[SECURITY RISK] Your NAS could be infected. Please read.


Are you infected? / Should QNAP make a Security Advisory Announcement? - SELECT TWO OPTIONS

Yes, my NAS has been with this issue: 70 votes (31%)
No, my NAS is not infected: 77 votes (34%)
Yes, Announcement by QNAP Critical: 75 votes (33%)
No, Just contact QNAP issue: 4 votes (2%)

Total votes: 226

P3R
Guru
Posts: 13190
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by P3R »

I'm running the VPN on my pfSense firewall as the device that's doing the NAT is the optimal place to terminate the VPN. I can recommend pfSense to all the more advanced users that want to improve their perimeter defence to a professional firewall at SMB/home-type cost.

The hardware requirements are not stellar and both physical and virtual hardware are supported but at least Intel AES-NI capability is strongly recommended to have a reasonably future-proof solution. If looking around I wouldn't be surprised if a pfSense firewall could be realized at a lower cost than the high end routers, that have become ridiculously expensive today. If moving to a real firewall (I use pfSense but there are other alternatives as well), the old router is preferably demoted to being an access point only providing wireless services (if the router doesn't have an AP mode, simply disable DHCP in it and don't use the WAN port).
RAID has never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
Moogle Stiltzkin
Guru
Posts: 11448
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by Moogle Stiltzkin »

xavierh wrote: Sat Apr 27, 2019 1:41 am
putting the pi (running open vpn) behind the router will require you to open the necessary ports to make the vpn work
aa i see thx. so it's still more secure than running the vpn direct on the router?

is there an alternative to raspberry pi. because it's got a 20mbps cap speed performance (roughly). so was wondering what else is there that can be done similarly (like the pi guide in the youtube video) but with better hardware :'
NAS
[Main Server] QNAP TS-877 (QTS) w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A (Truenas Core) w. 4x 2TB Samsung F3 (HD203WI) RaidZ1 ZFS + 8gb ddr3 Crucial
[^] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D (Truenas Scale)
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Qotom Pfsense|100mbps FTTH | Win11, Ryzen 5600X Desktop (1x2tb Crucial P50 Plus M.2 SSD, 1x 8tb seagate Ironwolf,1x 4tb HGST Ultrastar 7K4000)


Resources
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin
elvisimprsntr

[SECURITY RISK] Your NAS could be infected. Please read.

Post by elvisimprsntr »

P3R wrote:I'm running the VPN on my pfSense firewall as the device that's doing the NAT is the optimal place to terminate the VPN. I can recommend pfSense to all the more advanced users that want to improve their perimeter defence to a professional firewall at SMB/home-type cost.
+1

I run pfSense on a separate dedicated appliance. Adds an extra software and physical barrier between WAN and NAS.

Those looking for lower cost hardware than Netgate, look at http://www.Protectli.com. Of course there is always a DIY build or repurposed computer.

Moogle Stiltzkin
Guru
Posts: 11448
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by Moogle Stiltzkin »

yeah the protectli looks good, has better hardware (AES-NI etc..). but one of the models has a wan port. is that supposed to be in front or behind the router? :' or is the wan model meant to be the router replacement (running pfsense).

but if you're ideally not supposed to run the vpn on the router, then is the model without the wan the one to get? or is it better to get the wan and just run everything vpn and everything on it and use that as the router as well (dhcp and everything).

anyway seems like cooling isn't going to be an issue (roughly 48c ish on load). unlike my router that hits temps of 70-80 then lags out :(
https://www.youtube.com/watch?v=FMNkJBtDWYE
P3R
Guru
Posts: 13190
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by P3R »

Moogle Stiltzkin wrote: Sat Apr 27, 2019 7:02 pm yeah the protectli looks good, has better hardware (AES-NI etc..). but one of the models has a wan port. is that supposed to be in front or behind the router? :' or is the wan model meant to be the router replacement (running pfsense).
In pfSense a port is a port. You decide for yourself which is going to be WAN, LAN, DMZ and so on regardless of what it says on the chassis labels. Get a Dymo and rename the ports if you want to swap them around.
Moogle Stiltzkin wrote: but if you're ideally not supposed to run the vpn on the router...
That's the opinion of a single individual and it's very much debatable.

I definitely disagree and say that the VPN should preferably terminate on the system doing the NAT and from a security perspective it doesn't hurt that the system is from the ground up designed with the intention to be facing the internet, like routers are.

When stepping up from routers to real firewalls like pfSense it's by no comparison best to terminate the VPN in there, at least for home and SMB usage.
Moogle Stiltzkin
Guru
Posts: 11448
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by Moogle Stiltzkin »

P3R wrote: Sat Apr 27, 2019 8:10 pm In pfSense a port is a port. You decide for yourself which is going to be WAN, LAN, DMZ and so on regardless of what it says on the chassis labels. Get a Dymo and rename the ports if you want to swap them around.
P3R wrote: Sat Apr 27, 2019 8:10 pm That's the opinion of a single individual and it's very much debatable.

I definitely disagree and say that the VPN should preferably terminate on the system doing the NAT and from a security perspective it doesn't hurt that the system is from the ground up designed with the intention to be facing the internet, like routers are.

When stepping up from routers to real firewalls like pfSense it's by no comparison best to terminate the VPN in there, at least for home and SMB usage.

ooo i c. so i can get the wan model and do whatever with it... whether to use as a router .... or that dedicated vpn thing (like the other user suggested, which is a device separate from the router without utilizing the wan port on it).

well when merlin decides to stop supporting my current router i'll look into this protectli (as my router replacement). But then i'd need something like Ubiquiti wireless AP to then provide my wireless (which is something i need).

thx :)


vpn test @9:10
https://www.youtube.com/watch?v=MQ3tdkiaAno
P3R
Guru
Posts: 13190
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by P3R »

Moogle Stiltzkin wrote: Sat Apr 27, 2019 9:28 pm ooo i c. so i can get the wan model and do whatever with it... whether to use as a router .... or that dedicated vpn thing (like the other user suggested, which is a device separate from the router without utilizing the wan port on it).
No matter how the ports are labeled on the chassis they're all just network interfaces that can be assigned to any use in pfSense.

Using a pfSense inside of a home router would be a terrible waste as you'd then have the much better firewall being protected by a worse one. The only times that such non-optimal configurations may be necessary is if you have a bad ISP that refuses to bridge their CPE or some other special arrangement with hardware that can't be replaced by the pfSense completely. Everyone that has their own Ethernet-connected home router can use the pfSense directly towards the internet.
Moogle Stiltzkin wrote: well when merlin decides to stop supporting my current router i'll look into this protectli (as my router replacement). But then i'd need something like Ubiquiti wireless AP to then provide my wireless (which is something i need).
There's no need to get a fancy access point for that. As I explained here earlier, simply use the router inside the LAN as an access point instead. That's what I've been doing for many years.
BilboB360
New here
Posts: 2
Joined: Sun Oct 14, 2018 4:46 am

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by BilboB360 »

crasp wrote: Fri Apr 26, 2019 2:40 am Bilbo, hopefully support have responded to your ticket by now. It seems they have retired the derek-be-gone script for a newer one. Anybody else still having trouble with this malware should open a ticket too.

They did, thanks, and it's now sorted. I'd also recommend opening a ticket with them for anyone else affected, so that they've got better visibility of the issue and in case the solution gets updated again.

Here's what I was told (note the updated script link) :
1) Refer the link below and access your NAS by SSH.

https://www.qnap.com/en-uk/how-to/knowl ... nas-by-ssh

2) Execute the command lines over SSH.

# curl https://download.qnap.com/Storage/tsd/u ... cleanme.sh | sh

3) Restart the NAS and re-update the latest firmware manually.

https://www.qnap.com/en/how-to/tutorial ... s-firmware

The latest firmware can be downloaded from https://www.qnap.com/en-uk/download

4) After the latest firmware is re-updated, please change all users' passwords.

5) Restart the NAS and check if all the apps can be updated or not.
Edit: Forgot to say, I received a letter from my ISP saying they'd detected malware behaviour on my network (you know it's not great when your ISP is flagging this to you!). It was recognised as part of the caphaw family of malware. Could be of interest to someone here, as QNAP aren't really talking about it.
elvisimprsntr

[SECURITY RISK] Your NAS could be infected. Please read.

Post by elvisimprsntr »

Moogle Stiltzkin wrote: well when merlin decides to stop supporting my current router i'll look into this protectli (as my router replacement). But then i'd need something like Ubiquiti wireless AP to then provide my wireless (which is something)
With a pfSense firewall, I simply flash OpenWRT on my existing wireless routers and disable firewall, DHCP, etc. to render it as an AP.
autolux
Starting out
Posts: 39
Joined: Thu Nov 19, 2009 1:33 pm

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by autolux »

mindblowing to me QNAP has still not even addressed or acknowledged this issue...
Samsonality
First post
Posts: 1
Joined: Tue Jun 25, 2019 8:39 am

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by Samsonality »

I’m not sure where to go here. But my NAS recently is getting failed HTTP logins from random IP addresses almost every 10 seconds over and over. Is there any way to stop this?!?
dolbyman
Guru
Posts: 35215
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by dolbyman »

have you tried searching the forum?

viewtopic.php?f=50&t=149157
ncnmra
Know my way around
Posts: 113
Joined: Sun Oct 10, 2010 8:24 am

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by ncnmra »

I realize this is an old thread, but I recently got a security warning from my ISP.

IP 99.243.xxx.xxx .
 data: TIMESTAMP: 2019-10-10 14:08:38
IP: 99.243.xxx.xxx
PORT: 50501
ASN: 812
GEO: CA
REGION: ONTARIO
CITY: LONDON
HOSTNAME: CPEb4750e67d1de-CM0c473df26b10.cpe.net.cable.rogers.com
INFECTION: caphaw
URL: /qnap_firmware.xml?t=1570716515
CC_IP: 208.100.26.251
CC_PORT: 443
CC_DNS: jpu0zn.ga
NAICS: 517311
SIC: 737415
SECTOR: Communications
PUBLIC_SOURCE: SecurityScorecard
From the "/qnap_firmware.xml" file reference, I presumed it was coming from my QNAP NAS, and it was simply doing a firmware check. A few days later, I got banned. I had to call in to restore my service.

I figure my QNAP was hacked. I didn't realize it but I guess I had it port forwarded, so that may have been the exposure point. I have since closed that port forward, changed the admin/user passwords and installed the Malware Remover. Is there anything else I should check for? I looked through the hosts file, and it does seem ok.
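
To find which LAN device triggered a notice like the one posted above, the reported C&C address and port can be matched against the firewall's own connection log. This is an added example, not part of the original post; the log format, LAN addresses and function names are hypothetical. The `t=` value in the reported URL, read as Unix time, is 14:08:35 UTC, three seconds before the notice's TIMESTAMP, so the example treats that value as the request time in UTC.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Subset of the notice fields as posted in the thread.
NOTICE = """\
TIMESTAMP: 2019-10-10 14:08:38
URL: /qnap_firmware.xml?t=1570716515
CC_IP: 208.100.26.251
CC_PORT: 443
"""

# Constructed firewall log in a hypothetical format; the LAN and 203.0.113.x
# addresses are made up, and times are assumed to be logged in UTC.
SAMPLE_LOG = """\
2019-10-10 14:08:37 src=192.168.1.50:41822 dst=208.100.26.251:443
2019-10-10 14:08:40 src=192.168.1.23:51544 dst=203.0.113.10:443
2019-10-10 14:09:02 src=192.168.1.50:41830 dst=208.100.26.251:443
2019-10-11 03:00:00 src=192.168.1.77:40000 dst=208.100.26.251:80
"""
LOG_RE = re.compile(r"^(\S+ \S+) src=([\d.]+):\d+ dst=([\d.]+):(\d+)$")

def parse_notice(text):
    """Turn 'KEY: value' lines into a dict; ignore anything else."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if sep and key.isupper():
            fields[key] = value.strip()
    return fields

def request_time(notice):
    """Read the URL's t= value as a Unix time (an inference from its value)."""
    t = parse_qs(urlparse(notice["URL"]).query)["t"][0]
    return datetime.fromtimestamp(int(t), tz=timezone.utc)

def lan_hosts_matching(notice, log_text, window_minutes=5):
    """Return {lan_ip: hits} for flows to CC_IP:CC_PORT near the request time."""
    when, window = request_time(notice), timedelta(minutes=window_minutes)
    cc = (notice["CC_IP"], notice["CC_PORT"])
    hits = {}
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):
        ts, src, dst, dport = m.groups()
        seen = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        if (dst, dport) == cc and abs(seen - when) <= window:
            hits[src] = hits.get(src, 0) + 1
    return hits

print(lan_hosts_matching(parse_notice(NOTICE), SAMPLE_LOG))
```

Matching on the destination rather than the notice's PORT value is deliberate: that port is what was seen at the public IP, and NAT may have rewritten it.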
dolbyman
Guru
Posts: 35215
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by dolbyman »

best bet would be a full wipe (including DOM) and restore from backups .. if this was a custom hack, malware remover has no cleanup for this
ncnmra
Know my way around
Posts: 113
Joined: Sun Oct 10, 2010 8:24 am

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by ncnmra »

Malware remover states that it has removed some malware, but does not indicate when/where. This seems to happen almost every night. Not very useful.

My NAS *IS* my backup, so I guess I'll have to dump my shared data and do a full wipe :(