Take Action to Protect Your QNAP Devices From Brute-Force Attacks

Introduce yourself to us and other members here, or share your own product reviews, suggestions, and tips and tricks of using QNAP products.
User avatar
Moogle Stiltzkin
Ask me anything
Posts: 9843
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....
Contact:

Take Action to Protect Your QNAP Devices From Brute-Force Attacks

Post by Moogle Stiltzkin » Thu Mar 25, 2021 4:43 pm

NAS
[Main Server] QNAP TS-877 w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A w. 5x 2TB Samsung F3 (HD203WI) EXT4 Raid5
[Backup] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-659 Pro II
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D
[^] QNAP TS-228
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Qotom Pfsense|100dl/50ul MBPS FTTH Internet | Win10, WC PC-Intel i7 920 Ivy bridge desktop (1x 512gb Samsung 850 Pro SSD + 1x 4tb HGST Ultrastar 7K4000)


Guides & articles
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin

P3R
Guru
Posts: 12626
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: Take Action to Protect Your QNAP Devices From Brute-Force Attacks

Post by P3R » Thu Mar 25, 2021 11:14 pm

Several experienced administrators have been saying it over and over for years here in the forum that exposing your NASes on a public network is dangerous and strongly not recommended. Now finally even Qnap admit that exposing your NAS on the internet (that they've been pushing their users into doing with both marketing and insecure defaults) is a bad thing to do. But they do it with a confusing message as they still have the security-by-obscurity recommendation of changing port numbers. And they do it on reddit... :roll:

Use a remote access VPN, preferably implemented on the router/firewall if you absolutely need remote access!
RAID have never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!

User avatar
jaysona
Been there, done that
Posts: 662
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: Take Action to Protect Your QNAP Devices From Brute-Force Attacks

Post by jaysona » Tue Mar 30, 2021 1:06 am

P3R wrote:
Thu Mar 25, 2021 11:14 pm
Several experienced administrators have been saying it over and over for years here in the forum that exposing your NASes on a public network is dangerous and strongly not recommended. Now finally even Qnap admit that exposing your NAS on the internet (that they've been pushing their users into doing with both marketing and insecure defaults) is a bad thing to do. But they do it with a confusing message as they still have the security-by-obscurity recommendation of changing port numbers. And they do it on reddit... :roll:

Use a remote access VPN, preferably implemented on the router/firewall if you absolutely need remote access!
QNAP and security, like oil and water, they just don't mix. :roll:
H/W: TS-219 Pro / TS-269 Pro / TS-253 Pro (8Gig) / TS-509 Pro x2 / TS-569 Pro
H/W: TS-670 Pro (i7-3770S 16Gig) x2 / TS-853 Pro (8Gig) / TVS-871 Pro (i7-4790S 16Gig)
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 384.19
Router2: Asus RT-AC68U - DD-WRT v3.0-r39960M kongac
Router3: Linksys WRT1900AC - DD-WRT v3.0-r43028 std
Router4: Asus RT-AC66U - FreshTomato v2020.7
Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)

QNAPDanielFL
Easy as a breeze
Posts: 340
Joined: Fri Mar 31, 2017 7:09 am

Re: Take Action to Protect Your QNAP Devices From Brute-Force Attacks

Post by QNAPDanielFL » Tue Mar 30, 2021 4:38 am

"Now finally even Qnap admit that exposing your NAS on the internet (that they've been pushing their users into doing with both marketing and insecure defaults) is a bad thing to do. But they do it with a confusing message as they still have the security-by-obscurity recommendation of changing port numbers. And they do it on reddit... :roll:"

As for me posting this on Reddit, I posted to make people aware of our Product Security News post.
https://www.qnap.com/en/security-news/2 ... ce-attacks

When I advise on security, I try to give people a variety of options. So I mentioned VPN and using a Qlink as 2 ways not to expose ports on the NAS when accessing NAS remotely. But some people have a reason why they want to forward multiple ports. And if they forward ports, it is safer to use obscure ports rather than standard ports. Not as safe as VPN, but there will be much fewer brute force attacks if you don't use standard ports and disable admin as the Product Security News post suggested.

My goal is to give multiple options for customers who would not want to port forward more than just the VPN port and still have an option for customers who do want to forward ports but still take some reasonable precaussions.

I am open to feedback on this. What do you think I could say differently in the future?

