Securing WAN Access to NAS

jaysona
Easy as a breeze
Posts: 292
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: Securing WAN Access to NAS

Post by jaysona » Wed Aug 19, 2020 3:48 am

Moogle Stiltzkin wrote:
Tue Aug 18, 2020 9:28 am
....

- 32400 is a known port for plex. so you can instead use a custom external port, then redirect it to internal 32400. you are basically obfuscating the port somewhat.

....
:roll: :roll: :roll:

What a useless and extremely misleading piece of advice. Security by obscurity is absolutely useless today. All such advice does is perpetuate a myth and provide people with a false sense of security, which ultimately does more harm than good.

Before providing security related information, maybe you should learn a little more about security and hacking. ;)
H/W: TS-219 Pro / TS-269 Pro / TS-253 Pro (8Gig) / TS-509 Pro x2 / TS-569 Pro
H/W: TS-670 Pro (i7-3770S 16Gig) x2 / TS-853 Pro (8Gig) / TVS-871 Pro (i7-4790S 16Gig)
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 384.19
Router2: Asus RT-AC68U - DD-WRT v3.0-r39960M kongac
Router3: Linksys WRT1900AC - DD-WRT v3.0-r43028 std
Router4: Asus RT-AC66U - FreshTomato v2020.7
Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)

jaysona
Easy as a breeze
Posts: 292
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: Securing WAN Access to NAS

Post by jaysona » Wed Aug 19, 2020 4:16 am

sallysensation wrote:
Tue Aug 18, 2020 9:06 am
My NAS: QNAP TS-251+ Running Firmware Version 4.4.3.1381

I use my NAS to store my files and access them locally and remotely. I also run several apps on the NAS that I would like to securely access from the WAN (ex. Home Assistant, and transmission). I currently use MYDDNS and MyQNAPCloud Link to connect remotely using a domain name. I open the required ports on my router. It works, but it does not use SSL and I don't know how secure it is. When I start to read about TLS/SSL certificates I quickly give up because it seems like I don't have the time to invest in that -- it seems incredibly complex. I have also been advised to connect only through a VPN. I use some of the other security features like blocking IP address with several failed login attempts. This is somewhat of an open ended question. I want to make sure my NAS is secure. What steps are most important?

Should I only allow secure TLS/SSL connection? How should I do that without spending weeks learning about network security?

How can I set up VPN access and still be able to quickly access all the apps remotely from my phone or other device? How would that affect things like my plex server which I connect to from several devices locally and from the WAN.

I'm not even sure I'm thinking about this right. Any thoughts and suggestion?
1. If you do not have the time to invest in learning how to securely access your NAS from the Internet, then do not expose your NAS to the Internet.
2. Properly securing the crippled Linux and the insecure QTS user environment (QTS is not an OS) that QNAP provides can be a somewhat complex affair, depending on what you want to do with the NAS.
3. PKI is indeed complex, even people that work solely in PKI have trouble sometimes (I manage several aviation related public Certificate Authorities) but generating and installing TLS certificates on a QNAP is not all that complicated, it is just that the steps are very specific for each use case.
4. TLS connections do not protect the NAS from security risks. In this context, TLS is about keeping prying eyes from seeing the username/password combination, that is all, nothing more. The insecure QTS .php files are available whether TLS is used or not.

As for securing your nas, there are a few simple but surprisingly significant (eliminates majority of the security risk) things that need to be done.

1. Disable UPnP on your router.
2. Disable UPnP on the NAS -- just do not use it!
3. Do not expose the QTS Web Admin login page and any of the QTS applications to the Internet. QTS is just plain insecure!
4. Enable the Network Access protection and block all failed access attempts after 5 times within one minute.
5. If you must access the QTS Admin webpage and QTS apps from the Internet, then do so only using a VPN. It is preferable that the VPN endpoint be something other than your Router or NAS, I use a Raspberry Pi as my VPN endpoint (in addition to other things).

As for plex, just install the qpkg (get the latest one from plex.tv, not the QNAP App Centre).

Once installed, you will need to forward tcp port 32400 from your WAN to the NAS. This is the only port forward you will need to do. The Plex server already has its own TLS certificate so secure connections (protects your login info, not the server) are possible as long as secure connections are enforced in plex. To this date, there has been no successful hack against a plex server. Most plex servers are compromised due to poor security practices, such as people installing Tautulli and not securing the web access properly, or having some other insecure python app running on the same server as plex and using privilege escalation.

There are a couple of things you can do to secure your plex account.
1. Set a PIN
2. Do not configure your players for auto-login, they should require a PIN every-time the player is started.
3. Periodically check the list of Authorized Devices, clear out old ones.

If you have any plex related questions, ask them on the plex forums, you will get a quicker response and generally much better answers than you will here.
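The ban rule in item 4 above (five failed attempts within one minute), and the qfinder lockout sallysensation runs into later in the thread, modelled as a sliding-window replay over a log. This is an added example, not code from the thread or from QNAP; the log format, field names, addresses and timestamps are constructed, and the slow, spaced failures from the second address are included to show what a one-minute window does not catch.

```python
"""Sliding-window failed-login lockout: ban a source after 5 failures in 60 s."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5               # the 5th failure inside the window triggers the ban
WINDOW = timedelta(minutes=1)  # "within one minute", as in the QTS setting

# Constructed sample log (hypothetical format, not QTS's real event log).
# 192.168.1.50 models the work laptop: qfinder bursts failures within seconds.
# 203.0.113.7 models slow, spaced failures: never 5 inside any one-minute window.
SAMPLE_LOG = """\
2020-08-27 07:40:00 LOGIN_FAIL user=admin src=192.168.1.50
2020-08-27 07:40:02 LOGIN_FAIL user=admin src=192.168.1.50
2020-08-27 07:40:03 LOGIN_FAIL user=admin src=192.168.1.50
2020-08-27 07:40:05 LOGIN_OK   user=sally src=192.168.1.20
2020-08-27 07:40:06 LOGIN_FAIL user=admin src=192.168.1.50
2020-08-27 07:40:08 LOGIN_FAIL user=admin src=192.168.1.50
2020-08-27 07:40:10 LOGIN_FAIL user=admin src=203.0.113.7
2020-08-27 07:40:30 LOGIN_FAIL user=admin src=203.0.113.7
2020-08-27 07:40:50 LOGIN_FAIL user=admin src=203.0.113.7
2020-08-27 07:41:10 LOGIN_FAIL user=admin src=203.0.113.7
2020-08-27 07:41:30 LOGIN_FAIL user=admin src=203.0.113.7
"""


def parse_line(line):
    """Return (timestamp, event, src) for one constructed log line."""
    date, time, event, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(f"{date} {time}"), event, kv["src"]


def find_bans(log_text, max_failures=MAX_FAILURES, window=WINDOW):
    """Replay the log; return {src: ban_time} for sources that hit the limit."""
    failures = defaultdict(deque)  # src -> timestamps of failures still in the window
    banned = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, event, src = parse_line(raw)
        if src in banned:
            continue  # already banned: the NAS would refuse the connection
        if event != "LOGIN_FAIL":
            continue  # assumption: a success does not reset the failure count
        recent = failures[src]
        recent.append(ts)
        # Expire failures that are a full window old or older.
        while recent and ts - recent[0] >= window:
            recent.popleft()
        if len(recent) >= max_failures:
            banned[src] = ts
    return banned


def unban(banned, src):
    """Model the manual unblock from the ban list; True if the entry existed."""
    return banned.pop(src, None) is not None


if __name__ == "__main__":
    for src, when in find_bans(SAMPLE_LOG).items():
        print(f"{src} banned at {when}")
```

The laptop burst is banned on its fifth failure eight seconds in, while the spaced failures never accumulate five inside a single window; that gap is one reason item 3 (not exposing the login page at all) matters more than the ban rule.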

sallysensation
Getting the hang of things
Posts: 80
Joined: Wed Aug 31, 2016 1:19 am

Re: Securing WAN Access to NAS

Post by sallysensation » Wed Aug 19, 2020 5:06 am

jaysona wrote:
Wed Aug 19, 2020 4:16 am

As for securing your nas, there are a few simple but surprisingly significant (eliminates majority of the security risk) things that need to be done.

1. Disable UPnP on your router.
2. Disable UPnP on the NAS -- just do not use it!
3. Do not expose the QTS Web Admin login page and any of the QTS applications to the Internet. QTS is just plain insecure!
4. Enable the Network Access protection and block all failed access attempts after 5 times within one minute.
5. If you must access the QTS Admin webpage and QTS apps from the Internet, then do so only using a VPN. It is preferable that the VPN endpoint be something other than your Router or NAS, I use a Raspberry Pi as my VPN endpoint (in addition to other things).

As for plex, just install the qpkg (get the latest one from plex.tv, not the QNAP App Centre).

Once installed, you will need to forward tcp port 32400 from your WAN to the NAS. This is the only port forward you will need to do. The Plex server already has its own TLS certificate so secure connections (protects your login info, not the server) are possible as long as secure connections are enforced in plex. To this date, there has been no successful hack against a plex server. Most plex servers are compromised due to poor security practices, such as people installing Tautulli and not securing the web access properly, or having some other insecure python app running on the same server as plex and using privilege escalation.

Thanks for the clear info! I do have enough time to learn the basics and determine what I'm capable of and what the risks are.

1. Check
2. Check
3. Working on that now. I previously had them exposed by opening ports on my router. I want to maintain remote access of several apps and files. I set up a VPN server using OpenVPN on the NAS, so I will need to close these ports on my router and I'll lose access completely from my work computer (LAN or WAN) which blocks the local IP address of my NAS and won't allow me to install a VPN client. That would take care of #3 though, right?
4. Check
5. Check sort of. The VPN server is on my NAS.

I will open ports for Plex and my VPN server. That's it.

It seems using certificates is a moot point in my case now, with a VPN. Is that true?

jaysona
Easy as a breeze
Posts: 292
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: Securing WAN Access to NAS

Post by jaysona » Thu Aug 20, 2020 11:56 pm

sallysensation wrote:
Wed Aug 19, 2020 5:06 am
Thanks for the clear info! I do have enough time to learn the basics and determine what I'm capable of and what the risks are.

1. Check
2. Check
3. Working on that now. I previously had them exposed by opening ports on my router. I want to maintain remote access of several apps and files. I set up a VPN server using OpenVPN on the NAS, so I will need to close these ports on my router and I'll lose access completely from my work computer (LAN or WAN) which blocks the local IP address of my NAS and won't allow me to install a VPN client. That would take care of #3 though, right?
4. Check
5. Check sort of. The VPN server is on my NAS.

I will open ports for Plex and my VPN server. That's it.

It seems using certificates is a moot point in my case now, with a VPN. Is that true?
3. Correct. If your only method of remote access to the NAS QTS Admin webpage and QTS apps is by VPN, then there is no need to port forward 8080/443 to the NAS.

As for plex, are you sharing your library with other people, or is it just for yourself when you are away from home?

sallysensation
Getting the hang of things
Posts: 80
Joined: Wed Aug 31, 2016 1:19 am

Re: Securing WAN Access to NAS

Post by sallysensation » Fri Aug 21, 2020 12:18 am

Since my VPN is installed on my NAS, I have to have port 443 (or whatever I change it to) open in order to connect to the VPN server. At least that's what the instructions from QNAP said.

I share my library and I also connect to my library when away from home. For the most common scenario (streaming from my phone), I should be ok connecting through VPN and not opening port 32400, right? Plex is a little less clear to me because it routes through their servers.

The biggest hangup for me is that I predominantly use my work laptop which has ESET Endpoint security on it managed by IT, and I am unable to install software. For some reason with my work VPN disconnected while on my LAN, I cannot access my NAS. The only workaround I was able to find was to install a firefox extension for a VPN service I subscribe to, and route my traffic through that. But I still have to have the port open on my router and connect using my NAS domain name (WAN). This is true for connecting to anything running on my NAS, including Plex. It's all very confusing to me. I don't like having to do that just to use plex on my work laptop, and it's probably only a matter of time before IT notices that I'm using a VPN extension on firefox and have me remove it.

sallysensation
Getting the hang of things
Posts: 80
Joined: Wed Aug 31, 2016 1:19 am

Re: Securing WAN Access to NAS

Post by sallysensation » Mon Aug 24, 2020 8:45 pm

I just realized that I also need my transmission port open if I want to seed torrents. I suppose there is no secure way of doing this, right? It seems like I can download without the port open but I won't be able to accept incoming connections, so I won't be able to upload.

OneCD
Ask me anything
Posts: 7969
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: Securing WAN Access to NAS

Post by OneCD » Tue Aug 25, 2020 4:04 am

sallysensation wrote:
Mon Aug 24, 2020 8:45 pm
I just realized that I also need my transmission port open if I want to seed torrents. I suppose there is no secure way of doing this, right? It seems like I can download without the port open but I won't be able to accept incoming connections, so I won't be able to upload.
The 'listening' port will help put you in a larger swarm, but isn't completely necessary. You can still share without it. ;)


sallysensation
Getting the hang of things
Posts: 80
Joined: Wed Aug 31, 2016 1:19 am

Re: Securing WAN Access to NAS

Post by sallysensation » Tue Aug 25, 2020 4:12 am

At least one private tracker is telling me that I'm not connectable. Does opening the listening port to transmission result in a significant vulnerability?

OneCD
Ask me anything
Posts: 7969
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: Securing WAN Access to NAS

Post by OneCD » Tue Aug 25, 2020 4:19 am

sallysensation wrote:
Tue Aug 25, 2020 4:12 am
Does opening the listening port to transmission result in a significant vulnerability?
Sorry, I don't know. I've not heard of any vulnerability via this port, but I'm not much of a BitTorrent user these days so I don't follow the news. Maybe someone else knows?


jaysona
Easy as a breeze
Posts: 292
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: Securing WAN Access to NAS

Post by jaysona » Wed Aug 26, 2020 3:32 am

sallysensation wrote:
Mon Aug 24, 2020 8:45 pm
I just realized that I also need my transmission port open if I want to seed torrents. I suppose there is no secure way of doing this, right? It seems like I can download without the port open but I won't be able to accept incoming connections, so I won't be able to upload.
I have been running transmission on 7 QNAP devices, seeding more than 7500 torrents for several years and I have never heard of, or experienced any sort of issues security wise.

Even if the tracker says you are not connectable, you will still seed a little bit; this happens when transmission contacts the tracker and the tracker says "hey someone wants a torrent you're seeding", and your client will then connect to the client that wants the torrent. Using transmission this way will make it very difficult to maintain a healthy ratio though. You'll be better off opening just one port for transmission.

jaysona
Easy as a breeze
Posts: 292
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: Securing WAN Access to NAS

Post by jaysona » Wed Aug 26, 2020 3:42 am

sallysensation wrote:
Fri Aug 21, 2020 12:18 am
...

I share my library and I also connect to my library when away from home. For the most common scenario (streaming from my phone), I should be ok connecting through VPN and not opening port 32400, right? Plex is a little less clear to me because it routes through their servers.
When properly configured, Plex does not route anything through their servers (in most cases). The plex player client contacts the plex authentication server, which generates a session authentication token that the player sends to the plex server. So, if you are just playing plex for yourself, then yes, using a VPN so your plex player looks like it is on your home LAN, there is no need to open port 32400. Opening port 32400 is only necessary when sharing your plex library with others - I have about 30 people accessing my plex server, so port 32400 is opened for that.
The biggest hangup for me is that I predominantly use my work laptop which has ESET Endpoint security on it managed by IT, and I am unable to install software. For some reason with my work VPN disconnected while on my LAN, I cannot access my NAS. The only workaround I was able to find was to install a firefox extension for a VPN service I subscribe to, and route my traffic through that. But I still have to have the port open on my router and connect using my NAS domain name (WAN). This is true for connecting to anything running on my NAS, including Plex. It's all very confusing to me. I don't like having to do that just to use plex on my work laptop, and it's probably only a matter of time before IT notices that I'm using a VPN extension on firefox and have me remove it.
This does not make sense to me, if the work VPN is disabled, you should be able to reach anything on your LAN. Your laptop will have an IP address of (presumably) 192.168.1.#, the plex server will have an IP address of 192.168.1.# and your router has an address of 192.168.1.1, so if your laptop can connect to your router, it should be able to connect to plex.

What I suspect might be happening, is the VPN software is somehow messing with DNS and might not like the plex.direct DNS entry that plex uses. There are a multitude of plex.direct and DNS rebinding issues on the plex forum.

sallysensation
Getting the hang of things
Posts: 80
Joined: Wed Aug 31, 2016 1:19 am

Re: Securing WAN Access to NAS

Post by sallysensation » Wed Aug 26, 2020 4:24 am

Strangely, it is all working as it should now. I was originally not able to access anything on my LAN from my work PC whether connected to work VPN or not. I did not understand it. It may have been something with my router, or something changing with the security managed by IT. The only other thing I can think of is that I disabled myQNAPcloudlink on my NAS. But I am now able to access my modem, and NAS (and all services on it) from my work PC even if connected to the VPN. So I currently have only 3 ports open: Plex, transmission listening port, and openVPN port. I'll use the VPN running on my NAS to connect remotely if I need to. I finally feel pretty good about the level of security I have on my NAS. Thanks for your help!

sallysensation
Getting the hang of things
Posts: 80
Joined: Wed Aug 31, 2016 1:19 am

Re: Securing WAN Access to NAS

Post by sallysensation » Thu Aug 27, 2020 5:55 am

Nevermind! It worked yesterday, now today I can no longer connect to my NAS from my work computer whether or not I am connected to my work VPN. I have no idea what changed. Works fine from other devices on my LAN. Not sure what's going on. I can successfully ping my NAS from my work laptop, just not connect through browser.

sallysensation
Getting the hang of things
Posts: 80
Joined: Wed Aug 31, 2016 1:19 am

Re: Securing WAN Access to NAS

Post by sallysensation » Thu Aug 27, 2020 7:43 pm

I figured it out. I tried running qfinder on that laptop so I could map my NAS drives. For some reason it made a bunch of failed login attempts and the local IP of my laptop was banned. I unblocked it and it's working again.
