QVR Pro remote access creates extreme vulnerability to NAS

QVR Pro, QVR Pro Client, QVR Center and Surveillance Station
Post Reply
jmine
New here
Posts: 6
Joined: Sun Jan 10, 2021 12:28 am

QVR Pro remote access creates extreme vulnerability to NAS

Post by jmine »

I started getting hundreds of failed login attempts on my Turbo NAS. The only open port through my router was 443 because that is required by QVR Pro.

QNAP please allow us to change the port in the QVR Pro Client so we can avoid using 443 or 8080, this would at least allow us to add a layer of difficulty in making it harder for hackers to track down QNAP NAS devices by simply looking for port traffic and track down our devices.

So it appears I have a choice, eliminate QVR Pro access (so I can eliminate port 443 access to the NAS) or keep it and suffer with these daily login attacks.

Anyone else know how to use QVR Pro Client with out having to open the NAS on port 443 or 8080?

Thanks,
Jmine
User avatar
spile
Been there, done that
Posts: 638
Joined: Tue May 24, 2016 12:13 am

Re: QVR Pro remote access creates extreme vulnerability to NAS

Post by spile »

The issue is not QVRPro.
Close open ports on your router and disable upnp so that you can only access it when on your lan.
Install a vpn server on your router, a Raspberry Pi or the NAS itself.
Install vpn clients on devices you need to use away from the lan and enable them.
Then you can access QVRPro safely.
gribnut
Starting out
Posts: 24
Joined: Sun Mar 07, 2021 12:03 am

Re: QVR Pro remote access creates extreme vulnerability to NAS

Post by gribnut »

As spile mentions, the most secure method is to use a VPN on your local network.

If you're looking for a solution that allows you to connect to QVR Pro from Internet w/o establishing a VPN, you can configure your router/firewall to forward an alternate port (something other than 443) to port 443 of your NAS. Depending upon how you access today - either by hostname or QNAP ID, and you have UPnP enabled on your router/gateway, you may already be using a port other than 443 on Internet side of your router/gateway. I don't use myqnapcloud so unsure whether they use random port. I used to forward port 8443 at router/firewall to my QNAP NAS for QVR Pro but eventually started seeing login attempts for admin user on that port. While port 8443 is not an obscure port, it does show that changing to alternate port won't necessarily eliminate the login attempts you are seeing. I believe the logins were attempts to take advantage of known QNAP vulnerabilities since the since the same web server/port serve QVR Pro as well as other admin services. I also recommend the VPN option to minimize risk.
jmine
New here
Posts: 6
Joined: Sun Jan 10, 2021 12:28 am

Re: QVR Pro remote access creates extreme vulnerability to NAS

Post by jmine »

I agree on VPN being the best way to deal with remote access, but don't you think it would be very easy for QNAP to allow the QVR Pro Client user the ability to select any port in setting up the app for connection to the NAS? That way one could pick some obscure port number and as you pointed out the router could then translate to 443 on the LAN side. Maybe there is some technical issue with allowing the port in the client to be something other than 8080 or 443?
User avatar
spile
Been there, done that
Posts: 638
Joined: Tue May 24, 2016 12:13 am

Re: QVR Pro remote access creates extreme vulnerability to NAS

Post by spile »

With a vpn there is no need to change the default port but by unticking detect port automatically I can do this if I want.
AlastairStevenson
Experience counts
Posts: 2415
Joined: Wed Jan 08, 2014 10:34 pm

Re: QVR Pro remote access creates extreme vulnerability to NAS

Post by AlastairStevenson »

I agree on VPN being the best way to deal with remote access, but don't you think it would be very easy for QNAP to allow the QVR Pro Client user the ability to select any port in setting up the app for connection to the NAS? That way one could pick some obscure port number and as you pointed out the router could then translate to 443 on the LAN side. Maybe there is some technical issue with allowing the port in the client to be something other than 8080 or 443?
The reality is that this 'security by obscurity' approach makes little difference to the level of protection of a device exposed to the internet by port forwarding.
It's an old myth that changing the port gives a good level of protection against hacking attempts. It doesn't.

I've run several 'honeypot' experiments with devices such as IP cameras exposed to the internet, and crunched lots of data on ports probed and methods used.
Whilst it's fair to say that common ports were well covered, they were by no means dominant, the probes covered the whole range.
TS-431+ for storage and media and a bunch of IP cams under Surveillance Station. TVS-473 as files backup and QVR Pro.
dragerfroe
Starting out
Posts: 13
Joined: Sat Jul 21, 2018 5:58 am

Re: QVR Pro remote access creates extreme vulnerability to NAS

Post by dragerfroe »

When you open anything up to the internet, doesn't matter what you try to obscure, they will uncover it and run a script up against that port. I remember running a web server and all of a sudden I saw sooooooo many scripts I couldn't even figure out what 80% of them did. It's the wild west man, just do your best to have a robust networking solution and complicated admin settings (username and password). Good luck, I see the same thing all day long on my QNAP server. Nothing I have seen that has been compromised though, but its what I dont know that is important.
NAS: QNAP Turbo NAS TS-870U-RP, 16 GB Ram
CPU Upgrade: Intel i7-2600S
System Fan Mod: AVC DE07015B12L 7CM 12V 0.3A 7015 AVC CPU (x2) Fan to reduce Motherboard fan noise - (easy drop in)
PSU Fan Mod: SUNON HA40201V4-000U-999 4cm Super-silent Fan Magnetic (X2) - (modded each power supply myself, some soldering, but easy mod)
Post Reply

Return to “Surveillance Solution”