[Guide] Best security practises for QNAP NAS 2022

Introduce yourself to us and other members here, or share your own product reviews, suggestions, and tips and tricks of using QNAP products.
Post Reply
User avatar
Moogle Stiltzkin
Guru
Posts: 10964
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....
Contact:

[Guide] Best security practises for QNAP NAS 2022

Post by Moogle Stiltzkin » Thu Nov 24, 2022 9:06 am

this is just a compilation on the subject of best security practises for QNAP NAS which i've added to this thread for the newbs. there are way too many people getting hit by malware not knowing how or why. So this thread is to help educate them how to prevent that. And what is considered possible/not possible on QNAP NAS in terms of security.


This part within quote pertains to how safe it is to host stuff from your QNAP online. it explores that loaded question for people wanting to use their qnap nas remotely, whether it be to access an app, or their shares.

Image

Image

Image

Image

Image

Image

Image


Image

QNAP Secure Hosting: Is it Even Possible? (slides from this video)
https://www.youtube.com/watch?v=Moe2YtUnUtI


How to Make QNAP NAS Secure
https://www.youtube.com/watch?v=fL2qGwRUq38

Secure Your QNAP NAS Immediately From Latest Wave of Attacks
https://www.servethehome.com/secure-you ... f-attacks/


Scotti-BYTE Enterprise Consulting Services youtube channel has a lot of indepth explanations regarding this. it's worth checking out :)



So he mentions avoid qpkgs, but i think if you are only using qpkgs in your lan only, they should be fine.

But for things you need remote, then containerized apps that is setup properly and using traefic reverse proxy and vpn (maybe also do vlan using managed switch as also suggested) is probably the way to go
viewtopic.php?f=354&t=168577



the simplest answer, if you don't need remote access whether to shares or apps from your nas over the internet, then just do not port forward at all. Pfsense router/firwall by default (change your password) is not exposing your network online, so you should be able to use your qnap nas fine behind it. the trouble only begins once u try enabling upnp, or start opening up ports willy nilly without understanding the security aspects that you ignored while doing so. And this is why people get hit by malware, because they expose their nas online without knowing what they are doing :S

and not to scaremonger, but i use qpkgs just fine without issue. but at the same time i do not expose my nas online or use any sort of remote. so if your use case is similar to mine, then qpkgs are perfectly fine on the lan.

*update

seeing as there are already people creating strawman arguments guess i have to clarify :roll: the youtuber mentions qpkgs, though whether he meant the qnap only qpkgs (e.g. station), or all qpkgs in general, i have no idea (you have to ask him that). For myself i can only say i used qpkgs (both qnaps own like photostation, and third party qpkgs) on lan just fine. If you think the youtuber said something wrong or need clarification of what he meant, you can go to his channel and ask there. as for myself, i merely explained my own experience as having no issues using qpkgs in my no remote/no exposing nas to online setting, and having no issues with that whatsoever. that said i do notice every so often a qnap station app shows up requiring a patch (so in regards to station qpkgs, maybe is better not to use them in situation u r doing some sort of remote https://www.qnap.com/en-us/security-advisories/ "use keyword station" this is my own understanding of the situation). no idea about other third parties qpkgs but these days i tend to use containerized docker apps for my own use when possible. hopefully that clarifies, but i already know this won't make a difference to some people since they are dead set on certain narratives :roll: i don't pay attention to trolls most of the time anyway lelz.



another aspect that needs to be looked at is your network setup. i usually find lawrence's videos to be insightful for these types of configurations. in his examples he usually uses pfsense. in some of his example he does remote, which i don't use so i skip those parts. but if you are curious how thats done, you can see his guides/walkthroughs how that is setup
Basic Setup and Configuring pfsense Firewall Rules For Home

Code: Select all

https://www.youtube.com/watch?v=bjr0rm93uVA
Virtual Tour of Our Network and How We Keep Things Secure Using the pFSense Firewall

Code: Select all

https://www.youtube.com/watch?v=gNKpRlRqQrk
Office Network Design and Planning with VLANs, LLDP, Rules, IoT, Guest using UniFi & pfsense

Code: Select all

https://www.youtube.com/watch?v=ouARr-4chJ8
Creating Firewall Rules To Secure Your Synology NAS

Code: Select all

https://youtu.be/A1I1k9Nct-A?t=139
Image

based on this example, seems he uses 2 nas. one he uses for remote, and the other for lan only. so then less important stuff are on that risky nas, and important stuff on the other nas on the private vlan. less risky i guess.


