Totally agree re setting 2FA for login, but to make it more secure I've felt much better since I disabled Qnapcloud and setup VPN only access with Qvpn on the NAS and OpenVPN on my phone/PC.

Thanks Robbie! been looking to buy an 88x series and stopped dead in my tracks after the attack. This video provides some hope : )

Great video thanks Rob. I found the info about Security Counselor particularly useful - I'd never heard of it before! I now feel much happier with the security of my NAS.

Great video! Really appreciate you taking the time to give such helpful advice.

Thank you. Wish I'd seen your recommendations BEFORE the Qlocker attack.

Thank you so much for this. I wish I had known all this ahead of April though as you pointed out, even this may not have prevented the issues.

Please make an updated version of this video

Great video, Ill rewatch it when I get my nas back from repairs to set it up even more secure. Some of the settings Ive used, as far as I can remember, was the use of the Authenticator, ssl certificate and I had also set my nas up as private(Im the only user of it)

@nascompares

3 жыл бұрын

Thanks buddy

Great video with lots of good info. I have had my TS-853 Pro for 9 years now and I have not had any malware. I keep it off of the internet and always keep updates applied.

WOW. Nice find here!! Great video.

This kind of IT server security training really should be QNAP'S responsibility. Think about it, these are servers made for amateurs yet almost as complex as any basic enterprise setups. It is foolish to expect ordinary consumers to effectively secure a NAS. I think QNAP has an opprtunity to become the most secure NAS in the business if they focus on their users security above all else. They should do so through education, easier user interfaces and self explanatory fuctions. That's all I have for now...

@michaelflamingsword3131

3 жыл бұрын

Bro, there are loads of options to set in the Qnap. But if nobody is applying them, it is like a garage door open for a truck to park into it.

@georgeanthony6767

3 жыл бұрын

@@michaelflamingsword3131 The learning curve for a QNAP newbie is crazy steep. To completely secure a new NAS drive AND know what you are doing requires a solid education in Network Server Security. Cybersecurity is a huge field with the best Security Engineers earning six and even seven figures annually. Remember, these NAS drives are 100% insecure out of the box and most basic security settings require basic server knowledge which most people do not have. Might as well walk around with your pants down after buying a NAS drive.

@michaelflamingsword3131

3 жыл бұрын

@@georgeanthony6767 Well I am totally self-taught and with the help of a Qnap guy who answered all my questions, I have been able to bypass this Qlocker thing. But I do admit there are a lot of settings to go through. But they can train online with a demo that is there in learning how to know what settings there are in the firmware and read up on it in the Qnap website. You can't really say there is no information how to do it. You just need to spend time on it. Most people just think this is a Xbox or Sony playstation and that is how they get deceived with it. I love my Qnap. I cannot stop playing around with it and try all things that are there. With trial and error you learn a lot. And if you mess it up. Press the back button and start again or reset the NAS a few times. That is what I did. I think I did reset it at least 5-6 times before I really got the hang of it. Most people just dump the thing in a corner and connect a cable to it and think that is it. Wrong ! This is a highly sophisitcated machine with lots of things and settings. Did you know you can encrypt your SMB and you can put a encryption on the HDD's with a pass word or even with a QR code and even you can encrypt the External drives with 256 encryption and compression as well with mandatory passwords. People are just lazy. With these things come patience, effort and thoughtfulness and when you do you get the best out of it. However I think myqnapcloud needs to be beefed up. Maybe with a Radius server and 2 step Verification. 2 Step verification is already there, but you need to be careful if you put too much trust to the browser you log in with, it just only needs your password. Dual layer entrance is now compulsory to my opinion. And for example I have a bank that gives out a special scanner that scans random colour dots combinations on the website before logging in and I have yet to see if this can be cracked. So far I have not heard any bank that does that kind of security.

@georgeanthony6767

3 жыл бұрын

@@michaelflamingsword3131 I love that you are self-taught. The world is at a level of complexity and abstraction as never before in human history and the world needs people like us more and more. Our modern age requires people to be 'Renaissance' men and women like you and know a little about a lot of things. However, regarding QNAP I think they need to take the lead on this issue because as NAS owners we are collectively insecure and powerless without industry protection, guidance and social engineering from up top.

@damospearzo1032

3 жыл бұрын

Qnap NAS are rubbish. Any usefull apps mostly community supported and has very few truly useful apps for majority of users.

Thanks for the video. I've been through all these menus etc on my Qnap before, what would be useful is to know exactly what to change. Being a total novice I felt this wasn’t much help, but maybe a future video explains what to change to make it secure would be more useful. Fingers crossed

@damospearzo1032

3 жыл бұрын

Throw your Qnap in the bin, or sell it to some poor sucker. I have a QNAP and a Synology and the Synology is better and more user friendly by a country mile .

