Hello all,
I've got my qnap apps behind apache with ssl talking to Qnapcloud
app port -> apache ssl -> router port forward -> qnapcloud
It works fine; in some cases I have to configure the router to forward a port and that's OK.
The question is: I've noticed some ports are available in qnapcloud even when I don't forward them in the router.
This is a huge problem because some of those ports are not using ssl.
How can I 100% block those ports from being available on the internet via qnapcloud?
Cheers
QnapCloud Ports and Security
- presenceofmind
- Know my way around
- Posts: 198
- Joined: Thu May 26, 2016 3:05 pm
Last edited by presenceofmind on Tue Dec 01, 2020 12:39 am, edited 1 time in total.
- dolbyman
- Guru
- Posts: 35273
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: QnapCloud Ports and Security
NEVER expose QNAP apps to the web. Plenty of malware around.
Disable uPnP and leverage a VPN server (on router or dedicated firewall) to access your NAS from WAN
- presenceofmind
- Know my way around
- Posts: 198
- Joined: Thu May 26, 2016 3:05 pm
Re: QnapCloud Ports and Security
Why are there ports available on qnapcloud even when port forward is not enabled for them?
Is it uPnP? Should I turn it off and do it manually? But those ports are not in the list.
I also noticed this new QuFirewall app. Will it allow me to block those ports?
- dolbyman
- Guru
- Posts: 35273
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: QnapCloud Ports and Security
not sure what you mean by "ports available on qnapcloud"
ports are forwarded from router to NAS, qnapcloud would only be the DDNS service
- presenceofmind
- Know my way around
- Posts: 198
- Joined: Thu May 26, 2016 3:05 pm
Re: QnapCloud Ports and Security
I have an app running in port 3000, I proxy this port to another port 3043 with ssl.
I add only port 3043 to the router (port forward).
for some reason qnapcloud.com:3000 works.
I want to block port 3000 and let only port 3043 to be available online.
Cheers
- dolbyman
- Guru
- Posts: 35273
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: QnapCloud Ports and Security
then something on your router is still listening to port 3000
check the port forward table on the (unknown) router model
to be sure, disable uPnP and do it all by hand
- Mousetick
- Experience counts
- Posts: 1081
- Joined: Thu Aug 24, 2017 10:28 pm
Re: QnapCloud Ports and Security
presenceofmind wrote: ↑Tue Dec 01, 2020 12:59 am
> I have an app running in port 3000, I proxy this port to another port 3043 with ssl.
> I add only port 3043 to the router (port forward).
> for some reason qnapcloud.com:3000 works.
If qnapcloud.com:3000 works inside your LAN, it's normal, as the app on the NAS is still listening to port 3000, and you're bypassing your router WAN firewall.
You need to test qnapcloud.com:3000 from outside your LAN, to verify it's blocked.
Also if you want to completely block port 3000 even inside your LAN, you may be able to configure the app that's listening on port 3000 to only listen to the loopback interface (127.0.0.1), if the app allows this kind of configuration, it should work since the apache proxy is running on the same host.
- presenceofmind
- Know my way around
- Posts: 198
- Joined: Thu May 26, 2016 3:05 pm
Re: QnapCloud Ports and Security
Mousetick wrote: ↑Tue Dec 01, 2020 1:14 am
> Also if you want to completely block port 3000 even inside your LAN, you may be able to configure the app that's listening on port 3000 to only listen to the loopback interface (127.0.0.1), if the app allows this kind of configuration, it should work since the apache proxy is running on the same host.
Yes that's it. The apps don't give this feature. Can it be done in another way? Firewall perhaps.
Cheers