Secure Your QNAP NAS - Best Security Settings To Keep Your Data Secure
ฝัง
- เผยแพร่เมื่อ 5 ก.ค. 2024
- This video shows you how to secure your QNAP NAS and what settings I use. I discuss best practices, what services to turn off, as well as go through the basic VPN setup so that you can access your NAS from outside your network. As a bonus, I will walk through a quick configuration of the VPN mobile app.
=======================================
Affiliate Links for products I use in my network
=======================================
Qnap 12 Port unmanaged 10Gbe switch: amzn.to/2QhsDYF
Qnap TVS-951x NAS: amzn.to/2RtEfaX
Qnap TS-453B NAS: amzn.to/2JD9Q7D
Qnap 12 Port unmanaged 10Gbe switch: amzn.to/2QhsDYF
QNAP QSW-M408-2C: amzn.to/35WuxbB
QNAP QSW-308-1C (with combo port): amzn.to/2uVZ8Wf
QNAP QSW-308 (without combo port): amzn.to/38o9Jrk
Netgear 8 Port Switch: amzn.to/2YMkIpG
Netgear 8 Port Switch: amzn.to/2yJucXP
TP -Link 8 Port: amzn.to/31kNfnP
00:00 Intro
00:27 Overview
02:24 Settings
11:22 MyQNAPCloud
12:44 Security Applications
14:05 QVPN
18:46 Windows Client
20:28 IOS Client
22:21 Outro
#QNAP, #security, #mike faucher - วิทยาศาสตร์และเทคโนโลยี
Mike, I've only recently discovered your channel. Your tutorials are excellent - methodical, very clear instructions, and just the right pace. Many thanks, especially regarding QNAP security which I now realised I certainly had not made as secure as I'd have liked. Many thanks.
Awesome and thank you for the feedback it is appreciated.
Nice job of explaining how to make the NAS more secure. Appreciate your time.
Glad it was helpful and thanks for the feedback!
QNAP is definitely not a "open it, fire it up, and use it" type of device because the OS has sooooooo many security holes. A basic user (such as myself) needs to accept the fact that you need to roll up your sleeves, get in the weeds, and learn how to secure your NAS. After being hit by Deadbolt and having to pay a ransom to decrypt and recover all of our business files, I am so thankful for this video. Although we were scared to death of using our QNAP again, we knew the QNAP is critical to the success of our business and therefore we decided to move forward with using our QNAP again. However, this time around, we wanted to take a much more thorough approach towards using our QNAP. Mike's video makes our NAS security goals achievable. Thanks for making this video Mike!
Wow, this ranks amongst the best feedback I have heard. I am very sorry you got hit, but I am glad I can help prevent in the future. Please also check the QuFirewall (2 of them) I did as that is a critical now a days. Thank you for sharing the story. Keep up the malware and the updates. Thanks again and best of luck.
@@MikeFaucher Thank you Mike, I really appreciate our tip!
Really great video Mike. Lots of info, and it's great that you acknowledge there are fringe cases that require less secure settings. Older SONOS units do not like the higher SMB settings. It also relies on DLNA. :-(
Thanks for the input. As long as you are not connected to the internet, sometimes you have to make the call. Thanks
@@MikeFaucher Thanks for the comment. It's scary how few people take securing their home networks seriously. I have a pfSense device between the QNAP and the fiber coming in, so that's a pretty robust firewall protecting everything. The only way in is through the pfSense OpenVPN server (on a non-standard port, of course). I also pay for a static IP from my ISP, so my IP isn't even being published to any DNS servers. I also have my QNAP set to force HTTPS connections only (it looked like you may have been working with an older version of QTS), and even that is on a non-standard port as well. ;-)
@@username-mc7jw Looks like you have everything set up nicely. As I do not have any port forwarding, prevent everything from going out, and use tailscale exclusively, I do not typically force https though it is a good practice. You are right about how many do not secure their networks. Thanks for the feedback and for sharing your configuration.
Thank you so much for all valuable information.
Appreciate the feedback!
You really helped me Mike! Thank you.
Glad to hear, and thanks for the feedback.
Thanks... Lot of things open that didn't need be. Gone from 9000+ attack hits in 3 days to zero
Glad to hear it.
Great video, Mike. I have a couple of these devices deployed with clients and I had always left the Web Server activated because I assumed that's what the QTS desktop runs on but I will certainly disable it now.
