Take Action to Protect Your QNAP Devices From Brute-Force Attacks
- Moogle Stiltzkin
- Guru
- Posts: 11445
- Joined: Thu Dec 04, 2008 12:21 am
- Location: Around the world....
- Contact:
Take Action to Protect Your QNAP Devices From Brute-Force Attacks
NAS
[Main Server] QNAP TS-877 (QTS) w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A (Truenas Core) w. 4x 2TB Samsung F3 (HD203WI) RaidZ1 ZFS + 8gb ddr3 Crucial
[^] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D (Truenas Scale)
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1
Network
Qotom Pfsense|100mbps FTTH | Win11, Ryzen 5600X Desktop (1x2tb Crucial P50 Plus M.2 SSD, 1x 8tb seagate Ironwolf,1x 4tb HGST Ultrastar 7K4000)
Resources
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin
-
- Guru
- Posts: 13192
- Joined: Sat Dec 29, 2007 1:39 am
- Location: Stockholm, Sweden (UTC+01:00)
Re: Take Action to Protect Your QNAP Devices From Brute-Force Attacks
Moogle Stiltzkin wrote: ↑Thu Mar 25, 2021 4:43 pm
https://www.reddit.com/r/qnap/comments/ ... ices_from/
Several experienced administrators have been saying it over and over for years here in the forum that exposing your NASes on a public network is dangerous and strongly not recommended. Now finally even Qnap admit that exposing your NAS on the internet (that they've been pushing their users into doing with both marketing and insecure defaults) is a bad thing to do. But they do it with a confusing message as they still have the security-by-obscurity recommendation of changing port numbers. And they do it on reddit...
Use a remote access VPN, preferably implemented on the router/firewall if you absolutely need remote access!
RAID have never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!
A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.
All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
- jaysona
- Been there, done that
- Posts: 856
- Joined: Tue Dec 02, 2008 11:26 am
- Location: Somewhere in the Great White North
Re: Take Action to Protect Your QNAP Devices From Brute-Force Attacks
P3R wrote: ↑Thu Mar 25, 2021 11:14 pm
"Several experienced administrators have been saying it over and over for years here in the forum that exposing your NASes on a public network is dangerous and strongly not recommended. Now finally even Qnap admit that exposing your NAS on the internet (that they've been pushing their users into doing with both marketing and insecure defaults) is a bad thing to do. But they do it with a confusing message as they still have the security-by-obscurity recommendation of changing port numbers. And they do it on reddit...
Use a remote access VPN, preferably implemented on the router/firewall if you absolutely need remote access!"
QNAP and security, like oil and water, they just don't mix.
RAID is not a Back-up!
H/W: QNAP TVS-872x (i7-8700. 64GB) (Plex server & encoding host) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6706T (32GB) / Asustor AS7010T (16GB) (media storage)
H/W: TS-219 Pro / TS-509 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AX86U - Asuswrt-Merlin - 3004.388.6_2
Router2: Asus RT-AC66U - Asuswrt-Merlin - 386.12_6
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15
Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB)
-
- Easy as a breeze
- Posts: 488
- Joined: Fri Mar 31, 2017 7:09 am
Re: Take Action to Protect Your QNAP Devices From Brute-Force Attacks
"Now finally even Qnap admit that exposing your NAS on the internet (that they've been pushing their users into doing with both marketing and insecure defaults) is a bad thing to do. But they do it with a confusing message as they still have the security-by-obscurity recommendation of changing port numbers. And they do it on reddit... "
As for me posting this on Reddit, I posted to make people aware of our Product Security News post.
https://www.qnap.com/en/security-news/2 ... ce-attacks
When I advise on security, I try to give people a variety of options. So I mentioned VPN and using a Qlink as 2 ways not to expose ports on the NAS when accessing NAS remotely. But some people have a reason why they want to forward multiple ports. And if they forward ports, it is safer to use obscure ports rather than standard ports. Not as safe as VPN, but there will be much fewer brute force attacks if you don't use standard ports and disable admin as the Product Security News post suggested.
My goal is to give multiple options for customers who would not want to port forward more than just the VPN port and still have an option for customers who do want to forward ports but still take some reasonable precautions.
I am open to feedback on this. What do you think I could say differently in the future?
- Toxic17
- Ask me anything
- Posts: 6477
- Joined: Tue Jan 25, 2011 11:41 pm
- Location: Planet Earth
- Contact:
Take Action to Protect Your QNAP Devices From Brute-Force Attacks
Taipei, Taiwan, March 24, 2021 - QNAP® Systems, Inc. (QNAP), a leading computing, networking and storage solution innovator, considers product security its top priority. With increasing reports of brute-force attacks, QNAP urges its users to take immediate action to enhance the security of their devices. These actions include using strong passwords, changing the default access port number, and disabling the admin account.
Recently QNAP has received multiple user reports of hackers attempting to log in to QNAP devices using brute-force attacks – where hackers would try every possible password combination of a QNAP device user account. If a simple, weak, or predictable password is used (such as "password" or "12345") hackers can easily gain access to the device, breaching security, privacy, and confidentiality.
To take steps to avoid being hacked, QNAP recommends that users do not expose their devices on public networks. Using default network ports for public services should be avoided as well. Other steps to strengthen the security of QNAP appliances and mitigate brute-force attacks include setting complex (strong) passwords for user accounts, enabling password policies, and disabling the admin account.
For more information, please refer to the following FAQ: https://qnap.to/3c9zfg.
-
- Experience counts
- Posts: 2415
- Joined: Wed Jan 08, 2014 10:34 pm
Re: Take Action to Protect Your QNAP Devices From Brute-Force Attacks
"And if they forward ports, it is safer to use obscure ports rather than standard ports"
I'm sorry - but this only very marginally reduces the risk of being hacked by exposing the NAS to the entire internet, and must not be recommended.
It's so wrong to in any way endorse the practice of port forwarding for remote access to any devices - other than to a VPN server or appliance that's hardened and secured by design.
I've done a few honeypot tests to assess the spread of ports that get probed when exposed, and while it's fair to say that the 'common' ports get more attention than the others, all port ranges were well probed.
TS-431+ for storage and media and a bunch of IP cams under Surveillance Station. TVS-473 as files backup and QVR Pro.
- Moogle Stiltzkin
- Guru
- Posts: 11445
- Joined: Thu Dec 04, 2008 12:21 am
- Location: Around the world....
- Contact:
Re: Take Action to Protect Your QNAP Devices From Brute-Force Attacks
Last edited by Moogle Stiltzkin on Tue Mar 30, 2021 7:29 pm, edited 1 time in total.
- Toxic17
- Ask me anything
- Posts: 6477
- Joined: Tue Jan 25, 2011 11:41 pm
- Location: Planet Earth
- Contact:
Re: Take Action to Protect Your QNAP Devices From Brute-Force Attacks
done
Regards Simon
Qnap Downloads
MyQNap.Org Repository
Submit a ticket • QNAP Helpdesk
QNAP Tutorials, User Manuals, FAQs, Downloads, Wiki
When you ask a question, please include the following
NAS: TS-673A QuTS hero h5.1.2.2534 • TS-121 4.3.3.2420 • APC Back-UPS ES 700G
Network: VM Hub3: 500/50 • UniFi UDM Pro: 3.2.9 • UniFi Network Controller: 8.0.28
USW-Aggregation: 6.6.61 • US-16-150W: 6.6.61 • 2x USW Mini Flex 2.0.0 • UniFi AC Pro 6.6.62 • UniFi U6-LR 6.6.62
UniFi Protect: 2.11.21/8TB Skyhawk AI • 3x G3 Instants: 4.69.55 • UniFi G3 Flex: 4.69.55 • UniFi G5 Flex: 4.69.55
-
- Guru
- Posts: 13192
- Joined: Sat Dec 29, 2007 1:39 am
- Location: Stockholm, Sweden (UTC+01:00)
Re: Take Action to Protect Your QNAP Devices From Brute-Force Attacks
QNAPDanielFL wrote: ↑Tue Mar 30, 2021 4:38 am
"And if they forward ports, it is safer to use obscure ports rather than standard ports."
Not really. It's only safer for the users that haven't changed to a strong admin password, not disabled admin and not enabled 2FA but since those users haven't done any of that, they're typically not the ones that will change their ports either.
What obscuring a port does is that it hides one of the symptoms of the inherent insecurity of having ports open and it will give many home and SMB users a sense of security so after changing that and the system appears to be secure again, several of them will most likely think that it's okay to continue with a system open for remote access. They have after all followed the Qnap "security" recommendations. In the reddit comments to your thread we see "Switching the public port helped a great deal. Now no more attacks.". I'd think that the total net effect of change in risk for the installed base of Qnaps by that obscurity advice is marginal, unchanged or maybe even a slight increase.
I'm not saying that it's all wrong to move a well-known service to an obscure port but it is wrong to present it as something that increases security. It doesn't protect against zero-day vulnerabilities and it doesn't in any way prevent a targeted attack. The positive thing it does is that it makes the log files less cluttered and gives a more experienced user at best a few minutes to react to a targeted attack, so in some cases it could be said to add a tiny bit of security but nothing that makes it worth mentioning as a security precaution.
"...and disable admin..."
That could have been good advice if the system design had allowed it without negative consequences. Take for example the configuration of a snapshot replica, that with its hard-coded(!) admin account forces everyone to have admin enabled and to disable 2FA on the system holding the remote snapshot vault. So there we have a Qnap data safety feature implemented in a way that prevents the possibility to secure the system. Isn't that ironic...
By the way, in the comments to your reddit post I noticed you replying that only admin can login with SSH. That is incorrect. I don't remember when it was added but on the SSH page you can edit the access permissions to include other administrative users to login via SSH and thereby keep admin disabled and still have remote SSH access from support as was the request. That doesn't help against hard-coded user names in QTS though...
"I am open to feedback on this. What do you think I could say differently in the future?"
I don't think that you've said anything wrong, I would have preferred you to say those things here as well though. I don't understand why reddit is a more valued communication channel for Qnap than this community and why you want to force users to reddit to get a Qnap spokesperson view on security issues. But you're employed by Qnap so you have to deliver the corporate message, that's not your fault.
I'm frustrated that the company have for years pushed their less experienced users (with both marketing and insecure defaults) into what we more security-oriented admins have warned about and that has led to thousands of users being seriously affected by ransomware and other malware. I'm frustrated about how a glossy outside is prioritized over a stable and secure structure on the inside. I'm frustrated about the security culture still being the extremely dated one of never revealing more than absolutely necessary and rather obscure than inform. It's so pre-internet and about the same as the security culture in companies like Microsoft 30-40 years ago. Look at the Malware Scanner that keeps users in the dark of what it does. Look at the Qnap CVEs, they never contain any technical details so hackers know about your security vulnerabilities but your customers don't.
Last edited by P3R on Tue Apr 06, 2021 12:01 am, edited 1 time in total.
- jaysona
- Been there, done that
- Posts: 856
- Joined: Tue Dec 02, 2008 11:26 am
- Location: Somewhere in the Great White North
Re: Take Action to Protect Your QNAP Devices From Brute-Force Attacks
I firmly believe this is the primary reason why QNAP got their own CNA - that is the only way they get to control (and hide the details) the narrative of QNAP related security vulnerabilities.
Although - that may change. There are some discussions in the hacker community about avoiding QNAP (due to their lack of responsiveness and some of the gag orders they try to impose) and going full disclosure a la pastebin style.
Only time will tell.....
- Toxic17
- Ask me anything
- Posts: 6477
- Joined: Tue Jan 25, 2011 11:41 pm
- Location: Planet Earth
- Contact:
Re: Take Action to Protect Your QNAP Devices From Brute-Force Attacks
Come to think of it, is this not something similar to when the outbreak of COVID-19 happened
Regards Simon
-
- Know my way around
- Posts: 249
- Joined: Sat Oct 14, 2017 12:13 am
Re: Take Action to Protect Your QNAP Devices From Brute-Force Attacks
Thank you all for your comments here. It motivated me to really check the logs etc as well as the updates and security settings.
I am gobsmacked to find that on the 8th December last there were two temporary bans against a Singapore IP followed on the 9th by 14 unknown to me user access from accounts I don’t have on there followed by 27 from an IP matching Amazon Ireland, again user names I have never heard of.
I have been through the general log and cannot see what they did. I even checked my emails to see if there was something going on at the time. The users were completely unknown to me.
Those IPs were 64.235.45.132 and 34.253.92.139.
I cannot see any dodgy programs running, no idea what they got. As far as I can see they just logged in. I do note that the guts of the 251D were transferred from a TS212E a few weeks or more earlier but I am not sure of the relevance.
I am seriously confused and mighty paranoid.
Regards.
- jaysona
- Been there, done that
- Posts: 856
- Joined: Tue Dec 02, 2008 11:26 am
- Location: Somewhere in the Great White North
Re: Take Action to Protect Your QNAP Devices From Brute-Force Attacks
ColHut wrote: ↑Sat Apr 24, 2021 12:12 am
"...
I cannot see any dodgy programs running, no idea what they got. As far as I can see they just logged in. I do note that the guts of the 251D were transferred from a TS212E a few weeks or more earlier but I am not sure of the relevance.
I am seriously confused and mighty paranoid.
Regards."
Do you actually see successful login or a failed login - as depicted below?
If someone that you do not know was able to successfully login to your NAS from the Internet, then they could have done pretty much anything to your NAS.
Personally, if I were in your situation, I would back up my data - and only the data. I would perform a firmware recovery, wipe the hard drives by connecting them to another computer using the other computer to format the hard disks and then re-initialize the NAS from scratch.
That is the only way to be relatively certain that your NAS has not been compromised for whatever purpose(s).
Firmware recovery instructions:
https://wiki.qnap.com/wiki/Firmware_Recovery
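The distinction asked about in the post above (failed versus successful logins from outside), as an added example that is not part of the original thread: a triage pass over an exported connection log. The CSV column names, the action strings, the LAN range, the account names and the sample rows are all constructed assumptions and must be adapted to the actual export from the NAS.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Assumptions for illustration only (not taken from the thread or from QTS):
KNOWN_ACCOUNTS = {"alice", "bob"}          # accounts the owner actually created
LAN_NETS = [ip_network("192.168.1.0/24")]  # addresses considered local

# Constructed sample export; documentation-range IPs stand in for internet hosts.
SAMPLE_LOG = """\
timestamp,user,source_ip,action
2021-01-10 02:14:05,admin,203.0.113.7,Login Fail
2021-01-10 02:14:09,admin,203.0.113.7,Login Fail
2021-01-10 02:14:13,root,203.0.113.7,Login Fail
2021-01-10 08:30:00,alice,192.168.1.20,Login OK
2021-01-11 04:01:44,guest01,198.51.100.23,Login OK
2021-01-11 04:02:10,webuser,198.51.100.23,Login OK
2021-01-11 19:45:12,alice,203.0.113.7,Login OK
2021-01-12 07:00:00,bob,192.168.1.21,Login Fail
"""


def is_lan(ip):
    """True if the address belongs to one of the configured local networks."""
    addr = ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def triage(log_text, known_accounts=KNOWN_ACCOUNTS):
    """Separate external failed logins (noise) from external successes (incidents).

    Rows are processed in file order, so 'earlier failures' means failures
    that appear before the successful login in the export.
    """
    failed_by_ip = {}
    external_successes = []
    for row in csv.DictReader(io.StringIO(log_text)):
        ip = row["source_ip"].strip()
        user = row["user"].strip()
        action = row["action"].strip().lower()
        if is_lan(ip):
            continue  # local activity is out of scope for this check
        if action == "login fail":
            failed_by_ip[ip] = failed_by_ip.get(ip, 0) + 1
        elif action == "login ok":
            reasons = []
            if user not in known_accounts:
                reasons.append("unknown account")
            prior = failed_by_ip.get(ip, 0)
            if prior:
                reasons.append(f"{prior} earlier failed attempts from this IP")
            if not reasons:
                reasons.append("known account, but from outside the LAN")
            external_successes.append(
                {"timestamp": row["timestamp"], "user": user,
                 "source_ip": ip, "reasons": reasons}
            )
    return {"failed_by_ip": failed_by_ip, "external_successes": external_successes}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("External failed logins per IP:")
    for ip, count in sorted(report["failed_by_ip"].items()):
        print(f"  {ip}: {count}")
    print("External successful logins to investigate:")
    for hit in report["external_successes"]:
        print(f"  {hit['timestamp']} {hit['user']}@{hit['source_ip']}: "
              + "; ".join(hit["reasons"]))
```

Failed-only entries show attempts that did not get in; any entry under external successes is the case where the NAS should be treated as potentially compromised.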
- Moogle Stiltzkin
- Guru
- Posts: 11445
- Joined: Thu Dec 04, 2008 12:21 am
- Location: Around the world....
- Contact:
Re: Take Action to Protect Your QNAP Devices From Brute-Force Attacks
did you use vpn for your remote setup? and do you regularly update your qts and other client devices on network? and do you keep backups of your data on a separate device? you should
-
- Know my way around
- Posts: 249
- Joined: Sat Oct 14, 2017 12:13 am
Re: Take Action to Protect Your QNAP Devices From Brute-Force Attacks
Thanks.
I have a TS-451A at my house which backs up the local PCs. I have been using only Qlink (or so I thought, but will check for NAS to NAS). No VPN. The TS-251D is at another site, and I have limited control of the router there - it is not my house. I just got them to turn off upnp? My own router has upnp disabled.
I also back up each NAS once a month onto its own USB HDD which I keep in the other location. And I back up more important files on each NAS to the other NAS as well.
I am fanatical about updates, but was probably insufficiently focussed when setting up the 251D back in November/December last. Probably took my eye off the ball.
I will need to go through all settings with a fine tooth comb.