Take Action to Protect Your QNAP Devices From Brute-Force Attacks
-
- Know my way around
- Posts: 249
- Joined: Sat Oct 14, 2017 12:13 am
Re: Take Action to Protect Your QNAP Devices From Brute-Force Attacks
Here is a capture of some of the logins.
mystified.
- spile
- Been there, done that
- Posts: 641
- Joined: Tue May 24, 2016 12:13 am
Re: Take Action to Protect Your QNAP Devices From Brute-Force Attacks
The use of Reddit rather than their own forums to publicise and support their users is very regrettable and one that I have raised directly with QNAP staff. I hope this policy changes.
-
- Experience counts
- Posts: 2415
- Joined: Wed Jan 08, 2014 10:34 pm
Re: Take Action to Protect Your QNAP Devices From Brute-Force Attacks
> Here is a capture of some of the logins.
Nothing mysterious about that.
It's the internet, dude.
What do you expect when you allow the entire world to access your device?
TS-431+ for storage and media and a bunch of IP cams under Surveillance Station. TVS-473 as files backup and QVR Pro.
-
- Easy as a breeze
- Posts: 488
- Joined: Fri Mar 31, 2017 7:09 am
-
- Experience counts
- Posts: 2415
- Joined: Wed Jan 08, 2014 10:34 pm
Re: Take Action to Protect Your QNAP Devices From Brute-Force Attacks
> But I could post more.
Indeed.
That would be welcome, and helpful.
-
- Know my way around
- Posts: 249
- Joined: Sat Oct 14, 2017 12:13 am
Re: Take Action to Protect Your QNAP Devices From Brute-Force Attacks
AlastairStevenson wrote: ↑Sun Apr 25, 2021 5:44 am
> > Here is a capture of some of the logins.
> Nothing mysterious about that.
> It's the internet, dude.
> What do you expect when you allow the entire world to access your device?
I suppose I thought that if I opened only the minimum of ports, used strong passwords, and followed QNAP's guidance on keeping my NAS secure I would be fairly safe and I could use it as advertised. I am not sure how access was obtained and likely will never know. Nor am I sure that a VPN would have helped, although at the time a VPN was simply not feasible in my use case.
Regards
- spile
- Been there, done that
- Posts: 641
- Joined: Tue May 24, 2016 12:13 am
Re: Take Action to Protect Your QNAP Devices From Brute-Force Attacks
AlastairStevenson wrote: ↑Sun Apr 25, 2021 5:56 am
> > But I could post more.
> Indeed.
> That would be welcome, and helpful.
Agreed (along with your colleagues) and particularly for questions that have been unanswered or unresolved.
-
- Guru
- Posts: 13192
- Joined: Sat Dec 29, 2007 1:39 am
- Location: Stockholm, Sweden (UTC+01:00)
Re: Take Action to Protect Your QNAP Devices From Brute-Force Attacks
It would. A properly configured site-to-site or remote access VPN (but not a paid VPN service for privacy) can be considered secure, as long as you're not with the mafia or interesting to state-sponsored hacking organizations. And even if you are that much of a target, they probably wouldn't attack the VPN but hack you in another way.
RAID has never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!
A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.
All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
-
- Starting out
- Posts: 25
- Joined: Sat Sep 12, 2015 8:40 am
Re: Take Action to Protect Your QNAP Devices From Brute-Force Attacks
I just read about Qlocker and eCh0raix today. When I set up my QNAP years ago, I did not enable any cloud features. It's strictly a storage device for my internal LAN.
Some questions:
Has anyone confirmed that only devices that were affected had the cloud features enabled?
Is there a guide to make sure your device is set up securely? How can I be 100% sure that there aren't any cloud features enabled on my NAS?
What is considered a "public" network? Is hooking up to your ISP considered a public network? (ISP <-> Cable Modem <-> Router)
- dolbyman
- Guru
- Posts: 35272
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: Take Action to Protect Your QNAP Devices From Brute-Force Attacks
As long as no ports are forwarded from WAN to LAN (manual or UPnP), the NAS should be safe.
- rafale
- Easy as a breeze
- Posts: 350
- Joined: Tue May 12, 2015 1:53 pm
Re: Take Action to Protect Your QNAP Devices From Brute-Force Attacks
nasmonkey wrote: ↑Sat May 01, 2021 6:36 am
> I just read about Qlocker and eCh0raix today. When I set up my QNAP years ago, I did not enable any cloud features. It's strictly a storage device for my internal LAN.
> Some questions:
> Has anyone confirmed that only devices that were affected had the cloud features enabled?
> Is there a guide to make sure your device is set up securely? How can I be 100% sure that there aren't any cloud features enabled on my NAS?
> What is considered a "public" network? Is hooking up to your ISP considered a public network? (ISP <-> Cable Modem <-> Router)
Trying to answer your last question here, but it may end up being a networking class if you really want in-depth knowledge, and you can probably do some research.
To start it is important to understand the terms WAN and LAN. I found a link https://www.makeuseof.com/wan-vs-lan/ which gives some explanation.
Essentially your router is the barrier/bridge between the two networks and it usually includes a firewall. The firewall implements rules to either allow data packets to pass or block them, and the router translates the addresses... doing the "routing" so that the data packets get to and from the WAN to LAN addresses (that's called NAT, or network address translation). The WAN is where the exposure is, and the security issues come when you open and expose ports from your LAN to the WAN, i.e. forward a port from your NAS IP to your WAN IP, making it accessible to everyone in the world. Even if it may be password protected, it is a huge liability.
The cloud features are a different pathway. Essentially creating a link/bridge between the device inside your LAN to a server in the WAN which could be exploited if someone hacks the cloud server or the owner of the cloud server decides to be malicious.
Server: TVS-872XT i9 9900 ES, 64GB DDR4 2666MHz, intel X550-T2, Asus RTX3070 Dual OC (On pico PSU), 2x Phison E12 1TB M.2, 4x Micron 5210 7.68TB, 4x WD Purple 4TB
Backup NAS: TS-473 20GB DDR4 2400MHz, Mellanox ConnectX3, 2x Samsung PM871b 256GB M.2, 4x WD Red 8TB
Former units: TVS-1282, TS-871, TS-469
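The two pathways described in the post above (a port forward, manual or UPnP, and a cloud feature that dials out from the LAN) can be seen in a toy model of a router's NAT and firewall. This is an added example, not part of any post in the thread; the `Router` class, the addresses and the port numbers are constructed for illustration, and real routers apply more rules than this.

```python
from dataclasses import dataclass, field

NAS = "192.168.1.50"      # constructed LAN address of the NAS
SCANNER = "203.0.113.7"   # constructed Internet host (documentation range)
RELAY = "198.51.100.20"   # constructed vendor cloud relay (documentation range)

@dataclass
class Router:
    """Toy NAT/firewall: tracks port forwards and sessions opened from the LAN."""
    forwards: dict = field(default_factory=dict)  # (proto, wan_port) -> (lan_ip, lan_port)
    sessions: dict = field(default_factory=dict)  # (proto, wan_port, remote) -> (lan_ip, lan_port)
    next_port: int = 40000

    def add_forward(self, proto, wan_port, lan_ip, lan_port):
        """Manual rule or UPnP request: publish a LAN service on the WAN address."""
        self.forwards[(proto, wan_port)] = (lan_ip, lan_port)

    def outbound(self, proto, lan_ip, lan_port, remote):
        """A LAN host connects out; remember it so replies can be translated back."""
        wan_port, self.next_port = self.next_port, self.next_port + 1
        self.sessions[(proto, wan_port, remote)] = (lan_ip, lan_port)
        return wan_port

    def inbound(self, proto, remote, wan_port):
        """Return the LAN (ip, port) a WAN packet is delivered to, or None if dropped."""
        reply_to = self.sessions.get((proto, wan_port, remote))
        if reply_to is not None:
            return reply_to                          # reply on a LAN-initiated session
        return self.forwards.get((proto, wan_port))  # otherwise only a forward admits it

def run_scenarios():
    out = {}
    r = Router()
    out["lan_only"] = r.inbound("tcp", (SCANNER, 51000), 8080)   # no forward: dropped
    r.add_forward("tcp", 8080, NAS, 8080)
    out["forwarded"] = r.inbound("tcp", (SCANNER, 51000), 8080)  # whole world reaches the NAS
    r2 = Router()                                                # no forwards at all
    port = r2.outbound("tcp", NAS, 44321, (RELAY, 443))          # cloud feature dials out
    out["relay_reply"] = r2.inbound("tcp", (RELAY, 443), port)   # relay can reach the NAS
    out["scanner_same_port"] = r2.inbound("tcp", (SCANNER, 51000), port)  # strangers cannot
    return out

if __name__ == "__main__":
    for name, dest in run_scenarios().items():
        print(f"{name:18} -> {dest or 'DROPPED'}")
```

With no forward the unsolicited packet is dropped; the relay case shows why a cloud link is only as trustworthy as the server at the other end.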
- spile
- Been there, done that
- Posts: 641
- Joined: Tue May 24, 2016 12:13 am
Re: Take Action to Protect Your QNAP Devices From Brute-Force Attacks
I start with the manufacturer's own security advice, guides and tools like Security Counselor on the QNAP.
Then do a risk assessment based on YOUR circumstances. No one user can assess your requirements and needs on a forum and it’s something you need to carry out yourself.
Next look at user forums like this one and get a picture of repeated advice. It is important to do this rather than listening to one user. Implement measures (note the plural) as necessary.