@italnsd

2 жыл бұрын

@JerseyPaul I agree, the video would have been more informational by telling what to change and not just showing where

Super guide. Audio level quite good ;-)

Very good video and very very helpful. So, can I just ask: if the DDNS isn't switched on then you safe. Even if you have back up and syncing to Dropbox and AWS always on.?? Thanks

Thanks for the video. I have yet to see a description of how the attack malware payload was delivered and loaded on the NASs. Fortunately I was not impacted since I was not using the remote access Qnap cloud, had uPNP disabled and a strong admin password. I was alerted when the malware scanner ran and I received notification that the malware was removed.

@JonKino828

2 жыл бұрын

If i don't have QNAP Cloud installed, does that mean that i am not connected to the internet?

Thanks for the great sharing!

Hi, Thanks for the great video! Would you be able.to elaborate on sharing the file process to an external temporary user, please?

Thanks for taking the time to produce these QNAP vids in light of the recent qlocker attacks. At 31:00 you say "it works perfectly fine on the network on its own", but how would I enable that? Surely by attaching it to my LAN (which my router is part of) then isn't my Qnap NAS accessible by the internet by default?

@hiddeninthewires2308

3 жыл бұрын

most basic firewall allow outgoing connections by default block incoming connections by default over the WAN the NAS would have internet access in most cases by default, this would allow it to get virus definition updates, download applications, and download and update firmware. all these connections are initiated by the NAS and are outgoing connections allowed by default by most firewalls with no special configuration required. the NAS would also be hosting server services, for things like administration web interface, any smb shares, iscsi LUN. these are things that get initiated by a client and are incoming connections to the NAS. any connection requests over the WAN would blocked by default by most firewalls (not forwarded to your NAS) without you explicitly defining the port forwarding rules. you definitely wouldnt these services exposed on the internet. the vulnerability is exploiting NAS that have exposed the management interface through the port forwarding rules or have the NAS assigned with public ip with no firewall at all.

Have you done a video on how to set up let's encrypt SSL for secure remote access to a NAS? I'm just a simple Plex user and moved awhile ago, that whole time my Nas was unplugged and unused for 2 years and I recently plugged it back in after setting up a media room. My NAS wouldn't update firmware so I updated it manually with a flashdrive and I needed to make a whole new mycloud account for some reason. It's been a pain getting it all set up but it's currently in sleep mode. Am I still safe? I did manage to set up 2FA on admin and basic user account and I'll see about setting up the X failed password revoking privileges

thank you very much!

My man came through! Saving this video to my favorites

@nascompares

3 жыл бұрын

Glad it's what you want/need. Sorry its a long one, tried scripting/cutting, but it's just to scatty a subject to nail in less time without context on every other part.

@michaelflamingsword3131

3 жыл бұрын

@@nascompares I think you can cover some more on what you have covered. There is more to put for security on the NAS and your network. SMB encryption, External HDD's encryption with passwords. Switching off NFS if you don't use it or do not have Linux. Switch off the Webserver and or change the ports. Only Administrators to empty bins. Guest Acess off. Switch off Plex server access. Use VM's instead of directly on your computer. Deploy a Radius Server to connect. Put only the IP addresses in the Firewall of the computers your use. Change the default DHCP IP address in your router to something different. Use Mac address filtering on WiFi and if your Router supports on your LAN as well. Do not set Teamviewer to a default remote access. Remove access from your computer not to remotely access it. Remove SMB 1.0. Remove all NAS drives that do not support SMB 1.0. Teach us how to use it properly Let's Encrypt and how to activate it by demonstrating it and what you need for it. There are many that are struggling with that. That is your next video, please. ;-)

Can you do a video with the best firewall configuration for a multimedia qnap server like the tvs h674 without using the upnp method?.... thanks again.

I have an older TS-469 Pro running 4.3.4, so I guess my NAS is somewhat obsolete in terms of available applications such as Security Counselor

If Norton or Bitdefender is installed as your main antivirus, will they be able to work on Qnap NAS? Instead of MacAfee, which for instance I don't like.

Lots of things to check. I have noticed in the new version of 5.1.5 QTS. The login options include 2 step verification (password and OTP/authenticator) or passwordless (1 step) - last option is username and authenticator. I am thinking the 2 steps seems safer.

will adding 2step verification change the way using share links work (ie: sending a share link to a shared folder on my nas to friends via email)? I primarily use my NAS as a place to store PDF's/music/videos for friends to download.

Thank you

Is myqnapcloud the only thing that "connects us to the internet." So my question is as long as I disconnect from myqnapcloud then a large majority of my risk goes away?

