Privat services accessible without access code?

Post your questions about myQNAPcloud service here.
Post Reply
stasts
First post
Posts: 1
Joined: Wed Feb 29, 2012 4:58 am

Privat services accessible without access code?

Post by stasts » Sun Dec 15, 2013 5:49 pm

Hi,

I'm trying to configure my QNAP TS-410 to work with new qnap cloud service. I've configured only QTS Web/File station as services (also as secure). Both of them marked private. My DDNS configured in default that means internet address of the NAS is <devicename>.myqnapcloud.com.

When I'm searching my device name on myqnapcloud.com then no services are listed as public. I have to enter username/access code to get them listed and then able to login with username/password. So far so good.
But there is a problem, if I'm just entering <devicename>.myqnapcloud.com:8080 in browser url, then it's successfully load login screen of the NAS without providing access code. My understanding, that you can search for device names on myqnapcloud.com, every found device could be checked with ddns url (that usually same as devicename) and brut force/guess admin password. What is the point to make services private if they are still accessible via direct url? Or I did some wrong configuration?

User avatar
schumaku
Guru
Posts: 43663
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku
Contact:

Re: Privat services accessible without access code?

Post by schumaku » Mon Dec 16, 2013 1:41 am

The "private" applies to the portal only, it's not intended to be an additional security layer - many users never use or see the portal page for most purposes at all, as they connect to the <devicename>.myQNAPcloud.com DDNS direct - nothing the access key stuff can control here. Completely overdesigned in my opinion. Answered several times already, might be hard to find - ok.

Post Reply

Return to “myQNAPcloud service”