[Guide] Best security practices for QNAP NAS 2022

Moogle Stiltzkin
Guru
Posts: 11448
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....

[Guide] Best security practices for QNAP NAS 2022

Post by Moogle Stiltzkin »

This is just a compilation on the subject of best security practices for QNAP NAS which I've added to this thread for the newbs. There are way too many people getting hit by malware not knowing how or why, so this thread is to help educate them on how to prevent that, and on what is considered possible/not possible on a QNAP NAS in terms of security.


This part within the quote pertains to how safe it is to host stuff from your QNAP online. It explores that loaded question for people wanting to use their QNAP NAS remotely, whether it be to access an app or their shares.

QNAP Secure Hosting: Is it Even Possible? (slides from this video)
https://www.youtube.com/watch?v=Moe2YtUnUtI


How to Make QNAP NAS Secure
https://www.youtube.com/watch?v=fL2qGwRUq38

Secure Your QNAP NAS Immediately From Latest Wave of Attacks
https://www.servethehome.com/secure-you ... f-attacks/


The Scotti-BYTE Enterprise Consulting Services YouTube channel has a lot of in-depth explanations regarding this. It's worth checking out :)



So he mentions avoiding QPKGs, but I think if you are only using QPKGs on your LAN, they should be fine.

But for things you need remotely, containerized apps that are set up properly and use a Traefik reverse proxy and a VPN (maybe also do VLANs using a managed switch, as also suggested) are probably the way to go:
viewtopic.php?f=354&t=168577



The simplest answer: if you don't need remote access to shares or apps on your NAS over the internet, then just do not port forward at all. A pfSense router/firewall by default (change your password) does not expose your network online, so you should be able to use your QNAP NAS fine behind it. The trouble only begins once you try enabling UPnP, or start opening up ports willy-nilly without understanding the security aspects that you ignored while doing so. And this is why people get hit by malware: because they expose their NAS online without knowing what they are doing :S

And not to scaremonger, but I use QPKGs just fine without issue. But at the same time I do not expose my NAS online or use any sort of remote access. So if your use case is similar to mine, then QPKGs are perfectly fine on the LAN.

*update

Seeing as there are already people creating strawman arguments, I guess I have to clarify :roll: The YouTuber mentions QPKGs, though whether he meant the QNAP-only QPKGs (e.g. Station) or all QPKGs in general, I have no idea (you have to ask him that). For myself I can only say I used QPKGs (both QNAP's own, like Photo Station, and third-party QPKGs) on the LAN just fine. If you think the YouTuber said something wrong or you need clarification of what he meant, you can go to his channel and ask there. As for myself, I merely explained my own experience of having no issues using QPKGs in my no-remote / no-exposing-the-NAS-online setting, and having no issues with that whatsoever. That said, I do notice every so often a QNAP Station app shows up requiring a patch (so in regards to Station QPKGs, maybe it is better not to use them in a situation where you are doing some sort of remote access: https://www.qnap.com/en-us/security-advisories/ "use keyword station"; this is my own understanding of the situation). No idea about other third-party QPKGs, but these days I tend to use containerized Docker apps for my own use when possible. Hopefully that clarifies, but I already know this won't make a difference to some people since they are dead set on certain narratives :roll: I don't pay attention to trolls most of the time anyway lelz.



Another aspect that needs to be looked at is your network setup. I usually find Lawrence's videos to be insightful for these types of configurations. In his examples he usually uses pfSense. In some of his examples he does remote access, which I don't use, so I skip those parts. But if you are curious how that's done, you can see his guides/walkthroughs on how that is set up:

Basic Setup and Configuring pfsense Firewall Rules For Home
https://www.youtube.com/watch?v=bjr0rm93uVA

Virtual Tour of Our Network and How We Keep Things Secure Using the pFSense Firewall
https://www.youtube.com/watch?v=gNKpRlRqQrk

Office Network Design and Planning with VLANs, LLDP, Rules, IoT, Guest using UniFi & pfsense
https://www.youtube.com/watch?v=ouARr-4chJ8

Creating Firewall Rules To Secure Your Synology NAS
https://youtu.be/A1I1k9Nct-A?t=139

Based on this example, it seems he uses 2 NAS: one he uses for remote access, and the other for LAN only. So then less important stuff is on that risky NAS, and important stuff on the other NAS on the private VLAN. Less risky, I guess.


Other discussion threads that examine this issue:
https://www.reddit.com/r/qnap/comments/ ... _internet/

https://www.reddit.com/r/NextCloud/comm ... proxy_and/

https://www.reddit.com/r/qnap/comments/ ... _measures/

https://www.reddit.com/r/truenas/commen ... _services/

https://www.reddit.com/r/qnap/comments/ ... e_my_qnap/

https://www.reddit.com/r/qnap/comments/wm979v/how_to_secure_your_qnap/

https://www.zdnet.com/article/qnap-warns-nas-users-of-deadbolt-ransomware-urges-customers-to-update/
Last edited by Moogle Stiltzkin on Thu Nov 24, 2022 2:37 pm, edited 17 times in total.
NAS
[Main Server] QNAP TS-877 (QTS) w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A (Truenas Core) w. 4x 2TB Samsung F3 (HD203WI) RaidZ1 ZFS + 8gb ddr3 Crucial
[^] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D (Truenas Scale)
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Qotom Pfsense|100mbps FTTH | Win11, Ryzen 5600X Desktop (1x2tb Crucial P50 Plus M.2 SSD, 1x 8tb seagate Ironwolf,1x 4tb HGST Ultrastar 7K4000)


Resources
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin
Moogle Stiltzkin
Guru
Posts: 11448
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....