I don't have the QuFirewall and the SSecurity Counselor available sadly, at least it just doesn't want to install. Probably because my NAS is way too old, running QTS 4.2.6

I know it would be a lot of repeating, but could you do this for a Synology NAS as well? Although we are not affected by recent QNAP issues, it has created awareness to tighten settings with our systems as well. Especially, how to use a NAS on the home network (for in house users), so its plugged into the modem/router ... but is OFFLINE from the internet. Thats quite confusing to set up. thx And secondly ... and its a bit odd, but interesting. Would you be willing to 'infect' one of your QNAS (a 2drive maybe, with non critical files) with the ransom ware, and actually show people, step by step what you did to fix, or at least limit the damage?

@nascompares

3 жыл бұрын

Hey dude. 1, yep, working on the Synology one later this week. And 2, Yes, I would definitely be happy to create a controlled ransomware experiment to show it happening... But the honest truth is that I have no idea where to 'get' one in a conclusive and controlled way!

I wish I saw this video before 🥺 apparently Qnap got hit with a massive ransomware attack this year and I had no idea. My files are all encrypted by some hacker asking for Bitcoin in exchange for passwords 🤬

Thank you for the video. Do you know if there is a way to span storage across multiple NAS units so that you can see all your storage as a virtual volume across your network? IE if I have 3 NAS units can the individual volumes be combined as logical volume?

@nascompares

2 жыл бұрын

I believe vJBOD and/or Hybrid Mount are what you are looking for here. Cheers for watching

hello sir your videos is so helpfull for me but i am confuse with how to configure alnet ssystem software with qnap nas storage i have configure qnap nas storage raid 6 with 4tb *12 hdd 1 hdd in spare but i am able to see live video but not able save nas storage so can you help me how to add path in qnap nas storage for save recording. Thanks,Jerry Upadhyay

Forgive that this may be a stupid question. But - if you have a QNAP NAS plugged in to your computer - and your computer is connected to the internet - does that mean your NAS is connected to the internet also? Or - is the hacking security risk purely for if you choose to directly connect the NAS to the internet (and therefore if you don't, you risk free)?

@Tech-geeky

Жыл бұрын

mostly risk puley when you connect "directly" If you connect NAS to your computer, it wouldn't be on same network , it would be 169.x.x.x IP. where as your LAN may be 192.168. eg NAS by default would have DHCP which would be pointing to router

you are the best 👌

Love the brooklyn accent!

If i don't have QNAP Cloud installed, does that mean that i am not connected to the internet? Is sending email notification not a good idea, considering i don't want to link my NAS to the internet?

@Tech-geeky

Жыл бұрын

No.. You don't need QNAP cloud, only if your accessing NAS from remote location.

just a quick question: is it possible to change the name of the admin account on a QNAP NAS? because if this isn't possible it is a security issue (by design), too.

@jorgr.schr.351

3 жыл бұрын

Renaming it is not possible. But the recommended way is to create a second user with admin privileges and disable the "admin" user. I've done this like a week ago after I've got hours of failed login attempts from various IP addresses.

@Teilzeitotaku

3 жыл бұрын

thanks :)

@jorgr.schr.351

3 жыл бұрын

@@Teilzeitotaku no problem. Please google the official FAQ article by QNAP in order to not end up with a system with no admin user at all accidentally ;-)

BOOM! - QuTS hero h4.5.3.1670 build 20210515 just dropped. Some hardening/best practie being done :) *Snippet* Control Panel - To enhance device security, QuTS hero now automatically checks SQL Server password and disables the service if users still use the default password. - Modified various HTTP header default configurations to enhance device security. - Added support for customizing the HTTP response header "Server". - QuTS hero now automatically installs recommended firmware updates by default. Administrators can specify a schedule to check for and perform updates. - Web Server service is now disabled by default. - Users can now specify the community name when using UPS with SNMP connection.

You didn't mention running a VPN. :( That saves so much complexity.

I like the video, great content, very knowledgeable and informative. Constructive criticism - at the beginning you are too long winded. Most of the first 3 min could be said in about 30-45 seconds. Keep producing and keep improving 👍

This was a bit of a skimmy. Overviews are one thing, but you did say you would show how to set this up securely. That wasn't delivered here.

I would use 2-step verification if my NASes(a 4-bay and a 8-bay) kept good time. I use macOS. I can not get them to synch with an internet time server. The NASes are not on 24/7. They can be turned off days, if not weeks. I turn one on and its clock is more than 30 seconds off. It will not accept the current authenticator codes. I have to use an email address to get the QNAP verification code. I don't need to be locked out. So I do without the added security of 2-step verification. [When I set up the new 8-bay with a 64 character passcode, the NAS would not accept the passcode. I had to factory reset the NAS{paper clip on a hole on the back of the NAS for n secs}. 2 hours of configuration down the drain. I've had this happen at a website. Only the first n characters are accepted. I have to whittle down the passcode, dropping another character at the end of the passcode until I enter the length the site accepts. A length that is not stated when making the passcode.]

