Publish services

Post your questions about myQNAPcloud service here.
rmcpdias
Starting out
Posts: 14
Joined: Fri Jun 04, 2021 1:01 am

Publish services

Post by rmcpdias »

Hi, good afternoon.

Can anyone explain to me the purpose of publishing services on the myQNAPCloud website?


Best Regards,
Rui
dolbyman
Guru
Posts: 35015
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Publish services

Post by dolbyman »

Don't even bother to publish any services to the public web, a huge security risk that has cost many bitcoins and lost data (ransomware) for many users.

Remove port forwards and disable UPnP on your router!
Moogle Stiltzkin
Guru
Posts: 11448
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....
Contact:

Re: Publish services

Post by Moogle Stiltzkin »

it's supposed to be a frontend access for qnap related services if making them available online. the services then would have options in qts settings like make public or private, and require login to myqnapcloud or have it public access (anyone can just sign in or not). You can also restrict it to specific friend accounts.

personally i don't recommend this, although maybe it works (some on the forum argued it works fine)?

But instead, if you need remote access, use a vpn (use the openvpn protocol) to connect to your qnap. Then you don't need to deal with myqnapcloud, and you can use a standard method for secure remote access that just works.

The only other service i know of which is safe to port forward for remote access is plex. But other than that.... do your own research
Last edited by Moogle Stiltzkin on Sun Jun 13, 2021 3:50 pm, edited 1 time in total.
NAS
[Main Server] QNAP TS-877 (QTS) w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A (Truenas Core) w. 4x 2TB Samsung F3 (HD203WI) RaidZ1 ZFS + 8gb ddr3 Crucial
[^] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D (Truenas Scale)
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Qotom Pfsense|100mbps FTTH | Win11, Ryzen 5600X Desktop (1x2tb Crucial P50 Plus M.2 SSD, 1x 8tb seagate Ironwolf,1x 4tb HGST Ultrastar 7K4000)


Resources
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin
spile
Been there, done that
Posts: 637
Joined: Tue May 24, 2016 12:13 am

Re: Publish services

Post by spile »

I understand that trust is an issue, but in terms of actual evidence, I have not seen any published reference (other than hearsay) of MyQnapCloud being used as a point of entry for attack. All points of entry I have seen reported have, not unsurprisingly, come as a result of open ports.
Moogle Stiltzkin
Guru
Posts: 11448
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....
Contact:

Re: Publish services

Post by Moogle Stiltzkin »

spile wrote: Sun Jun 13, 2021 2:19 pm I understand that trust is an issue, but in terms of actual evidence, I have not seen any published reference (other than hearsay) of MyQnapCloud being used as a point of entry for attack. All points of entry I have seen reported have, not unsurprisingly, come as a result of open ports.
i believe it was daniel who said it's fine. although honestly i don't fully understand the technical reasons for that claim, but i do understand how vpn on the router helps, so that's why i recommend that instead. everyone i've seen does also

myqnapcloud basically does a few things

- sets up a dyndns using qnapcloud's own dyndns address.
- has a upnp capability (WHICH I STRONGLY DO NOT RECOMMEND using :shock: if you must do port forwarding, do it manually)
- then has GUI settings to publicly publish your services OR to make them private. I believe that private requires whitelisted users who log in to a myqnapcloud account to be able to access

these services are things like e.g. photostation, music station, video station, and even QTS admin webpage itself (you get the idea)

i've tested myqnapcloud myself and tested it working. But whether you should be doing this is a different matter.

At least with openvpn on the router, you can still access those services, but minus the myqnapcloud stuff. To remotely access the vpn, you need the vpn client cert and the credentials in order to do so. Perhaps there can be additional protection, by the admin configuring the router to whitelist specific countries or ip addresses to log in (i see pfsense pfblocker can do this. although i didn't test this myself).

There is also a video for raspberry pi for configuring a pivpn which is more newbie friendly to configure. And it also includes a dyndns if you need that. There is also an automated solution for automatically updating the raspberry pi, which is good for newbies that want good security but low maintenance.
https://www.youtube.com/watch?v=rtUl7BfCNMY
rmcpdias
Starting out
Posts: 14
Joined: Fri Jun 04, 2021 1:01 am

Re: Publish services

Post by rmcpdias »

Hi,

thank you very much for all your replies. I've checked what you said about the security problems, and I discovered that although I have all my services disabled (attachment: Screenshot 2021-06-13 122557.png), I still can access everything using my DDNS name or my public IP address.


Best Regards,
Rui
dolbyman
Guru
Posts: 35015
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Publish services

Post by dolbyman »

then disable upnp asap on your router to prevent your system from getting hacked
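
Added example, not part of any post in this thread: a Python audit of a router's UPnP port-mapping table that flags every forward still pointing at the NAS, which is what the advice above asks you to remove. The listing layout is assumed to be that of miniupnpc's `upnpc -l`; the sample lines, IP addresses, ports and the function names `parse_mappings` and `exposed` are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the layout assumed for `upnpc -l` output;
# every address, port and description here is made up.
SAMPLE = """\
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP  8080->192.168.1.50:8080  'NAS Web' '' 0
 1 TCP   443->192.168.1.50:443   'NAS Secure Web' '' 0
 2 UDP 51413->192.168.1.23:51413 'Torrent client' '' 3600
 3 UDP  1194->192.168.1.2:1194   'OpenVPN on Pi' '' 0
"""

MAPPING = re.compile(
    r"^\s*\d+\s+(?P<proto>TCP|UDP)\s+(?P<ext>\d+)->"
    r"(?P<host>[\d.]+):(?P<port>\d+)\s+'(?P<desc>[^']*)'"
)


def parse_mappings(text):
    """Return one dict per port-mapping line; the header and noise are skipped."""
    out = []
    for line in text.splitlines():
        m = MAPPING.match(line)
        if not m:
            continue
        out.append({
            "proto": m["proto"],
            "ext_port": int(m["ext"]),
            "host": ipaddress.ip_address(m["host"]),
            "int_port": int(m["port"]),
            "desc": m["desc"],
        })
    return out


def exposed(mappings, nas_ip, allowed=frozenset()):
    """Mappings that forward WAN traffic to the NAS and are not explicitly allowed."""
    nas = ipaddress.ip_address(nas_ip)
    return [m for m in mappings
            if m["host"] == nas and (m["proto"], m["ext_port"]) not in allowed]


if __name__ == "__main__":
    for m in exposed(parse_mappings(SAMPLE), "192.168.1.50"):
        print(f"remove: {m['proto']} {m['ext_port']} -> "
              f"{m['host']}:{m['int_port']} ({m['desc']})")
```

An empty result after UPnP is disabled and manual forwards are deleted means the router is no longer forwarding anything to the NAS address you passed in.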
rmcpdias
Starting out
Posts: 14
Joined: Fri Jun 04, 2021 1:01 am

Re: Publish services

Post by rmcpdias »

Do you think I should also disable myQNAPCloud Link?
Cbrad01
Know my way around
Posts: 245
Joined: Fri Jan 15, 2016 9:17 pm

Re: Publish services

Post by Cbrad01 »

rmcpdias wrote:Do you think I should also disable myQNAPCloud Link?
Best practice is to disable and/or uninstall any service or application you are not using.
If you use an application occasionally, then disable it between uses.
For instance, I use Download Station to handle large/slow downloads. I disable it between uses.
With QNAP cloud you are at QNAP's mercy. I love the idea, but given their track record on general security I would not use it. VPN is much better and provides a lot more benefits. For instance, I use my home VPN that I set up for accessing QNAP at any "free open" WiFi locations to protect myself. Saves me from purchasing a VPN service.


spile
Been there, done that
Posts: 637
Joined: Tue May 24, 2016 12:13 am

Re: Publish services

Post by spile »

rmcpdias wrote: Sun Jun 13, 2021 11:57 pm Do you think I should also disable myQNAPCloud Link?
That is the trust issue I referred to above. As long as upnp is off and you are not forwarding, from a security aspect I personally would not have an issue in using Cloud Link for remote sharing, IF and only if I wasn't using a VPN server on a Raspberry Pi. However, having to route traffic via Qnap servers does not appeal from a speed point of view.
Last edited by spile on Tue Jun 15, 2021 2:46 pm, edited 1 time in total.
Moogle Stiltzkin
Guru
Posts: 11448
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....
Contact:

Re: Publish services

Post by Moogle Stiltzkin »

cloudlink to my understanding is for people who can't use vpn. cloudlink gets around that problem somehow. but if i am not mistaken, it has a limited speed throttle for that service? whereas if you use your own vpn, you don't have such limitations. in terms of trust i don't believe qnap is malicious (you all decide for yourselves. but plz understand that taiwan is not china.... so just because china is always spying and stuff, doesn't mean taiwan is doing the same oppressive stuff at least on that sort of scale.... afaik). but still if you use less cloud stuff, and online footprint, then the safer you are. too many companies online get hacked then credentials get exposed..... that's how i see things
Mousetick
Experience counts
Posts: 1081
Joined: Thu Aug 24, 2017 10:28 pm

Re: Publish services

Post by Mousetick »

The myQNAPcloud infrastructure uses Amazon AWS data centers. They are located in the USA for America and Europe users.

While Cloud Link provides secure communication between NAS and QNAP relay servers, there is still a question of trust and security because we don't know who owns the encryption key. Is this a common single key owned by QNAP and stored on QNAP servers? Is this a randomly generated unique key stored on the NAS? How is the key protected?

If the key(s) is/are stored on the QNAP server side, then there is a risk that it could be used by malicious actors to eavesdrop and steal information.

If QNAP were serious, they should clearly document how the data is encrypted between the NAS and QNAP relay servers, how the key is generated and where it is stored. Ideally they should allow users to generate and provide their own key.

In that regard QNAP is no better or worse than a service like Dropbox for example, which controls encryption on the server side and doesn't allow user-supplied keys.

I think Cloud Link is fine as a poor-man's VPN or as a substitute when VPN access is not possible, certainly much better than directly port forwarding to the NAS. I don't use it myself, but if I were to use it, I would use a dedicated NAS user with restricted access for login and I wouldn't transfer super sensitive stuff with it unless it was stored into files encrypted by myself.
spile
Been there, done that
Posts: 637
Joined: Tue May 24, 2016 12:13 am

Re: Publish services

Post by spile »

Mousetick wrote: Mon Jun 14, 2021 4:48 pm The myQNAPcloud infrastructure uses Amazon AWS data centers. They are located in the USA for America and Europe users.

While Cloud Link provides secure communication between NAS and QNAP relay servers, there is still a question of trust and security because we don't know who owns the encryption key. Is this a common single key owned by QNAP and stored on QNAP servers? Is this a randomly generated unique key stored on the NAS? How is the key protected?

If the key(s) is/are stored on the QNAP server side, then there is a risk that it could be used by malicious actors to eavesdrop and steal information.

If QNAP were serious, they should clearly document how the data is encrypted between the NAS and QNAP relay servers, how the key is generated and where it is stored. Ideally they should allow users to generate and provide their own key.

In that regard QNAP is no better or worse than a service like Dropbox for example, which controls encryption on the server side and doesn't allow user-supplied keys.

I think Cloud Link is fine as a poor-man's VPN or as a substitute when VPN access is not possible, certainly much better than directly port forwarding to the NAS. I don't use it myself, but if I were to use it, I would use a dedicated NAS user with restricted access for login and I wouldn't transfer super sensitive stuff with it unless it was stored into files encrypted by myself.
That sums up my attitude and thanks for information on server location. I have edited my post accordingly. I think it would be clearer for all if Qnap made a clear line in the sand between MyQnapCloud and MyQnapCloud Link by referring to the latter (as we have done) as CloudLink.
spile
Been there, done that
Posts: 637
Joined: Tue May 24, 2016 12:13 am

Re: Publish services

Post by spile »

My comment about trust and MyQnapCloud Link needs updating...
https://www.qnap.com/en-uk/security-adv ... dium=email
elvisimprsntr

Re: Publish services

Post by elvisimprsntr »

Glad I jettisoned QNAP QTS from my home.