How to disable internet access?
-
pwjone1
- New here
- Posts: 9
- Joined: Sat Jun 13, 2015 6:19 pm
How to disable internet access?
What I would like to do is basically disable all external access to the box (QNAP TS-251, 4.1.3). Granted, I do realize that I will need time and firmware updates, but otherwise what I would like to turn off, for the time being, is any access to the box excepting from boxes in the 192.168.1.* range (the home network). So no ssh, ftp, etc. external to the home. I am poking my way through the manual, and the FAQs, but if someone has a quick pointer to the how-to on this sort of thing, it would save me quite a bit of time.
-
pwjone1
- New here
- Posts: 9
- Joined: Sat Jun 13, 2015 6:19 pm
Re: How to disable internet access?
Forgot one thing. In reading the manual:
http://docs.qnap.com/nas/4.1/Home/en/in ... curity.htm
It appears that I can limit the IP address range, so I was thinking of plugging in 192.168.1.0...192.168.1.255, but I was afraid that might not block external internet, since that probably comes through the router as 192.168.1.1. And if I then excluded the router, then would the firmware updates/time sync service work?
But I figured I might just be missing some really simple way of doing this, as I imagine a lot of people do not want their files accessible from the outside, under any circumstances.
- pwilson
- Guru
- Posts: 22568
- Joined: Fri Mar 06, 2009 11:20 am
- Location: Victoria, BC, Canada (UTC-08:00)
Re: How to disable internet access?
pwjone1 wrote: What I would like to do is basically disable all external access to the box (QNAP TS-251, 4.1.3). Granted, I do realize that I will need time and firmware updates, but otherwise what I would like to turn off, for the time being, is any access to the box excepting from boxes in the 192.168.1.* range (the home network). So no ssh, ftp, etc. external to the home. I am poking my way through the manual, and the FAQs, but if someone has a quick pointer to the how-to on this sort of thing, it would save me quite a bit of time.
This really isn't a NAS issue at all. To prevent Internet access to the NAS simply don't set up Port Forwarding at your Router. Done.
Personally, I simply Port-forward 1194/UDP to my NAS. This allows me to access my NAS from anywhere, but requires me to use OpenVPN in order to do so.
Patrick M. Wilson
Victoria, BC Canada
QNAP TS-470 Pro w/ 4 * Western Digital WD30EFRX WD Reds (RAID5) - - Single 8.1TB Storage Pool FW: QTS 4.2.0 Build 20151023 - Kali Linux v1.06 (64bit)
- Gaudi
- Easy as a breeze
- Posts: 389
- Joined: Thu Mar 04, 2010 10:47 pm
Re: How to disable internet access?
pwilson wrote: This really isn't a NAS issue at all. To prevent Internet access to the NAS simply don't set up Port Forwarding at your Router. Done. Personally, I simply Port-forward 1194/UDP to my NAS. This allows me to access my NAS from anywhere, but requires me to use OpenVPN in order to do so.
Hi Pwilson, will setting up OpenVPN on the NAS rather than on the router grant me access to the local network as well?
Or should I set up Open VPN on the router itself?
Thank you
- pwilson
- Guru
- Posts: 22568
- Joined: Fri Mar 06, 2009 11:20 am
- Location: Victoria, BC, Canada (UTC-08:00)
Re: How to disable internet access?
Gaudi wrote: Hi Pwilson, will setting up OpenVPN on the NAS rather than on the router grant me access to the local network as well? Or should I set up Open VPN on the router itself? Thank you
If your Router supports OpenVPN, it is always preferable to put it there, as this guarantees that you can access the entire LAN. It is possible to access the entire LAN if set up on the NAS too, but my advice to do it at the Router if possible, still applies. It is definitely easier to do it at the Router too, so you are probably already on your way.
I used to do it on my Router, but my Router occasionally loses all its settings, so I actually have OpenVPN set up on both devices. (Not recommended, as it makes Routing/Port-Forwarding really complicated). In honesty my strange setup of running on both, was simply done by me so that I could assist Community members here with setting it up on their NAS. I only switched to using the OpenVPN on my NAS most of the time when I started experiencing issues with my Router.
I plan to replace my Router, but I haven't finished my pre-purchase research yet, so I haven't selected my replacement Router. An unexpected expense has made a new Router a low priority, hence my switching over to using OpenVPN at the NAS full time. I have just changed employers, so hopefully a new Router will be in future within the next six months.
My Router is almost 7 years old, so it is time for a new one anyway. I run under DD-WRT rather than manufacturer Firmware on my Routers/WAPs, so Router selection is not a simple task here, as I want LocalDNS, and NAT-Loopback features to be rock solid. (I'm spoiled, I won't run any Router that doesn't support both of these features).
-
pwjone1
- New here
- Posts: 9
- Joined: Sat Jun 13, 2015 6:19 pm
Re: How to disable internet access?
pwilson wrote: This really isn't a NAS issue at all. To prevent Internet access to the NAS simply don't set up Port Forwarding at your Router. Done. Personally, I simply Port-forward 1194/UDP to my NAS. This allows me to access my NAS from anywhere, but requires me to use OpenVPN in order to do so.
OK, I have to say, that advice is based on what may be a naive assumption, as generally Router security is known to be not all that good, here for example is an article in ComputerWorld:
http://www.computerworld.com/article/29 ... again.html
Also the ISPs (Cable companies, etc.) are known to be rather lax about security updates (and for that matter, protection from their end).
So I more or less assume that a determined hacker will get through a level or two of home type routers without much trouble.
What I am after is more of a firewall type setup, but for now, I just want to lock out non-local network access in the QNAP NAS. Hence the original question.
- pwilson
- Guru
- Posts: 22568
- Joined: Fri Mar 06, 2009 11:20 am
- Location: Victoria, BC, Canada (UTC-08:00)
Re: How to disable internet access?
pwjone1 wrote: OK, I have to say, that advice is based on what may be a naive assumption, as generally Router security is known to be not all that good, here for example is an article in ComputerWorld: http://www.computerworld.com/article/29 ... again.html Also the ISPs (Cable companies, etc.) are known to be rather lax about security updates (and for that matter, protection from their end). So I more or less assume that a determined hacker will get through a level or two of home type routers without much trouble. What I am after is more of a firewall type setup, but for now, I just want to lock out non-local network access in the QNAP NAS. Hence the original question.
If your ports aren't forwarded, it doesn't matter how lame the Router is. I personally decline all the "free" Routers offered by my ISP. I chose to purchase my own Router after researching many many models prior to purchase.
-
pwjone1
- New here
- Posts: 9
- Joined: Sat Jun 13, 2015 6:19 pm
Re: How to disable internet access?
Interestingly enough, in looking a bit at what the TS-251 is doing, it appears it has 3-4 ports it is using for uTorrent:
192.168.1.8:48278
192.168.1.8:50485
192.168.1.8:6881
all uTorrent/2210(25130) UDP Any. (In other words, these are port forwarded)
Anyone know what the heck that is about?
- pwilson
- Guru
- Posts: 22568
- Joined: Fri Mar 06, 2009 11:20 am
- Location: Victoria, BC, Canada (UTC-08:00)
Re: How to disable internet access?
pwjone1 wrote: Interestingly enough, in looking a bit at what the TS-251 is doing, it appears it has 3-4 ports it is using for uTorrent: 192.168.1.8:48278, 192.168.1.8:50485, 192.168.1.8:6881, all uTorrent/2210(25130) UDP Any. (In other words, these are port forwarded) Anyone know what the heck that is about?
Disable UPnP-IGD protocol in your Router, and they won't be. It looks like you have both Download Station and a second one running on your NAS. Download Station for sure.
If you want to secure your system, disabling UPnP-IGD is the first place to start. You will need to manually configure your own port-forwards if you do this. With no port-forwarding defined, and UPnP-IGD disabled, you will severely limit the capabilities of your network, but will make it far more secure.
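An added example, not part of the post above and not QNAP or router tooling: a Python script that audits a router's port-forward table against a hand-maintained allowlist, the check that "disable UPnP-IGD and forward ports manually" implies. The table format, the allowlist and the 1194/UDP entry pointing at 192.168.1.8 are assumptions made for the example; the three UDP mappings are the ones reported in the thread.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample export (hypothetical format, adapt the parser to your router):
#   <proto> <external port> <internal ip>:<internal port> <description>
SAMPLE_TABLE = """\
# proto ext_port internal_ip:port description
UDP 48278 192.168.1.8:48278 uTorrent
UDP 50485 192.168.1.8:50485 uTorrent
UDP 6881 192.168.1.8:6881 uTorrent
UDP 1194 192.168.1.8:1194 OpenVPN
"""

LAN = ipaddress.ip_network("192.168.1.0/24")
# Forwards the administrator created by hand and intends to keep (assumed).
ALLOWED = {("UDP", 1194, "192.168.1.8", 1194)}


@dataclass(frozen=True)
class Mapping:
    proto: str
    ext_port: int
    host: str
    int_port: int
    desc: str

    @property
    def key(self):
        return (self.proto, self.ext_port, self.host, self.int_port)


def parse_table(text):
    """Parse the export into Mapping objects, rejecting malformed lines."""
    mappings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)
        try:
            proto = parts[0].upper()
            ext_port = int(parts[1])
            host, _, int_port = parts[2].rpartition(":")
            host = str(ipaddress.ip_address(host))
            int_port = int(int_port)
        except (IndexError, ValueError) as exc:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}") from exc
        ports_ok = all(0 < p < 65536 for p in (ext_port, int_port))
        if proto not in ("TCP", "UDP") or not ports_ok:
            raise ValueError(f"line {lineno}: bad protocol or port in {raw!r}")
        desc = parts[3] if len(parts) > 3 else ""
        mappings.append(Mapping(proto, ext_port, host, int_port, desc))
    return mappings


def audit(mappings, allowed=ALLOWED, lan=LAN):
    """Return (unexpected forwards with a reason, allowlisted forwards that are absent)."""
    unexpected = []
    for m in mappings:
        if m.key in allowed:
            continue
        if ipaddress.ip_address(m.host) not in lan:
            reason = "forward targets an address outside the LAN"
        else:
            reason = "not in the manual allowlist"
        unexpected.append((m, reason))
    missing = sorted(allowed - {m.key for m in mappings})
    return unexpected, missing


def exposed_hosts(unexpected):
    """Group unexpected forwards by internal host to show which device is reachable."""
    hosts = defaultdict(list)
    for m, _ in unexpected:
        hosts[m.host].append((m.ext_port, m.proto))
    return {h: [f"{p}/{proto}" for p, proto in sorted(v)] for h, v in hosts.items()}


if __name__ == "__main__":
    unexpected, missing = audit(parse_table(SAMPLE_TABLE))
    for m, reason in unexpected:
        print(f"{m.proto} {m.ext_port} -> {m.host}:{m.int_port} ({m.desc}): {reason}")
    print("exposed:", exposed_hosts(unexpected), "missing:", missing)
```

Run it against the table both before and after disabling UPnP-IGD: entries that disappear were created automatically by devices on the LAN, and anything still flagged afterwards was configured by hand.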
-
pwjone1
- New here
- Posts: 9
- Joined: Sat Jun 13, 2015 6:19 pm
Re: How to disable internet access?
pwilson wrote: If your ports aren't forwarded, it doesn't matter how lame the Router is. I personally decline all the "free" Routers offered by my ISP. I chose to purchase my own Router after researching many many models prior to purchase.
Once they control the router, then they can turn on or off port forwarding, or just about anything they want. You will likely never know, as they will clean up afterwards. Read the article. What is your current router? I would be willing to bet that anything you have been able to buy, home oriented anyway, particularly if it is older, has been hacked at one time or another. Linksys (Cisco), Netgear, D-Link, TP-Link, Trendnet, Asus, etc. Have you reflashed the firmware in the router since Poodle, Moon, etc.? If not, quite likely it is very open to attack right now.
- pwilson
- Guru
- Posts: 22568
- Joined: Fri Mar 06, 2009 11:20 am
- Location: Victoria, BC, Canada (UTC-08:00)
Re: How to disable internet access?
pwjone1 wrote: Once they control the router, then they can turn on or off port forwarding, or just about anything they want. You will likely never know, as they will clean up afterwards. Read the article. What is your current router? I would be willing to bet that anything you have been able to buy, home oriented anyway, particularly if it is older, has been hacked at one time or another. Linksys (Cisco), Netgear, D-Link, TP-Link, Trendnet, Asus, etc. Have you reflashed the firmware in the router since Poodle, Moon, etc.? If not, quite likely it is very open to attack right now.
I'm using DD-WRT Firmware on Routers from multiple hardware providers. I am not running "stock" Firmware on any of my Routers. All my Routers, except the primary one, are configured as WAPs. Technically this means I have one Router, and 4 WAPs, but all of them started as Routers.
My Router WebUI is locked to HTTPS-only, and the SSH port requires "Authorized Keys". I am not naive enough to smugly claim I'm 100% secure in this area, but I do check my logs daily. (I e-mail them to myself via a script). Brute-force attacks do occur, but they are infrequent.
My ISP can not access my Router, as I declined all their "free" Routers, so they can see my Router but can not access it. (My network is none of their business).
All this discussion however is still side-stepping the original question in the thread. My original answer still stands. If you disable UPnP-IGD protocol on the Router, and perform only manual Port-Forwarding you can minimize your exposure of your NAS to the Internet. Port-forwarding is what controls access to your NAS remotely, regardless of the ports the NAS opens within your local network.
After this is complete, Router security is the next issue to be addressed. As you have quite correctly identified, if they can hack the Router itself, they can set up any port forwarding they want. OpenVPN and SSH w/ Keys are the major parts of my security strategy here.
Last edited by pwilson on Mon Jun 15, 2015 5:41 pm, edited 2 times in total.
-
P3R
- Guru
- Posts: 13053
- Joined: Sat Dec 29, 2007 1:39 am
- Location: Stockholm, Sweden (UTC+01:00)
Re: How to disable internet access?
pwjone1 wrote: Read the article. What is your current router? I would be willing to bet that anything you have been able to buy, home oriented anyway, particularly if it is older, has been hacked at one time or another. Linksys (Cisco), Netgear, D-Link, TP-Link, Trendnet, Asus, etc.
The article is exaggerating. If you read it and look behind the usual scare part, you'll notice that the insecurities come mainly from lazy/incompetent administration.
No product whatsoever can be protected from administrative stupidity!
1. If the ISP requires the use of their equipment in your house, ask them to disable any WiFi and configure it as a bridge.
2. Place your own router behind the ISP-supplied box.
3. Change the default password of your router to a complicated one and disable all remote administration.
4. Make sure the router firmware is updated to the latest available.
5. Never enable WiFi without security, WPA2 is preferable.
6. Disable UPnP-IGD if enabled.
7. Close all open ports and verify with an external security scanner that the router is locked down.
8. If external remote access is absolutely required, then implement a VPN in the router.
9. If services need to be exposed to the internet, open only the specific port and manage the related system behind it carefully (checking the logs, daily patching and so on).
99 % of all home users fail the above at one or more points - that is what makes them vulnerable, it's not the router itself.
This list will not make you totally safe (certainly not from a very determined person) but you'll avoid being among the low hanging fruit and have perimeter security enough for most home users.
pwjone1 wrote: If not, quite likely it is very open to attack right now.
Very few routers are vulnerable if administered correctly.
RAID have never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!
A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.
All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
- pwilson
- Guru
- Posts: 22568
- Joined: Fri Mar 06, 2009 11:20 am
- Location: Victoria, BC, Canada (UTC-08:00)
Re: How to disable internet access?
P3R wrote: The article is exaggerating. If you read it and look behind the usual scare part, you'll notice that the insecurities come mainly from lazy/incompetent administration.
No product whatsoever can be protected from administrative stupidity!
1. If the ISP requires the use of their equipment in your house, ask them to disable any WiFi and configure it as a bridge.
2. Place your own router behind the ISP-supplied box.
3. Change the default password of your router to a complicated one and disable all remote administration.
4. Make sure the router firmware is updated to the latest available.
5. Never enable WiFi without security, WPA2 is preferable.
6. Disable UPnP-IGD if enabled.
7. Close all open ports and verify with an external security scanner that the router is locked down.
8. If external remote access is absolutely required, then implement a VPN in the router.
9. If services need to be exposed to the internet, open only the specific port and manage the related system behind it carefully (checking the logs, daily patching and so on).
99 % of all home users fail the above at one or more points - that is what makes them vulnerable, it's not the router itself.
This list will not make you totally safe (certainly not from a very determined person) but you'll avoid being among the low hanging fruit and have perimeter security enough for most home users.
Very few routers are vulnerable if administered correctly.
Thanks P3R. I agree with all your points, especially your last sentence.
I also agree with your opinion of the ComputerWorld article that our OP in this thread provided: A compromised router is a problem both for the Internet at large and for its owner.
If anything, it is a testament of poor Router administration. In fact I do give the article in question credit for identifying that some of the problem is with ISPs that paralyze the Firmware of their "free" devices, by disabling access to the "configuration menus" for some of the features provided by the OEM Router/Modem manufacturer. It is annoying that many of the BotNet/DoS attacks detected on the Internet are propagated by ISP devices, where the ISP has "customized" the OEM product to remove access to specific configuration settings menus, but has not changed the default settings normally found on those same menus. Sometimes hackers are attacking things in a Router that the Router Admin can't fix even if they want to.
You also quite correctly identified:
P3R wrote: No product whatsoever can be protected from administrative stupidity!
Unfortunately, your wording in this sentence suggests that it is the Router Admin that is responsible; while frequently it is the ISP "Firmware Customizations" that have left the Router in the "insecure" state, and the Router Admin physically can't "fix" the problem, because the ISP Firmware has denied them access to the very menu required to fix it. (Yet another reason to purchase our own Routers, instead of tolerating the potential issues with ISP provided equipment).
I'm lucky, I was able to get my ISP to provide a vanilla "Router" unit, rather than one of their Modem/Router combo units. Sometimes it is "ISP Custom Firmware Stupidity" rather than "Router Admin Configuration Stupidity" that is ultimately responsible for the problem. It is "Stupidity" either way, but we need to be careful to direct such criticism at the "guilty" party, which is frequently the ISP rather than the end-user of the product in question.
-
P3R
- Guru
- Posts: 13053
- Joined: Sat Dec 29, 2007 1:39 am
- Location: Stockholm, Sweden (UTC+01:00)
Re: How to disable internet access?
pwilson wrote: Sometimes it is "ISP Custom Firmware Stupidity" rather than "Router Admin Configuration Stupidity" that is ultimately responsible for the problem. It is "Stupidity" either way, but we need to be careful to direct such criticism at the "guilty" party, which is frequently the ISP rather than the end-user of the product in question.
Points 1 and 2 in my list intend to protect the user from stupidity (regardless of type) by external parties.
- scottdavidcarter
- Getting the hang of things
- Posts: 85
- Joined: Fri Mar 11, 2016 12:03 am
Re: How to disable internet access?
Well, now I am kinda scared. I have a new TS-251 and a wired home network built around an ATT UVerse Motorola 3801 gateway on which I have the wifi turned off, using UniFiPro APs for wireless.
I'm hoping to set up VMobile for external access to my new IP cams which store locally on the NAS.
Any advice on how to go about hitting my system to be sure it is secure or which vulnerabilities I should review?
Two each QNAP TS-251 with 8GB (Firmware 5.0.1.2277)
- Media/File Server, QVRPro with 7x ReoLink-410 5mp wired security cams, PC & Mac backups