After the recent QNAP vulnerabilities and the Qlocker attacks, I'm definitely looking at how best to secure these devices. I've only ever deployed them for file services (sync, share and backup), so I've avoided any exploits but QNAP are not entirely open and honest about how background services operate. For example, they claimed that the HBS3 app had a vulnerability but I believe it was actually the RTRR server, which is used by HBS3 for NASNAS backup and sync jobs?
Will the QNAP client apps (Qsync, Qfile, Qmanager) operate reliably over an OpenVPN connection?
Also, Since I would only want NAS traffic routed via the VPN and not all web traffic, can the OpenVPN profiles be easily configured to do this on Windows, Android and iOS?
Thanks,
Thanks. They certainly have room for improvement when it comes to transparency but I not ready to say they are worse than Synology. As for apps over the VPN they absolutely do and is how I use them. You can modify the OPVN files but to only get NAS traffic just uncheck the gateway option Thanks for the feedback
thanks fam appreciate it! tight ship is good ship for a backup service
Thanks for your input.
Great videos, thanks!
Thank you for the feedback. Appreciate it.
Thanks for the video! For OpenVPN to work, should the port be forwarded? My router just has IPv6 host exposure… is that same as port forwarding? Can I use the same port numbers on ipv4 and ipv6?
You do have to do a port forward but it will be to a IPv4 address as it is internal. Your router may be connected to your ISP via IPV6 but most likely all your internal devices are not. Assuming you have not enabled IPV6 on your NAS, the process of port forwarding should be the same.
I learned so much about this tutorial. My router has OpenVNP feature and I tried to get OpenVPN to work, but no luck. I followed this your tutorial got it to work on the first shot. Thanks for this tutorial videos. By the way, I noticed you have Eufy. Have you set it up to record to QNAP. If you do, would you please make a tutorial video when you time?
Thanks for the feedback. Yes, I do use Eufy but have not tried to record to the QNAP. I do transfer all my Blue Iris security camera footage to the QNAP. This is a great idea and will add it to my list of future videos. Thanks again.
Great video Mike! would love more Open VPN details (if possible including IOS)
Will do. It is on my list. Thanks.
I used openVPN on QNAS to try and connect to Sophox Xg. Buggy as hell. And did not work for some reason if cannot find gateway on Sophos WAN port
Hi Mike, Great and understandable video, but i have a question according to The VPN connection ; If you have several Nas devices, must i setup an open VPN server
for every Nas or is one Nas enough when they are in the same home network ? Thanks for replying on this
Yon only need one VPN server. Having more than one is not recommended. Thanks
Yes, do some more about OpenVPN and make a video.
Thanks it is on my list.
I second the motion!
@@GrumpyOldGeek I would like to third it 😀 also please cater for total novices….like me.
@@GrumpyOldGeek waiting in vein.
thanks a lot ..to the point video :)
Glad it was helpful! Thanks for the feedback.
Thanks Mike.
My pleasure. Thanks for the feedback.
@mikefaucher I stumbled upon this video after subscribing and watching your QuFirewall tutorial, so I'm a bit late to the game as this is 2 years old. Still this was another great video, although the resolution was a bit low for viewing on my laptop for some reason. I would echo some of the other recommendations from comments about disabling the admin account and change default ports.
I do have a question about where is the best option for setting up a VPN. Based on your response to another question, you recommend have only one. I have currently enabled a VPN service directly on my devices, (laptop, phones, desktop). I have an ORBI WiFi router that also supports setting up OpenVPN. And I have a new QNAP NAS. As you recommend only one, would the best option be on the router since that is the entry point for everything in the home. Wouldn't this also protect the NAS? I suppose I would still reserve the option to use the device level VPN service when I'm in a public location, but not connected back to the home network. For example, when traveling and connecting to the internet from an airport or hotel. Your thoughts?
In that time frame i was mainly using OpenVPN but now have been using Tailscale exclusively. As it supports subnet routing, it allows me to securely access all my devices with the use of any other cloud service. If you go to my channel and play list, I have some videos there that may help. As for you question, If you go with OpenVPN, do it on the router so you do not have port forward. Great question and thanks for the sub.
Hi Mike, thanks for the video. If I disable the qnapcloud, will it disallow me to access my Qnap nas over the mobile network?
No, it will isolate it from the internet so you will have use a VPN. I have done a few videos on using OpenVPN on my channel and setting that up is not only more secure but more flexible as well. (th-cam.com/video/bnnwhSfChk0/w-d-xo.html). Hope that helps.
Whoops ... forgot to ask ... what about the QuFirewall App? Should we be using that ... and if so how should we install/configure it? But first, with all the settings you've reviewed is it really needed??
