sallysensation wrote:
Tue Aug 18, 2020 9:06 am
My NAS: QNAP TS-251+ Running Firmware Version 126.96.36.1991
I use my NAS to store my files and access them locally and remotely. I also run several apps on the NAS that I would like to securely access from the WAN (e.g. Home Assistant and Transmission). I currently use MYDDNS and MyQNAPCloud Link to connect remotely using a domain name. I open the required ports on my router. It works, but it does not use SSL and I don't know how secure it is. When I start to read about TLS/SSL certificates I quickly give up because it seems like I don't have the time to invest in that -- it seems incredibly complex. I have also been advised to connect only through a VPN. I use some of the other security features like blocking IP addresses with several failed login attempts. This is somewhat of an open-ended question. I want to make sure my NAS is secure. What steps are most important?
Should I only allow secure TLS/SSL connection? How should I do that without spending weeks learning about network security?
How can I set up VPN access and still be able to quickly access all the apps remotely from my phone or other device? How would that affect things like my plex server which I connect to from several devices locally and from the WAN.
I'm not even sure I'm thinking about this right. Any thoughts and suggestions?
1. If you do not have the time to invest in learning how to securely access your NAS from the Internet, then do not expose your NAS to the Internet.
2. Properly securing the crippled Linux and the insecure QTS user environment (QTS is not an OS) that QNAP provides can be a somewhat complex affair, depending on what you want to do with the NAS.
3. PKI is indeed complex, even people that work solely in PKI have trouble sometimes (I manage several aviation related public Certificate Authorities) but generating and installing TLS certificates on a QNAP is not all that complicated, it is just that the steps are very specific for each use case.
4. TLS connections do not protect the NAS from security risks. In this context, TLS is about keeping prying eyes from seeing the username/password combination, that is all, nothing more. The insecure QTS .php files are available whether TLS is used or not.
As for securing your NAS, there are a few simple but surprisingly significant (eliminates the majority of the security risk) things that need to be done.
1. Disable UPnP on your router.
2. Disable UPnP on the NAS -- just do not use it!
3. Do not expose the QTS Web Admin login page and any of the QTS applications to the Internet. QTS is just plain insecure!
4. Enable the Network Access Protection and block all failed access attempts after 5 times within one minute.
5. If you must access the QTS Admin webpage and QTS apps from the Internet, then do so only using a VPN. It is preferable that the VPN endpoint be something other than your Router or NAS; I use a Raspberry Pi as my VPN endpoint (in addition to other things).
As for plex, just install the qpkg (get the latest one from plex.tv, not the QNAP App Centre).
Once installed, you will need to forward TCP port 32400 from your WAN to the NAS. This is the only port forward you will need to do. The Plex server already has its own TLS certificate, so secure connections (protects your login info, not the server) are possible as long as secure connections are enforced in Plex. To this date, there has been no successful hack against a Plex server. Most Plex servers are compromised due to poor security practices, such as people installing Tautulli and not securing the web access properly, or having some other insecure Python app running on the same server as Plex and using privilege escalation.
There are a couple of things you can do to secure your plex account.
1. Set a PIN
2. Do not configure your players for auto-login; they should require a PIN every time the player is started.
3. Periodically check the list of Authorized Devices, clear out old ones.
If you have any plex related questions, ask them on the plex forums, you will get a quicker response and generally much better answers than you will here.
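To make rule 4 of the reply concrete (block a source after 5 failed logins within one minute), here is an added Python example that is not from this thread or from QNAP; the log format, usernames and addresses are constructed for illustration and are not QTS's real log format. It applies the rule as a sliding window per source IP over a batch of log lines.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (NOT QTS's real format): "<ISO time> <result> <user> <source ip>"
SAMPLE_LOG = """\
2020-08-18T09:00:01 FAIL admin 203.0.113.5
2020-08-18T09:00:12 FAIL admin 203.0.113.5
2020-08-18T09:00:20 FAIL root  203.0.113.5
2020-08-18T09:00:31 FAIL admin 203.0.113.5
2020-08-18T09:00:45 FAIL admin 203.0.113.5
2020-08-18T09:00:50 OK   alice 192.0.2.10
2020-08-18T09:01:10 FAIL bob   198.51.100.7
2020-08-18T09:03:00 FAIL bob   198.51.100.7
2020-08-18T09:05:00 FAIL bob   198.51.100.7
2020-08-18T09:07:00 FAIL bob   198.51.100.7
2020-08-18T09:09:00 FAIL bob   198.51.100.7
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, result, user, ip)."""
    ts, result, user, ip = line.split()
    return datetime.fromisoformat(ts), result, user, ip


def offenders(log_text, threshold=5, window_seconds=60):
    """Return {ip: time the block rule fired} for every source IP that
    produced >= threshold FAIL entries inside any window_seconds span.
    Successful logins are ignored; an IP is reported once, at first trigger."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    blocked = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, _user, ip = parse_line(line)
        if result != "FAIL" or ip in blocked:
            continue
        q = recent[ip]
        q.append(ts)
        # Slide the window: drop failures older than window_seconds before this one.
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            blocked[ip] = ts
    return blocked


if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG).items():
        print(f"block {ip} (rule fired at {when.isoformat()})")
```

With the one-minute window only 203.0.113.5 is blocked; 198.51.100.7 also fails five times but spaced two minutes apart, which the rule as stated does not catch.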