We now have Security Counselor recommending we change the default port assignments for web access. I tried searching the forum for some discussions on this, but I can’t seem to get very far with the searches because the search facility doesn’t support phrase searches.
If there is a topic open on this, please direct me. I would much rather read FAQs and other discussions than have to ask blindly.
Failing that, I wish to comply with QNAP recommendations. I was thinking of picking a port in the 50000-60000 range to port forward for external access.
If I change it in QTS, and then append that port number to the IP address in my browser for local access, are there any gotchas? I don’t want to lose the ability to get back into the QTS front end on the LAN.
I am currently having my family use SSL and have sent them a “qlink.to” link that specifies https. I use a QNAP SSL certificate. What would I have to do to get them to use the new port?
Any other recommendations and help references greatly appreciated.
Channeling default port assignments
- AlFromCochrane
- Know my way around
- Posts: 128
- Joined: Wed Feb 10, 2016 9:19 am
- Location: Canada
best regards, Allan
Firmware Version: Always updated
TS-873 32GB RAM, 8 x 8TB Seagate IronWolf NAS (model ST8000VN0022),
45 TB total RAID 6 storage pool, M.2 SSD slots empty. Unit for offsite HDD backups:
Vantec Nexstar MX NST-400MX-S3R (utilizing 2x WD 8TB Red).
Network services/apps: PuTTY, media server apps, HBS, Plex.
- OneCD
- Guru
- Posts: 12038
- Joined: Sun Aug 21, 2016 10:48 am
- Location: "... there, behind that sofa!"
Re: Channeling default port assignments
Maybe leave your NAS ports how they are, and use your router to remap your incoming ports via port-forwarding?
Example:
Within your LAN, let's assume you access your NAS QTS UI via 192.168.0.10:8080
So, in your router, create a port-forward that maps incoming public port 60,000 to private port 8080 at IP 192.168.0.10.
When someone from outside your LAN wants to access your NAS QTS UI, they'd use your public IP (or domain name) and port 60,000 (e.g. 1.2.3.4:60000), and this will be invisibly translated into port 8080 for your NAS.
This means your LAN clients don't need to change anything. Only those attempting access from the WAN.
I've shown you one possible way to do this, but I must add I don't recommend exposing the QTS UI to the Internet on any port. Use a VPN to access your LAN. If you do, you won't need to remap any ports, and will only be exposing the VPN port(s).
- Easy as a breeze
- Posts: 447
- Joined: Mon Nov 19, 2018 1:21 am
Re: Channeling default port assignments
AlFromCochrane wrote (Tue Jan 08, 2019 12:58 pm):
We now have Security Counselor recommending we change the default port assignments for web access. I tried searching the forum for some discussions on this, but I can’t seem to get very far with the searches because the search facility doesn’t support phrase searches.
If there is a topic open on this, please direct me. I would much rather read FAQs and other discussions than have to ask blindly.
Failing that, I wish to comply with QNAP recommendations. I was thinking of picking a port in the 50000-60000 range to port forward for external access.
If I change it in QTS, and then append that port number to the IP address in my browser for local access, are there any gotchas? I don’t want to lose the ability to get back into the QTS front end on the LAN.
I am currently having my family use SSL and have sent them a “qlink.to” link that specifies https. I use a QNAP SSL certificate. What would I have to do to get them to use the new port?
Any other recommendations and help references greatly appreciated.
My two cents: if you're not comfortable running a web server on 80 and 443 (which, from things I've seen in this forum, you shouldn't be with QNAP), then I wouldn't be comfortable running it on any other port either. You're still just as vulnerable to an exploit; you're just requiring that attackers scan ports other than 80/443 to find you (which many will).
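The two replies above make one point between them: with OneCD's router port-forward the NAS still sees every connection arrive on 8080 (the public port 60000 is rewritten before the packet reaches the NAS), and, as the second reply notes, renumbering the port does not stop the UI being found. The defender's consequence is that the NAS-side logs are where WAN-sourced hits on the admin port show up, whatever the public port is. The script below is an added example written for this thread, not code from OneCD, the other poster, or QNAP. It assumes a simplified "timestamp src_ip dst_port path" connection-log layout (constructed sample lines, not real QTS log output) and a home LAN defined as the RFC 1918 ranges, and reports which outside addresses reached the admin UI ports.

```python
import ipaddress
import re
from collections import Counter

# Home-LAN address space: RFC 1918 ranges plus loopback. Python's
# ipaddress.is_private also classifies the documentation ranges used in the
# sample below (203.0.113.0/24, 198.51.100.0/24) as private, which would hide
# the WAN sources, so the LAN definition is spelled out explicitly here.
LAN_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

# Ports the NAS itself listens on for the QTS UI. The router's public port
# (60000 in the thread) never appears in NAS logs: DNAT rewrites it to 8080
# before the NAS sees the connection. 8080 and 443 are the defaults the thread
# discusses; adjust if the NAS was reconfigured.
ADMIN_PORTS = {8080, 443}

# Constructed sample log in an assumed "timestamp src_ip dst_port path" layout.
# This is NOT real QTS log output; the format is an assumption for this example.
SAMPLE_LOG = """\
2019-01-08T12:58:01 192.168.0.23 8080 /cgi-bin/
2019-01-08T12:58:05 192.168.0.23 8080 /
2019-01-08T13:02:11 203.0.113.45 8080 /cgi-bin/
2019-01-08T13:02:12 203.0.113.45 8080 /cgi-bin/
2019-01-08T13:05:40 198.51.100.9 8080 /
2019-01-08T13:06:00 192.168.0.5 1194 -
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\S+)$")


def parse_line(line):
    """Return (timestamp, src_ip, dst_port, path), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, port, path = m.groups()
    try:
        ipaddress.ip_address(src)   # reject lines whose source field is not an address
    except ValueError:
        return None
    return ts, src, int(port), path


def is_lan(ip_text):
    """True if the source address belongs to the home LAN as defined above."""
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in LAN_NETWORKS)


def wan_admin_hits(log_text, admin_ports=ADMIN_PORTS):
    """Connections to the admin-UI ports whose source lies outside the LAN."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, src, port, _ = rec
        if port in admin_ports and not is_lan(src):
            hits.append(rec)
    return hits


def wan_sources(log_text, admin_ports=ADMIN_PORTS):
    """Count admin-UI hits per outside source address."""
    return Counter(src for _, src, _, _ in wan_admin_hits(log_text, admin_ports))


if __name__ == "__main__":
    for src, n in wan_sources(SAMPLE_LOG).most_common():
        print(f"{src}: {n} admin-UI connection(s) from outside the LAN")
```

On the sample input the LAN client on 192.168.0.23 and the VPN-port connection on 1194 are ignored, and the two outside addresses that reached port 8080 are reported. Because the NAS-side port is unchanged by the router mapping, this check works identically whether the public port is 443, 8080 or 60000, which is also why Security Counselor, looking only at the NAS's own port assignments, does not notice the remap.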
- Know my way around
- Posts: 128
- Joined: Wed Feb 10, 2016 9:19 am
- Location: Canada
Re: Channeling default port assignments
Thanks to both of you.
OneCD answered my questions and I will take both of your advice. I actually received the VPN advice from Dolbyman in the first place.
OneCD has been following my posts and knows that it could take me months to get all my family members using a VPN. So I will use his advice to make QNAP’s Security Counselor happy and perhaps make it a little tougher for the hackers. Since I am not really a target worth going for, I believe my attacks are mostly by convenience. So this may be all that I require. Definitely for the interim.
I can learn OpenVPN on PCs and coach those family members, but I have at least 4 that use a Mac as their computer of choice. Since I don’t have one of those, I will have to travel to my nearest one with a Mac, and perhaps learn on theirs. Knowing full well that I have absolutely no Mac experience to start with. Lol. This sort of thing is much easier for a company that preconfigures computer resources for its employees, forcing them to access the company network via the installed VPN. Not so easy in my application.
So the VPN is a very long way from an “OK, I’ll get it done next week” kind of thing. But I will work on it. I am very good with making backups to 3 different devices, and even having offsite backups, so I am not worried about ransom so much. But I want to provide the most secure cloud service possible for my family. And I’m understanding VPN is the only way to achieve that. And even that is only as strong as a good password and the good practice of NOT automating any login.
Thanks and cheers
best regards, Allan
Firmware Version: Always updated
TS-873 32GB RAM, 8 x 8TB Seagate IronWolf NAS (model ST8000VN0022),
45 TB total RAID 6 storage pool, M.2 SSD slots empty. Unit for offsite HDD backups:
Vantec Nexstar MX NST-400MX-S3R (utilizing 2x WD 8TB Red).
Network services/apps: PuTTY, media server apps, HBS, Plex.
- OneCD
- Guru
- Posts: 12038
- Joined: Sun Aug 21, 2016 10:48 am
- Location: "... there, behind that sofa!"
Re: Channeling default port assignments
AlFromCochrane wrote (Tue Jan 08, 2019 2:11 pm):
So I will use his advice to make QNAP’s Security Counselor happy and perhaps a little tougher for the hackers.
Well, it's unlikely to make Security Counselor happy, as that app checks the ports assigned on the NAS. It won't realise you have re-mapped the incoming ports in your router.
But it does mean you can ignore its warnings about using the default ports.
- Know my way around
- Posts: 128
- Joined: Wed Feb 10, 2016 9:19 am
- Location: Canada
Re: Channeling default port assignments
Thanks OneCD. I didn’t realize you had replied.
best regards, Allan
Firmware Version: Always updated
TS-873 32GB RAM, 8 x 8TB Seagate IronWolf NAS (model ST8000VN0022),
45 TB total RAID 6 storage pool, M.2 SSD slots empty. Unit for offsite HDD backups:
Vantec Nexstar MX NST-400MX-S3R (utilizing 2x WD 8TB Red).
Network services/apps: PuTTY, media server apps, HBS, Plex.