Great question. I am looking into that now and it's on my list of things to cover. I need to spend some time with it as it is not what it appears to be by the name. Not sure if it is needed or exactly what tools it offers. Thanks a again for the all the input and great questions.
First of all thanx for this fantastic video. Security should be the number one when installing a nas. Is there a way to play music of digital content via HDMI to your tv of wifi speakers within your LAN without activating the DNLA server ? Can Kodi or google chromecast help out there ?
Sure. You can use the native music player in the QNAP or Plex or Kodi. Personally I am a Plex guy and have been for years. Thanks for the feedback.
Speaking as someone who has been looking into buying my first NAS and looking at both the QNAP and SYNOLOGY brands... knowing all these vulnerabilities shouldn't I just go with a Synology since they clearly take security more seriously?
I have 4 QNAP at home and over 12 Synology units at work. There are several other things to consider such as value, features, and cost. One thing I can say for sure is that there have been far more hardware failures with Synology. We have had 4 units fail in a 12 month period. I think you will be happy with either one but it is a clear choice. Good luck and great question.
You should also consider disabling admin account, to significantly increase brute force atack protection. I know that Qnap working for option to change admin username, but as for now this is the best option.
Great point. Thank you.
actually i found out as of QTS version 5, the smart wizard forces you create a different account for that added security.
I don't mind that personally being forced, but my counter argument works better :) if you have a secure password there is no need for a another account.. That 's basically the same as people changing their passwords every month (from a business point-of-view) just because THEY thin k its more secure only because they can't get people to write down secure passwords from the beginning.
Hi Mike, great video. With regard to OpenVPN, I have perhaps an unusual set up. A modem from my ISP and an Netgear ORBI router. I have this set up because modem had an issue with supporting so many devices and to give better wifi coverage. My Orbi allocates the IP addresses as its set up as a router as well rather than in AP mode. My QNAP NAS is connected to the ORBI. My question then is on which router do I set up the portforwarding rules. My ISP router hasn't assigned the NAS IP address. Not very competent in networking and NAS etc so I find your tutorials very handy, many thanks!
PS I should say I have been using myQNAPcloud and would like to move to more secure VPN.
So this is a bit more challenging but it can be done. For this to work you will need two port forwarding rules assuming your Orbi is connected to the ISP router and everything else/NAS is connected to Orbi. The first rule will be created in your ISP router which will route the WAN IP (public IP) with Port 1194 to the port that the ORBI is connected to 192.168.XXX.XXX (the LAN side of the ISP router), The next is in the ORBI which will route from that same port 192.168.XXX.XXX to the actual NAS IP. I posted a clip of a video below where I actually talk about this but with different devices and for a different reason but the concept is the same. To simplify, in your configuration the LAN side of the ISP and the WAN side of ORBI is the same IP as the ORBI is plugged into one of the ports of the ISP router. I hope that helps.
th-cam.com/video/MOfwt_AO-CU/w-d-xo.html @25:27
@@MikeFaucher thank you so much for taking the time to reply! very much appreciated. Just had my NAS crash and not sure how the drives and data are, so will definitely come back to this when I get back to square 1, again many thanks.
@@ShayFarrelly Sorry to hear. Good luck.
Thanks Michael, got my QNAP sorted and OpenVPN working!
Mike Faucher you disable myQnapcloud app, do you use alternative ddns service?
Currently no, but ddns services are available through most routers. I have not had a need for one in many, many years. Thanks for the question.
Hi Mike a further question on QVPN and OpenVPN. I got mine working and I can connect using OpenVPN through my mobile phone over the mobile network. I'm currently on holiday abroad (Spain) and I can still connect via the mobile network here with Vodafone. My apartment has broadband with a local provider but I can't get a connection over the apartment broadband and router. Is this an unusual issue and do I need to do something with the local router. Many thanks again.
If I understand correctly, you are talking about two locations, is that correct? If that is true, you need two different config files (OPVN) and can only use one at time. Let me know if I miss understood?
@@MikeFaucher hi let me try explain. My QNAP is at home and I'm abroad in an apartment and I'm trying to access my QNAP at home. In the apartment I'm accessing the internet via a modem/router, but OpenVPN won't work going through the apartment modem. If I turn off WiFi and access using the mobile network it connects fine. I hope that makes sense
@@ShayFarrelly yeah because you can't change the hotel's router to port forward through the open vpn, just use your phone for security, don't connect through some third party, the vpn protects you from this, but you can't control the hotel's router so.
