Plecotus wrote: ↑Fri Jan 28, 2022 9:07 am
yemartin wrote: ↑Fri Jan 28, 2022 5:16 am
5) You only access your QNAP through a VPN. This allows remote access without exposing the NAS to the open Internet.
My use case is having a number of independent sales contractors (about 50 of them) needing to view and (more importantly) upload files from their tablets and smartphones while in the field.
Qfile works like a charm for this particular purpose and I'm not sure how I'd accomplish a similar user-friendly (none of them are very tech savvy) experience with VPN. Having to first connect VPN on their iPad's, iPhone's or Android before then using Qfile is going to be off-putting for the majority of these guys.
Qfile (SSL enabled) can be setup to use any other but the default 443 HTTPS port, eg port 19443. Would that somewhat mitigate the risk/exposure against threats/exploits like these while still benefiting from the ease-of-use that Qfile natively offers?
Undoubtedly. Changing the ports used by default greatly decreases any intrusion attempts. It is not a guarantee that it cannot be attacked, but for practical purposes it eliminates more than 99% of the problems. Why?
As I said, these types of attacks are indiscriminate. They do not search for a specific device, but instead try to infect as many devices as possible. What is done in this type of attack (the vast majority of the time), is to launch the xploit directly to the ports where the vulnerable services are located. Yes, you can send the exploit to all 65535 ports on a device, but the time it takes is exponential, not to mention that many router firewalls themselves will detect a clear anomaly and drop traffic. They could also do an investigation to try to find out the port to which it has moved, but I repeat that this is not the case in indiscriminate attacks of this type.
For practical and real purposes, and especially in "home" environments, simply changing the default ports reduces any problem to a minimum. In other words, I'm pretty sure there haven't been any infected users qith DeadBolt that had the ports changed. It wouldn't prevent a premeditated attack or a very conscientious attack, that's usually not a problem.
Another recommendation that I always make together with the above, and makes the system practically free of infections, is to correctly configure the Firewall of the NAS or the Router that we put ahead, with something as simple as filtering the traffic that comes outside our country. 99% of malware of these attacks all come from the same countries, so unless you live in precisely one of those countries, filtering international traffic makes you pretty safe.
Applying these and other practices that are the A-B-C of security, I have never had a single problem of attempted intrusion/infection in my systems. In other words, my computers are essentially "invisible" to the background noise of the Internet. That doesn't make them invulnerable, targeted or well-planned attacks would possibly achieve the goal, but no one performs such attacks for home users or small businesses.