[SECURITY RISK] Your NAS could be infected. Please read.
-
- Guru
- Posts: 13192
- Joined: Sat Dec 29, 2007 1:39 am
- Location: Stockholm, Sweden (UTC+01:00)
Re: [SECURITY RISK] Your NAS could be infected. Please read.
I'm running the VPN on my pfSense firewall as the device that's doing the NAT is the optimal place to terminate the VPN. I can recommend pfSense to all the more advanced users that want to improve their perimeter defence to a professional firewall at SMB/home-type cost.
The hardware requirements are not stellar and both physical and virtual hardware are supported but at least Intel AES-NI capability is strongly recommended to have a reasonably future-proof solution. If looking around I wouldn't be surprised if a pfSense firewall could be realized at a lower cost than the high end routers, that have become ridiculously expensive today. If moving to a real firewall (I use pfSense but there are other alternatives as well), the old router is preferably demoted to being an access point only providing wireless services (if the router doesn't have an AP mode, simply disable DHCP in it and don't use the WAN port).
RAID has never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!
A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.
All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
- Moogle Stiltzkin
- Guru
- Posts: 11448
- Joined: Thu Dec 04, 2008 12:21 am
- Location: Around the world....
- Contact:
Re: [SECURITY RISK] Your NAS could be infected. Please read.
aa i see thx. so it's still more secure than running the vpn direct on the router?
is there an alternative to raspberry pi. because it's got a 20mbps cap speed performance (roughly). so was wondering what else is there that can be done similarly (like the pi guide in the youtube video) but with better hardware
NAS
[Main Server] QNAP TS-877 (QTS) w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A (Truenas Core) w. 4x 2TB Samsung F3 (HD203WI) RaidZ1 ZFS + 8gb ddr3 Crucial
[^] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D (Truenas Scale)
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1
Network
Qotom Pfsense|100mbps FTTH | Win11, Ryzen 5600X Desktop (1x2tb Crucial P50 Plus M.2 SSD, 1x 8tb seagate Ironwolf,1x 4tb HGST Ultrastar 7K4000)
Resources
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin
[SECURITY RISK] Your NAS could be infected. Please read.
P3R wrote: I'm running the VPN on my pfSense firewall as the device that's doing the NAT is the optimal place to terminate the VPN. I can recommend pfSense to all the more advanced users that want to improve their perimeter defence to a professional firewall at SMB/home-type cost.
+1
I run pfSense on a separate dedicated appliance. Adds an extra software and physical barrier between WAN and NAS.
Those looking for lower cost hardware than Netgate, look at http://www.Protectli.com. Of course there is always a DIY build or repurposed computer.
- Moogle Stiltzkin
- Guru
- Posts: 11448
- Joined: Thu Dec 04, 2008 12:21 am
- Location: Around the world....
- Contact:
Re: [SECURITY RISK] Your NAS could be infected. Please read.
yeah the protectli looks good, has better hardware (AES-NI etc..). but one of the models has a wan port. is that supposed to be in front or behind the router? or is the wan model meant to be the router replacement (running pfsense).
but if you're ideally not supposed to run the vpn on the router, then is the model without the wan the one to get? or is it better to get the wan and just run everything vpn and everything on it and use that as the router as well (dhcp and everything).
anyway seems like cooling isn't going to be an issue (roughly 48c ish on load). unlike my router that hits temps of 70-80 then lags out
https://www.youtube.com/watch?v=FMNkJBtDWYE
-
- Guru
- Posts: 13192
- Joined: Sat Dec 29, 2007 1:39 am
- Location: Stockholm, Sweden (UTC+01:00)
Re: [SECURITY RISK] Your NAS could be infected. Please read.
Moogle Stiltzkin wrote: ↑Sat Apr 27, 2019 7:02 pm yeah the protectli looks good, has better hardware (AES-NI etc..). but one of the models has a wan port. is that supposed to be in front or behind the router? or is the wan model meant to be the router replacement (running pfsense).
In pfSense a port is a port. You decide for yourself which is going to be WAN, LAN, DMZ and so on regardless of what it says on the chassis labels. Get a Dymo and rename the ports if you want to swap them around.
Moogle Stiltzkin wrote: but if you're ideally not supposed to run the vpn on the router...
That's the opinion of a single individual and it's very much debatable.
I definitely disagree and say that the VPN should preferably terminate on the system doing the NAT and from a security perspective it doesn't hurt that the system is from the ground up designed with the intention to be facing the internet, like routers are.
When stepping up from routers to real firewalls like pfSense it's by no comparison best to terminate the VPN in there, at least for home and SMB usage.
- Moogle Stiltzkin
- Guru
- Posts: 11448
- Joined: Thu Dec 04, 2008 12:21 am
- Location: Around the world....
- Contact:
Re: [SECURITY RISK] Your NAS could be infected. Please read.
P3R wrote: ↑Sat Apr 27, 2019 8:10 pm That's the opinion of a single individual and it's very much debatable.
I definitely disagree and say that the VPN should preferably terminate on the system doing the NAT and from a security perspective it doesn't hurt that the system is from the ground up designed with the intention to be facing the internet, like routers are.
When stepping up from routers to real firewalls like pfSense it's by no comparison best to terminate the VPN in there, at least for home and SMB usage.
ooo i c. so i can get the wan model and do whatever with it... whether to use as a router .... or that dedicated vpn thing (like the other user suggested, which is a device separate from the router without utilizing the wan port on it).
well when merlin decides to stop supporting my current router i'll look into this protectli (as my router replacement). But then i'd need something like Ubiquiti wireless AP to then provide my wireless (which is something i need).
thx
vpn test @9:10
https://www.youtube.com/watch?v=MQ3tdkiaAno
-
- Guru
- Posts: 13192
- Joined: Sat Dec 29, 2007 1:39 am
- Location: Stockholm, Sweden (UTC+01:00)
Re: [SECURITY RISK] Your NAS could be infected. Please read.
Moogle Stiltzkin wrote: ↑Sat Apr 27, 2019 9:28 pm ooo i c. so i can get the wan model and do whatever with it... whether to use as a router .... or that dedicated vpn thing (like the other user suggested, which is a device separate from the router without utilizing the wan port on it).
No matter how the ports are labeled on the chassis they're all just network interfaces that can be assigned to any use in pfSense.
Using a pfSense inside of a home router would be a terrible waste as you'd then have the much better firewall being protected by a worse one. The only times that such non-optimal configurations may be necessary are if you have a bad ISP that refuses to bridge their CPE or some other special arrangement with hardware that can't be replaced by the pfSense completely. Everyone that has their own Ethernet-connected home router can use the pfSense directly towards the internet.
Moogle Stiltzkin wrote: well when merlin decides to stop supporting my current router i'll look into this protectli (as my router replacement). But then i'd need something like Ubiquiti wireless AP to then provide my wireless (which is something i need).
There's no need to get a fancy access point for that. As I explained here earlier, simply use the router inside the LAN as an access point instead. That's what I've been doing for many years.
-
- New here
- Posts: 2
- Joined: Sun Oct 14, 2018 4:46 am
Re: [SECURITY RISK] Your NAS could be infected. Please read.
They did, thanks, and it's now sorted. I'd also recommend opening a ticket with them for anyone else affected, so that they've got better visibility of the issue and in case the solution gets updated again.
Here's what I was told (note the updated script link):
1) Refer to the link below and access your NAS by SSH.
https://www.qnap.com/en-uk/how-to/knowl ... nas-by-ssh
2) Execute the command lines over SSH.
# curl https://download.qnap.com/Storage/tsd/u ... cleanme.sh | sh
3) Restart the NAS and re-update the latest firmware manually.
https://www.qnap.com/en/how-to/tutorial ... s-firmware
The latest firmware can be downloaded from https://www.qnap.com/en-uk/download
4) After the latest firmware is re-updated, please change all users' passwords
5) Restart the NAS and check if all the apps can be updated or not.
Edit: Forgot to say, I received a letter from my ISP saying they'd detected malware behaviour on my network (you know it's not great when your ISP is flagging this to you!). It was recognised as part of the caphaw family of malware. Could be of interest to someone here, as QNAP aren't really talking about it.
[SECURITY RISK] Your NAS could be infected. Please read.
Moogle Stiltzkin wrote: well when merlin decides to stop supporting my current router i'll look into this protectli (as my router replacement). But then i'd need something like Ubiquiti wireless AP to then provide my wireless (which is something)
With a pfSense firewall, I simply flash OpenWRT on my existing wireless routers and disable firewall, DHCP, etc. to render it as an AP.
-
- Starting out
- Posts: 39
- Joined: Thu Nov 19, 2009 1:33 pm
Re: [SECURITY RISK] Your NAS could be infected. Please read.
mindblowing to me QNAP has still not even addressed or acknowledged this issue...
-
- First post
- Posts: 1
- Joined: Tue Jun 25, 2019 8:39 am
Re: [SECURITY RISK] Your NAS could be infected. Please read.
I’m not sure where to go here. But my NAS recently is getting failed HTTP logins from random IP addresses almost every 10 seconds over and over. Is there any way to stop this?!?
- dolbyman
- Guru
- Posts: 35253
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
-
- Know my way around
- Posts: 113
- Joined: Sun Oct 10, 2010 8:24 am
Re: [SECURITY RISK] Your NAS could be infected. Please read.
I realize this is an old thread, but I recently got a security warning from my ISP.
From the "/qnap_firmware.xml" file reference, I presumed it was coming from my QNAP NAS, and it was simply doing a firmware check. A few days later, I got banned. I had to call in to restore my service.
I figure my QNAP was hacked. I didn't realize it but I guess I had it port forwarded, so that may have been the exposure point. I have since closed that port forward, changed the admin/user passwords and installed the Malware Remover. Is there anything else I should check for? I looked through the hosts file, and it does seem ok.
Code:
IP 99.243.xxx.xxx .
data: TIMESTAMP: 2019-10-10 14:08:38
IP: 99.243.xxx.xxx
PORT: 50501
ASN: 812
GEO: CA
REGION: ONTARIO
CITY: LONDON
HOSTNAME: CPEb4750e67d1de-CM0c473df26b10.cpe.net.cable.rogers.com
INFECTION: caphaw
URL: /qnap_firmware.xml?t=1570716515
CC_IP: 208.100.26.251
CC_PORT: 443
CC_DNS: jpu0zn.ga
NAICS: 517311
SIC: 737415
SECTOR: Communications
PUBLIC_SOURCE: SecurityScorecard
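Added example, not part of the original post: one way to confirm which LAN device produced the traffic an ISP notice like the one above describes, by parsing its fields and matching the C2 address and domain against gateway logs. The log layout and the 192.168.1.x addresses are constructed for illustration.

```python
import re
from collections import Counter

# Excerpt of the ISP notice as posted above (address already masked by the poster).
ISP_NOTICE = """\
data: TIMESTAMP: 2019-10-10 14:08:38
IP: 99.243.xxx.xxx
INFECTION: caphaw
URL: /qnap_firmware.xml?t=1570716515
CC_IP: 208.100.26.251
CC_PORT: 443
CC_DNS: jpu0zn.ga
"""

# Constructed gateway log; the "time source kind detail" layout is an assumption.
GATEWAY_LOG = """\
2019-10-10T14:08:31 192.168.1.20 dns download.qnap.com
2019-10-10T14:08:37 192.168.1.50 dns jpu0zn.ga
2019-10-10T14:08:38 192.168.1.50 tcp 208.100.26.251:443
2019-10-11T02:14:10 192.168.1.50 tcp 208.100.26.251:443
2019-10-11T02:14:11 192.168.1.20 dns jpu0zn.ga.example.net
2019-10-11T02:15:40 192.168.1.50 dns cdn.JPU0ZN.GA.
"""

FIELD = re.compile(r"^(?:data:\s*)?([A-Z_]+):\s*(.+?)\s*$")

def parse_notice(text):
    """Return the notice's KEY: value fields as a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def matches_c2(kind, detail, notice):
    """True if one log event points at the C2 endpoint named in the notice."""
    if kind == "dns":
        name, c2 = detail.rstrip(".").lower(), notice["CC_DNS"].lower()
        # Exact name or a subdomain only; a plain substring test would also
        # flag unrelated names such as jpu0zn.ga.example.net.
        return name == c2 or name.endswith("." + c2)
    if kind == "tcp":
        return detail == f"{notice['CC_IP']}:{notice['CC_PORT']}"
    return False

def find_talkers(log_text, notice):
    """Count C2-matching events per LAN source address."""
    hits = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and matches_c2(parts[2], parts[3], notice):
            hits[parts[1]] += 1
    return hits

if __name__ == "__main__":
    notice = parse_notice(ISP_NOTICE)
    for host, count in find_talkers(GATEWAY_LOG, notice).most_common():
        print(f"{host}: {count} events matching {notice['INFECTION']} C2")
```

A source address that keeps showing up after the cleanup steps is the device to isolate and wipe.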
- dolbyman
- Guru
- Posts: 35253
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: [SECURITY RISK] Your NAS could be infected. Please read.
best bet would be a full wipe (including DOM) and restore from backups .. if this was a custom hack, malware remover has no cleanup for this
-
- Know my way around
- Posts: 113
- Joined: Sun Oct 10, 2010 8:24 am
Re: [SECURITY RISK] Your NAS could be infected. Please read.
Malware remover states that it has removed some malware, but does not indicate when/where. This seems to happen almost every night. Not very useful.
My NAS *IS* my backup, so I guess I'll have to dump my shared data and do a full wipe