User avatar
Toxic17
Ask me anything
Posts: 5663
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth
Contact:

Take Action to Protect Your QNAP Devices From Brute-Force Attacks

Post by Toxic17 » Tue Mar 30, 2021 4:49 pm

Image

Taipei, Taiwan, March 24, 2021 - QNAP® Systems, Inc. (QNAP), a leading computing, networking and storage solution innovator, considers product security its top priority. With increasing reports of brute-force attacks, QNAP urges its users to take immediate action to enhance the security of their devices. These actions include using strong passwords, changing the default access port number, and disabling the admin account.
Recently QNAP has received multiple user reports of hackers attempting to log in to QNAP devices using brute-force attacks – where hackers would try every possible password combination of a QNAP device user account. If a simple, weak, or predictable password is used (such as "password" or "12345") hackers can easily gain access to the device, breaching security, privacy, and confidentiality.
To take steps to avoid being hacked, QNAP recommends that users do not expose their devices on public networks. Using default network ports for public services should be avoided as well. Other steps to strengthen the security of QNAP appliances and mitigate brute-force attacks include setting complex (strong) passwords for user accounts, enabling password policies, and disabling the admin account.

For more information, please refer to the following FAQ: https://qnap.to/3c9zfg.
 

AlastairStevenson
Experience counts
Posts: 2315
Joined: Wed Jan 08, 2014 10:34 pm

Re: Take Action to Protect Your QNAP Devices From Brute-Force Attacks

Post by AlastairStevenson » Tue Mar 30, 2021 5:09 pm

And if they forward ports, it is safer to use obscure ports rather than standard ports
I'm sorry - but this only very marginally reduces the risk of being hacked by exposing the NAS to the entire internet, and must not be recommended.

It's so wrong to in any way endorse the practice of port forwarding for remote access to any devices - other than to a VPN server or appliance that's hardened and secured by design.
I've done a few honeypot tests to assess the spread of ports that get probed when exposed, and while it's fair to say that the 'common' ports get more attention than the others, all port ranges were well probed.
TS-431+ for storage and media and a bunch of IP cams under Surveillance Station. TVS-473 as files backup and QVR Pro.

User avatar
Moogle Stiltzkin
Ask me anything
Posts: 9843
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....
Contact:

Re: Take Action to Protect Your QNAP Devices From Brute-Force Attacks

Post by Moogle Stiltzkin » Tue Mar 30, 2021 5:32 pm

:mrgreen:
Last edited by Moogle Stiltzkin on Tue Mar 30, 2021 7:29 pm, edited 1 time in total.
NAS
[Main Server] QNAP TS-877 w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A w. 5x 2TB Samsung F3 (HD203WI) EXT4 Raid5
[Backup] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-659 Pro II
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D
[^] QNAP TS-228
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Qotom Pfsense|100dl/50ul MBPS FTTH Internet | Win10, WC PC-Intel i7 920 Ivy bridge desktop (1x 512gb Samsung 850 Pro SSD + 1x 4tb HGST Ultrastar 7K4000)


Guides & articles
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin

User avatar
Toxic17
Ask me anything
Posts: 5663
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth
Contact:

Re: Take Action to Protect Your QNAP Devices From Brute-Force Attacks

Post by Toxic17 » Tue Mar 30, 2021 6:12 pm

done
Regards Simon

QTS 4.x User Guidex

QNAP Club Repository
Submit a ticket • QNAP Helpdesk
QNAP Tutorials, User Manuals, FAQs, Downloads, Wiki
When you ask a question, please include the following


NAS: TS-473-32GB QM2-2P QXG-10G1T 4.5.3.1652 • TVS-463-16GB 4.5.3.1652 QM2-2S10G1TB • TS-459 Pro 2GB 4.2.6 • TS-121 4.3.3.1624 • APC Back-UPS ES 700G
Network: VM Hub3 • UniFi UDM Pro 1.10-0.9 • Controller: 6.2.23 • UniFi US-16-150W/US-8-60W 5.60.3 • USW Mini Flex 1.8.4 • UniFi G3-Flex • AP: AC Pro 5.60.3 • U6-LR 5.60.3

P3R
Guru
Posts: 12626
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: Take Action to Protect Your QNAP Devices From Brute-Force Attacks

Post by P3R » Wed Mar 31, 2021 12:10 am

QNAPDanielFL wrote:
Tue Mar 30, 2021 4:38 am
And if they forward ports, it is safer to use obscure ports rather than standard ports.
Not really. It's only safer for the users that haven't changed to a strong admin password, not disabled admin and not enabled 2FA but since those users haven't done any of that, they're typically not the ones that will change their ports either.

What obscuring a port does is that it hide one of the symptoms of the inherent insecurity of having ports open and it will give many home and SMB users a sense of security so after changing that and the system appear to be secure again, several of them will most likely think that it's okay to continue with a system open for remote access. They have after all followed the Qnap "security" recommendations. In the reddit comments to your thread we see "Switching the public port helped a great deal. Now no more attacks.". I'd think that the total net effect of change in risk for the installed base of Qnaps by that obscurity advice is marginal, unchanged or maybe even a slight increase.

