myQnapCloud and permission

Post your questions about myQNAPcloud service here.
Post Reply
erahamim
New here
Posts: 4
Joined: Fri Oct 25, 2013 9:17 pm

myQnapCloud and permission

Post by erahamim » Mon Feb 10, 2014 5:40 am

HI,
I have TS-212 server and I configured it to work with cloud.
Everything works fine but I wounder if there is an ability to limit the users permissions that are accessing the server from the internet.
For example, I don't like the idea that the admin user can logged in from remote. But I don't see any were to configure it that it not allowed.
I want to configure only read only user that will have access to read the files.
Is there a way to limit the access of the admin user from outside network?

User avatar
pwilson
Guru
Posts: 22568
Joined: Fri Mar 06, 2009 11:20 am
Location: Victoria, BC, Canada (UTC-08:00)

Re: myQnapCloud and permission

Post by pwilson » Mon Feb 10, 2014 6:36 am

erahamim wrote:HI,
I have TS-212 server and I configured it to work with cloud.
Everything works fine but I wounder if there is an ability to limit the users permissions that are accessing the server from the internet.
For example, I don't like the idea that the admin user can logged in from remote. But I don't see any were to configure it that it not allowed.
I want to configure only read only user that will have access to read the files.
Is there a way to limit the access of the admin user from outside network?


No there is no way to restrict "admin" access remotely. If users can access it remotely, then "admin" can too.
Yes you can create users with read-only access to your shares.

Image

Patrick M. Wilson
Victoria, BC Canada
QNAP TS-470 Pro w/ 4 * Western Digital WD30EFRX WD Reds (RAID5) - - Single 8.1TB Storage Pool FW: QTS 4.2.0 Build 20151023 - Kali Linux v1.06 (64bit)
Forums: View My Profile - Search My Posts - View My Photo - View My Location - Top Community Posters
QNAP: Turbo NAS User Manual - QNAP Wiki - QNAP Tutorials - QNAP FAQs

Please review: When you're asking a question, please include the following.

User avatar
pbecks1963
Starting out
Posts: 46
Joined: Sun Jan 19, 2014 6:14 am

Re: myQnapCloud and permission

Post by pbecks1963 » Mon Feb 10, 2014 9:14 pm

Hello people,

So what can we do to make our QNAS more secure? I understand that publishing the NAS/services on the web is dangerous in itself (even via https). Is it possible to let admin have it's full rights via the LAN, but with minimal rights via the WAN?

I have already made my router unpingable and disabled the webaccess of the router via WAN. I also restricted the ip/ip-range that can access the web-interface

What more can we do to secure our NAS? (for ex: at work we use "tokens" to have an extra authentication means)
My Qnap = TS-121 QTS 4.3.3.0210

User avatar
schumaku
Guru
Posts: 43664
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku
Contact:

Re: myQnapCloud and permission

Post by schumaku » Mon Feb 10, 2014 10:51 pm

pbecks1963 wrote:I understand that publishing the NAS/services on the web is dangerous in itself (even via https).
It's not dangerous - there are some risks: If you want to permit access to NAS services from remote for you, for your family, for a team, ...

pbecks1963 wrote:Is it possible to let admin have it's full rights via the LAN, but with minimal rights via the WAN?
The problem is not per se admin. You can have other users member of the administrators group, and most likely don't want to lock this down. The predefined or well-known usernames like admin (or say root on U**x in general, Administrator in Windows, ...) offer some wider attack vectors* In my opinion, there must be no admin, no root, or whatever default account (commonly accounts with shared passwords) in place permitting privileged NAS access. Only personal accounts should be permitted for authentication in general.

pbecks1963 wrote:I have already made my router unpingable....
What for? If prohibiting all ICMP traffic you can even create troubles when it comes the Path MTU Discovery for example.
pbecks1963 wrote:...and disabled the webaccess of the router via WAN.
Most don't have any usage for it.
pbecks1963 wrote:I also restricted the ip/ip-range that can access the web-interface
Pretty much impossible when you don't know from where you want to access it...

pbecks1963 wrote:What more can we do to secure our NAS?
Ensure you have Security -> Network Access Protection for services exposed *Doing so does mitigate a good part of the risk.

pbecks1963 wrote:(for ex: at work we use "tokens" to have an extra authentication means)
The feature request to add Google 2-Step Verification is open for a while.

Everything pretty much off-subject by the way.

User avatar
pbecks1963
Starting out
Posts: 46
Joined: Sun Jan 19, 2014 6:14 am

Re: myQnapCloud and permission

Post by pbecks1963 » Tue Feb 11, 2014 4:47 am

Thnx schumaku.

(i forgot about google authentication)
My Qnap = TS-121 QTS 4.3.3.0210

User avatar
pbecks1963
Starting out
Posts: 46
Joined: Sun Jan 19, 2014 6:14 am

Re: myQnapCloud and permission

Post by pbecks1963 » Tue Feb 11, 2014 2:44 pm

One more question, is it possible to read-out the file that stores the blocked ip's? (network access protection) I don't see any notifications so far about blocked ip's (could be just lucky?)

Just being curious..

ps: i made my router pingable again
My Qnap = TS-121 QTS 4.3.3.0210

nac_zero
New here
Posts: 9
Joined: Sat Feb 22, 2014 9:08 am

Re: myQnapCloud and permission

Post by nac_zero » Sat Feb 22, 2014 9:24 am

Hi people,

I'm planning to buy a qnap nas server for storing files and accessing the files, documents, photos, music files, from internet by multi users.
I wonder if there is an function to limit users and permission related to files or application.
For example, my idea, User A can access all applications and files from internet, User B can access only music files via qMusic.
(I mean that User A is myself as a root user, User B is a my friend who I want to share my music files with.)
Can I configure qnap WAN access as I expect?

Thank you.

nac_zero
New here
Posts: 9
Joined: Sat Feb 22, 2014 9:08 am

Re: myQnapCloud and permission

Post by nac_zero » Sun Feb 23, 2014 7:24 am

Hello
I understand that myQnapCloud provides user restriction function by published and private services with access code.
I'd like to set all services "private", no published and in private to give permission in accordance with the kinds of services and users.

Thank you.

User avatar
schumaku
Guru
Posts: 43664
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku
Contact:

Re: myQnapCloud and permission

Post by schumaku » Tue Feb 25, 2014 3:59 am

nac_zero wrote:For example, my idea, User A can access all applications and files from internet, User B can access only music files via qMusic.
(I mean that User A is myself as a root user, User B is a my friend who I want to share my music files with.)
Qmusic is the mobile companion app to Music Station. For the basic QTS applications, (and access protocols) you can you can manage application rights on a per (local) user base:

QTS_4.1_Application_Privilege.PNG


nac_zero wrote:I understand that myQnapCloud provides user restriction function by published and private services with access code.
Nope- no user restrictions. All connections and authentications are established direct to your NAS - private services are just protected from being listed publicly on the myQNAPcloud portal, the access code is to make the links visible.

nac_zero wrote:I'd like to set all services "private", no published and in private to give permission in accordance with the kinds of services and users.
You can set all services to private to hide them on the myQNAPcloud portal - there is no user access control beyond of the access code.

Beyond of the portal with its private/public/access key administration (total overkill and misleading...) the service works like yet another DDNS service.

Regards,
-Kurt.
You do not have the required permissions to view the files attached to this post.

Post Reply

Return to “myQNAPcloud service”