Dude. Just a side note after watching 150+ videos. I have NEVER heard "noise in the background" so please stop apologizing for it. Not. Once. Ever.

@Tech-geeky

Жыл бұрын

noise? what noise ??

Simplest way to be secure is to not buy qnap. I'm totally disapointed. This company sucks and Qlocker case proves it clearly.

how do I disconnect my Qnap from the internet?

@michaelflamingsword3131

3 жыл бұрын

Remove myqnapcloud if you have activated it.

@vskal

3 жыл бұрын

Use a router with openVPN. QNAP's openVPN application is not recommended because it needs port forwarding (which should be avoided).

not gonna lie I wasn't thinking 20 minutes later all i'd hear is change password and scan for malware, that hardly keeps the NAS secure, if I had a good password to begin with my security isn't increased by changing it constantly. and doing a malware scan isn't keeping me secure, stopping malware get on my system would be. and being notified of the lack of security is moot and not keeping me secure. password, update and scan malware. that takes 20 seconds. I thought you were going to show us how to disable certain ports, etc.

Changing the default port does not enhance security. Security by obscurity. Port scanners can detect open ports it might fool some scripts. Most people who serious about securing administrative interfaces dont expose them directly to the internet period. Thats terrible terrible terrible security pratice. A seperate vpn server with a dedicated vlan for admin is what you should be using to secure the admin interface and remotely managing the nas. Example Setup vlan 100 for management Setup vlan 201 for cifs Setup vlan 202 for iscsi Setup vlan 300 for public network (internet) Setup vpn server in dmz with one arm into the public network (300) another arm into vlan 100. Setup logging and auditing. Ensure 2fa exists for vpn service. The qnap should have ports trunked with vlan 100,201,202 or dedicated ports. Assign the services ip addresses in each of the ranges. I never ever bother changing port numbers it simply offers very little security and may just elude some scripts scanning on certain ports

@DavidM2002

3 жыл бұрын

No problem... if you have an IT degree. Perhaps you could do your own video and show us how to do all of that good stuff ?

@hiddeninthewires2308

3 жыл бұрын

@@DavidM2002 no need to show all this stuff anyone starting from scratch and wants to implement network zoning has very good documentation to work from. first off, start with reviewing existing best practices and security recommendations for example this gives a good write up look at, www.sans.org/reading-room/whitepapers/networkdevs/securing-out-of-band-device-management-906 seriously, none of this is unique to qnap and all security starts with a good foundation, NEVER EVER directly expose management interfaces to the internet period. flaws and security vulnerable every vendor has them please always zone your network for the management interface to be accessible on a dedicated network. like switch 1 - management network - ilo. syslog, admin interfaces etc switch 2&3 - production network - smb, ad, web etc router/firewall - internal arm - acl flows from the dmz to internal servers example vpn admin client address pool can access ilo interface on port 443 switch 4&5 - dmz devices - vpn server. proxy servers, load balancers etc router/firewall - external arm - acl flows from the dmz to the internet example vpn server is accessible on port 443 for remote connections if you dont have the expertise or knowledge to secure your devices please hire someone who does. these tips and tricks do not overcome the foundational security polices and standards that should be in place.

This video needs an update and to go a bit more in depth

Very BASIC security settings but the best security for QNAP is to keep all services OFFLINE completely so I absolutely NEVER use QNAP Cloud! As of January 2023 QNAP still has major online security issues so I will not trust QNAP online servers, nor cloud services and especially not email notifications handled by QNAP. For email notifications to be sent...QNAP needs QNAP email servers. Today QNAP products are still vectors for ransomware so please Do NOT connect to QNAP servers! Novice QNAP users should be offline ONLY, therefore should not be using notifications nor QNAP Cloud.

i was going to buy a nas--- im not now

The more secure you make things, the harder it will be to manage and jump through to get what your after. You could use 2FA, and encrypt volumes, for single person or two, all of that really is not required.. as long as you have good passwords for each user., and just gets in the way anyway. encrypted volumes also slow down you NAS as well, but depends on the CPU/RAM your NAS has. eg TS-451 would better than TS-251 I would prefer user-based folder access for security than 2FA just because 2FA and volume encryption works as a "whole" where as user password and permissions are "per-user" Much more simple to manage. Many people may disagree, but its my NAS so... 😛 Just make sure you use strong passwords and that's it.. Also, its bad practice to keep changing passwords every 180 days,, Companies used to do this in the past ,thinking it was more secure changing regularly, but all it REALLY did was ****** off employees. Sorry, i manage my own security

I miss the most important step, formatting and throwing away the QNAP.

QNAP has garbage software, Synology is killing it with theirs. Qnaps software and usability has degraded substantially over the years.

Found the presentation very irritating. Why keep wizzing the cursor around the screen. Why not use a large black cursor. Don't do everything so quickly.