Recently, QNAP said its NAS units are again under a wave of brute force attacks (see the statement here). As a result, we are reminding our users to take at least basic steps to protect their NAS units. QNAP ships its NAS units in a relatively insecure manner, and it is up to users to take measures to protect their systems. The company also says the most vulnerable units are those directly connected to the Internet, and that is true of most systems. Let us show some examples of basic security steps to take.
Basic Security Steps for Your QNAP NAS
In terms of basic security steps, the first should probably be simply not directly connecting the NAS to the Internet. Most STH readers will use some sort of firewall/NAT setup, and often a VPN to get to the storage network. One challenge with QNAP NAS units is that they are designed to get updates via repositories on the Internet, meaning they need at least some egress access, unlike an IPMI interface. Also, when you get a NAS, it is likely the Security Counselor application will not be installed already.
When you install this application, which we recommend, you get asked about sharing results with QNAP.
Upon launching the Security Counselor app, you get a short wizard explaining some of the basic concepts.
QNAP has some pre-set policies for businesses, SMB, and home users.
The app can automatically adjust settings as required.
And there is a dashboard that we are going to show shortly.
The first step is picking a policy. While basic is the default, our sense is that STH readers are going to opt for Intermediate or Advanced.
There are a few items that pop up that are important. QNAP does not actually ship its units with a lot of the security features like the antivirus app pre-installed. Instead, one has to install these from the app store. QuFirewall here has not been installed.
QuFirewall provides basic firewall functionality wrapped in a GUI. Something that seemed strange was that there were only around 350K installs of QuFirewall. Security Counselor has just over 1 million installs in contrast.
Plex is around 2x the Security Counselor figures at around 1.96M installs.
On the funnier side, one of the “medium risk” issues is that License Center is not updated. License Center allows you to manage licenses for the QNAP NAS. This application has over 40M installs. It is a mandatory application, but it seems like the Security Counselor application should not have fewer than 1% of the installs of the License Center. Likewise, QuFirewall should not be under 3% of the installs.
QuFirewall still has “Basic” but also has more advanced settings.
These profiles have built-in rules to allow/disallow traffic to the NAS based on interfaces, networks, and so forth.
One other important feature is the ability to ban IP addresses for too many failed login attempts.
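To show what this kind of ban logic does, here is an added example (not QNAP's or QuFirewall's code) that scans constructed sshd-style log lines and reports source IPs that reach a failed-login threshold inside a sliding time window. The log format, threshold and window are assumptions; the IPs are documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an sshd/auth.log style (assumed format, not QNAP's own log).
SAMPLE_LOG = """\
Jan 10 08:00:01 nas sshd[410]: Failed password for admin from 203.0.113.5 port 51000 ssh2
Jan 10 08:00:03 nas sshd[410]: Failed password for admin from 203.0.113.5 port 51001 ssh2
Jan 10 08:00:04 nas sshd[412]: Accepted password for alice from 192.0.2.10 port 50020 ssh2
Jan 10 08:00:05 nas sshd[413]: Failed password for invalid user root from 203.0.113.5 port 51002 ssh2
Jan 10 08:00:06 nas sshd[414]: Failed password for admin from 203.0.113.5 port 51003 ssh2
Jan 10 08:00:07 nas sshd[415]: Failed password for admin from 203.0.113.5 port 51004 ssh2
Jan 10 08:01:00 nas sshd[416]: Failed password for bob from 198.51.100.7 port 40000 ssh2
Jan 10 08:30:00 nas sshd[417]: Failed password for bob from 198.51.100.7 port 40001 ssh2
Jan 10 08:59:00 nas sshd[418]: Failed password for bob from 198.51.100.7 port 40002 ssh2
"""

# Matches only failed password attempts; "invalid user" lines count the same as bad passwords.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

def parse_ts(ts, year=2024):
    """syslog timestamps carry no year, so one is assumed for parsing."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def ips_to_ban(log_text, max_failures=5, window=timedelta(minutes=10)):
    """Return {ip: time the threshold was first crossed} for every IP with
    at least max_failures failed logins inside any sliding window.
    Slow, spread-out failures (below the rate) are evicted and never ban."""
    recent = defaultdict(deque)
    banned = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ip, when = m.group("ip"), parse_ts(m.group("ts"))
        q = recent[ip]
        q.append(when)
        while q and when - q[0] > window:
            q.popleft()  # drop failures older than the window
        if len(q) >= max_failures and ip not in banned:
            banned[ip] = when
    return banned

if __name__ == "__main__":
    for ip, when in ips_to_ban(SAMPLE_LOG).items():
        print(f"ban {ip} (threshold reached at {when:%H:%M:%S})")
```

With the defaults only 203.0.113.5 is reported; 198.51.100.7 fails three times over an hour and stays below the rate, which is why the window matters as much as the count.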
One other item you may want to look at is turning off Telnet (just use SSH); you can also change the SSH port.
For STH readers, many will want to turn off UPnP since that is commonly exploited.
We also suggest staying up-to-date on firmware and malware removal updates on a QNAP NAS. QNAP is constantly patching new vulnerabilities, so it is important to do so.
This is one of those pieces that is nowhere near a complete how-to. At the same time, there are some basics that we suggest everyone do, and QNAP suggests the same through the Security Counselor app. Still, it seems like there are a lot of NAS users out there not installing firewall features, not running Security Counselor, and so forth.
One area we wish QNAP improved upon is having some kind of baseline security posture for every installation. These units should all have firewalls, and it is probably time that Security Counselor becomes standard and part of the initial setup process. Twenty years ago, a small NAS was a cheap box that supported a few protocols to make drives accessible via an Ethernet port. These days, they are becoming full-fledged servers running many services and applications. QNAP already has the tools; we just hope they improve the default security setup on their NAS units.
This new security advisory about brute force password attacks on NAS units directly connected to the Internet is a good example of why this needs to change.