Secure Your QNAP NAS Immediately From Latest Wave of Attacks

6
QNAP TS 873A Cover
QNAP TS 873A Cover

Recently QNAP said its NAS units are again under a wave of brute force attacks (see the statement here.) As a result, we are reminding our users to take at least basic steps to protect their NAS units. QNAP ships its NAS units in a relatively insecure manner, and it is up to users to take measures to protect their systems. The company also says the most vulnerable are those directly connecting the NAS units to the Internet, and that is true of most systems. Let us show some examples of basic security steps to take.

Basic Security Steps for Your QNAP NAS

In terms of basic security steps, the first should probably be simply not directly connecting the NAS to the Internet. Most STH readers will use some sort of firewall/ NAT setup, and often a VPN to get to the storage network. One challenge with QNAP NAS units is that they are designed to get updates via repositories on the Internet, meaning they need to have at least some egress access, unlike an IPMI interface. Still, when you get a NAS, it is likely the Security Counselor application will not be installed already.

QNAP Security Counselor Not Installed In App Center
QNAP Security Counselor Not Installed In App Center

When you want to install this application, which we recommend, you get asked about sharing results with QNAP.

QNAP Security Counselor First Launch Security Analytics
QNAP Security Counselor First Launch Security Analytics

Still, upon launching the Security Counselor app, you get a short Wizard explaining some of the basic concepts.

QNAP Security Counselor First Launch Wizard 1
QNAP Security Counselor First Launch Wizard 1

QNAP has some pre-set policies for businesses, SMB, and home users.

QNAP Security Counselor First Launch Wizard 2
QNAP Security Counselor First Launch Wizard 2

The app can automatically adjust settings as required.

QNAP Security Counselor First Launch Wizard 3
QNAP Security Counselor First Launch Wizard 3

And there is a dashboard that we are going to show shortly.

QNAP Security Counselor First Launch Wizard 4
QNAP Security Counselor First Launch Wizard 4

The first step is picking a policy. While basic is the default, our sense is that STH readers are going to opt for Intermediate or Advanced.

QNAP Security Counselor Choose Security Policy
QNAP Security Counselor Choose Security Policy

x

There are a few items that pop up that are important. QNAP does not actually ship its units with a lot of the security features like the antivirus app pre-installed. Instead, one has to install these from the app store. QuFirewall here has not been installed.

QNAP Security Policy
QNAP Security Policy

QuFirewall provides basic firewall functionality wrapped in a GUI. Something that seemed strange was that there were only around 350K installs of QuFirewall. Security Counselor has just over 1 million installs in contrast.

QNAP Install QuFirewall
QNAP Install QuFirewall

Plex is around 2x the Security Counselor figures at around 1.96M installs.

QNAP Install Plex Server
QNAP Install Plex Server

On the funnier side, one of the “medium risk” issues is that License Center is not updated. License Center allows you to manage licenses for the QNAP NAS. This application has over 40M installs. This is a mandatory application, but it seems like the Security Counselor application should not have fewer than 1% of the installs of the License Center. Likewise that the QuFirewall should not be under 3% of the installs.

QNAP Upgrade License Center
QNAP Upgrade License Center

QuFirewall still has “Basic” but also has more advanced settings.

QNAP QuFirewall Setup
QNAP QuFirewall Setup

These profiles have built-in rules to allow/ disallow traffic to the NAS based on interfaces, networks, and so forth.

QNAP QuFirewall Security
QNAP QuFirewall Security

One other important feature is the ability to ban IP addresses for too many failed login attempts.

QNAP QuFirewall IP Failed Login Attempts
QNAP QuFirewall IP Failed Login Attempts

One other item you may want to look at is turning off Telnet (just use SSH) and you can also change the SSH port.

QNAP QuFirewall IP Failed Login Attempts Telnet Even If It Is Not Enabled
QNAP QuFirewall IP Failed Login Attempts Telnet Even If It Is Not Enabled

For STH readers, many will want to turn off UPnP since that is commonly exploited.

QNAP Enable UPnP Discovery Service
QNAP Enable UPnP Discovery Service

We also suggest staying up-to-date on firmware and malware removal updates on a QNAP NAS. QNAP is constantly patching for new vulnerabilities so it is important to do.

