Advice from current users on QNAP security

itpromike@gmail.com
Starting out
Posts: 24
Joined: Tue May 18, 2021 8:32 am

Advice from current users on QNAP security

Post by itpromike@gmail.com »

So I posted something similar in the presales forum but I got a response directly from QNAP, which of course will always be more complimentary on this whole security issue. I want to hear from you, the customers, before I make my purchase and become a new customer. I'm trying to understand the security issues they've had, the risks involved in purchasing, and if I can even use the unit for what my needs are without opening myself up to attack. So I have a few questions.

1.) Were these issues caused by people just not having strong passwords or using default settings and not protecting themselves?
2.) Were they caused by a breach in the QNAP cloud remote access features?
3.) Were they caused by any other issue that was either on the QNAP or user configuration side?

I'd be comfortable going with QNAP if the people affected just had bad security practices and that's why they were affected. OR even if it was a breach of the QNAP remote connection/management features - I always turn those off for my devices anyway... however if there is some inherent security issue I'm not aware of with their software in general I would really like to know/understand it before I purchased and regretted it later. I'm not dumping on the company - I'm not a troll or a fanboy, I'm just new and trying to understand and do my due diligence...

For my uses as a Plex media server, the only port that would be open to the 'world' would be the port I use for Plex. I do not/will not need to remotely manage my NAS so any cloud or remote features will be turned off immediately. I'm behind a Ubiquiti gateway with intrusion detection/prevention turned on and again I'll have 1 port forwarded just for Plex...

I'd appreciate any advice or guidance on how secure QNAP is or what kind of risk a purchase right now would pose. Sorry for the long post. I really appreciate any/all responses from actual customers! :)
dolbyman
Guru
Posts: 35251
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Advice from current users on QNAP security

Post by dolbyman »

answer to 1) 2) 3) is all exploits ... never ever forward any ports from WAN to your QNAP

none of the experienced QNAP forum regulars do it .. and none got hit (3 QNAP malware waves in the last 12 months alone)
itpromike@gmail.com
Starting out
Posts: 24
Joined: Tue May 18, 2021 8:32 am

Re: Advice from current users on QNAP security

Post by itpromike@gmail.com »

dolbyman wrote: Wed May 19, 2021 9:30 am answer to 1) 2) 3) is all exploits ... never ever forward any ports from WAN to your QNAP

none of the experienced QNAP forum regulars do it .. and none got hit (3 QNAP malware waves in the last 12 months alone)

So I guess my question is how would I effectively run Plex server without the Plex port forwarded? How can I still provide that functionality for my family while securing the NAS?
dolbyman
Guru
Posts: 35251
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Advice from current users on QNAP security

Post by dolbyman »

if you can live with 2 Mbit (Plex Pass) or 1 Mbit (free), Plex will tunnel your streams for free without port forwarding

if you trust Plex enough to have no exploits you can forward your Plex port .. Plex has so far been clean
itpromike@gmail.com
Starting out
Posts: 24
Joined: Tue May 18, 2021 8:32 am

Re: Advice from current users on QNAP security

Post by itpromike@gmail.com »

dolbyman wrote: Wed May 19, 2021 10:30 am if you can live with 2 Mbit (Plex Pass) or 1 Mbit (free), Plex will tunnel your streams for free without port forwarding

if you trust Plex enough to have no exploits you can forward your Plex port .. Plex has so far been clean

Thanks, I appreciate this conversation, it's been helpful. 1 last question... someone else suggested I set up a VPN on my router or use a pfSense VPN... if I did something like that, that would require everyone who wants to stream a movie from my Plex library to configure VPN on whatever client they use and connect to my VPN every time they want to watch a movie - does that sound correct?
dolbyman
Guru
Posts: 35251
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Advice from current users on QNAP security

Post by dolbyman »

yes .. everyone would need to use a VPN client
wilsodg
Know my way around
Posts: 175
Joined: Mon May 20, 2013 12:34 am

Re: Advice from current users on QNAP security

Post by wilsodg »

I have a VPN tunnel between 2 Draytek routers. Plex doesn't work so well using the VPN connection. Plex is the only port we ever forwarded, but even that is turned off now as well. :-(


TVS-872XT with TR-004 and D800C
TS670Pro with UX500-P expansion
TS569Pro
dolbyman
Guru
Posts: 35251
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Advice from current users on QNAP security

Post by dolbyman »

What is the speed those Draytek routers can achieve?
jaysona
Been there, done that
Posts: 854
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: Advice from current users on QNAP security

Post by jaysona »

itpromike@gmail.com wrote: Wed May 19, 2021 11:41 am Thanks, I appreciate this conversation, it's been helpful. 1 last question... someone else suggested I set up a VPN on my router or use a pfSense VPN... if I did something like that, that would require everyone who wants to stream a movie from my Plex library to configure VPN on whatever client they use and connect to my VPN every time they want to watch a movie - does that sound correct?

Correct, but not necessary. A manual port forward of tcp/32400 to the IP of the Plex server is all that is required for remote users.

The Plex server uses its own web services that are made by the Plex devs and had no QNAP involvement at all. There is a very active Plex development environment and Plex devs are on top of any identified vulnerability, and a fix is typically issued within a day or two of a vulnerability being identified.

To date, there has never been a Plex server vulnerability that could be used to gain remote access to a NAS or any other Plex server. The only issue with Plex (and every other QNAP app) is that they need to run as the admin user with admin privileges in order to function properly. This is not the case for some of the other NAS manufacturers, and Plex has stated a few times on their forums that they would prefer not to have to run Plex as admin, but QNAP has been uncooperative in making that a possibility.

As long as there are no port forwards to the QNAP web admin page and QNAP applications then the NAS is relatively secure. The issue of making a QNAP accessible on the Internet has to do with making QTS and its associated applications accessible. For more than six years now, QNAP has demonstrated over and over that they are either incapable or unwilling to code securely.

There is no NAS manufacturer that has had more vulnerabilities (some vulnerabilities repeated) in their OS and applications than QNAP.

I even recommend that you prevent the QTS OS and apps from being able to call out. I have black-holed all outbound requests from my NASes, because the next attack vector is going to be on the systems that QNAP's blackbox apps call out to.
RAID is not a Back-up!

H/W: QNAP TVS-871 (i7-4790. 16GB) (Plex server) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6604T (8GB) / Asustor AS7010T (16GB) (media storage)
H/W: TS-219 Pro / TS-509 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 386.7_2
Router2: Asus RT-AC68U - Asuswrt-Merlin - 386.7_2
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15

Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB)
itpromike@gmail.com
Starting out
Posts: 24
Joined: Tue May 18, 2021 8:32 am

Re: Advice from current users on QNAP security

Post by itpromike@gmail.com »

jaysona wrote: Thu May 20, 2021 12:13 am
itpromike@gmail.com wrote: Wed May 19, 2021 11:41 am Thanks, I appreciate this conversation, it's been helpful. 1 last question... someone else suggested I set up a VPN on my router or use a pfSense VPN... if I did something like that, that would require everyone who wants to stream a movie from my Plex library to configure VPN on whatever client they use and connect to my VPN every time they want to watch a movie - does that sound correct?
I even recommend that you prevent the QTS OS and apps from being able to call out. I have black-holed all outbound requests from my NASes, because the next attack vector is going to be on the systems that QNAP's blackbox apps call out to.

Thanks for the detailed post. Super helpful! If I do get a QNAP, how would I perform the same blackhole measure? Is it settings in the QNAP I can change or is there a hosts file I need to edit so apps aren't able to call out?
jaysona
Been there, done that
Posts: 854
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: Advice from current users on QNAP security

Post by jaysona »

itpromike@gmail.com wrote: Thu May 20, 2021 12:25 am Thanks for the detailed post. Super helpful! If I do get a QNAP, how would I perform the same blackhole measure? Is it settings in the QNAP I can change or is there a hosts file I need to edit so apps aren't able to call out?

I use a Raspberry Pi as my VPN server (WireGuard) and DNS black hole and ad blocker by using Pi-hole.

https://pi-hole.net/
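The black hole jaysona describes only helps if the NAS's call-outs actually land in it, so a defender wants a way to check. The script below is an added example, not jaysona's setup and not Pi-hole's own tooling: it reads a Pi-hole/dnsmasq-style query log, picks out the lookups made by the NAS's IP, and reports which were sunk to 0.0.0.0, which were forwarded upstream but deliberately allowlisted (the single relay domain a Plex tunnel might need, say), and which leaked upstream without permission. The log lines, hosts, domains (all under `.example`) and the three regular expressions are constructed assumptions; the exact wording of the `gravity blocked` and `forwarded` lines varies between Pi-hole versions, so adjust the patterns before relying on the result.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample of a Pi-hole / dnsmasq-style query log. The lines,
# addresses and domains are made up for this example; real logs differ by
# version, so adapt the three patterns below before trusting the output.
SAMPLE_LOG = """\
May 20 09:15:01 dnsmasq[812]: query[A] update.nas-vendor.example from 192.168.1.50
May 20 09:15:01 dnsmasq[812]: gravity blocked update.nas-vendor.example is 0.0.0.0
May 20 09:15:03 dnsmasq[812]: query[A] telemetry.nas-vendor.example from 192.168.1.50
May 20 09:15:03 dnsmasq[812]: forwarded telemetry.nas-vendor.example to 9.9.9.9
May 20 09:15:03 dnsmasq[812]: reply telemetry.nas-vendor.example is 203.0.113.7
May 20 09:15:10 dnsmasq[812]: query[A] relay.media-service.example from 192.168.1.50
May 20 09:15:10 dnsmasq[812]: forwarded relay.media-service.example to 9.9.9.9
May 20 09:15:12 dnsmasq[812]: query[A] www.example.org from 192.168.1.20
May 20 09:15:12 dnsmasq[812]: forwarded www.example.org to 9.9.9.9
"""

# Assumed line shapes (dnsmasq style); adjust to your resolver's log format.
QUERY_RE = re.compile(r"query\[\w+\] (?P<domain>\S+) from (?P<client>\S+)")
BLOCKED_RE = re.compile(r"gravity blocked (?P<domain>\S+) is ")
FORWARDED_RE = re.compile(r"forwarded (?P<domain>\S+) to ")


def _is_allowed(domain: str, allowlist: Iterable[str]) -> bool:
    """True if domain equals an allowlisted name or is a subdomain of one."""
    return any(domain == a or domain.endswith("." + a) for a in allowlist)


def audit_nas_egress(log_text: str, nas_ip: str,
                     allowlist: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Classify every domain the NAS asked the resolver for.

    blocked : answered with 0.0.0.0 by the black hole (the desired outcome)
    allowed : forwarded upstream but explicitly permitted by the allowlist
    leaked  : forwarded upstream without permission; these are the call-outs
              the black hole is failing to cover
    """
    allowlist = tuple(allowlist)
    # dnsmasq logs the verdict on a later line without the client address,
    # so remember which client most recently asked for each domain.
    last_client: Dict[str, str] = {}
    blocked, allowed, leaked = set(), set(), set()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            last_client[m["domain"]] = m["client"]
            continue
        m = BLOCKED_RE.search(line)
        if m and last_client.get(m["domain"]) == nas_ip:
            blocked.add(m["domain"])
            continue
        m = FORWARDED_RE.search(line)
        if m and last_client.get(m["domain"]) == nas_ip:
            if _is_allowed(m["domain"], allowlist):
                allowed.add(m["domain"])
            else:
                leaked.add(m["domain"])
    return {"blocked": sorted(blocked),
            "allowed": sorted(allowed),
            "leaked": sorted(leaked)}


if __name__ == "__main__":
    # Placeholder NAS address and allowlist; the relay domain is constructed.
    report = audit_nas_egress(SAMPLE_LOG, "192.168.1.50",
                              allowlist=["media-service.example"])
    for verdict, domains in report.items():
        print(f"{verdict:8s} {', '.join(domains) or '-'}")
    if report["leaked"]:
        print("WARNING: NAS reached domains outside the allowlist")
```

Run it against the real log (`/var/log/pihole.log` on a stock Pi-hole) with the NAS's LAN address and an empty allowlist to see exactly which vendor domains a freshly installed unit tries to reach; anything that shows up under `leaked` is a candidate for the blocklist, and anything under `allowed` is a deliberate exception you have chosen to keep.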
wilsodg
Know my way around
Posts: 175
Joined: Mon May 20, 2013 12:34 am

Re: Advice from current users on QNAP security

Post by wilsodg »

dolbyman wrote: Wed May 19, 2021 9:14 pm What is the speed those Draytek routers can achieve?

Good question! I am using a 2925 as the server router, and this is rated at 50 Mbps for IPsec VPN. I am on VDSL, so limited to 20 Mbps upload. Of course, this is at the system level, so if sharing upload or multiple VPN sessions then real world will be less. At the other end of the trunked VPN is a 2830, and I cannot find a rating for that, but it is 10 years old so maybe it is less than the 20 Mbps, although it ought to be adequate. Maybe time to upgrade routers - the new ones handle 800 Mbps IPsec.

I had Plex on a non-standard port at the WAN end, mapped to 32400 on the NAS and considered this safe due to Plex apparently being more robust (not so sure now, and in any case, if I was a hacker and knowing that Plex is perhaps now the most common exposed port, I might be inclined to start poking around Plex and looking for exploits). But to get back on topic, we'll start playing with Plex over router VPN (or iPad) and post conclusions. Unfortunately Apple TV, which the family mostly use for Plex, does not have native VPN built in.
jaysona
Been there, done that
Posts: 854
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: Advice from current users on QNAP security

Post by jaysona »

wilsodg wrote: Fri May 21, 2021 12:10 am ....
I had Plex on a non-standard port at the WAN end, mapped to 32400 on the NAS and considered this safe due to Plex apparently being more robust (not so sure now, and in any case, if I was a hacker and knowing that Plex is perhaps now the most common exposed port, I might be inclined to start poking around Plex and looking for exploits). But to get back on topic, we'll start playing with Plex over router VPN (or iPad) and post conclusions. Unfortunately Apple TV, which the family mostly use for Plex, does not have native VPN built in.

Plex servers are constantly being poked and probed and Plex has employed some very robust authentication mechanisms. Malware developers and opportunistic hackers go for the easy stuff, the low hanging fruit; Plex is not easy or low hanging fruit by any stretch.

The only reason to attack the Plex services is if a new zero-day vulnerability is discovered, but the window of exposure is limited as Plex is really responsive when it comes to security fixes. The other reason to spend the effort required to attack a Plex server is if the specific server has something the attacker wants, which would be a targeted attack and not a campaign attack.

If someone has a hard-on for your server and you're a specific target, then the only methods of protection are hardware auth and disconnecting from the Internet; all other means of security can be circumvented.
xavierh
Experience counts
Posts: 1118
Joined: Wed Jan 30, 2008 6:15 am
Location: Denton, Texas

Re: Advice from current users on QNAP security

Post by xavierh »

itpromike@gmail.com wrote: Wed May 19, 2021 7:34 am So I posted something similar in the presales forum but I got a response directly from QNAP, which of course will always be more complimentary on this whole security issue. I want to hear from you, the customers, before I make my purchase and become a new customer. I'm trying to understand the security issues they've had, the risks involved in purchasing, and if I can even use the unit for what my needs are without opening myself up to attack. So I have a few questions.

1.) Were these issues caused by people just not having strong passwords or using default settings and not protecting themselves?
2.) Were they caused by a breach in the QNAP cloud remote access features?
3.) Were they caused by any other issue that was either on the QNAP or user configuration side?

I'd be comfortable to go with QNAP if the people affected just had bad security practices and that's why they were affected. OR even if it was a breach of the QNAP remote connection/management features - I always turn those off for my devices anyway... however if there is some inherent security issue I'm not aware of with their software in general I would really like to know/understand it before I purchased and regretted it later. I'm not dumping on the company - I'm not a troll or a fanboy, I'm just new and trying to understand and do my due diligence...

For my uses as a Plex media server, the only port that would be open to the 'world' would be the port I use for Plex. I do not/will not need to remotely manage my NAS so any cloud or remote features will be turned off immediately. I'm behind a Ubiquiti gateway with intrusion detection/prevention turned on and again I'll have 1 port forwarded just for Plex...

I'd appreciate any advice or guidance on how secure QNAP is or what kind of risk a purchase right now would pose. Sorry for the long post. I really appreciate any/all responses from actual customers! :)

I have been a QNAP user since the days of the TS-209 devices. The risk of a service exposed to the internet is always there. The issue has stemmed not only from services that are exposed to the outside world that have vulnerabilities that can be easily exploited, but also from users not understanding basic network security. But this is nothing new; for example, IoT devices suffer from the same issue.

The rule of thumb is to minimize the amount of services that you expose to the outside. I am also a Plex user. In my case I use a Docker container that runs with a specific user (not root, as happens with the QPKG), which is best practice when it comes to running containers, and that is the only service that I expose hosted on the NAS. I have a VPN solution if I need to connect to my home network from the outside. Also, as you can see from my signature, I am a Ubiquiti user.

The issue is that the average user, as I mentioned, is either not knowledgeable or trusts the hardware and software provider implicitly when it comes to security.

QNAP TVS-951x, QTS 5.0.0.1986 build 20220324. OS Storage Pool: Samsung 860 EVO 250GB SSD x 4 (RAID 5); Data Storage Pool: WD WD30EFRX (Red) 3TB x 4 (RAID 5); 16GB RAM; WD Easystore 10TB External USB 3.0. Services: SMB, AppleTalk. QPKG: Container Station, HBS 3
QNAP TS-453A, QTS 5.0.0.1986 build 20220324. Services: SMB, HBS 3
Network: UDM, UDM Beacon, Unifi 8 Port Switch x 3, Flex Mini Switch, In Wall AP
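A concrete form of the container approach xavierh describes, added here as an example and not his configuration: a Docker Compose service for the official plexinc/pms-docker image, which honours the PLEX_UID and PLEX_GID environment variables to run the media server as an unprivileged user instead of root, with the media library mounted read-only and only tcp/32400 published. The uid/gid, timezone and host paths are placeholders; whether to forward that one port at the router is the separate decision the thread is debating, and nothing here exposes the QTS admin interface.

```yaml
# Added example: Plex in a container as a non-root user (placeholder values).
services:
  plex:
    image: plexinc/pms-docker:latest
    container_name: plex
    restart: unless-stopped
    environment:
      # Run the Plex Media Server process as this unprivileged uid/gid
      # rather than as root; pick an account that owns /config and /transcode.
      - PLEX_UID=1000
      - PLEX_GID=1000
      - TZ=America/Chicago
    ports:
      # The single service published from the NAS; no admin UI, no other apps.
      - "32400:32400/tcp"
    volumes:
      - /path/to/plex/config:/config          # placeholder host paths
      - /path/to/plex/transcode:/transcode
      - /path/to/media:/data:ro               # library mounted read-only
    security_opt:
      # The process cannot regain privileges via setuid binaries after dropping them.
      - no-new-privileges:true
```

Check the outcome from the host with `docker top plex` (or `ps` inside the container): the Plex Media Server process should show the chosen uid rather than root, which is the property the QPKG install cannot give you.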
xavierh
Experience counts
Posts: 1118
Joined: Wed Jan 30, 2008 6:15 am
Location: Denton, Texas

Re: Advice from current users on QNAP security

Post by xavierh »

jaysona wrote: Thu May 20, 2021 12:34 am
itpromike@gmail.com wrote: Thu May 20, 2021 12:25 am Thanks for the detailed post. Super helpful! If I do get a QNAP, how would I perform the same blackhole measure? Is it settings in the QNAP I can change or is there a hosts file I need to edit so apps aren't able to call out?
I use a Raspberry Pi as my VPN server (WireGuard) and DNS black hole and ad blocker by using Pi-hole.

https://pi-hole.net/

Good choice!!!
