New QNAP TS-253B owner, thoughts on security

Post by beshur »

Hello!

I'm Alex from Ukraine, a web developer, and I've just bought and set up a TS-253B at home.

My intention is to move away from OneDrive, which we've been using for family pics and videos, and other archive things.

Have read a couple threads while setting up, and I like this community :D

Since I only had two days to set up the jobs, I've enabled the qnap my cloud, and opened the ports to the outer world on the router.
I understand there are serious security issues with this.

What I have in mind is to open ports on demand. So they are usually closed, and unless I need to connect to NAS from external network, I can expose it for some time.
For example:
1. Set up a polling job on NAS that will check a certain public file value (e.g. have some txt file on my hosting or Google Drive, that I can easily edit, with values of 1 or 0).
2. If the value is 1, then send UPnP request to router to open ports.
3. If the value is 0, then send UPnP request to router to remove those ports.

Is it possible? Did anyone try to do it?

Thanks.
TS-253B-8G | 2x WD Red Plus 8Tb

Post by peelos »

Would suggest setting up a VPN on the router or firewall instead.
NAS: TVS-1282-i7-7700-40G / 4 x 500GB SSD 2.5" RAID 10 / 2 x 500GB M.2 SSD / 8 x 12TB WD Whites 3.5" RAID 6 / Noctua L9x65 / 3 x 80mm PWM Noctua fans / Corsair 600W PSU / Asus Turbo GTX 1060 6GB GPU
Software: Plex Media Server / Transmission / Sonarr / Radarr / Bazarr / Jackett / Tautulli / Home Assistant / Resilio Sync / Python / NetData / SortMyQPKGs
pfSense Firewall / OpenVPN Server: QOTOM Fanless Mini PC / Core i5 / 8GB RAM / 128GB SSD / 4 Gigabit NICs / AES-NI
Wireless Routers: 2 x Netgear AC1900 R7000 Nighthawk / 1 x Netgear AC3200 R8000 Nighthawk / FreshTomato Firmware

Post by dolbyman »

and disable UPnP on the router

Post by beshur »

peelos wrote: Fri Jul 24, 2020 8:05 pm
> Would suggest setting up a VPN on the router or firewall instead.

Thanks for the suggestion!
Is it more secure than just leaving ports open on the router?

Post by dolbyman »

of course

read up on all the hacked web exposed qnaps via open ports

no hacks of qnaps via vpn known to me ..vpn server should be on a firewall/router/dedicated appliance ... not the qnap (works as a last option too)

Post by beshur »

Thanks.

Do I have a week before it gets hacked?

Post by dolbyman »

could be a week ..a year ...never ...could already be part of a bot net or encrypting your files for ransom as we speak

there is no timer on it

Post by jaysona »

The QNAP QTS admin page and QTS apps (Helpdesk, Filestation, Photostation, Musicstation, etc) are really insecure, and there are several 0-day php vulnerabilities in those apps.

If you wish to remotely access the QTS Admin webpage of your NAS, then do so using a VPN, and it would be best that the VPN server be a separate device such as a Raspberry Pi or the router.

> What I have in mind is to open ports on demand. So they are usually closed, and unless I need to connect to NAS from external network, I can expose it for some time.
> For example:
> 1. Set up a polling job on NAS that will check a certain public file value (e.g. have some txt file on my hosting or Google Drive, that I can easily edit, with values of 1 or 0).
> 2. If the value is 1, then send UPnP request to router to open ports.
> 3. If the value is 0, then send UPnP request to router to remove those ports.

This sounds similar to port knocking. If you have a router that supports DD-WRT, then you can set up port knocking (using knockd) to open specific ports when you need to access the NAS, and then close the ports when you are done.

If you wish to share videos and pictures, use Plex instead of the built-in QTS apps. Plex has a lot more development effort behind it than the QTS apps and Plex puts a lot of effort into secure coding.

Make sure UPnP is disabled on your router.
RAID is not a Back-up!

H/W: QNAP TVS-871 (i7-4790. 16GB) (Plex server) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6604T (8GB) / Asustor AS7010T (16GB) (media storage)
H/W: TS-219 Pro / TS-509 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 386.7_2
Router2: Asus RT-AC68U - Asuswrt-Merlin - 386.7_2
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15

Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB)
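
The port-knocking setup jaysona suggests, sketched as a knockd configuration. This is an added example, not part of the original post or any poster's own config; the WAN interface name, NAS address, port numbers and knock sequence are all assumed placeholder values.

```ini
# knockd.conf for a Linux-based router running knockd (constructed example).
# Assumptions (not from the thread):
#   vlan2         = router WAN interface
#   192.168.1.50  = NAS LAN address
#   8443 -> 443   = WAN port forwarded to the NAS HTTPS port
#   7000,8000,9000 = placeholder knock sequence, choose your own

[options]
	UseSyslog
	Interface = vlan2

[openNAS]
	# Three TCP SYNs to these ports, in order, within 10 seconds
	sequence      = 7000,8000,9000
	seq_timeout   = 10
	tcpflags      = syn
	# Forward only for the source address that knocked (%IP%), not for the whole internet
	start_command = iptables -t nat -I PREROUTING -i vlan2 -s %IP% -p tcp --dport 8443 -j DNAT --to-destination 192.168.1.50:443 && iptables -I FORWARD -i vlan2 -s %IP% -d 192.168.1.50 -p tcp --dport 443 -j ACCEPT
	# Close automatically after one hour, even if nobody remembers to
	cmd_timeout   = 3600
	stop_command  = iptables -t nat -D PREROUTING -i vlan2 -s %IP% -p tcp --dport 8443 -j DNAT --to-destination 192.168.1.50:443 ; iptables -D FORWARD -i vlan2 -s %IP% -d 192.168.1.50 -p tcp --dport 443 -j ACCEPT
```

Knock packets are unencrypted and can be observed and replayed, and the QTS login is still reachable from the knocking address while the rule is active, so this narrows exposure rather than replacing the VPN recommended earlier in the thread.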

Post by beshur »

Thank you for the replies!


jaysona wrote: Sat Jul 25, 2020 12:01 am
> The QNAP QTS admin page and QTS apps (Helpdesk, Filestation, Photostation, Musicstation, etc) are really insecure, and there are several 0-day php vulnerabilities in those apps.
>
> If you wish to remotely access the QTS Admin webpage of your NAS, then do so using a VPN, and it would be best that the VPN server be a separate device such as a Raspberry Pi or the router.

Does this also concern myQNAPCloudLink?

I'm asking because I turned UPnP per your request on the router, and now no ports seem to be forwarded, but I can still connect via qlink.
But I see from this point that the vulnerable login page and photostation are exposed, and how VPN could improve security of this.


Will check about knockd, thanks.

Post by beshur »

So I disabled the UPnP on the router.
I discovered that actually it's behind an ISP NAT, since the external port displayed in router is different from what web-sites see me as (whatsmyip.org e.g.).

I installed myQNAPCloudLink, and set up the NAS access level to Customized, which means when visiting the page via qlink, first I need to log in with QNAP ID, and only then it presents me with a QTS login page.
That sounds pretty safe, doesn't it?

Post by dolbyman »

cloudlink is different ..it does not expose you directly ..but all traffic goes via qnap servers ..so you need to trust them with your data (and security) if they get compromised your nas could be too

Post by spile »

dolbyman wrote: Mon Jul 27, 2020 10:59 pm
> cloudlink is different ..it does not expose you directly ..but all traffic goes via qnap servers ..so you need to trust them with your data (and security) if they get compromised your nas could be too

Cloudlink is different to what?
Cloudlink = MyQnapCloud Link
https://www.qnap.com/en/news/2020/qnaps ... cloud-link