other discussion threads that examine this issue
https://www.reddit.com/r/qnap/comments/ ... _internet/

https://www.reddit.com/r/NextCloud/comm ... proxy_and/

https://www.reddit.com/r/qnap/comments/ ... _measures/

https://www.reddit.com/r/truenas/commen ... _services/

https://www.reddit.com/r/qnap/comments/ ... e_my_qnap/

Code: Select all

https://www.reddit.com/r/qnap/comments/wm979v/how_to_secure_your_qnap/

Code: Select all

https://www.zdnet.com/article/qnap-warns-nas-users-of-deadbolt-ransomware-urges-customers-to-update/
Last edited by Moogle Stiltzkin on Thu Nov 24, 2022 2:37 pm, edited 17 times in total.
NAS
[Main Server] QNAP TS-877 (QTS) w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A (Truenas Core) w. 4x 2TB Samsung F3 (HD203WI) RaidZ1 ZFS + 8gb ddr3 Crucial
[^] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D (Truenas Scale)
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Qotom Pfsense|100mbps FTTH | Win11, Ryzen 5600X Desktop (1x2tb Crucial P50 Plus M.2 SSD, 1x 8tb seagate Ironwolf,1x 4tb HGST Ultrastar 7K4000)


Resources
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin

User avatar
Moogle Stiltzkin
Guru
Posts: 10964
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....
Contact:

Re: [Guide] Best security practises for QNAP NAS

Post by Moogle Stiltzkin » Thu Nov 24, 2022 9:10 am

for vpn setup guides there is this



Which VPN To Use In pfsense?
https://www.youtube.com/watch?v=GDC9aKtebAU

Tutorial: pfsense OpenVPN Configuration For Remote Users 2020
https://www.youtube.com/watch?v=PgielyUFGeQ

Tutorial: pfsense Wireguard For Remote Access
https://www.youtube.com/watch?v=8jQ5UE_7xds

How to Setup The Tailscale VPN and Routing on pfsense
https://www.youtube.com/watch?v=P-q-8R67OPY

Tutorial: Using Tailscale VPN with the Self Hosted Headscale Controller (if u r concerned about privacy/security issues, this is another option compared to tailscale. but is harder/ more complex to setup)
https://www.youtube.com/watch?v=-9gXP6aaayw

PiVPN : How to Run a VPN Server on a $35 Raspberry Pi!
https://www.youtube.com/watch?v=15VjDVCISj0
Last edited by Moogle Stiltzkin on Thu Nov 24, 2022 2:10 pm, edited 1 time in total.
NAS
[Main Server] QNAP TS-877 (QTS) w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A (Truenas Core) w. 4x 2TB Samsung F3 (HD203WI) RaidZ1 ZFS + 8gb ddr3 Crucial
[^] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D (Truenas Scale)
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Qotom Pfsense|100mbps FTTH | Win11, Ryzen 5600X Desktop (1x2tb Crucial P50 Plus M.2 SSD, 1x 8tb seagate Ironwolf,1x 4tb HGST Ultrastar 7K4000)


Resources
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin

User avatar
Moogle Stiltzkin
Guru
Posts: 10964
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....
Contact:

Re: [Guide] Best security practises for QNAP NAS

Post by Moogle Stiltzkin » Thu Nov 24, 2022 9:14 am

and last but not least, keep a backup
https://www.reddit.com/r/qnap/comments/ ... _a_backup/


if your data is important, make sure to have a backup plan in place and set to backup at acceptable intervals for you. don't cry later how to data recovery. The solution is to have and maintain a backup so if data is loss, you can then recover.
Last edited by Moogle Stiltzkin on Thu Nov 24, 2022 9:40 am, edited 1 time in total.
NAS
[Main Server] QNAP TS-877 (QTS) w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A (Truenas Core) w. 4x 2TB Samsung F3 (HD203WI) RaidZ1 ZFS + 8gb ddr3 Crucial
[^] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D (Truenas Scale)
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Qotom Pfsense|100mbps FTTH | Win11, Ryzen 5600X Desktop (1x2tb Crucial P50 Plus M.2 SSD, 1x 8tb seagate Ironwolf,1x 4tb HGST Ultrastar 7K4000)


Resources
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin

User avatar
Moogle Stiltzkin
Guru
Posts: 10964
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....
Contact:

