disable the default admin account -- not possible

Introduce yourself to us and other members here, or share your own product reviews, suggestions, and tips and tricks of using QNAP products.
graemev
Know my way around
Posts: 199
Joined: Sun Feb 12, 2012 10:17 pm

disable the default admin account -- not possible

Post by graemev »

I just got a message in qmessage centre, to the effect of "Disable the default admin account",

My first thought was "How? The dumb SSH server on QNAP hardwires 'admin'" (in the past I tried all sorts of things; I really don't want to be SSHing as "root", but it's just hardwired).

Looking at the QNAP site:
There are two reasons for not disabling the default admin account. If you want to access the QNAP turbo NAS via Secure Shell (SSH) or Telnet, do not disable the default admin account. Also, if you're going to access Console Management, do not disable the default admin account.
So pretty much, you can't disable "admin" if you want to be able to access the NAS.

The obvious "fix" is for QNAP to install a regular sshd and telnetd, so we can do as they "suggest" (but then rule out).
dolbyman
Guru
Posts: 34903
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: disable the default admin account -- not possible

Post by dolbyman »

Either ignore the message, or just try it out. QNAP has changed some things around since that message was written (users can be assigned to groups and also given SSH permission via the GUI).

Changing the default account is a desperate attempt by QNAP to look "proactive" in their constant battle against bad press caused by advertising these units as a private cloud and subsequently getting users hacked.
rpfleging
Starting out
Posts: 37
Joined: Wed Aug 03, 2016 7:43 am

Re: disable the default admin account -- not possible

Post by rpfleging »

I have TS-451+. I created a new user with full administrator privileges. I logged out and back in as the new user, confirmed everything works, then disabled the account named admin. No problems. I did that a few months ago when China was trying brute force attacks to get in my system.
dolbyman
Guru
Posts: 34903
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: disable the default admin account -- not possible

Post by dolbyman »

If you get attacked, stop exposing your NAS. Come the next exploit, no changed username or 2FA (etc.) will save your NAS.
Cbrad01
Know my way around
Posts: 245
Joined: Fri Jan 15, 2016 9:17 pm

Re: disable the default admin account -- not possible

Post by Cbrad01 »

When I disabled the account I had problems with containers…


Sent from my iPhone using Tapatalk
graemev
Know my way around
Posts: 199
Joined: Sun Feb 12, 2012 10:17 pm

Re: disable the default admin account -- not possible

Post by graemev »

rpfleging wrote: Thu Jul 29, 2021 10:14 pm I have TS-451+. I created a new user with full administrator privileges. I logged out and back in as the new user, confirmed everything works, then disabled the account named admin. No problems. I did that a few months ago when China was trying brute force attacks to get in my system.
When you say "logged back in"... do you mean telnet or SSH? (Ditto FTP login, SMB etc., for completeness, for others, but not my issue.)
Cbrad01
Know my way around
Posts: 245
Joined: Fri Jan 15, 2016 9:17 pm

Re: disable the default admin account -- not possible

Post by Cbrad01 »

To be clear, in my case the containers I had could no longer interact with the network using bridge mode. I also had problems with using container images that were downloaded using the admin account. In short, it was like the containers that the admin created no longer had permission or something.


Sent from my iPhone using Tapatalk
graemev
Know my way around
Posts: 199
Joined: Sun Feb 12, 2012 10:17 pm

Re: disable the default admin account -- not possible

Post by graemev »

Well, in /etc/passwd, admin is really root (uid=0):

Code:

admin:x:0:0:administrator,,,:/share/homes/admin:/bin/sh
So if you had u+s (setuid) permissions on an (executable) file (owned by uid=0), that would cause problems if that uid wasn't around. But what does QNAP's "disable a user" actually do? You can't just remove root from a system (except for, e.g., a B1 secure system etc., but that's not what we have here, I think)?

Can somebody who's "Disabled Admin" show what line it has in /etc/passwd now?
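The question above (what "disabling admin" leaves behind when admin is uid 0) is best answered by looking at the files. The script below is an added example, not code from the thread or from QNAP: it lists every account in a passwd file that maps to uid 0 and reports whether the matching shadow entry is locked. The sample passwd/shadow lines are constructed for the example (only the `admin` passwd line is the one quoted in the thread); the function names `uid0_accounts`, `shadow_state` and `report_uid0` are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from QNAP: list every account that
# maps to uid 0 in a passwd file and show whether its shadow entry is locked.
# Point it at the live /etc/passwd and /etc/shadow on a box where "admin" has
# been disabled to see what the GUI actually changed. Sample data is constructed
# below; only the "admin" passwd line is taken from the thread.

# Print every login name whose uid field ($3) is 0, one per line.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Classify one user's shadow entry ($1 = shadow file, $2 = user):
#   locked  - hash field starts with '!' or '*' (password login refused)
#   empty   - hash field is blank (passwordless login possible)
#   active  - a usable hash is present
#   missing - no entry for that user
shadow_state() {
    awk -F: -v u="$2" '
        $1 == u {
            found = 1
            if ($2 == "")          print "empty"
            else if ($2 ~ /^[!*]/) print "locked"
            else                   print "active"
            exit
        }
        END { if (!found) print "missing" }' "$1"
}

# One line per uid-0 account with its shadow state; exit 1 if any of them
# could still authenticate with a password (state active or empty).
report_uid0() {
    r_passwd=$1; r_shadow=$2; r_rc=0
    for r_user in $(uid0_accounts "$r_passwd"); do
        r_state=$(shadow_state "$r_shadow" "$r_user")
        echo "$r_user uid=0 $r_state"
        case $r_state in active|empty) r_rc=1 ;; esac
    done
    return $r_rc
}

# --- constructed sample files (left in place so the functions can be re-run) ---
SAMPLE_PASSWD=$(mktemp)
SAMPLE_SHADOW=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
admin:x:0:0:administrator,,,:/share/homes/admin:/bin/sh
guest:x:65534:65534:guest:/tmp:/bin/sh
graeme:x:500:100:Graeme,,,:/share/homes/graeme:/bin/sh
backup:x:0:0:second uid-0 account:/root:/bin/sh
EOF
cat > "$SAMPLE_SHADOW" <<'EOF'
admin:!$1$abc$xyz:18800:0:99999:7:::
guest:*:18800:0:99999:7:::
graeme:$1$def$uvw:18800:0:99999:7:::
backup::18800:0:99999:7:::
EOF

# Expected on the sample: "admin uid=0 locked", "backup uid=0 empty", then the warning.
report_uid0 "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" \
    || echo "WARNING: a uid-0 account can still log in with a password"
```

Two caveats worth keeping in mind when reading the output. A `!` or `*` in the shadow field only blocks password authentication; an `authorized_keys` file for that account still grants SSH access, so check `~/.ssh/authorized_keys` of every uid-0 account as well. And locking the entry does not remove uid 0 from the system: setuid-root binaries (`find / -xdev -perm -4000 -user 0`) keep working regardless of whether any account named admin can log in.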
graemev
Know my way around
Posts: 199
Joined: Sun Feb 12, 2012 10:17 pm

Re: disable the default admin account -- not possible

Post by graemev »

dolbyman wrote: Thu Jul 29, 2021 8:04 pm either ignore the message .. or just try it out ..qnap has changed some things around since that message was written (users can be assigned to groups and also given ssh permission via gui)

changing the default account is a desperate attempt by qnap to look "proactive" in their constant battle against bad press caused by advertising these units as private cloud and subsequently getting users hacked
I assume you mean "Try out ssh as a non-admin user", e.g. as me? Just tried it, same as before, just admin. I have a vague memory of checking this out before and it used a non-standard sshd (busybox?).
At your suggestion, I just checked sshd:

Code:

[~] # type sshd
sshd is /usr/sbin/sshd
[~] # ls -l /usr/sbin/sshd
-rwxr-xr-x 1 admin administrators 764640 2021-07-25 23:34 /usr/sbin/sshd*
[~] #
Which looks a bit more like a "normal" sshd... so I just added my name to "AllowUsers" in /etc/ssh/sshd_config... did a kill -1 on sshd (didn't work). QNAP seems to lack service(8) [won't even bother looking for systemctl(1)]... so I'll have to do the Microsoft route (reboot), but my disks are scrubbing right now, so it'll have to wait a bit.

BTW, the sshd_config does support using keys... so I've not actually used a password to SSH onto the box for many years (and 2 NAS)... turning off password logins might be a more secure route... just obfuscation of the username is no protection.
dolbyman wrote: no changed username or 2FA (etc.) will save your NAS
:lol:
dolbyman
Guru
Posts: 34903
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: disable the default admin account -- not possible

Post by dolbyman »

I meant adding SSH permissions via the web GUI... there is an option for that now.

No idea how my warning is funny... all the users that were hacked in recent months and had their files encrypted ain't laughing :'
graemev
Know my way around
Posts: 199
Joined: Sun Feb 12, 2012 10:17 pm

Re: disable the default admin account -- not possible

Post by graemev »

Well, that was a surprise. Still not rebooted, found the option via Control Panel ---> Network&File --> Telnet/SSH --> Edit Access Permission
(I'd expected it at Control Panel --> Privilege --> Users --> (choose user) ---> Edit Application Privilege --> [FTP is here, expect to find SSH etc] )

Having changed it, without a reboot, I was able to connect as "me" and as a new admin (different name)... in the case of "me", I was able to use my KEY (no password prompt).
dolbyman wrote: no idea how my warning is funny... all the users that were hacked in recent months and had their files encrypted ain't laughing :'

I guess from your response the play on words was unintended, "save your nas" vs "save your **"... I thought it was a reasonably clever play on Hollywood movie shorthand.
(BTW, this forum seems to have censored my quote; I hope the message is still clear, the creature Equus africanus asinus... ohh, even that got censored, and it's Latin... just say a donkey.)
dolbyman
Guru
Posts: 34903
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: disable the default admin account -- not possible

Post by dolbyman »

The forum has all sorts of funny and/or unexpected word censorships...

Whatever a Chinese native (QNAP forum admin) thinks are bad English spam words... some forum sections even have common words like "watch" censored.
graemev
Know my way around
Posts: 199
Joined: Sun Feb 12, 2012 10:17 pm

Re: disable the default admin account -- not possible

Post by graemev »

Meant to add (got distracted by the censorship): the file /etc/ssh/sshd_config contains

Code:

AllowUsers admin <myuserid>
which was how I left it, so the new admin username is NOT there, suggesting the control is done elsewhere (and it's still not a standard sshd :( ).
kellic
Starting out
Posts: 28
Joined: Fri Mar 02, 2018 2:33 am

Re: disable the default admin account -- not possible

Post by kellic »

This company is getting stupider and stupider all the time. This "disable admin" is right out of 2003's security playbook and is stupid beyond words. I have multiple interlinking scripts that need admin and am not disabling it. My password is 26 characters in length, I'm using 2FA, and for SSH and the web interface I'm not using the normal ports, and the system is behind its own firewall and another physical firewall with almost every service disabled. In short, if someone hacks me it's not going to be due to them guessing that the username is admin. This is QNAP freaking the hell out and throwing everything at the wall for security, meanwhile all the processes running on their NASes are running with superuser privileges. If they want to focus on fixing something, stop beating us over the head with tired, borderline ineffective processes.

Meanwhile EVERY. DAMN. TIME I sign in I get prompted "hey, go disable admin" without being able to disable the nagware. Seriously, when it comes time to decom this NAS I'm completely done with QNAP.
graemev
Know my way around
Posts: 199
Joined: Sun Feb 12, 2012 10:17 pm

Re: disable the default admin account -- not possible

Post by graemev »

Yep, it feels like "inverse marketing". I buy a pair of cycle clips, their algorithm says "you need to buy a huge PRAT truck" and every day I get an ad to that effect. I buy a QNAP, it says you did wrong, and every day it sends me a reminder of the mistake I made.

I suspect I'll just install Debian over the top of the original firmware at some point. It was all the "job focused" features that sold me on a dedicated device in the first place, but with 30W power vs 9W for a central server and worse backup and related support, it's seeming less and less like a sane choice.