New QNAP TS-253B owner, thoughts on security
- beshur
- Getting the hang of things
- Posts: 59
- Joined: Wed Jul 22, 2020 9:44 pm
- Location: Odesa, Ukraine
- Contact:
Hello!
I'm Alex from Ukraine, a web developer, and I've just bought and set up a TS-253B at home.
My intention is to move away from OneDrive, which we've been using for family pics and videos, and other archive things.
I have read a couple of threads while setting up, and I like this community.
Since I only had two days to set up the jobs, I've enabled QNAP myQNAPcloud and opened the ports to the outside world on the router.
I understand there are serious security issues with this.
What I have in mind is to open ports on demand. So they are usually closed, and only when I need to connect to the NAS from an external network do I expose it for some time.
For example:
1. Set up a polling job on the NAS that will check a certain public file's value (e.g. a txt file on my hosting or Google Drive that I can easily edit, with a value of 1 or 0).
2. If the value is 1, then send a UPnP request to the router to open the ports.
3. If the value is 0, then send a UPnP request to the router to remove those ports.
Is it possible? Did anyone try to do it?
Thanks.
TS-253B-8G | 2x WD Red Plus 8Tb
- peelos
- Been there, done that
- Posts: 580
- Joined: Sun Jun 26, 2016 9:28 pm
Re: New QNAP TS-253B owner, thoughts on security
Would suggest setting up a VPN on the router or firewall instead.
NAS: TVS-1282-i7-7700-40G / 4 x 500GB SSD 2.5" RAID 10 / 2 x 500GB M.2 SSD / 8 x 12TB WD Whites 3.5" RAID 6 / Noctua L9x65 / 3 x 80mm PWM Noctua fans / Corsair 600W PSU / Asus Turbo GTX 1060 6GB GPU
Software: Plex Media Server / Transmission / Sonarr / Radarr / Bazarr / Jackett / Tautulli / Home Assistant / Resilio Sync / Python / NetData / SortMyQPKGs
pfSense Firewall / OpenVPN Server: QOTOM Fanless Mini PC / Core i5 / 8GB RAM / 128GB SSD / 4 Gigabit NICs / AES-NI
Wireless Routers: 2 x Netgear AC1900 R7000 Nighthawk / 1 x Netgear AC3200 R8000 Nighthawk / FreshTomato Firmware
- dolbyman
- Guru
- Posts: 35005
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: New QNAP TS-253B owner, thoughts on security
And disable UPnP on the router.
- beshur
- Getting the hang of things
- Posts: 59
- Joined: Wed Jul 22, 2020 9:44 pm
- Location: Odesa, Ukraine
- Contact:
Re: New QNAP TS-253B owner, thoughts on security
Thanks for the suggestion!
Is it more secure than just leaving ports open on the router?
TS-253B-8G | 2x WD Red Plus 8Tb
- dolbyman
- Guru
- Posts: 35005
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: New QNAP TS-253B owner, thoughts on security
Of course.
Read up on all the hacked web-exposed QNAPs via open ports.
No hacks of QNAPs via VPN known to me ..the VPN server should be on a firewall/router/dedicated appliance ... not the QNAP (works as a last option too)
- beshur
- Getting the hang of things
- Posts: 59
- Joined: Wed Jul 22, 2020 9:44 pm
- Location: Odesa, Ukraine
- Contact:
Re: New QNAP TS-253B owner, thoughts on security
Thanks.
Do you think I have a week before it gets hacked?
TS-253B-8G | 2x WD Red Plus 8Tb
- dolbyman
- Guru
- Posts: 35005
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: New QNAP TS-253B owner, thoughts on security
Could be a week ..a year ...never ...could already be part of a botnet or encrypting your files for ransom as we speak.
There is no timer on it.
- jaysona
- Been there, done that
- Posts: 846
- Joined: Tue Dec 02, 2008 11:26 am
- Location: Somewhere in the Great White North
Re: New QNAP TS-253B owner, thoughts on security
The QNAP QTS admin page and QTS apps (Helpdesk, Filestation, Photostation, Musicstation, etc.) are really insecure, and there are several 0-day PHP vulnerabilities in those apps.
If you wish to remotely access the QTS admin webpage of your NAS, then do so using a VPN, and it would be best that the VPN server be a separate device such as a Raspberry Pi or the router.
beshur wrote:
What I have in mind is to open ports on demand. So they are usually closed, and only when I need to connect to the NAS from an external network do I expose it for some time.
For example:
1. Set up a polling job on the NAS that will check a certain public file's value (e.g. a txt file on my hosting or Google Drive that I can easily edit, with a value of 1 or 0).
2. If the value is 1, then send a UPnP request to the router to open the ports.
3. If the value is 0, then send a UPnP request to the router to remove those ports.
This sounds similar to port knocking. If you have a router that supports DD-WRT, then you can set up port knocking (using knockd) to open specific ports when you need to access the NAS, and then close the ports when you are done.
If you wish to share videos and pictures, use Plex instead of the built-in QTS apps. Plex has a lot more development effort behind it than the QTS apps, and Plex puts a lot of effort into secure coding.
Make sure UPnP is disabled on your router.
RAID is not a Back-up!
H/W: QNAP TVS-871 (i7-4790. 16GB) (Plex server) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6604T (8GB) / Asustor AS7010T (16GB) (media storage)
H/W: TS-219 Pro / TS-509 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 386.7_2
Router2: Asus RT-AC68U - Asuswrt-Merlin - 386.7_2
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15
Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB)
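Added example, not from this thread, QNAP or the knockd project: a knockd.conf stanza for the DD-WRT router that gives beshur's on-demand access (ports normally closed, opened only when wanted, closed again afterwards) the way jaysona suggests, without UPnP. It assumes the router's WAN interface is eth0, the NAS sits at 192.168.1.10 with QTS HTTPS on port 443, and a constructed knock sequence 7000,8000,9000 that you replace with your own.

```ini
[options]
    # log every knock and every command to syslog so opens and closes can be audited
    UseSyslog
    # assumption: the router's WAN interface (check with `ip link` on DD-WRT)
    Interface = eth0

[openQTS]
    # constructed sample sequence: choose your own, on high unused ports
    sequence      = 7000,8000,9000
    # all three knocks must arrive within 5 seconds, as TCP SYNs
    seq_timeout   = 5
    tcpflags      = syn
    # forward only for the knocking address (%IP%) and only the one QTS port;
    # assumption: NAS at 192.168.1.10, QTS HTTPS on 443
    start_command = /usr/sbin/iptables -t nat -I PREROUTING -i eth0 -s %IP% -p tcp --dport 443 -j DNAT --to-destination 192.168.1.10:443 && /usr/sbin/iptables -I FORWARD -s %IP% -d 192.168.1.10 -p tcp --dport 443 -j ACCEPT
    # close again automatically after 10 minutes so nothing stays exposed if you forget
    cmd_timeout   = 600
    stop_command  = /usr/sbin/iptables -t nat -D PREROUTING -i eth0 -s %IP% -p tcp --dport 443 -j DNAT --to-destination 192.168.1.10:443 && /usr/sbin/iptables -D FORWARD -s %IP% -d 192.168.1.10 -p tcp --dport 443 -j ACCEPT
```

A knock is sent with the knockd client (`knock <router-public-address> 7000 8000 9000`, placeholder address), after which only that source can reach the QTS page through the router for ten minutes. As beshur finds later in the thread, a router that itself sits behind ISP NAT receives no inbound connections at all, knocks included.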
- beshur
- Getting the hang of things
- Posts: 59
- Joined: Wed Jul 22, 2020 9:44 pm
- Location: Odesa, Ukraine
- Contact:
Re: New QNAP TS-253B owner, thoughts on security
Thank you for the replies!
jaysona wrote: ↑Sat Jul 25, 2020 12:01 am
The QNAP QTS admin page and QTS apps (Helpdesk, Filestation, Photostation, Musicstation, etc.) are really insecure, and there are several 0-day PHP vulnerabilities in those apps.
If you wish to remotely access the QTS admin webpage of your NAS, then do so using a VPN, and it would be best that the VPN server be a separate device such as a Raspberry Pi or the router.
Does this also concern myQNAPCloudLink?
I'm asking because I turned UPnP off on the router per your request, and now no ports seem to be forwarded, but I can still connect via qlink.
But I see from this point that the vulnerable login page and Photostation are exposed, and how a VPN could improve the security of this.
Will check out knockd, thanks.
TS-253B-8G | 2x WD Red Plus 8Tb
- beshur
- Getting the hang of things
- Posts: 59
- Joined: Wed Jul 22, 2020 9:44 pm
- Location: Odesa, Ukraine
- Contact:
Re: New QNAP TS-253B owner, thoughts on security
So I disabled UPnP on the router.
I discovered that actually it's behind an ISP NAT, since the external port displayed in the router is different from what websites (e.g. whatsmyip.org) see me as.
I installed myQNAPCloudLink and set the NAS access level to Customized, which means that when visiting the page via qlink, first I need to log in with my QNAP ID, and only then does it present me with the QTS login page.
That sounds pretty safe, doesn't it?
TS-253B-8G | 2x WD Red Plus 8Tb
- dolbyman
- Guru
- Posts: 35005
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: New QNAP TS-253B owner, thoughts on security
Cloudlink is different ..it does not expose you directly ..but all traffic goes via QNAP servers ..so you need to trust them with your data (and security). If they get compromised, your NAS could be too.
- spile
- Been there, done that
- Posts: 637
- Joined: Tue May 24, 2016 12:13 am
Re: New QNAP TS-253B owner, thoughts on security
Cloudlink is different to what?
Cloudlink = MyQnapCloud Link
https://www.qnap.com/en/news/2020/qnaps ... cloud-link