Re: [Guide] Best security practises for QNAP NAS 2022

Post by Moogle Stiltzkin » Thu Nov 24, 2022 9:33 am

plz do not be this guy who takes no responsibility but then goes on youtube to complain why he got malware after exposing his nas online without any sort of due diligence.
https://www.youtube.com/watch?v=S_4p68lDWfA&t=1211s

https://www.youtube.com/watch?v=BEie7fhG4zQ


and what gobsmacked me, he complains about frequency of having to update, yet he expects security patches.... that makes no sense x_x; if you want security. the next funny part he says he lost his data. then why didn't you maintain a backup? who's fault is that if not your own :roll:

1. do not expose nas online
2. update
3. backup
4. only blame when it's warranted (why did not notify about vulnerability? why did it take so long to release the patch? etc..). but also affect the fact that some of the responsbility that falls under you, is your own as well (why did you expose your nas online? when was the last time you updated? why no vlans? why are u exposing the qpkg station apps online? etc...) :roll:


in recent years qnap did introduce an auto update feature. so his complaint has since been answered to some extent, as the nas would auto update for him. but then now you got a different issue, what if the firmware you updated to is a bad one? well that is the trade off for using auto updating, which is why i personally don't use that, nor do i endorse it for others. but the option is there :wink:
NAS
[Main Server] QNAP TS-877 (QTS) w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A (Truenas Core) w. 4x 2TB Samsung F3 (HD203WI) RaidZ1 ZFS + 8gb ddr3 Crucial
[^] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D (Truenas Scale)
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Qotom Pfsense|100mbps FTTH | Win11, Ryzen 5600X Desktop (1x2tb Crucial P50 Plus M.2 SSD, 1x 8tb seagate Ironwolf,1x 4tb HGST Ultrastar 7K4000)


Resources
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin

User avatar
jaysona
Been there, done that
Posts: 806
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: [Guide] Best security practises for QNAP NAS 2022

Post by jaysona » Thu Nov 24, 2022 10:48 am

*groan* more "experts" that don't even know what it is they do not know about the subject matter for which they profess to be experts in.

QTS is not a Linux distro with after market additions. QTS is a severely bas.tar.dized and crippled Linux implementation, where QNAP has done just about as much as is possible to decimate the standard UNIX/Linux security model.

As for QPKGS, I am pretty certain that OneCD, QoolBox, Silas, Plex and other would take exception to the overly broad statement regarding QPKGs.

When it comes to security, QTS is a sh0t-show (replace 0 with an i) and not one QNAP written service (the QTS apps) should ever be accessible from the Internet.

As for 3rd party applications, each one needs to be evaluated on its own merit before deciding if the risk of Internet exposure is sufficiently low or not. If a user is incapable of performing such a risk assessment of an application/service they wish to expose to the Internet, then it is probably safe to say the application/service should not be made available on the Internet.

As for some of the security recommendations, clearly the guy has not scratched the surface of those "security" programs, otherwise he would not be recommending them.
Last edited by jaysona on Thu Nov 24, 2022 12:49 pm, edited 1 time in total.
RAID is not a Back-up!

H/W: QNAP TVS-871 (i7-4790. 16GB) (Plex server) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6604T (8GB) / Asustor AS7010T (16GB) (media storage)
H/W: TS-219 Pro / TS-509 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 386.7_2
Router2: Asus RT-AC68U - Asuswrt-Merlin - 386.7_2
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15

Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB)

User avatar
OneCD
Guru
Posts: 10594
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [Guide] Best security practises for QNAP NAS 2022

Post by OneCD » Thu Nov 24, 2022 12:37 pm

jaysona wrote:
Thu Nov 24, 2022 10:48 am
As for QPKGS, I am pretty certain that OneCD, QoolBox, Silas, Plex and other would take exception to the overly broad statement regarding QPKGs.
Must admit: I stopped reading Moogle's posts some time ago (there's just too much waffle to sort through, and I don't have the time), so I'm not sure what has been claimed with regard to QPKGs.

However, it's safe-to-say @jaysona's security concerns are always on-point, and I wholeheartedly agree with them. Image

ImageImageImageImageImageImageImageImageImageImageImageImageImageImageImageImageImageImage

User avatar
jaysona
Been there, done that
Posts: 806
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: [Guide] Best security practises for QNAP NAS 2022

Post by jaysona » Thu Nov 24, 2022 1:03 pm

OneCD wrote:
Thu Nov 24, 2022 12:37 pm
Must admit: I stopped reading Moogle's posts some time ago (there's just too much waffle to sort through, and I don't have the time), so I'm not sure what has been claimed with regard to QPKGs.
I tend to do the same, between the lazy spelling, lazy grammar and incessant copy and pasting of 80% of articles, Moogle's post are generally the half-blind leading the blind, but I felt this one merrited a response since Moogle is a "guru" and there are just so many half-truths in the post such that many lesser savvy readers would take the multiple posts in their entirety as complete truths and blindly go down a path they otherwise might not have pursued so readily.

