should not be doing, unless you're adequately skilled, equipped and prepared to face the consequences. On top of that, by using an outdated unsecure protocol, you're making it that much easier to become the target of attacks.

The Internet nowadays is crowded with miscreants and plagued by rogue compromised devices assembled into botnets used to produce email spam, DDOS attacks, steal information, spread ransomware and other malware, compromising more devices in the process, and this goes on and on.

People like you who naively start their own cloud storage service with consumer-grade hardware and software, are part of the problem - by being so careless. Your actions put your own security at risk but also that of others. Don't take it personally, you're not alone.

Mousetick wrote: ↑Thu Feb 18, 2021 8:25 am I meant "What on earth were you thinking?" and "What did you expect?" It was just a little slap on the wrist.

When you open ports to the NAS on the Internet, you essentially become a cloud storage provider. Like Google or Microsoft or DropBox, at a micro scale relative to them, but still, you provide cloud storage services accessible to anyone, authorized or not. Which in this day and age, you should not be doing, unless you're adequately skilled, equipped and prepared to face the consequences. On top of that, by using an outdated unsecure protocol, you're making it that much easier to become the target of attacks.

The Internet nowadays is crowded with miscreants and plagued by rogue compromised devices assembled into botnets used to produce email spam, DDOS attacks, steal information, spread ransomware and other malware, compromising more devices in the process, and this goes on and on.

People like you who naively start their own cloud storage service with consumer-grade hardware and software, are part of the problem - by being so careless. Your actions put your own security at risk but also that of others. Don't take it personally, you're not alone.

Thank you Mousetick for the information. Much appreciated. What about port 443? I had previously opened that port so I can access my qnap remotely in case I need a file. Is it okay to open that port or am I still exposing myself to unnecessary risk?

mroy5150 wrote: ↑Tue Feb 23, 2021 6:33 am Thank you Mousetick for the information. Much appreciated. What about port 443? I had previously opened that port so I can access my qnap remotely in case I need a file. Is it okay to open that port or am I still exposing myself to unnecessary risk?

No it's not okay I'm sorry to say and you will still be the target of attacks.

While port 443 provides secure (encrypted) communication, it still is opened to the Internet and anyone, authorized or not, can come knocking on the door, so to speak. An attacker can probe your public IP address and scan for open ports. Once port 443 is detected, it is easy to make a request to the NAS which will respond with the QTS login page. The attacker now knows that you have a QNAP NAS and can launch targeted attacks tailored to this specific type of device.

They may try to login with well-known user names and common passwords. The repeated attempts may once again overwhelm your router.

Even if you use strong passwords for all the NAS users, and require 2FA (2-factor authentication), which would defeat an attacker's login attempts with username+password, there is still a risk of the attacker exploiting a security hole in the QNAP QTS administration web server, bypassing the login entirely. History shows that security holes are not uncommon in QNAP software.

Basically any mechanism which provides direct access to your NAS or network, especially if it uses username+password authentication, should be avoided otherwise it will be the target of constant intrusion attacks.

You have 2 options to access your NAS remotely that don't rely on such mechanism:
- Use a VPN (Virtual Private Network). You run a VPN server on your LAN (the VPN server can be in your Internet router/firewall, on the NAS, or on a separate device), and you connect from the Internet with a VPN client running on your laptop or smartphone. If the VPN server is not on the Internet router/firewall, the VPN ports need to be forwarded to the device running the VPN server. All other ports are closed and UPnP is disabled on the firewall. The VPN should use key certificate-based authentication, or a combination of certificate + username + password.
- Use QNAP's myQNAPcloud Link feature. In that case, all ports are closed and UPnP is disabled on the firewall. To access your NAS, you connect to a QNAP cloud server rather than to your NAS directly. Your NAS maintains a permanent encrypted connection to the QNAP cloud server, creating a "tunnel" through which you can access it. To connect to QNAP cloud server from your laptop or smartphone, you first provide your myQNAPcloud credentials (which are distinct from your NAS username+password), optionally with 2FA.

There are pros and cons to each option. Off the top of my head:
- VPN Pros: you're in control of everything, don't rely on a 3rd-party availability and security, provides better network throughput performance if you transfer large amounts of data
- VPN Cons: you must set it up yourself, configure everything, learning curve may be steep depending on product used, requires special software installed and configured on the client device
- QNAP Link Pros: easy to set up, user-friendlier for non-technically inclined users, free as long as your QNAP NAS is registered, only requires a web browser on the client device
- QNAP Link Cons: relies on a 3rd-party for availability and security of service, needs to be trusted they're not snooping on your data, provides worse network throughput performance not suitable for transferring large amounts of data

Sorry for the wall of text. Hope this helps.