I'm not saying that it's all wrong to move a well-known service to an obscure port but it is wrong to present it as something that increases security. It doesn't protect against zero-day vulnerabilities and it doesn't in any way prevent a targeted attack. The positive thing it does is that it make the log files less cluttered and give a more experienced user at best a few minutes to react to a targeted attack, so in some cases it could be said to add a tiny bit security but nothing that makes it worth to be mentioned as a security precaution.
...and disable admin...
That could have been a good advice if the system design had allowed it without negative consequences. Take for example the configuration of a snapshot replica, that with it's hard-coded(!) admin account forces everyone to have admin enabled and to disable 2FA on the system holding the remote snapshot vault. So there we have a Qnap data safety feature implemented in a way that prevent the possibility to secure the system. Isn't that ironic... :roll:

By the way, in the comments to your reddit post I noticed you replying that only admin can login with SSH. That is incorrect. I don't remember when it was added but on the SSH page you can edit the access permissions to include other administrative users to login via SSH and thereby keep admin disabled and still have remote SSH access from support as was the request. That doesn't help against hard-coded user names in QTS though... :wink:
I am open to feedback on this. What do you think I could say differently in the future?
I don't think that you've said anything wrong, I would have preferred you to say those things here as well though. I don't understand why reddit is a more valued communication channel for Qnap than this community and why you want to force users to reddit to get a Qnap spokesperson view on security issues. But you're employed by Qnap so you have to deliver the corporate message, that's not your fault.

I'm frustrated that the company have for years pushed their less experienced users (with both marketing and insecure defaults) into what us more security-oriented admins have warned about and that have lead to thousands of users being seriously affected by ransomware and other malware. I'm frustrated about how a glossy outside is prioritized over a stable and secure structure on the inside. I'm frustrated about the security culture still being the extremely dated one of never reveiling more than absolutely necessary and rather obscure than inform. It's so pre-internet and about at the same as the security culture in companies like Microsoft 30-40 years ago. Look at the Malware Scanner that keep users in the dark of what it does. Look at the Qnap CVEs, they never contain any technical details so hackers know about your security vulnerabilities but your customers don't.
Last edited by P3R on Tue Apr 06, 2021 12:01 am, edited 1 time in total.
RAID have never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!

User avatar
jaysona
Been there, done that
Posts: 662
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: Take Action to Protect Your QNAP Devices From Brute-Force Attacks

Post by jaysona » Mon Apr 05, 2021 11:53 pm

P3R wrote:
Wed Mar 31, 2021 12:10 am
...
Look at the Qnap CVEs, they never contain any technical details so hackers know about your security vulnerabilities but your customers don't.
I firmly believe this is the primary reason why QNAP got their own CNA - that is the only way they get to control (and hide the details) the narrative of QNAP related security vulnerabilities.

Although - that may change. There are some discussions in the hacker community about avoiding QNAP (due to their lack of responsiveness and some of the gag orders they try to impose) and going full disclosure a la pastebin style.

Only time will tell.....
H/W: TS-219 Pro / TS-269 Pro / TS-253 Pro (8Gig) / TS-509 Pro x2 / TS-569 Pro
H/W: TS-670 Pro (i7-3770S 16Gig) x2 / TS-853 Pro (8Gig) / TVS-871 Pro (i7-4790S 16Gig)
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 384.19
Router2: Asus RT-AC68U - DD-WRT v3.0-r39960M kongac
Router3: Linksys WRT1900AC - DD-WRT v3.0-r43028 std
Router4: Asus RT-AC66U - FreshTomato v2020.7
Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)

User avatar
Toxic17
Ask me anything
Posts: 5663
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth
Contact:

Re: Take Action to Protect Your QNAP Devices From Brute-Force Attacks

Post by Toxic17 » Fri Apr 23, 2021 5:16 am

jaysona wrote:
Mon Apr 05, 2021 11:53 pm
(due to their lack of responsiveness and some of the gag orders they try to impose
Come to think of it, is this not something similar to when the outbreak of COVID-19 happened :lol:
Regards Simon

QTS 4.x User Guidex

QNAP Club Repository
Submit a ticket • QNAP Helpdesk
QNAP Tutorials, User Manuals, FAQs, Downloads, Wiki
When you ask a question, please include the following


NAS: TS-473-32GB QM2-2P QXG-10G1T 4.5.3.1652 • TVS-463-16GB 4.5.3.1652 QM2-2S10G1TB • TS-459 Pro 2GB 4.2.6 • TS-121 4.3.3.1624 • APC Back-UPS ES 700G
Network: VM Hub3 • UniFi UDM Pro 1.10-0.9 • Controller: 6.2.23 • UniFi US-16-150W/US-8-60W 5.60.3 • USW Mini Flex 1.8.4 • UniFi G3-Flex • AP: AC Pro 5.60.3 • U6-LR 5.60.3

ColHut
Getting the hang of things
Posts: 69
Joined: Sat Oct 14, 2017 12:13 am

Re: Take Action to Protect Your QNAP Devices From Brute-Force Attacks

Post by ColHut » Sat Apr 24, 2021 12:12 am

Thankyou all for your comments here. It motivated me to really check the logs etc as well as the updates and security settings.

