Universal Plug and Play (UPnP) port forwarding was introduced to forward the ports that are in use from one device to another device on a network. This feature automatically forwards the ports from one device to another with only one change in settings. No additional configuration is required.
This feature is now widely used by many devices in a network. It allows the devices to communicate with each other more efficiently. This feature can also create workgroups automatically for sharing data among other applications.
Is it Safe?
Though this feature can help in many ways, it remains a protocol that is not secure. This is because UPnP uses UDP multicast and has neither encryption nor authentication. Because of this, hackers are able to send malicious files without authentication and can gain control over the system.
QNAP Network Attached Storage (NAS) is a backup hub that stores all important files and media such as photos, videos, and music. This device has one or more hard drives and is constantly online.
QNAP recommended that this device be placed behind a router and firewall. In addition, this device must not have a public IP. Other instructions include disabling manual port forwarding and the UPnP auto port forwarding option in the router configuration.
QNAP provides a service called myQNAPcloud Link. This is one of the better ways for users to access their QNAP NAS devices.
Note: Transmission speed might be slower due to the relay of traffic through QNAP’s servers.
Since this service is a web application, users can access their QNAP NAS devices through a web browser.
For additional protection, QNAP recommended the use of a VPN server function on the router. By enabling this function, QNAP NAS can be accessed through the internet but only after connecting to the router VPN.
What to do if NAS Must Open a Port to the Internet?
For users who want to connect QNAP NAS to the internet, QNAP has provided certain precautionary advice to reduce exposure.
- QNAP NAS must be behind a firewall and router
- QNAP NAS must not have a public IP
- Disable Telnet, SSH, web server, SQL Server, phpMyAdmin, and PostgreSQL if they are not being used
- Change internet-facing port numbers such as 21, 22, 80, 443, 8080, and 8081 to custom numbers, e.g., 8080 to 9527
- Use only encrypted connections such as HTTPS, SSH, etc.
- Install QuFirewall and limit allowed IP addresses to a specific region on the subnet.
- Disable the default admin account and set up a new one.
- A strong password policy must be enforced on all NAS users including the admin account.
- Enable MFA on QNAP NAS
- Automatic OS and app updates must be enabled. The update can also be scheduled to avoid interruption of backup, sync, or any other tasks.
- Block IP addresses that have too many failed login attempts and enable IP access protection.
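
The port-related items of this checklist can be checked against a router's forwarding table. The following is an added example, not QNAP's code or part of the original article: it flags forwards to the NAS that were created by UPnP, that use one of the default port numbers listed above, or that lead to an unencrypted service. The text export format, the `Mapping` fields, the cleartext port table and the sample addresses are assumptions made for illustration.

```python
import re
from typing import NamedTuple

# Ports the checklist names as defaults to move to custom numbers.
DEFAULT_PORTS = {21, 22, 80, 443, 8080, 8081}
# Assumed conventional ports of unencrypted services (not given on the page).
CLEARTEXT = {21: "FTP", 23: "Telnet", 80: "HTTP", 8080: "HTTP"}

class Mapping(NamedTuple):
    proto: str      # TCP or UDP
    ext_port: int   # port open on the router's WAN side
    host: str       # LAN address that receives the traffic
    int_port: int   # port on that LAN host
    source: str     # "upnp" (auto-created) or "manual"

# Hypothetical export format: "<proto> <ext_port> -> <host>:<int_port> <source>"
LINE = re.compile(r"^(TCP|UDP)\s+(\d+)\s*->\s*([\d.]+):(\d+)\s+(upnp|manual)$")

def parse(text):
    """Parse the export; blank lines are skipped, malformed lines rejected."""
    out = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised mapping line: {line!r}")
        out.append(Mapping(m[1], int(m[2]), m[3], int(m[4]), m[5]))
    return out

def audit(mappings, nas_ip):
    """Return (ext_port, finding) pairs for forwards that reach the NAS."""
    findings = []
    for m in mappings:
        if m.host != nas_ip:
            continue
        if m.source == "upnp":
            findings.append((m.ext_port, "upnp-auto-forward"))
        if m.ext_port in DEFAULT_PORTS:
            findings.append((m.ext_port, "default-port"))
        if m.int_port in CLEARTEXT:
            findings.append((m.ext_port, "cleartext-" + CLEARTEXT[m.int_port]))
    return findings

# Constructed sample data (not taken from a real router).
SAMPLE = """
TCP 8080 -> 192.168.1.50:8080 upnp
TCP 9527 -> 192.168.1.50:443 manual
TCP 2323 -> 192.168.1.50:23 manual
UDP 51413 -> 192.168.1.20:51413 upnp
"""
```

Calling `audit(parse(SAMPLE), "192.168.1.50")` reports the UPnP forward on 8080 three times over and still flags the Telnet forward on 2323, since a custom external port number does not make the service behind it encrypted.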