Re: [Guide] Best security practices for QNAP NAS

Post by Moogle Stiltzkin »

For VPN setup guides there is this:



Which VPN To Use In pfsense?
https://www.youtube.com/watch?v=GDC9aKtebAU

Tutorial: pfsense OpenVPN Configuration For Remote Users 2020
https://www.youtube.com/watch?v=PgielyUFGeQ

Tutorial: pfsense Wireguard For Remote Access
https://www.youtube.com/watch?v=8jQ5UE_7xds

How to Setup The Tailscale VPN and Routing on pfsense
https://www.youtube.com/watch?v=P-q-8R67OPY

Tutorial: Using Tailscale VPN with the Self Hosted Headscale Controller (if you are concerned about privacy/security issues, this is another option compared to Tailscale, but it is harder / more complex to set up)
https://www.youtube.com/watch?v=-9gXP6aaayw

PiVPN : How to Run a VPN Server on a $35 Raspberry Pi!
https://www.youtube.com/watch?v=15VjDVCISj0
Last edited by Moogle Stiltzkin on Thu Nov 24, 2022 2:10 pm, edited 1 time in total.
Moogle Stiltzkin
Guru
Posts: 11448
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....

Re: [Guide] Best security practices for QNAP NAS

Post by Moogle Stiltzkin »

And last but not least, keep a backup:
https://www.reddit.com/r/qnap/comments/ ... _a_backup/


If your data is important, make sure to have a backup plan in place, set to back up at intervals acceptable to you. Don't cry later about how to do data recovery. The solution is to have and maintain a backup, so if data is lost, you can then recover it.
Last edited by Moogle Stiltzkin on Thu Nov 24, 2022 9:40 am, edited 1 time in total.
Moogle Stiltzkin
Guru
Posts: 11448
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....

Re: [Guide] Best security practices for QNAP NAS 2022

Post by Moogle Stiltzkin »

Please do not be this guy, who takes no responsibility but then goes on YouTube to complain about why he got malware after exposing his NAS online without any sort of due diligence.
https://www.youtube.com/watch?v=S_4p68lDWfA&t=1211s

https://www.youtube.com/watch?v=BEie7fhG4zQ


And what gobsmacked me: he complains about the frequency of having to update, yet he expects security patches.... That makes no sense x_x; if you want security, that's what it takes. The next funny part: he says he lost his data. Then why didn't you maintain a backup? Whose fault is that if not your own :roll:

1. Do not expose the NAS online
2. Update
3. Backup
4. Only blame when it's warranted (why were we not notified about the vulnerability? why did it take so long to release the patch? etc.). But also accept the fact that some of the responsibility falls on you as well (why did you expose your NAS online? when was the last time you updated? why no VLANs? why are you exposing the QPKG Station apps online? etc.) :roll:


In recent years QNAP did introduce an auto-update feature, so his complaint has since been answered to some extent, as the NAS would auto-update for him. But then you have a different issue: what if the firmware you updated to is a bad one? Well, that is the trade-off for using auto-updating, which is why I personally don't use it, nor do I endorse it for others. But the option is there :wink:
jaysona
Been there, done that
Posts: 854
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: [Guide] Best security practices for QNAP NAS 2022

Post by jaysona »

*groan* more "experts" that don't even know what it is they do not know about the subject matter for which they profess to be experts in.

QTS is not a Linux distro with after market additions. QTS is a severely bas.tar.dized and crippled Linux implementation, where QNAP has done just about as much as is possible to decimate the standard UNIX/Linux security model.

As for QPKGs, I am pretty certain that OneCD, QoolBox, Silas, Plex and others would take exception to the overly broad statement regarding QPKGs.

When it comes to security, QTS is a sh0t-show (replace 0 with an i) and not one QNAP written service (the QTS apps) should ever be accessible from the Internet.

As for 3rd party applications, each one needs to be evaluated on its own merit before deciding if the risk of Internet exposure is sufficiently low or not. If a user is incapable of performing such a risk assessment of an application/service they wish to expose to the Internet, then it is probably safe to say the application/service should not be made available on the Internet.

As for some of the security recommendations, clearly the guy has not scratched the surface of those "security" programs, otherwise he would not be recommending them.
Last edited by jaysona on Thu Nov 24, 2022 12:49 pm, edited 1 time in total.
RAID is not a Back-up!

