
New QNAP TS-253B owner, thoughts on security

Posted: Fri Jul 24, 2020 6:21 pm
by beshur
Hello!

I'm Alex from Ukraine, web developer, and I've just bought and set up TS-253B at home.

My intention is to move away from OneDrive, which we've been using for family pics and videos, and other archive things.

Have read a couple threads while setting up, and I like this community :D

Since I only had two days to set up the jobs, I've enabled the qnap my cloud, and opened the ports to the outer world on the router.
I understand there are serious security issues with this.

What I have in mind is to open ports on demand. So they are usually closed, and unless I need to connect to NAS from external network, I can expose it for some time.
For example:
1. Set up a polling job on NAS that will check a certain public file value (e.g. have some txt file on my hosting or Google Drive, that I can easily edit, with values of 1 or 0).
2. If the value is 1, then send UPnP request to router to open ports.
3. If the value is 0, then send UPnP request to router to remove those ports.

Is it possible? Did anyone try to do it?

Thanks.

Re: New QNAP TS-253B owner, thoughts on security

Posted: Fri Jul 24, 2020 8:05 pm
by peelos
Would suggest setting up a VPN on the router or firewall instead.

Re: New QNAP TS-253B owner, thoughts on security

Posted: Fri Jul 24, 2020 9:37 pm
by dolbyman
and disable UPnP on the router

Re: New QNAP TS-253B owner, thoughts on security

Posted: Fri Jul 24, 2020 9:46 pm
by beshur
peelos wrote:
Fri Jul 24, 2020 8:05 pm
Would suggest setting up a VPN on the router or firewall instead.

Thanks for the suggestion!
Is it more secure than just leaving ports open on the router?

Re: New QNAP TS-253B owner, thoughts on security

Posted: Fri Jul 24, 2020 9:49 pm
by dolbyman
of course

read up on all the hacked web exposed qnaps via open ports

no hacks of qnaps via vpn known to me ..vpn server should be on a firewall/router/dedicated appliance ... not the qnap (works as a last option too)

Re: New QNAP TS-253B owner, thoughts on security

Posted: Fri Jul 24, 2020 9:53 pm
by beshur
Thanks.

Do I have a week before it gets hacked?

Re: New QNAP TS-253B owner, thoughts on security

Posted: Fri Jul 24, 2020 10:16 pm
by dolbyman
could be a week ..a year ...never ...could already be part of a bot net or encrypting your files for ransom as we speak

there is no timer on it

Re: New QNAP TS-253B owner, thoughts on security

Posted: Sat Jul 25, 2020 12:01 am
by jaysona
The QNAP QTS admin page and QTS apps (Helpdesk, Filestation, Photostation, Musicstation, etc) are really insecure, and there are several 0-day php vulnerabilities in those apps.

If you wish to remotely access the QTS Admin webpage of your NAS, then do so using a VPN, and it would be best that the VPN server be a separate device such as a Raspberry Pi or the router.

beshur wrote:
What I have in mind is to open ports on demand. So they are usually closed, and unless I need to connect to NAS from external network, I can expose it for some time.
For example:
1. Set up a polling job on NAS that will check a certain public file value (e.g. have some txt file on my hosting or Google Drive, that I can easily edit, with values of 1 or 0).
2. If the value is 1, then send UPnP request to router to open ports.
3. If the value is 0, then send UPnP request to router to remove those ports.

This sounds similar to port knocking. If you have a router that supports DD-WRT, then you can set up port knocking (using knockd) to open specific ports when you need to access the NAS, and then close the ports when you are done.

If you wish to share videos and pictures, use Plex instead of the built-in QTS apps. Plex has a lot more development effort behind it than the QTS apps, and Plex puts in a lot of effort for secure coding.

Make sure UPnP is disabled on your router.

Re: New QNAP TS-253B owner, thoughts on security

Posted: Sun Jul 26, 2020 4:30 am
by beshur
Thank you for the replies!

jaysona wrote:
Sat Jul 25, 2020 12:01 am
The QNAP QTS admin page and QTS apps (Helpdesk, Filestation, Photostation, Musicstation, etc) are really insecure, and there are several 0-day php vulnerabilities in those apps.

If you wish to remotely access the QTS Admin webpage of your NAS, then do so using a VPN, and it would be best that the VPN server be a separate device such as a Raspberry Pi or the router.

Does this also concern myQNAPCloudLink?

I'm asking because I turned UPnP per your request on the router, and now no ports seem to be forwarded, but I can still connect via qlink.
But I see from this point that the vulnerable login page and photostation are exposed, and how VPN could improve security of this.

Will check about knockd, thanks.

Re: New QNAP TS-253B owner, thoughts on security

Posted: Mon Jul 27, 2020 10:40 pm
by beshur
So I disabled the UPnP on the router.
I discovered that actually it's behind an ISP NAT, since the external port displayed in router is different from what web-sites see me as (whatsmyip.org e.g.).

I installed myQNAPCloudLink, and set up the NAS access level to Customized, which means when visiting the page via qlink, first I need to log in with QNAP ID, and only then it presents me with a QTS login page.
That sounds pretty safe, doesn't it?
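
The comparison described in the post above, as an added example that is not part of the original thread: it classifies the address the router shows on its WAN side against the address an external site reports. The function names and the sample addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress

# Ranges that are never routable from the Internet.
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(router_wan: str, seen_public: str) -> str:
    """Compare the router's WAN address with what an external site reports."""
    wan = ipaddress.ip_address(router_wan)
    seen = ipaddress.ip_address(seen_public)
    if wan in CGNAT:
        return "cgnat"        # carrier-grade NAT at the ISP
    if any(wan in net for net in RFC1918):
        return "double-nat"   # another NAT device (e.g. ISP modem) upstream
    if wan == seen:
        return "direct"       # the router itself holds the public address
    return "translated"       # public-looking WAN, still rewritten upstream


def forwards_reachable(verdict: str) -> bool:
    """Is a port forward or UPnP mapping on this router reachable from outside
    without any help from an upstream device?"""
    return verdict == "direct"


# Constructed sample pairs: (address shown by the router, address seen by a website)
SAMPLES = [
    ("100.72.14.9", "203.0.113.10"),
    ("192.168.1.2", "203.0.113.10"),
    ("203.0.113.10", "203.0.113.10"),
    ("198.51.100.7", "203.0.113.10"),
]


def report(samples=SAMPLES):
    """Return (wan, verdict, reachable) for every sample pair."""
    rows = []
    for wan, seen in samples:
        verdict = classify_wan(wan, seen)
        rows.append((wan, verdict, forwards_reachable(verdict)))
    return rows


if __name__ == "__main__":
    for row in report():
        print(row)
```

Any verdict other than `direct` means an upstream device holds the public address, so a forward configured only on the home router is not exposed to the Internet by itself.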

Re: New QNAP TS-253B owner, thoughts on security

Posted: Mon Jul 27, 2020 10:59 pm
by dolbyman
cloudlink is different ..it does not expose you directly ..but all traffic goes via qnap servers ..so you need to trust them with your data (and security) if they get compromised your nas could be too

Re: New QNAP TS-253B owner, thoughts on security

Posted: Tue Jul 28, 2020 6:26 pm
by spile
dolbyman wrote:
Mon Jul 27, 2020 10:59 pm
cloudlink is different ..it does not expose you directly ..but all traffic goes via qnap servers ..so you need to trust them with your data (and security) if they get compromised your nas could be too

Cloudlink is different to what?
Cloudlink = MyQnapCloud Link
https://www.qnap.com/en/news/2020/qnaps ... cloud-link