Regarding the QPKG statement - well, that's up for interpretation. The statement is "Don't use QNAP designed QPKG applications" and the argument could be made that every QPKG is "designed" by QNAP as it is QNAP that provided the framework for making a QPKG.

I suspect the intention is more along the lines of "Do not use QNAP written QPKG applications"
However, it's safe-to-say @jaysona's security concerns are always on-point, and I wholeheartedly agree with them. Image
:ubergeek:
RAID is not a Back-up!

H/W: QNAP TVS-871 (i7-4790. 16GB) (Plex server) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6604T (8GB) / Asustor AS7010T (16GB) (media storage)
H/W: TS-219 Pro / TS-509 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 386.7_2
Router2: Asus RT-AC68U - Asuswrt-Merlin - 386.7_2
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15

Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB)

User avatar
dolbyman
Guru
Posts: 29470
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [Guide] Best security practises for QNAP NAS 2022

Post by dolbyman » Thu Nov 24, 2022 1:49 pm

I am caught between a rock and a hard place ..I do agree with jasona (qnap security concerns and Moogles 'over eagerness' with posting masses of youtube links and massive quote walls)

But I also do see Moogle beeing supportive and generally with more 'upbeat' replies in contrast to more grounded members ( yours truly...'mr grumpmeister' included) so I also do not want to really p*ss him off...

In terms of 'guru'...I never liked these auto forum titles and I would never have given myself this status...there is and was other members that deserve this designation more than me for sure (and some posters have found 'offence' in them in the past)

User avatar
spile
Been there, done that
Posts: 563
Joined: Tue May 24, 2016 12:13 am

Re: [Guide] Best security practises for QNAP NAS 2022

Post by spile » Thu Nov 24, 2022 3:33 pm

There are technical users who have communication “issues”.
There are good communicators who the above group criticise.
I try to come to a consensus by reading posts by both groups.

User avatar
OneCD
Guru
Posts: 10594
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [Guide] Best security practises for QNAP NAS 2022

Post by OneCD » Thu Nov 24, 2022 4:49 pm

@dm, I like Moogle’s (usually) upbeat mood too, but his posts have become long, rambling and quite tedious to read. He seems to be preferring quantity over quality.

This is particularly unfortunate when he tries to help someone with a problem, as the victim is invariably inundated with a flood of suggested fixes, URLs, images and opinions - most having little relevance to the issue. :(

Regarding the forum assigning those titles: I’ll ask QNAP if this can be changed.

@jaysona, I hear you on the QPKGs. Personally, I wish QNAP would stop treating non-QNAP creators of QPKGs as if they are the ones responsible for the malware ending-up on so many NAS, whilst simultaneously suggesting QNAP’s own packages are completely secure and above-board.

ImageImageImageImageImageImageImageImageImageImageImageImageImageImageImageImageImageImage

Skwor
Know my way around
Posts: 230
Joined: Thu Feb 27, 2020 1:38 am

Re: [Guide] Best security practises for QNAP NAS 2022

Post by Skwor » Thu Nov 24, 2022 10:07 pm

OneCD wrote:
Thu Nov 24, 2022 4:49 pm
...

I wish QNAP would stop treating non-QNAP creators of QPKGs as if they are the ones responsible for the malware ending-up on so many NAS, whilst simultaneously suggesting QNAP’s own packages are completely secure and above-board.
Plex security is pretty top notch, I trust their package over anything QNAP writes themselves. Over the last few years Plex had 2 security issues I can recall, one a DDoS relay, which they patched in literally a matter of days. The second, a semi recent breach where we found out they use ALL the industry best practices to protect peoples data. Still they admitted it immediately and encouraged everyone to reset their passwords and re-logging to reset credentials.

Honestly if the only port you have open is their port and you use no third party Plex add-ons you are most likely safe. I want to say you are safe but absolute statements tend to come back and bite you.
NAS:
TS-453Be
2-4 Gig QNAP ram sticks
1x12 TB Seagate Iron Wolf and 3x12 TB Seagate Exos
Mainly used as a Plex Server and Photo manager (QuMagie is actually pretty good)

WD 12 TB Elements for each hard drive - External HD BU to the NAS movie database and Photos

Post Reply

Return to “Users' Corner”