Final Words

This is one of those pieces that is nowhere near a complete how-to. At the same time, there are some basics that we suggest everyone do. QNAP does as well with the Security Counselor app. At the same time, it seems like there are a lot of NAS users out there not installing firewall features, not running Security Counselor, and so forth.

One area we wish QNAP improved upon is having some kind of baseline security posture for every installation. These units should all have firewalls and it is probably time that Security Counselor becomes standard and part of the initial setup process. Twenty years ago, a small NAS was a cheap box that supported a few protocols to get drives accessible via an Ethernet port. These days, they are becoming full-fledged servers running many services and applications. QNAP already has the tools, we just hope they up the default security setup on their NAS units.

This new security advisory about brute force password attacks on NAS units directly connected to the Internet is a good example of why this needs to change.

6 COMMENTS

  1. It looks like NASes, or at least QNAP, are due for the same reckoning that(to a degree at least) forced vendors to shove the default security settings of consumer desktop OSes from ‘dire’ to ‘more or less sane, though not hardcore paranoid corporate lockdown’.

    Shipping things in ‘on your own head be it’ mode is one thing if your firmware is total techhead stuff with a learning curve you can ski down, or fairly strictly for enterprise customers with sophisticated admins or consultants on hand. It’s still not a virtue; but those markets can handle it.

    QNAP, though, ships a fairly shiny, friendly, ez-GUI which very much gives the impression that you can bring it online and use it without getting too deep into the weeds: and that’s true if you count only ease of getting it into a state where you can access its features; but dangerously misleading if you(as you should) only count it as ‘working’ if it’s in a reasonably secure state.

    Making the product more secure but harder to use is certainly a thankless task; but the alternative is people’s data being vastly less safe than it appears, potential beachheads for lateral movement further in, botnets; and all that delightful stuff.

  2. This article answered the reasons why in the SOHO NASes segment, more and more frequent attacks are happening and will happen. The vast majority of these box owners have believed in marketing in terms of ease of use for home users, even those who have no experience. As a result, prices have fallen, and sales of these devices are skyrocketing. The pandemic only helped to spread such devices across the SOHO segment.

    Tens of millions of NASs (we have other vendors here with the same problem) are literally provided with their content for darknet, which needs just an average knowledge to abuse them. I’ve been writing about it for years. The NAS is not a smartphone where a single click is enough, and it’s done. Unless the NAS vendors change the behaviour of the so-called security autopilots and remain in the same behaviour as in the present article, then nothing will change.

    The problem is much more complex. Because these users have believed that a cheap modem/router from an ISP is a regular choice for home internet. The vast majority of such network appliances are below average in terms of security, and again, the average educated hacker can break them if you name them that.

    So here’s the behaviour:
    – cheap data boxes
    – cheap network appliances
    and regular reports of data misuse in the hundreds of thousands a year from this segment.
    This civilization will die out “cheaply” or “free” once.

    On the other hand, we have users of such boxes who prefer to buy a new overpriced laptop, desktop computer or mobile phone. Best once a year. To be in. But I will refuse to give even 300 Euros to network and data security. This is not to be liked on social networks. And no one understands that.

    So the only thing you can think of vendor and others is to recommend – disconnect your devices from the Internet. Great advice.

    And there is another fire – I can start writing about the topic of using docker containers with copy/paste settings from dubious sources that spread these bad habits. After all, it’s great to have a free “server” at home that works with my data.

  3. I didn’t know that security counselor existed. You’re right it should be part of the standard setup process.

    I can’t believe they just let you connect this to the open Internet without a firewall. Then people wonder why they’ve gotten a bad reputation for security.

  4. I’m wondering what sorts of ISPs people have that they can connect a device directly to the internet with a public IP. I do get a public IPv6 prefix but even the Router provided by the ISP filters out any traffic unless explicitly allowed.

  5. Businesses with working at home employees need to pick the best product with the best security. Not all businesses have NAS or any know how.
    Security is a selling point.

  6. My Qnap Nas was attacked by translate recently. I have tried to scan the nas using malware remover but it gave me an error message. I have no idea what to do next.

LEAVE A REPLY

Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.