I am gobsmacked to find that on the 8th December last there were two temporary bans against a Singapore IP followed on the 9th by 14 unknown to me user access from accounts I don’t have on their followed by 27 from an IP matching Amazon Ireland, again user names I have never heard of.

I have been through the general log and cannot see what they did. I even checked my emails to see if there was something going on at the time. The users were completely unknown to me.
Those IPs were 64.235.45.132 and 34.253.92.139.

I cannot see any dodgy programs running, no idea what they got. As far as I can see they just logged in. I do note that the guts of the 251D were transferred from a TS212E a few weeks or more earlier but I am not sure of the relevance.

I am seriously confused and mighty paranoid.

Regards.

User avatar
jaysona
Been there, done that
Posts: 662
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: Take Action to Protect Your QNAP Devices From Brute-Force Attacks

Post by jaysona » Sat Apr 24, 2021 2:29 am

ColHut wrote:
Sat Apr 24, 2021 12:12 am
...
I cannot see any dodgy programs running, no idea what they got. As far as I can see they just logged in. I do note that the guts of the 251D were transferred from a TS212E a few weeks or more earlier but I am not sure of the relevance.

I am seriously confused and mighty paranoid.

Regards.
Do you actually see successful login or a failed login - as depicted below?
AdmLoginSuccFail.png
If someone that you do not know was able to successfully login to your NAS from the Internet, then they could have done pretty much anything to your NAS.

Personally, if I were in your situation, I would back up my data - and only the data. I would perform a firmware recovery, wipe the hard drives by connecting them to another computer using the other computer to format the hard disks and then re-initialize the NAS from scratch.

That is the only way to be relatively certain that your NAS has not been compromised for whatever purpose(s).

Firmware recovery instructions:
https://wiki.qnap.com/wiki/Firmware_Recovery
You do not have the required permissions to view the files attached to this post.
H/W: TS-219 Pro / TS-269 Pro / TS-253 Pro (8Gig) / TS-509 Pro x2 / TS-569 Pro
H/W: TS-670 Pro (i7-3770S 16Gig) x2 / TS-853 Pro (8Gig) / TVS-871 Pro (i7-4790S 16Gig)
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 384.19
Router2: Asus RT-AC68U - DD-WRT v3.0-r39960M kongac
Router3: Linksys WRT1900AC - DD-WRT v3.0-r43028 std
Router4: Asus RT-AC66U - FreshTomato v2020.7
Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)

User avatar
Moogle Stiltzkin
Ask me anything
Posts: 9843
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....
Contact:

Re: Take Action to Protect Your QNAP Devices From Brute-Force Attacks

Post by Moogle Stiltzkin » Sat Apr 24, 2021 9:50 am

ColHut wrote:
Sat Apr 24, 2021 12:12 am
...
did you use vpn for your remote setup? and do you regularly update your qts and other client devices on network? and do you keep backups of your data on a separate device :' you should
NAS
[Main Server] QNAP TS-877 w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A w. 5x 2TB Samsung F3 (HD203WI) EXT4 Raid5
[Backup] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-659 Pro II
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D
[^] QNAP TS-228
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Qotom Pfsense|100dl/50ul MBPS FTTH Internet | Win10, WC PC-Intel i7 920 Ivy bridge desktop (1x 512gb Samsung 850 Pro SSD + 1x 4tb HGST Ultrastar 7K4000)


Guides & articles
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin

ColHut
Getting the hang of things
Posts: 69
Joined: Sat Oct 14, 2017 12:13 am

Re: Take Action to Protect Your QNAP Devices From Brute-Force Attacks

Post by ColHut » Sat Apr 24, 2021 10:52 am

Thanks.

I Have a TS-451A at my house which backs up the local PCs. I have been using only Qlink, (or so I thought but will check for NAS to NAS). No Vpn, The TS-251D is at another site, and I have limited control of the router there- its is not my house. I just got them to turn off upnp? My own router has upnp disabled.

I also back up each NAS once a month onto its own USB HDD which I keep in the other location. And I back up more important files on each NAS to the other NAS as well.

I am fanatical about updates, but was probably insufficiently focussed when setting up the 251D back in November/December last. Probably took my eye off the ball.

I wil need to go through all settings with a fine tooth fomb.

Post Reply

Return to “Users' Corner”