My qnap doesn't look anything like yours, or the others i've been seeing with tutorial videos online for that matter. I don't have storage "and snapshots", and i don't have the option regarding QTS embedding. There's other things i seem to be missing as well. I'm sure i did the latest firmware update. But mine seems simplified compared to others. I can't seem to find any option to set quotes for specific user groups either, only individual users.
Has qnap overhauled their design and simplified things, or is it just my version that is different?
Strange. What version are you using and what is the model number.
@@MikeFaucher I'm not sure how to find out the version, but the model is a TS-412
@@IntiArtDesigns look at system status from your control panel.
You also missed out the OpenVPN client link
I am interested in learning more about the open VPN on qnap NAS
Currently working on it based on feedback. Thank you!
I've got the open VPN connected to my Qnap NAS but still can't see the NAS files from either my mobile or PC did I miss something? Great video it's increased my NAS security a lot, thanks.
Assuming you successfully connected, you may have to browse your files using the IP from the file explorer. As their is no name resolution in your local network, you typically have browse with the IP. I should have cleared that up. Great question.
@@MikeFaucher I've tried the IP as shown on the the local network, the IP as shown on the QVPN Ovpn set up page, the IP used by Ovpn GUI and still can't see it. I'm definitely connected via the VPN but can't see the NAS. Still looking.
@@stickulari For me, I'm connecting to Sophos running locally but if I pull up an SSH session, and type "route print" (with no quote), then the problem lies with the VPN gateway.. For me its times out (*)
I've spoken to two QNAP guys now who say completely different things... even though I can access QNAP just fine without QVPN over WAN..
Upon logging in this evening QNAP presented me with an update for the MyQNAPcloud App. I try to stay current on all Apps and Firmware so I dutifully updated the App. But I checked and found the update also automatically switches the App to "Enabled". I disabled it per your recommendation. But I'm letting you know that this might be another "hole" in the QNAP security design. Many folks might not know the Apps/functions they disabled or switched "Off" for security reasons will be automatically enabled or switched back to "On" during an App update? Isn't this a bad update design ? Shouldn't the App/functions stay as originally set by the User during any App update? Or am I misunderstanding something here?
Also ... perhaps you might think of covering "Snapshots" in a video as part of Security? I only keep pics and videos on my NAS so I'm not sure the Snapshot function is at all useful for me? And if I do start keeping Snapshots won't they eat up a lot of my storage space? It's a confusing topic for novice users.
Good practice on your part and you are right it should have not enabled itself. It should have kept prior settings. Thanks for pointing that out. I am planning a video on snapshots but I have a few things ahead of it. As always thanks for the input.
Thought you might want to know it just happened to me. It turned back on without my consent.
Thx Mike. I do appreciate knowing my experience wasn't unique.
Another subject suggestion: "Best practices for NAS storage of pics and videos". I bought my TS-251+ for exactly that reason. And I'm sure that there's a HUGE audience out there like me. But beyond the security and preservation of my pics I'm not using the potential advantages of a QNAP NAS. I'm not using any Indexing because I don't know what the advantages might be ... and I'm a bit anxious about using any Apps that might mess up my pics in a way I can't control? Example - I have a very simple naming convention (YY-MM-DD - Subject Name - specify Pics or Videos) that seems to work for me ... but perhaps there are far better systems that I'm ignorant of? I'm guessing there are lots of folks like me that would like to know what "Best practices" are for organizing our pics and videos. Also - I use my naming convention to keep pics and videos of the same event, like a canoe trip, in different folders because the 'media players' I use, VLC or the Windows Pics App, only handle their specialty. Is there a better way. I'm sure there's lot more issues for Pics and Videos ... many of us 'novice' users would appreciate your insights on this important topic.
Hello,
In my country, we aren't offered a fixed IP for home internet, thus, connecting to my NAS through open VPN won't be possible?
There are several options. If you already have it setup, then you can a service like Dynamic DNS or DynDNS. You can modify your configuration to use the domain that you create instead on an IP address. The option is if you have not started is to look at Tailscale. I have done several videos on my channel and it works seamlessly with dynamic IP addresses. Hope that helps.
@@MikeFaucher I'll check it out, thank you
Mike - disaster
I followed your video, and got as far as changing IP Access list which I activated having been deactivated, now I cannot access the device at all. The QFinder - and while it is seeing the NAS it cannot connect, only getting:
Cannot connect to device. Please check if the device and your computer are on the same subnet.
Click 'OK' to open the web browser and try to connect to device, or click 'Cancel' to return.
Anyway I can get around this?
