New security guide from Qnap


Post by spile »

https://www.qnap.com/en-us/security-new ... y-new-year

A new guide from QNAP but scant information on using a VPN server. For example no reference to OpenVPN or WireGuard, compatible routers or using other hardware to host the VPN server. It continues to push the security by obfuscating methods which I find worrying.

Post by dosborne »

Since security on your network really has nothing to do with your NAS, I wouldn't expect much from QNAP. They can't list every router and network configuration, or every provider, and what they do offer is useless from a network perspective. It is up to the user to figure out what to use on their own network.

Realistically, what do you want them to say other than the best approach is to run a VPN? At least they acknowledge the potential issues, which is more than they used to do. :)
QNAP TS-563-16G 5x10TB Seagate Ironwolf HDD Raid-5 NIC: 2x1GB 1x10GbE
QNAP TS-231P-US 2x18TB Seagate Exos HDD Raid-1
[Deadbolt and General Ransomware Detection, Prevention, Recovery & MORE]

Post by spile »

dosborne wrote: Mon Dec 26, 2022 11:09 am Since security on your network really has nothing to do with your NAS, I wouldn't expect much from QNAP. They can't list every router and network configuration, or every provider, and what they do offer is useless from a network perspective. It is up to the user to figure out what to use on their own network.

Realistically, what do you want them to say other than the best approach is to run a VPN? At least they acknowledge the potential issues, which is more than they used to do. :)
Given it’s a device that is likely to be the target of ransomware, I don’t see that as incongruous and after all it’s reflecting the advice given on here. Don’t take my comments to be over critical of the company as I agree it’s a welcome step in the right direction.

Post by Moogle Stiltzkin »

this youtuber talks about the deadbolt issue among other security concerns with qnap, and what to do
https://www.youtube.com/watch?v=Qjuhp-MBCoE

basically he suggested, for qnap hardware to flash a different OS, or keep it off the internet. I do both things. I use truenas OS on a ts-653a AND also keep an old ts-509 pro OFFLINE (never EVER expose this. however i should mention despite being a very old model, this still has security patches for qts even up to 2022 last i checked. and they also disabled smb1 to bump u into using smb2). in fact i just don't expose any of my nas online to begin with.

And my main nas a ts-877 i still use QTS, because it works and is still updated. But when it no longer is updated, then i can switch it out for truenas.

This is my recommendation for most people using a QNAP.

Main thing is, do not expose the nas ONLINE. But if you must do remote, then you SHOULD add extra layers of protection/security/precautions e.g.

1. use a vpn (usually vpn server setup on router such as pfsense, opnsense, asus using rt merlin firmware, raspberry pi etc)

2. update often (probably not the first 1-2 weeks in case of bad firmware. but it's expected u should be diligent in keeping up to date for qts, your router, client devices, everything on the network)

3. maybe consider setting up vlans to segregate out iots from more sensitive stuff. Maybe even consider a nas with non sensitive data for remote access on a separate vlan to private network (this is what i saw lawrence did and suggested), so that way if that gets infiltrated, it won't affect the other nas with sensitive data on a separate vlan (assuming that you set up vlan correctly to prevent vlan hopping attack)

4. and like the youtuber pointed out, these station qpkgs often get some vulnerability. so that's why i started using docker apps, and set watchtower to auto update those apps which are less prone to vulnerability by comparison (not saying they never get those issues, but probably far less). Basically you can't get away from updating software, it's just a fact of life for owning tech :)

5. keep backups. So in the worst case scenario, at least you can reinitialize then recover. But what people often fail to mention is air gapped backups
https://www.techtarget.com/searchdataba ... re-defense

for example, if your backup is connected to network, malware could spread even to the backups. That's why i often keep my backups powered off and only turn on for running a backup or when i want to recover. It's not perfect, but it's another precautionary measure for an added layer of protection.




why i think people still get hit by things like deadbolt

1. a newbie who buys a nas who doesn't know about these things, then exposes online. only after they get hit, then they come to forum to complain and find out what happened. I think most of those victims fall into this category. this is why i suggested at least something should be mentioned about security tips in the brochure that comes with the NAS when you buy it (for the newbs).

2. people who KNOW the issue for exposing nas online, yet do it anyway. and even worse, they don't do any due diligence (updating, use vpn, reverse proxies etc etc). Then they get hit, but rather than own up to it, they blame others. No sympathy for these folk :S Some people just don't learn until they get hit.




qnap is definitely usable albeit with certain precautions and good practices maintained for using them. and i doubt any other nas brand claims their nas is safe to be exposed online either. hope these tips help.
NAS
[Main Server] QNAP TS-877 (QTS) w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A (Truenas Core) w. 4x 2TB Samsung F3 (HD203WI) RaidZ1 ZFS + 8gb ddr3 Crucial
[^] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D (Truenas Scale)
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Qotom Pfsense|100mbps FTTH | Win11, Ryzen 5600X Desktop (1x2tb Crucial P50 Plus M.2 SSD, 1x 8tb seagate Ironwolf,1x 4tb HGST Ultrastar 7K4000)


Resources
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin

Post by JDH »

All are valid points that NAS users should observe :roll:
NAS Model: TS-453B Mini/TS-253P
FW Ver: 4.4.3.1421 / 4.4.3.1421
OS: Win10 (MS Edge)
No. of HDDs: 4/2
HDD Model: WD Red
HDD Capacity: 6/3TB
RAID Config: RAID 1
Services enabled: All standard services
Ext. Devices: USB Printer (HP Laser Jet 1320)
NAS Speed/MTU: 100Mbps/1500 Bytes

Post by Gaudi »

Moogle Stiltzkin wrote: 5. keep backups. So in the worst case scenario, at least you can reinitialize then recover. But what people often fail to mention is air gapped backups
https://www.techtarget.com/searchdataba ... re-defense

for example, if your backup is connected to network, malware could spread even to the backups. That's why i often keep my backups powered off and only turn on for running a backup or when i want to recover. It's not perfect, but it's another precautionary measure for an added layer of protection.
This is key. I have initiated a thread and requested that QNAP enable running a script after a backup job has completed.
So far there is no such feature.
It will be great to be able to turn off an intelligent switch to power off external media after the backup has been completed.
And turn on remotely or by schedule to initiate it.

See here:

viewtopic.php?t=167993

viewtopic.php?t=167666

Post by Moogle Stiltzkin »

Gaudi wrote: Tue Feb 14, 2023 1:58 am
This is key. I have initiated a thread and requested that QNAP enable running a script after a backup job has completed.
So far there is no such feature.
It will be great to be able to turn off an intelligent switch to power off external media after the backup has been completed.
And turn on remotely or by schedule to initiate it.

See here:

viewtopic.php?t=167993

viewtopic.php?t=167666
qnap does have some sort of power scheduling.

i never used it, but i assume that using that, you could possibly set when the qnap is powered on, then hbs would be scheduled to perform a backup during that time.

i haven't seen or heard of anyone doing this (though honestly i wasn't looking that hard either), so i'm unsure if this is the case. i only know that the power scheduling feature exists for qnap.


also i think there are some settings in HBS that will prevent any shutdowns while HBS is still performing an active job. But i'm not 100% on this, so you best double check yourself. I just never had to try those things out to know for sure, cause i always play it safe :lol:

anyway i don't think qnap necessarily have to step in, since users can already manage their backups (they just need to be properly educated to know how to go about it, assuming they even cared to spend the time to find out which everyone does unfortunately, yet suddenly when disaster strikes then they care and it's already too late by then :( )

but i'm all for your suggestion. Maybe qnap can also make a youtube explaining how this sort of setup would work. This is also important. Because it's just not enough having that sort of capability, they need to also explain/educate their users how that would work so they can follow along on that guide then utilize it for their own backup strategies.

Post by PeterT1959 »

I use IFTTT to listen for an email triggered by a log entry on ejection of the external USB drive to power off the USB drive.

In a similar manner I power on the drive when backups of the PCs in the house complete, which in turn initiates the HBS backup to the USB device.


Post by Gaudi »

PeterT1959 wrote:I use IFTTT to listen for an email triggered by a log entry on ejection of the external USB drive to power off the USB drive.

In a similar manner I power on the drive when backups of the PCs in the house complete, which in turn initiates the HBS backup to the USB device.

Thank you, I have read about this solution. Whereas it is a nice workaround, it is complicated and prone to errors as you are relying on an email trigger rather than on a direct action.
Besides, enabling a script to run based on the backup job outcome could potentially enable way more flexibility.
Moogle Stiltzkin wrote:
qnap does have some sort of power scheduling.

i never used it, but i assume that using that, you could possibly set when the qnap is powered on, then hbs would be scheduled to perform a backup during that time.

i haven't seen or heard of anyone doing this (though honestly i wasn't looking that hard either), so i'm unsure if this is the case. i only know that the power scheduling feature exists for qnap.


also i think there are some settings in HBS that will prevent any shutdowns while HBS is still performing an active job. But i'm not 100% on this, so you best double check yourself. I just never had to try those things out to know for sure, cause i always play it safe :lol:

anyway i don't think qnap necessarily have to step in, since users can already manage their backups (they just need to be properly educated to know how to go about it, assuming they even cared to spend the time to find out which everyone does unfortunately, yet suddenly when disaster strikes then they care and it's already too late by then :( )

but i'm all for your suggestion. Maybe qnap can also make a youtube explaining how this sort of setup would work. This is also important. Because it's just not enough having that sort of capability, they need to also explain/educate their users how that would work so they can follow along on that guide then utilize it for their own backup strategies.
I do not mean to power off the unit, but the external drive.

Post by Moogle Stiltzkin »

Gaudi wrote: Tue Feb 14, 2023 4:16 pm
I do not mean to power off the unit, but the external drive.
only thing i'm aware about external drive,

the QNAP TR (and maybe the TL as well) series can be auto powered off automatically when the NAS powers off. Not quite sure what other capabilities for that it has other than that :'

Post by Gaudi »

Moogle Stiltzkin wrote:
Gaudi wrote: Tue Feb 14, 2023 4:16 pm
I do not mean to power off the unit, but the external drive.
only thing i'm aware about external drive,

the QNAP TR (and maybe the TL as well) series can be auto powered off automatically when the NAS powers off. Not quite sure what other capabilities for that it has other than that :'
There are none, but it should be fairly easy for QNAP to add the option to run a script after the job completes successfully. You could then use the script to execute whatever task you want: turn off the external media by an intelligent switch, turn on a green light to notify you.

Moreover, it could even pass some parameters to the script based on the backup result, so you could turn a red light if it failed.

I have requested the feature from QNAP. So if anyone finds this useful, more requests could lead to increased priority.

Regards
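
The post-backup script discussed in this thread (receive the job result, take the external drive offline, show a green or red light), written as a stand-alone wrapper. This is an added example, not part of any post and not QNAP or HBS code: the mount point and the `notify_light` and `switch_power` functions are hypothetical placeholders, and the backup command is whatever you pass to `run_job` from your own scheduler.

```shell
#!/bin/sh
# Added example. Placeholders (assumptions): MOUNT_POINT, notify_light,
# switch_power. Nothing here is a QNAP/HBS interface.

MOUNT_POINT=${MOUNT_POINT:-/mnt/usb-backup}   # assumed path of the backup drive
MOUNTS_FILE=${MOUNTS_FILE:-/proc/mounts}      # mounts table to consult

# Succeeds if mount point $1 is listed in mounts table file $2.
is_mounted() {
    awk -v mp="$1" '$2 == mp { found = 1 } END { exit !found }' "$2"
}

# Map backup exit status ($1) and unmount exit status ($2) to actions.
# Prints "<light> <power>", for example "green off".
decide() {
    if [ "$1" -eq 0 ]; then light=green; else light=red; fi
    if [ "$2" -eq 0 ]; then
        power=off            # drive is cleanly detached: safe to cut power
    else
        power=on             # still mounted: cutting power could corrupt the backup
        light=red            # and a drive left online needs attention
    fi
    echo "$light $power"
}

# Replace these two with the real commands for your indicator and smart switch.
notify_light() { echo "light: $1"; }
switch_power() { echo "switch: $1"; }

# Usage: run_job <backup command> [args...]
run_job() {
    "$@"; backup_rc=$?
    sync                                  # flush pending writes before detaching
    if is_mounted "$MOUNT_POINT" "$MOUNTS_FILE"; then
        umount "$MOUNT_POINT"; umount_rc=$?
    else
        umount_rc=0
    fi
    set -- $(decide "$backup_rc" "$umount_rc")
    notify_light "$1"
    [ "$2" = off ] && switch_power off
    return "$backup_rc"                   # pass the job result on to the scheduler
}
```

The drive is powered off after a failed backup as well, since the point of the air gap is that the media stays offline between runs; only a failed unmount keeps it powered.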