Recently QNAP said its NAS units are again under a wave of brute force attacks (see the statement here.) As a result, we are reminding our users to take at least basic steps to protect their NAS units. QNAP ships its NAS units in a relatively insecure manner, and it is up to users to take measures to protect their systems. The company also says the most vulnerable are those directly connecting the NAS units to the Internet, and that is true of most systems.

Let us show some examples of basic security steps to take.

In terms of basic security steps, the first should probably be simply not directly connecting the NAS to the Internet. Most STH readers will use some sort of firewall/NAT setup, and often a VPN to get to the storage network. One challenge with QNAP NAS units is that they are designed to get updates via repositories on the Internet, meaning they need to have at least some egress access, unlike an IPMI interface.

[Image: QNAP Security Counselor Not Installed In App Center]
Still, when you get a NAS, it is likely the Security Counselor application will not be installed already.

[Image: QNAP Security Counselor First Launch Security Analytics]
When you want to install this application, which we recommend, you get asked about sharing results with QNAP.

[Image: QNAP Security Counselor First Launch Wizard 1]
Still, upon launching the Security Counselor app, you get a short Wizard explaining some of the basic concepts.

[Image: QNAP Security Counselor First Launch Wizard 2]
QNAP has some pre-set policies for businesses, SMB, and home users. The app can automatically adjust settings as required.

[Image: QNAP Security Counselor First Launch Wizard 4]
[Image: QNAP Security Counselor First Launch Wizard 3]
And there is a dashboard that we are going to show shortly.

[Image: QNAP Security Counselor Choose Security Policy]
While basic is the default, our sense is that STH readers are going to opt for Intermediate or Advanced.

There are a few items that pop up that are important. QNAP does not actually ship its units with a lot of the security features like the antivirus app pre-installed. Instead, one has to install these from the app store. QuFirewall provides basic firewall functionality wrapped in a GUI. Something that seemed strange was that there were only around 350K installs of QuFirewall. Security Counselor has just over 1 million installs in contrast. Plex is around 2x the Security Counselor figures at around 1.96M installs.

On the funnier side, one of the “medium risk” issues is that License Center is not updated. License Center allows you to manage licenses for the QNAP NAS. This is a mandatory application, but it seems like the Security Counselor application should not have fewer than 1% of the installs of the License Center. Likewise, QuFirewall should not be under 3% of the installs.

QuFirewall still has “Basic” but also has more advanced settings. These profiles have built-in rules to allow/disallow traffic to the NAS based on interfaces, networks, and so forth. One other important feature is the ability to ban IP addresses for too many failed login attempts. One other item you may want to look at is turning off Telnet (just use SSH) and you can also change the SSH port.

[Image: QNAP QuFirewall IP Failed Login Attempts]
[Image: Telnet Even If It Is Not Enabled]
For STH readers, many will want to turn off UPnP since that is commonly exploited. We also suggest staying up-to-date on firmware and malware removal updates on a QNAP NAS. QNAP is constantly patching for new vulnerabilities, so it is important to do so.

This is one of those pieces that is nowhere near a complete how-to. At the same time, there are some basics that we suggest everyone do. QNAP does as well with the Security Counselor app. At the same time, it seems like there are a lot of NAS users out there not installing firewall features, not running Security Counselor, and so forth. One area we wish QNAP improved upon is having some kind of baseline security posture for every installation. These units should all have firewalls and it is probably time that Security Counselor becomes standard and part of the initial setup process.

Twenty years ago, a small NAS was a cheap box that supported a few protocols to get drives accessible via an Ethernet port. These days, they are becoming full-fledged servers running many services and applications. QNAP already has the tools; we just hope they up the default security setup on their NAS units. This new security advisory about brute force password attacks on NAS units directly connected to the Internet is a good example of why this needs to change. It looks like NASes, or at least QNAP, are due for the same reckoning that (to a degree at least) forced vendors to shove the default security settings of consumer desktop OSes from ‘dire’ to ‘more or less sane, though not hardcore paranoid corporate lockdown’.
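The QuFirewall feature the post recommends, banning an IP address after too many failed login attempts, is a sliding-window counter. The script below is an added illustration of what that counter computes, written for this page; it is not code from the post or from QNAP's QuFirewall. The log lines are constructed samples in OpenSSH's "Failed password" wording (the post does not show QNAP's own log format), and the threshold of 5 failures and the 10-minute window are assumed values, not QNAP defaults. It also goes slightly beyond the post by showing why the window length matters: an attacker who spaces attempts far apart never trips a short window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log in OpenSSH's "Failed password" wording. This is
# NOT QNAP's own log format; it is only realistic input for the lockout logic.
# Three sources: a fast brute-forcer, a legitimate user with one typo, and a
# slow brute-forcer spacing attempts 45 minutes apart.
SAMPLE_AUTH_LOG = """\
Jan 12 03:14:01 nas sshd[2311]: Failed password for admin from 203.0.113.5 port 51022 ssh2
Jan 12 03:14:03 nas sshd[2311]: Failed password for admin from 203.0.113.5 port 51024 ssh2
Jan 12 03:14:06 nas sshd[2313]: Failed password for invalid user root from 203.0.113.5 port 51030 ssh2
Jan 12 03:14:09 nas sshd[2315]: Failed password for admin from 203.0.113.5 port 51031 ssh2
Jan 12 03:14:12 nas sshd[2317]: Failed password for admin from 203.0.113.5 port 51035 ssh2
Jan 12 03:20:00 nas sshd[2400]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Jan 12 03:20:30 nas sshd[2402]: Accepted password for alice from 198.51.100.7 port 40002 ssh2
Jan 12 09:00:00 nas sshd[3001]: Failed password for admin from 192.0.2.9 port 60000 ssh2
Jan 12 09:45:00 nas sshd[3002]: Failed password for admin from 192.0.2.9 port 60001 ssh2
Jan 12 10:30:00 nas sshd[3003]: Failed password for admin from 192.0.2.9 port 60002 ssh2
Jan 12 11:15:00 nas sshd[3004]: Failed password for admin from 192.0.2.9 port 60003 ssh2
Jan 12 12:00:00 nas sshd[3005]: Failed password for admin from 192.0.2.9 port 60004 ssh2
"""

# Only failure lines are matched; "Accepted password" lines are ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failed_logins(log_text, year=2024):
    """Return (timestamp, user, ip) tuples for every failed login line.

    Syslog timestamps carry no year, so the caller supplies one.
    """
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events


def ips_to_ban(events, threshold=5, window_seconds=600):
    """Sliding-window lockout (threshold and window are assumed values).

    An IP is banned the moment it accumulates `threshold` failures within any
    `window_seconds` span. Returns {ip: time_of_ban}.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    bans = {}
    for ts, _user, ip in sorted(events):
        if ip in bans:
            continue  # already banned; later attempts change nothing
        q = recent[ip]
        q.append(ts)
        while q and q[0] < ts - window:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) >= threshold:
            bans[ip] = ts
    return bans


if __name__ == "__main__":
    events = parse_failed_logins(SAMPLE_AUTH_LOG)
    print("10-minute window:", ips_to_ban(events, window_seconds=600))
    print("3-hour window:   ", ips_to_ban(events, window_seconds=3 * 3600))
```

With the assumed 10-minute window, only the fast brute-forcer at 203.0.113.5 is banned (at its fifth failure, 03:14:12); the single typo from 198.51.100.7 never comes close, and the slow attacker at 192.0.2.9 is not caught at all. Widening the window to three hours also catches 192.0.2.9 at its fifth attempt. That gap is the practical reason the post's first recommendation is to keep the NAS off the public Internet: a lockout rule limits the rate of guessing, it does not stop a patient attacker.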