Channeling default port assignments

AlFromCochrane
Getting the hang of things
Posts: 75
Joined: Wed Feb 10, 2016 9:19 am
Location: Cochrane, AB, Canada

Channeling default port assignments

Post by AlFromCochrane » Tue Jan 08, 2019 12:58 pm

We now have Security Counselor recommending we change the default port assignments for web access. I tried searching the forum for some discussions on this, but I can’t seem to get very far with the searches because the search facility doesn’t support phrase searches.

If there is a topic open on this please direct me. I would much rather read FAQs and other discussions than have to ask blindly.


Failing that, I wish to comply with QNAP recommendations. I was thinking of picking a port in the 50000-60000 range to port forward for external access.

If I change it in QTS, and then append that port number to the IP address in my browser for local access, are there any gotchas? I don’t want to lose the ability to get back into the QTS front end on the LAN.


I am currently having my family use SSL and have sent them a “qlink.to” link that specifies https. I use a QNAP SSL certificate. What would I have to do to get them to use the new port?

Any other recommendations and help references greatly appreciated.
best regards, Allan

Firmware Version:Always updated
TS-873 4GB Ram, 5 x 8TB Seagate IronWolf NAS Model: ST8000VN0022, 21.8TB total raid 6
Storage Pool, 3.3TB reserved for snapshots, M.2 SSD slots Empty, as Front end NAS server. Connection speed
@ 1 Gb to Backup server TS-431 with 4 x 6TB WD NAS Red WD60EFRX Raid 5, Unit for offsite HDD Backups:
Vantec Nexstar MX NST-400MX-S3R-Utilizing 2x WD HDD models(as above), network services/apps: PuTTY,
Media server apps, HBS.

OneCD
Ask me anything
Posts: 6045
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: Channeling default port assignments

Post by OneCD » Tue Jan 08, 2019 1:13 pm

Maybe leave your NAS ports how they are, and use your router to remap your incoming ports via port-forwarding?

Example:
Within your LAN, let's assume you access your NAS QTS UI via 192.168.0.10:8080

So, in your router, create a port-forward that maps incoming public port 60,000 to private port 8080 at IP 192.168.0.10

When someone from outside your LAN wants to access your NAS QTS UI, they'd use your public IP (or domain name) and port 60,000 (e.g. 1.2.3.4:60000), and this will be invisibly translated into port 8080 for your NAS. ;)

This means your LAN clients don't need to change anything. Only those attempting access from the WAN.

I've shown you one possible way to do this, but I must add I don't recommend exposing the QTS UI to the Internet on any port. Use a VPN to access your LAN. If you do, you won't need to remap any ports, and will only be exposing the VPN port(s).

production NAS: TS-569 Pro with Debian 9.9 'Stretch' (power on/off times are < 1 minute)
backup NAS: TS-559 Pro+ with QTS 4.2.6 #20190322

one.cd.only@gmail.com


Thisisnotmyname
Easy as a breeze
Posts: 353
Joined: Mon Nov 19, 2018 1:21 am

Re: Channeling default port assignments

Post by Thisisnotmyname » Tue Jan 08, 2019 1:25 pm

My two cents, if you're not comfortable running a web server on 80 and 443 (which from things I've seen in this forum you shouldn't be with QNAP) then I wouldn't be comfortable running it on any other port either. You're still just as vulnerable to an exploit, you're just requiring that attackers scan ports other than 80/443 to find you (which many will).
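
An added example, not part of any post in this thread: a small audit of a router's port-forward rules, showing that the remap described above changes only the public port number and not which service is reachable from the WAN. It assumes a Linux-based router whose NAT rules can be dumped in iptables-save format; the sample rules are constructed, and treating 443 as a second UI port is an assumption.

```python
import shlex

# NAS ports that serve the admin UI. 8080 is the QTS UI port from the
# thread's example; 443 as the HTTPS UI port is an assumption.
ADMIN_PORTS = {8080: "QTS web UI (HTTP)", 443: "QTS web UI (HTTPS)"}

# Constructed sample in iptables-save format (assumed Linux-based router):
# the 60000 -> 192.168.0.10:8080 remap from the thread, plus a VPN forward.
SAMPLE_RULES = """\
-A PREROUTING -i eth0 -p tcp -m tcp --dport 60000 -j DNAT --to-destination 192.168.0.10:8080
-A PREROUTING -i eth0 -p udp -m udp --dport 1194 -j DNAT --to-destination 192.168.0.10:1194
-A POSTROUTING -o eth0 -j MASQUERADE
"""


def parse_dnat(line):
    """Return (proto, public_port, private_ip, private_port), or None for
    lines that are not DNAT rules. Raises ValueError for DNAT rules without
    a single --dport so they are never silently skipped."""
    tokens = shlex.split(line)
    opts = {t: tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t.startswith("-")}
    if opts.get("-j") != "DNAT" or "--to-destination" not in opts:
        return None
    dport = opts.get("--dport", "")
    if not dport.isdigit():
        raise ValueError(f"review manually (no single --dport): {line}")
    ip, sep, port = opts["--to-destination"].partition(":")
    # Without an explicit target port, DNAT keeps the original port.
    private_port = int(port) if sep else int(dport)
    return opts.get("-p", "any"), int(dport), ip, private_port


def audit(rules_text):
    """List every forward that lands on an admin UI port, whatever public
    port it is published on."""
    findings = []
    for line in rules_text.splitlines():
        rule = parse_dnat(line) if line.strip() else None
        if rule and rule[3] in ADMIN_PORTS:
            proto, public, ip, private = rule
            findings.append({"public_port": public, "target": f"{ip}:{private}",
                             "service": ADMIN_PORTS[private],
                             "remapped": public != private})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print(f"WAN port {f['public_port']} exposes {f['service']} at "
              f"{f['target']} (remapped: {f['remapped']})")
```

The forward on public port 60000 is still reported as exposing the QTS UI, while the VPN forward is not flagged.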


Re: Channeling default port assignments

Post by AlFromCochrane » Tue Jan 08, 2019 2:11 pm

Thanks to both of you.

OneCD answered my questions and I will take both of your advice. I actually received the VPN advice from Dolbyman in the first place.

OneCD has been following my posts and knows that it could take me months to get all my family members using a VPN. So I will use his advice to make QNAP’s Security Counselor happy and perhaps a little tougher for the hackers. Since I am not really a target worth going for, I believe my attacks are mostly by convenience. So this may be all that I require. Definitely for the interim.

I can learn OpenVPN on PCs and coach those family members, but I have at least 4 that use a Mac as their computer of choice. Since I don’t have one of those, I will have to travel to my nearest one with a Mac, and perhaps learn on theirs. Knowing full well that I have absolutely no Mac experience to start with. Lol. This sort of thing is much easier for a company that preconfigures computer resources for its employees, forcing them to access the company network via the installed VPN. Not so easy in my application.

So the VPN is a very long way from an “OK, I’ll get it done next week” kind of thing. But I will work on it. I am very good with making backups to 3 different devices, and even having offsite backups, so I am not worried about ransom so much. But I want to provide the most secure cloud service possible for my family. And I’m understanding VPN is the only way to achieve that. And even that is only as strong as a good password and good practice of NOT automating any login.

Thanks and cheers
best regards, Allan


Re: Channeling default port assignments

Post by OneCD » Tue Jan 08, 2019 2:46 pm

AlFromCochrane wrote:
Tue Jan 08, 2019 2:11 pm
So I will use his advice to make QNAP’s Security Counselor happy and perhaps a little tougher for the hackers.

Well, it's unlikely to make Security Counselor happy, as that app checks the ports assigned on the NAS. It won't realise you have re-mapped the incoming ports in your router.

But it does mean you can ignore its warnings about using the default ports. ;)


Re: Channeling default port assignments

Post by AlFromCochrane » Sat Jan 12, 2019 8:21 am

Thanks OneCD. I didn’t realize you had replied.
best regards, Allan
