Your account and device information can only be accessed after your myQNAPcloud user account (QID) is authenticated. In addition, before a user can access files on the device or manage the device via CloudLink, that user is required to enter correct credentials for the device, even if that user has signed in to his or her myQNAPcloud account. This enforces two-step authentication for stronger security.
That said, comparing Nextcloud to QNAP, Synology and so on is not completely accurate. Nextcloud is just a web app, you still need a (trustworthy) server to run it on. Synology, QNAP and so on are complete solutions and run a lot of proprietary apps you have no control over next to some Open Source applications/code. Nextcloud is entirely FLOSS compared to that.
Regarding Nextcloud, your best bet would be to set it up on a trusted server/environment and use the (not yet released) E2EE feature in the future. You also need secure client devices for you to work with to minimize any data leakage at least.
With commercial solutions, you have to trust these companies in many ways. You buy a cheap hardware device once, they make it easy to use, and provide a few updates. Your privacy is probably not their major concern, e.g. a hard-coded root access is very practical for support.
In general terms, if a) your NAS still receives regular updates, b) you connect to it in a secure manner (i.e. through a self-hosted VPN) and c) you don't expose any vulnerable services directly to the internet (hence point b), it has the potential to be a very private and secure solution.
a. Yes, my QNAP NAS receives frequent updates.
b. I do not have a VPN configured.
c. I have SSH, Telnet and the admin user disabled. The only service I have published to the outside is the one that enables the ability to use Plex from outside the local network.
de0u That's what I was afraid of. I saw some similar headlines a few years ago, and I suffered a ransomware attack myself. Maybe the best thing to do is not to host my personal photos on my QNAP NAS either and try reliable services like Filen or Internxt. It bugs me to have to resort to paid services after having invested quite a bit of money in my QNAP and good hard drives.
ifman13 I can't talk about QNAP specifically but personally, I would never expose any self-hosted services on my LAN directly to the internet. I would install a VPN on my router*, as an app on the NAS or on a Raspberry Pi and connect to my services through that.
It's of course a given that you need to practice good security on your LAN, like using the router's firewall, good WiFi security (preferably WPA3) with a strong password, and only opening that one port for your VPN, etc.
* Installing the VPN is the best solution if your router supports it, as you wouldn't have to open up any ports, but proven VPN protocols like WireGuard on a machine on your LAN are a perfectly acceptable solution too.
It could be possible for a very careful and very diligent entity to provide software for securely sharing files, period. But lots of companies believe what people want is a box that shares files, hosts VMs, monitors cameras, controls your furnace, drives your printer, mines Monero, and likes Instagram posts for you while you sleep. Such a box will not be secure, at least not for the foreseeable future.
I just recently purchased an ASUS TUF-AX6000 router and managed to configure it with my ISP's credentials. I have yet to configure it properly with good firmware (I think the default one is not good for privacy) and to install and configure OpenWrt. Also, following your advice, I should configure a good VPN on it. I have to read up on this, because I am more limited in all of this.
Eirikr70 You mean it could make remote access to Plex/Jellyfin impossible? I also have a profile set up on WireGuard to be able to remotely access my network to upload my photos or use torrents. I guess it would be problematic also if I set up a VPN on the router, although I hope it won't be impossible.
Hi,
@ifman13
I'm also using QNAP, but for privacy reasons I uninstalled all apps that were not necessary and replaced what I could with open-source alternatives. Keep it up to date and behind a firewall. If you need to access it from the Internet, use a VPN.
You've mentioned Plex, this is data mining software ;), consider using Jellyfin instead.
Recent years have seen countless cybersecurity attacks, demonstrating that the cost of password attacks is lower than ever before, making password systems even more vulnerable. It is complex and error-prone to manage numerous passwords, so it is increasingly urgent to search for alternative solutions.
Passwordless authentication is a super convenient solution. There are no more complex passwords to remember, and the risk of leakage is reduced as well. Using one-time verification codes for login ensures that only you can access your NAS. This approach is almost zero-trust, requiring rigorous identity verification for every login and providing the highest level of protection for your data.
Passwordless authentication relies on public-key cryptography with a public and a private key. The public key can be shared openly, but only the holder of the private key can decrypt what was encrypted to it. This ensures that even if information is intercepted in transit, it cannot be read by anyone without the private key. This technology is not only secure, it also makes the login process quick and seamless.
Once passwordless login is enabled on the QNAP NAS, the system generates a corresponding pair of public and private keys. The public key is stored on the NAS, while the private key is saved on your mobile device. Later, when you log in to the NAS, a signature verification request is generated: the signing algorithm combines the public key on the NAS with the private key on your mobile device. The login can only be completed when the signature produced on your device and the verification on the NAS match.
Passwordless authentication for QNAP NAS login is completed by scanning a QR code or entering a verification code. You only need to install the QNAP Authenticator app on your phone, then scan the QR code or enter the verification code to log in quickly and securely. This approach not only brings convenience to users but also greatly enhances data security, making it suitable for busy modern people who highly value security.
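The key-pair login described above, worked through as an added example (this is not QNAP's code, and the page does not document QNAP Authenticator's actual protocol): the NAS keeps only the enrolled public key, the phone signs a one-time challenge with the private key that never leaves it, and the NAS verifies that signature. The Ed25519 choice, the 60-second challenge lifetime and all names are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"time"
)

// NAS side: stores only the public key enrolled at setup, plus the challenges
// it has issued and not yet seen answered (nonce -> expiry).
type NAS struct {
	pub        ed25519.PublicKey
	challenges map[[32]byte]time.Time
}

// Phone side: holds the private key, which never leaves the device.
type Phone struct{ priv ed25519.PrivateKey }

// Enrol generates the key pair once: the public half goes to the NAS,
// the private half stays on the phone.
func Enrol() (*NAS, *Phone) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	return &NAS{pub: pub, challenges: map[[32]byte]time.Time{}}, &Phone{priv: priv}
}

// Challenge issues a fresh random nonce, the value a QR code or verification
// code would carry. The 60-second lifetime is an assumption for this example.
func (n *NAS) Challenge(now time.Time) [32]byte {
	var nonce [32]byte
	if _, err := rand.Read(nonce[:]); err != nil { panic(err) }
	n.challenges[nonce] = now.Add(60 * time.Second)
	return nonce
}

// Sign answers the challenge with the phone's private key.
func (p *Phone) Sign(nonce [32]byte) []byte { return ed25519.Sign(p.priv, nonce[:]) }

// Verify completes the login only if the nonce was issued here, is unused and
// unexpired, and the signature checks out against the enrolled public key.
func (n *NAS) Verify(nonce [32]byte, sig []byte, now time.Time) error {
	exp, ok := n.challenges[nonce]
	if !ok { return errors.New("unknown or already-used challenge") }
	delete(n.challenges, nonce) // single use: a captured response cannot be replayed
	if now.After(exp) { return errors.New("challenge expired") }
	if !ed25519.Verify(n.pub, nonce[:], sig) { return errors.New("signature does not verify") }
	return nil
}
```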
There are dozens of different attack methods, but only a few can actually affect a large number of NAS users. The rest are highly targeted at a single victim, for some unique personal benefit. So the most popular attacks will be explained later in this article.
Ports are like doors to different departments in your office: the IT office (NAS control panel), the canteen (NAS multimedia apps), HR (NAS email and databases), the dispatch office (file transfer protocols) and so on. Random people pressing buttons on the control panel could cause the company to collapse. In order to keep people out, we use keycards (NAS user authentication).
So it is worth checking those ports. When you log into your NAS as an admin, you can tell your router to open ports; this is called port forwarding. Be careful what you click. There is nothing wrong with open ports if you have security set up. I will talk about security configuration later on.
When asked to replace or improve a password, people very often simply capitalise the first letter, then add the number 1 and an ! mark at the end. Of course, hackers will try every stolen password with these modifications as well.
Getting an actual virus is a very rare occurrence. It usually happens on computers when you open a suspicious email attachment, such as a zip or exe file. On a NAS this could happen when manually installing an OS or an app instead of using the App Store or automated updates.
It is humanly impossible to create a strong password that is unique to every account and still remember it. So use a password generator and save those passwords. One day, when two-step authentication is required on every system, weak passwords will no longer be an issue, and passwords as you know them will cease to exist.
Protecting the ADMIN account with a very complicated password is the most important thing you have to do. Hackers who get it will be able to access ANYTHING they want on your NAS. If they gain access to a non-admin user, the damage will be very limited.
If you do not trust the Google password wallet, you can store your passwords on an encrypted USB stick like datAshur. You will need to physically have this USB stick with you, and it can be accessed only with a PIN code.
Something similar to a password is an SSH key. Instead of an 8-character string, you have an entire file filled with random characters. You can keep it on a fingerprint-protected memory stick; a simple Lexar fingerprint USB drive will do the trick.
Hackers will usually deploy bots to try all possible combinations and stolen password lists against your account. If you enable autoblock, this will stop the bot after a certain number of attempts. You can block an IP or the user account. You will find the respective tabs when you open Control Panel / Security: IP Access Protection is for IP-based blocks, and Account Access Protection locks the account for everyone, not just that IP. Some advanced bots will use various IP addresses from zombie computers they have gained access to before.
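Autoblock replayed over a constructed failed-login log, as an added example rather than QNAP's implementation: the IP-based rule catches a burst from one address, while only the account-based rule catches guesses spread across many addresses, which is the case the last sentence above describes. The log format, field names and thresholds are assumptions.

```go
package main

import (
	"bufio"
	"strings"
)

// Constructed sample of login events (not QNAP's real log format). 203.0.113.5
// hammers one account; a second attacker spreads six guesses at "admin" over six
// addresses, one attempt each, so no single address ever looks busy.
const sampleLog = `2024-05-01T10:00:01Z FAIL user=bob ip=203.0.113.5
2024-05-01T10:00:02Z FAIL user=bob ip=203.0.113.5
2024-05-01T10:00:03Z FAIL user=bob ip=203.0.113.5
2024-05-01T10:00:04Z FAIL user=bob ip=203.0.113.5
2024-05-01T10:00:05Z FAIL user=bob ip=203.0.113.5
2024-05-01T10:00:06Z OK user=alice ip=192.0.2.10
2024-05-01T10:01:00Z FAIL user=admin ip=198.51.100.1
2024-05-01T10:01:01Z FAIL user=admin ip=198.51.100.2
2024-05-01T10:01:02Z FAIL user=admin ip=198.51.100.3
2024-05-01T10:01:03Z FAIL user=admin ip=198.51.100.4
2024-05-01T10:01:04Z FAIL user=admin ip=198.51.100.5
2024-05-01T10:01:05Z FAIL user=admin ip=198.51.100.6`

// Policy mirrors the two tabs: IP Access Protection (MaxPerIP) and Account
// Access Protection (MaxPerAccount). The thresholds used below are assumptions.
type Policy struct{ MaxPerIP, MaxPerAccount int }

// Blocks is what the policy would have locked after replaying the log.
type Blocks struct {
	IPs      map[string]bool
	Accounts map[string]bool
}

// Autoblock replays the failures in order, counting per source address and per
// account, and locks either as soon as its threshold is reached.
func Autoblock(logText string, p Policy) Blocks {
	perIP, perAcct := map[string]int{}, map[string]int{}
	b := Blocks{IPs: map[string]bool{}, Accounts: map[string]bool{}}
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 4 || f[1] != "FAIL" {
			continue // successes and malformed lines do not count
		}
		user, ip := strings.TrimPrefix(f[2], "user="), strings.TrimPrefix(f[3], "ip=")
		if b.IPs[ip] || b.Accounts[user] {
			continue // already locked: the attempt is refused before it is counted
		}
		perIP[ip]++
		perAcct[user]++
		if perIP[ip] >= p.MaxPerIP { b.IPs[ip] = true }
		if perAcct[user] >= p.MaxPerAccount { b.Accounts[user] = true }
	}
	return b
}
```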
Two-step authentication means that you will use a code from another device that only you have access to. This could be an SMS code, an email code or an Authenticator app code. QNAP only allows the Authenticator app, which you can install on your Android phone or iPhone.
Every notification about a new update indicates that a new hole has been found in the software. Hackers cannot always get into your system through such a bug, but in certain circumstances they can. The chance of an attack increases dramatically when you have open ports on your router and no firewall or malicious-traffic prevention tools enabled.