PS Using Macbook Air, so don't have a chordn connection
This is very strange. If the IP of your MAC was put incorrect is should not block you unless your IP is changing. Are you using a:8080 after the IP address? Do you have another device you can use to access the NAS? To avoid major issues I would contact QNAP support (www.qnap.com/en/support-ticket/) as most likely you will have reset settings (you will not lose data but will have to create users and permissions again). Since it is impossible to know every network configuration, there is something unique with yours. Once you regain access leave that setting off. Sorry, you are having issues and would reach out to them right away as it is recoverable with a reset but you have to do it right to avoid losing data. You can look at the manual for more information on the different reset options.
Nice video. I use a qnap as a plex server. Is it a bad idea to use the admin account for daily use.? Is it better to create a user account . My qnap gives warning about it.
Always best practice not to use the admin account. If credentials get compromised it will do less damage and you will not lose control of your files.
@@MikeFaucher We always say that, because we come from the aspect, it WILL be hacked at some stage... Truth is,, I think its a tad over the top to treat everyone the same..
If you secure your admin account, just like with Windows PC account, then it will be just fine..
BUT reducing privilage access is usually, and unfortunately, the only thin g we think off..
To me, that is bad practice to narrow it down... There is much more than that.
@@Tech-geeky Thanks for your input. It is good to hear counterarguments.
The best practice is to change the admin account for any device even if you create a user account. For me, I do both on my device. Thanks.
If I only use for plex can I shut off all ports except the plex port.
Disable all the services I did except for Plex and you should be fine.
Can you post a link for the security counselor, please
It's in the Qnap. You can install it in the APPs. Then run it in the different settings and check what you can do to set for securities. It will also show Antivirus, AntiMalware and the Firewall.
The security counselor is in the QNAP app center. Just launch the app center from your main screen and search for the security counselor and you should find it. Thank you.
I use PIA vpn can i use this account?
Usually not to directly connect to the NAS.
I have open NAS from Another PC by inputting Password, But Next time it is automatically opened without password, how can I Recall the previous openning process of NAS from the Same pc from which I opened it by inputting password...
Not sure I understand the question. Sorry.
@@MikeFaucher Sir I WANT TO access NAS from another pc EVERY TIME WITH PASSWORD....Thanks
@@satyajitchatterjee3713 Goto the windows credential manager on the PC and erase the entry and clear the password and also go to the browser password. I should then prompt you every time
You also didn't disable the default Admin account
I covered all the items you mentioned on different videos. I did not want to put everything on one video as it would be to long. If you search QNAP on my channel you see just about every topic. Thanks for the feedback.
Tip: Never use default ports.... This goes for software firewalls too. not just hardware devices. Also, regarding TLS version, its fine stating "to be sure make sure you use the best versions" or such and such, but it fails in reality, because one size does not fit all..What works for one won't be ok for others.. For eg, if someone needs access to shares from Windows XP system, you won't use the best TLS versions for Windows networking , because you won't be able to connect.. Ya, who users Windows XP anymore right ??
You skipped over UPnp by the way :)
Thanks for the detailed feedback. Thanks for pointing out the skipped UPnP.
Who uses *Windows* anymore??? The Windows OS is your home's biggest security hole, and it needs to be plugged with Linux. If you really need Windows for something, run it in a VM on a Linux machine.
Qnap is Qcrap
Thanks for the feedback.
In short: don't use qnap applications and use VPN. Nahhhh c'mon! That can't be the solution. I will use all multimedia and cloud funktions. The basic answere is change ports, pay for Antivirus Lizens, use Firewall(s), doo backup and snapshots.
There are other solutions like talescale but antivirus will not catch everything. You have to decide your comfort level go with that but if security is your primary concern than VPN is your best option. Thanks for the comment
Secure your QNAP: buy a synology
Having 9 Synology units at work I could not disagree with you more. To prone to failures Thanks for the comment.
@@MikeFaucher I am a small MSP and manage around 70 of them. Aside from occasional drive-failures that are the drives fault, but easily replaced and background rebuilt, never had one single unit fail on me. I use them for VM deduplication backups in RAID-6. They are my peace and sleep - comfort.
@@TheDesertsweeper Assuming we are talking about the Synology units that is great to hear. Don't get me wrong I like Synology but out of the 9 units, 3 have had power supplies die and 1 has had a motherboard failure. I am not saying this will happen to everyone and all these units were bought around the same time frame so it could be a lot of related issues, but that has been my experience with them. So far some of the new units we have purchased have been pretty reliable so time will tell. s I also think that QNAP got a bad rap for largely improper configurations. If you point any device such as a QNAP, Synology, or UNRAID directly to the internet on default ports, you will have issues at some point. Thanks for your input and comments.