New QNAP TS-253B owner, thoughts on security

beshur
New here
Posts: 5
Joined: Wed Jul 22, 2020 9:44 pm

New QNAP TS-253B owner, thoughts on security

Post by beshur » Fri Jul 24, 2020 6:21 pm

Hello!

I'm Alex from Ukraine, a web developer, and I've just bought and set up a TS-253B at home.

My intention is to move away from OneDrive, which we've been using for family pics and videos, and other archive things.

Have read a couple threads while setting up, and I like this community :D

Since I only had two days to set up the jobs, I've enabled the qnap my cloud, and opened the ports to the outer world on the router.
I understand there are serious security issues with this.

What I have in mind is to open ports on demand. So they are usually closed, and unless I need to connect to NAS from external network, I can expose it for some time.
For example:
1. Set up a polling job on NAS that will check a certain public file value (e.g. have some txt file on my hosting or Google Drive, that I can easily edit, with values of 1 or 0).
2. If the value is 1, then send UPnP request to router to open ports.
3. If the value is 0, then send UPnP request to router to remove those ports.

Is it possible? Did anyone try to do it?

Thanks.

peelos
Easy as a breeze
Posts: 496
Joined: Sun Jun 26, 2016 9:28 pm

Re: New QNAP TS-253B owner, thoughts on security

Post by peelos » Fri Jul 24, 2020 8:05 pm

Would suggest setting up a VPN on the router or firewall instead.
NAS: TVS-1282-i7K-40G / 4 x 500GB SSD 2.5" / 2 x 500GB M.2 SSD / 8 x 4TB WD Red 3.5" / Corsair H5-SF Watercooling / 3 x 80mm PWM Noctua fans / Corsair 600W PSU / Asus Turbo GTX 1060 6GB GPU
Software: Plex Media Server / QTransmission / Sonarr / Radarr / Jackett / QMono / Tautulli / OpenHAB / Resilio Sync / QPython / QJDK 8 / NetData / Qapache / SortMyQPKGs
pfSense Firewall / OpenVPN Server: QOTOM Fanless Mini PC / Core i5 / 8GB RAM / 128GB SSD / 4 Gigabit NICs / AES-NI
Wireless Routers: 2 x Netgear AC1900 R7000 Nighthawk / Advanced Tomato Firmware

dolbyman
Guru
Posts: 19659
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: New QNAP TS-253B owner, thoughts on security

Post by dolbyman » Fri Jul 24, 2020 9:37 pm

and disable UPnP on the router

beshur
New here
Posts: 5
Joined: Wed Jul 22, 2020 9:44 pm

Re: New QNAP TS-253B owner, thoughts on security

Post by beshur » Fri Jul 24, 2020 9:46 pm

peelos wrote:
Fri Jul 24, 2020 8:05 pm
Would suggest setting up a VPN on the router or firewall instead.

Thanks for the suggestion!
Is it more secure than just leaving ports open on the router?

dolbyman
Guru
Posts: 19659
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: New QNAP TS-253B owner, thoughts on security

Post by dolbyman » Fri Jul 24, 2020 9:49 pm

of course

read up on all the hacked web exposed qnaps via open ports

no hacks of qnaps via vpn known to me ..vpn server should be on a firewall/router/dedicated appliance ... not the qnap (works as a last option too)

beshur
New here
Posts: 5
Joined: Wed Jul 22, 2020 9:44 pm

Re: New QNAP TS-253B owner, thoughts on security

Post by beshur » Fri Jul 24, 2020 9:53 pm

Thanks.

Do I have a week before it gets hacked?

dolbyman
Guru
Posts: 19659
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: New QNAP TS-253B owner, thoughts on security

Post by dolbyman » Fri Jul 24, 2020 10:16 pm

could be a week ..a year ...never ...could already be part of a bot net or encrypting your files for ransom as we speak

there is no timer on it

jaysona
Easy as a breeze
Posts: 277
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: New QNAP TS-253B owner, thoughts on security

Post by jaysona » Sat Jul 25, 2020 12:01 am

The QNAP QTS admin page and QTS apps (Helpdesk, Filestation, Photostation, Musicstation, etc) are really insecure, and there are several 0-day php vulnerabilities in those apps.

If you wish to remotely access the QTS Admin webpage of your NAS, then do so using a VPN, and it would be best that the VPN server be a separate device such as a Raspberry Pi or the router.

beshur wrote:
What I have in mind is to open ports on demand. So they are usually closed, and unless I need to connect to NAS from external network, I can expose it for some time.
For example:
1. Set up a polling job on NAS that will check a certain public file value (e.g. have some txt file on my hosting or Google Drive, that I can easily edit, with values of 1 or 0).
2. If the value is 1, then send UPnP request to router to open ports.
3. If the value is 0, then send UPnP request to router to remove those ports.

This sounds similar to port-knocking. If you have a router that supports DD-WRT, then you can set up port knocking (using knockd) to open specific ports when you need to access the NAS, and then close the ports when you are done.

If you wish to share videos and pictures, use Plex instead of the built-in QTS apps. Plex has a lot more development effort behind it than the QTS apps, and Plex puts in a lot of effort for secure coding.

Make sure UPnP is disabled on your router.
H/W: TS-219 Pro / TS-269 Pro / TS-253 Pro (8Gig)
H/W: TS-509 Pro x2 / TS-569 Pro / TS-670 Pro (i7-3770S 16Gig) x2 / TS-853 Pro (8Gig)
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 384.18
Router2: Asus RT-AC68U - DD-WRT v3.0-r39960M kongac
Router3: Linksys WRT1900AC - DD-WRT v3.0-r43028 std
Router4: Asus RT-AC66U - FreshTomato v2020.3
Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
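
How a knock daemon such as the knockd mentioned in the post above decides when to open a port, as an added example that is not part of the thread and not knockd's own code: a simplified Python model that tracks each source's progress through the sequence and enforces a timeout. The class name, ports, timeouts and sample events are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class KnockGate:
    """Simplified model of a knock daemon (hypothetical class, not knockd's code)."""
    sequence: tuple      # ports that must receive a SYN, in this order
    seq_timeout: float   # seconds allowed to finish the whole sequence
    open_for: float      # seconds the protected port stays open afterwards
    progress: dict = field(default_factory=dict)  # src -> (next index, start time)
    allowed: dict = field(default_factory=dict)   # src -> time the rule expires

    def on_syn(self, ts, src, dport):
        """Feed one observed TCP SYN; return True if it completes the sequence."""
        idx, started = self.progress.get(src, (0, ts))
        if idx and ts - started > self.seq_timeout:
            idx, started = 0, ts          # too slow: start over
        if dport == self.sequence[idx]:
            idx += 1                      # next expected port was hit
        elif dport == self.sequence[0]:
            idx, started = 1, ts          # wrong port, but it begins a new attempt
        else:
            idx = 0                       # wrong port: forget all progress
        if idx == len(self.sequence):
            self.progress.pop(src, None)
            self.allowed[src] = ts + self.open_for   # rule is per source address
            return True
        if idx:
            self.progress[src] = (idx, started)
        else:
            self.progress.pop(src, None)
        return False

    def is_allowed(self, ts, src):
        """True while the temporary allow rule for this source is still in place."""
        return ts < self.allowed.get(src, 0.0)

# Constructed sample events: (timestamp in seconds, source IP, destination port)
EVENTS = [
    (0.0, "198.51.100.7", 7000), (1.0, "198.51.100.7", 8000), (2.0, "198.51.100.7", 9000),
    (3.0, "203.0.113.9", 7000), (3.5, "203.0.113.9", 9000), (4.0, "203.0.113.9", 8000),
    (10.0, "203.0.113.50", 7000), (11.0, "203.0.113.50", 8000), (30.0, "203.0.113.50", 9000),
]

def replay(events):
    """Run the events through a gate; return it and the (time, source) pairs that opened."""
    gate = KnockGate(sequence=(7000, 8000, 9000), seq_timeout=5.0, open_for=60.0)
    opened = [(ts, src) for ts, src, port in events if gate.on_syn(ts, src, port)]
    return gate, opened
```

Only the first source completes the sequence in order and in time; the out-of-order and too-slow attempts never open anything. The knock ports cross the network unencrypted, so anyone who can observe the traffic can repeat the sequence, which makes a knock gate a complement to the VPN suggested earlier in the thread rather than a replacement for it.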

beshur
New here
Posts: 5
Joined: Wed Jul 22, 2020 9:44 pm

Re: New QNAP TS-253B owner, thoughts on security

Post by beshur » Sun Jul 26, 2020 4:30 am

Thank you for the replies!


jaysona wrote:
Sat Jul 25, 2020 12:01 am
The QNAP QTS admin page and QTS apps (Helpdesk, Filestation, Photostation, Musicstation, etc) are really insecure, and there are several 0-day php vulnerabilities in those apps.

If you wish to remotely access the QTS Admin webpage of your NAS, then do so using a VPN, and it would be best that the VPN server be a separate device such as a Raspberry Pi or the router.

Does this also concern myQNAPCloudLink?

I'm asking because I turned UPnP per your request on the router, and now no ports seem to be forwarded, but I can still connect via qlink.
But I see from this point that the vulnerable login page and photostation are exposed, and how VPN could improve security of this.


Will check about knockd, thanks.

beshur
New here
Posts: 5
Joined: Wed Jul 22, 2020 9:44 pm

Re: New QNAP TS-253B owner, thoughts on security

Post by beshur » Mon Jul 27, 2020 10:40 pm

So I disabled the UPnP on the router.
I discovered that actually it's behind an ISP NAT, since the external port displayed in router is different from what web-sites see me as (whatsmyip.org e.g.).

I installed myQNAPCloudLink, and set up the NAS access level to Customized, which means when visiting the page via qlink, first I need to log in with QNAP ID, and only then it presents me with a QTS login page.
That sounds pretty safe, doesn't it?

dolbyman
Guru
Posts: 19659
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: New QNAP TS-253B owner, thoughts on security

Post by dolbyman » Mon Jul 27, 2020 10:59 pm

cloudlink is different ..it does not expose you directly ..but all traffic goes via qnap servers ..so you need to trust them with your data (and security) if they get compromised your nas could be too

spile
Know my way around
Posts: 143
Joined: Tue May 24, 2016 12:13 am

Re: New QNAP TS-253B owner, thoughts on security

Post by spile » Tue Jul 28, 2020 6:26 pm

dolbyman wrote:
Mon Jul 27, 2020 10:59 pm
cloudlink is different ..it does not expose you directly ..but all traffic goes via qnap servers ..so you need to trust them with your data (and security) if they get compromised your nas could be too

Cloudlink is different to what?
Cloudlink = MyQnapCloud Link
https://www.qnap.com/en/news/2020/qnaps ... cloud-link