H/W: QNAP TVS-871 (i7-4790. 16GB) (Plex server) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6604T (8GB) / Asustor AS7010T (16GB) (media storage)
H/W: TS-219 Pro / TS-509 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 386.7_2
Router2: Asus RT-AC68U - Asuswrt-Merlin - 386.7_2
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15

Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB)
OneCD
Guru
Posts: 12144
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [Guide] Best security practices for QNAP NAS 2022

Post by OneCD »

jaysona wrote: Thu Nov 24, 2022 10:48 am As for QPKGS, I am pretty certain that OneCD, QoolBox, Silas, Plex and other would take exception to the overly broad statement regarding QPKGs.
Must admit: I stopped reading Moogle's posts some time ago (there's just too much waffle to sort through, and I don't have the time), so I'm not sure what has been claimed with regard to QPKGs.

However, it's safe to say @jaysona's security concerns are always on-point, and I wholeheartedly agree with them.
jaysona
Been there, done that
Posts: 854
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: [Guide] Best security practices for QNAP NAS 2022

Post by jaysona »

OneCD wrote: Thu Nov 24, 2022 12:37 pm Must admit: I stopped reading Moogle's posts some time ago (there's just too much waffle to sort through, and I don't have the time), so I'm not sure what has been claimed with regard to QPKGs.
I tend to do the same. Between the lazy spelling, lazy grammar and incessant copying and pasting of 80% of articles, Moogle's posts are generally the half-blind leading the blind, but I felt this one merited a response since Moogle is a "guru" and there are just so many half-truths in the post that many less savvy readers would take the multiple posts in their entirety as complete truths and blindly go down a path they otherwise might not have pursued so readily.

Regarding the QPKG statement - well, that's up for interpretation. The statement is "Don't use QNAP designed QPKG applications" and the argument could be made that every QPKG is "designed" by QNAP as it is QNAP that provided the framework for making a QPKG.

I suspect the intention is more along the lines of "Do not use QNAP written QPKG applications".
However, it's safe to say @jaysona's security concerns are always on-point, and I wholeheartedly agree with them.
:ubergeek:
dolbyman
Guru
Posts: 35251
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [Guide] Best security practices for QNAP NAS 2022

Post by dolbyman »

I am caught between a rock and a hard place... I do agree with jaysona (QNAP security concerns, and Moogle's 'over-eagerness' with posting masses of YouTube links and massive quote walls).

But I also do see Moogle being supportive and generally giving more 'upbeat' replies, in contrast to more grounded members (yours truly, 'mr grumpmeister', included), so I also do not want to really p*ss him off...

In terms of 'guru'... I never liked these auto forum titles and I would never have given myself this status... there are and were other members that deserve this designation more than me for sure (and some posters have found 'offence' in them in the past).
spile
Been there, done that
Posts: 641
Joined: Tue May 24, 2016 12:13 am

Re: [Guide] Best security practices for QNAP NAS 2022

Post by spile »

There are technical users who have communication “issues”.
There are good communicators who the above group criticise.
I try to come to a consensus by reading posts by both groups.
OneCD
Guru
Posts: 12144
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [Guide] Best security practices for QNAP NAS 2022

Post by OneCD »

@dm, I like Moogle’s (usually) upbeat mood too, but his posts have become long, rambling and quite tedious to read. He seems to be preferring quantity over quality.

This is particularly unfortunate when he tries to help someone with a problem, as the victim is invariably inundated with a flood of suggested fixes, URLs, images and opinions - most having little relevance to the issue. :(

Regarding the forum assigning those titles: I’ll ask QNAP if this can be changed.

@jaysona, I hear you on the QPKGs. Personally, I wish QNAP would stop treating non-QNAP creators of QPKGs as if they are the ones responsible for the malware ending-up on so many NAS, whilst simultaneously suggesting QNAP’s own packages are completely secure and above-board.

Skwor
Know my way around
Posts: 247
Joined: Thu Feb 27, 2020 1:38 am

Re: [Guide] Best security practices for QNAP NAS 2022

Post by Skwor »

OneCD wrote: Thu Nov 24, 2022 4:49 pm ...

I wish QNAP would stop treating non-QNAP creators of QPKGs as if they are the ones responsible for the malware ending-up on so many NAS, whilst simultaneously suggesting QNAP’s own packages are completely secure and above-board.
Plex security is pretty top notch; I trust their package over anything QNAP writes themselves. Over the last few years Plex had 2 security issues I can recall: one a DDoS relay, which they patched in literally a matter of days; the second, a semi-recent breach where we found out they use ALL the industry best practices to protect people's data. Still, they admitted it immediately and encouraged everyone to reset their passwords and re-log in to reset credentials.

Honestly if the only port you have open is their port and you use no third party Plex add-ons you are most likely safe. I want to say you are safe but absolute statements tend to come back and bite you.
NAS:
TS-453Be
2-4 Gig QNAP ram sticks
1x12 TB Seagate Iron Wolf and 3x12 TB Seagate Exos
Mainly used as a Plex Server and Photo manager (QuMagie is actually pretty good)

WD 12 TB Elements for each hard drive - External HD BU to the NAS movie database and Photos