Take Action to Protect Your QNAP Devices From Brute-Force Attacks

ColHut
Know my way around
Posts: 248
Joined: Sat Oct 14, 2017 12:13 am

Re: Take Action to Protect Your QNAP Devices From Brute-Force Attacks

Post by ColHut »

Here is a capture of some of the logins.
Capture.PNG
mystified.
spile
Been there, done that
Posts: 637
Joined: Tue May 24, 2016 12:13 am

Re: Take Action to Protect Your QNAP Devices From Brute-Force Attacks

Post by spile »

The use of Reddit rather than their own forums to publicise and support their users is very regrettable and one that I have raised directly with Qnap staff. I hope this policy changes.
AlastairStevenson
Experience counts
Posts: 2415
Joined: Wed Jan 08, 2014 10:34 pm

Re: Take Action to Protect Your QNAP Devices From Brute-Force Attacks

Post by AlastairStevenson »

Here is a capture of some of the logins.
Nothing mysterious about that.
It's the internet, dude.
What do you expect when you allow the entire world to access your device?
TS-431+ for storage and media and a bunch of IP cams under Surveillance Station. TVS-473 as files backup and QVR Pro.
QNAPDanielFL
Easy as a breeze
Posts: 488
Joined: Fri Mar 31, 2017 7:09 am

Re: Take Action to Protect Your QNAP Devices From Brute-Force Attacks

Post by QNAPDanielFL »

spile wrote: Sat Apr 24, 2021 3:02 pm The use of Reddit rather than their own forums to publicise and support their users is very regrettable and one that I have raised directly with Qnap staff. I hope this policy changes.
I do post here sometimes. But I could post more.
AlastairStevenson
Experience counts
Posts: 2415
Joined: Wed Jan 08, 2014 10:34 pm

Re: Take Action to Protect Your QNAP Devices From Brute-Force Attacks

Post by AlastairStevenson »

But I could post more.
Indeed.
That would be welcome, and helpful.
TS-431+ for storage and media and a bunch of IP cams under Surveillance Station. TVS-473 as files backup and QVR Pro.
ColHut
Know my way around
Posts: 248
Joined: Sat Oct 14, 2017 12:13 am

Re: Take Action to Protect Your QNAP Devices From Brute-Force Attacks

Post by ColHut »

AlastairStevenson wrote: Sun Apr 25, 2021 5:44 am
Here is a capture of some of the logins.
Nothing mysterious about that.
It's the internet, dude.
What do you expect when you allow the entire world to access your device?
I suppose I thought that if I opened only the minimum of ports, used strong passwords, and followed QNAP's guidance on keeping my NAS secure I would be fairly safe and I could use it as advertised. I am not sure how access was obtained and likely will never know. Nor am I sure that a VPN would have helped, although at the time a VPN was simply not feasible in my use case.

Regards
spile
Been there, done that
Posts: 637
Joined: Tue May 24, 2016 12:13 am

Re: Take Action to Protect Your QNAP Devices From Brute-Force Attacks

Post by spile »

AlastairStevenson wrote: Sun Apr 25, 2021 5:56 am
But I could post more.
Indeed.
That would be welcome, and helpful.
Agreed (along with your colleagues) and particularly for questions that have been unanswered or unresolved.
P3R
Guru
Posts: 13183
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: Take Action to Protect Your QNAP Devices From Brute-Force Attacks

Post by P3R »

ColHut wrote: Sun Apr 25, 2021 11:37 am Nor am I sure that a VPN would have helped...
It would. A properly configured site-to-site or remote access VPN (but not a paid VPN service for privacy) can be considered secure, as long as you're not with the mafia or interesting to state-sponsored hacking organizations. And even if you are that much of a target, they probably wouldn't attack the VPN but hack you in another way.
RAID has never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
nasmonkey
Starting out
Posts: 25
Joined: Sat Sep 12, 2015 8:40 am

Re: Take Action to Protect Your QNAP Devices From Brute-Force Attacks

Post by nasmonkey »

I just read about Qlocker and eCh0raix today. When I set up my QNAP years ago, I did not enable any cloud features. It's strictly a storage device for my internal LAN.

Some questions:

Has anyone confirmed that only devices that were affected had the cloud features enabled?

Is there a guide to make sure your device is set up securely? How can I be 100% sure that there aren't any cloud features enabled on my NAS?

What is considered a "public" network? Is hooking up to your ISP considered a public network? (ISP <-> Cable Modem <-> Router)
dolbyman
Guru
Posts: 34903
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Take Action to Protect Your QNAP Devices From Brute-Force Attacks

Post by dolbyman »

As long as no ports are forwarded from WAN to LAN (manual or UPnP), the NAS should be safe.
rafale
Easy as a breeze
Posts: 350
Joined: Tue May 12, 2015 1:53 pm

Re: Take Action to Protect Your QNAP Devices From Brute-Force Attacks

Post by rafale »

nasmonkey wrote: Sat May 01, 2021 6:36 am I just read about Qlocker and eCh0raix today. When I set up my QNAP years ago, I did not enable any cloud features. It's strictly a storage device for my internal LAN.

Some questions:

Has anyone confirmed that only devices that were affected had the cloud features enabled?

Is there a guide to make sure your device is set up securely? How can I be 100% sure that there aren't any cloud features enabled on my NAS?

What is considered a "public" network? Is hooking up to your ISP considered a public network? (ISP <-> Cable Modem <-> Router)
Trying to answer your last question here, but it may end up being a networking class if you really want in-depth knowledge, and you can probably do some research.
To start, it is important to understand the terms WAN and LAN. I found a link https://www.makeuseof.com/wan-vs-lan/ which gives some explanation.
Essentially your router is the barrier/bridge between the two networks and it usually includes a firewall. The firewall implements rules to either allow data packets to pass or block them, and the router translates the addresses... doing the "routing" so that the data packets get to and from the WAN to LAN addresses (that's called NAT, or network address translation). The WAN is where the exposure is, and the security issues come when you open and expose ports from your LAN to the WAN, i.e. forward a port from your NAS IP to your WAN IP, making it accessible to everyone in the world. Even if it may be password protected, it is a huge liability.

The cloud features are a different pathway. Essentially creating a link/bridge between the device inside your LAN to a server in the WAN which could be exploited if someone hacks the cloud server or the owner of the cloud server decides to be malicious.
Server: TVS-872XT i9 9900 ES, 64GB DDR4 2666MHz, intel X550-T2, Asus RTX3070 Dual OC (On pico PSU), 2x Phison E12 1TB M.2, 4x Micron 5210 7.68TB, 4x WD Purple 4TB
Backup NAS: TS-473 20GB DDR4 2400MHz, Mellanox ConnectX3, 2x Samsung PM871b 256GB M.2, 4x WD Red 8TB
Former units: TVS-1282, TS-871, TS-469
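
The WAN-to-LAN forwards that dolbyman and rafale describe above can be checked, for the UPnP case, by reading the router's mapping table. This is an added example, not part of any post in this thread: it assumes the table was listed with miniupnpc's `upnpc -l`, and it runs on a constructed sample of that output with made-up addresses.

```python
import re
from typing import NamedTuple

# Constructed sample in the layout printed by miniupnpc's `upnpc -l`
# (assumption: the thread names no tool). All addresses are made up.
SAMPLE_UPNPC_OUTPUT = """\
ExternalIPAddress = 203.0.113.7
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP  8080->192.168.1.50:8080  'NAS web admin' '' 0
 1 UDP 51413->192.168.1.23:51413 'torrent client' '' 0
 2 TCP   443->192.168.1.50:443   'NAS https' '' 3600
"""

# One mapping row: index, protocol, external port -> LAN address:port, 'description'
MAPPING_RE = re.compile(
    r"^\s*\d+\s+(?P<proto>TCP|UDP)\s+(?P<ext>\d+)->"
    r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3}):(?P<int>\d+)\s+'(?P<desc>[^']*)'"
)

class Forward(NamedTuple):
    proto: str
    external_port: int
    lan_addr: str
    internal_port: int
    description: str

def parse_mappings(text):
    """Return every WAN->LAN mapping listed in the router's UPnP table."""
    found = []
    for line in text.splitlines():
        m = MAPPING_RE.match(line)
        if m:  # header and ExternalIPAddress lines do not match and are skipped
            found.append(Forward(m["proto"], int(m["ext"]), m["addr"],
                                 int(m["int"]), m["desc"]))
    return found

def forwards_to(text, nas_ip):
    """Mappings that make the device at nas_ip reachable from the WAN side."""
    return [f for f in parse_mappings(text) if f.lan_addr == nas_ip]

if __name__ == "__main__":
    exposed = forwards_to(SAMPLE_UPNPC_OUTPUT, "192.168.1.50")
    for f in exposed:
        print(f"WAN {f.proto}/{f.external_port} -> "
              f"{f.lan_addr}:{f.internal_port} ({f.description})")
    print("NAS reachable from WAN" if exposed else "no UPnP forwards to the NAS")
```

Manually configured forwards do not appear in the UPnP table and have to be checked in the router's own port-forwarding settings.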
spile
Been there, done that
Posts: 637
Joined: Tue May 24, 2016 12:13 am

Re: Take Action to Protect Your QNAP Devices From Brute-Force Attacks

Post by spile »

nasmonkey wrote: Sat May 01, 2021 6:36 am Is there a guide to make sure your device is set up securely? How can I be 100% sure that there aren't any cloud features enabled on my NAS?
I start with the manufacturer's own security advice, guides and tools like Security Counselor on the QNAP.
Then do a risk assessment based on YOUR circumstances. No one user can assess your requirements and needs on a forum and it’s something you need to carry out yourself.
Next look at user forums like this one and get a picture of repeated advice. It is important to do this rather than listening to one user. Implement measures (note the plural) as necessary.