QNAP FTP Security question

iamgigglz

I've done some stuff just by following online tutorials and it all works as it should; I just want to know if there are any security holes I should be checking. Please can someone who knows what they're talking about assess my setup?

I have a QNAP TS-431P and a Ubiquiti USG for a router.
I'm running NoIP's DDNS so I have a nice friendly name to use, and I've created users on my NAS with read only access to specific shared folders.

My open ports look like this (202 is my NAS, 10 is my Plex server)

[Image: Bh0JNED.jpg]


and my firewall settings (all done a long time ago) look like this

[Image: qmpV2ho.jpg]


Comments?
 
I am sure the more knowledgeable guys will advise accordingly but what I would advise:
1. Use SFTP as opposed to FTP
2. Avoid using default ports such as 21. I always add a 1 in front of all the default ports that I have opened. So in this instance, I would use 121.
I would also include a rule to block telnet / port 23
 
From above:
1. Agreed, please do not ever use FTP. Traffic is in clear text, including user names and passwords. SFTP is the better option (essentially FTP over SSH)
2. Often, this doesn't help. A port scan on all ports will likely fingerprint the response and allow an attacker to determine the backend process (e.g. FTP, RDP)

Out of interest, why do you need to have file transfer capabilities opened up?
 
@Nerd101 appreciate the comments.

> 1. Agreed, please do not ever use FTP. Traffic is in clear text, including user names and passwords. SFTP is the better option (essentially FTP over SSH)

Eeesh. I'll dig around and see how I can switch to SFTP.

> Out of interest, why do you need to have file transfer capabilities opened up?

To start with I'm sharing...let's say large files that often appear in numbered groups, usually with a new one appearing each week...with the in-laws.
It's also really handy during this work from home thing - like today my colleague's Windows decided to kill itself. I was able to provide him with a one-stop shop for all the software we use, VM images etc.
 
Setting up SFTP is easy.... if you managed to set up FTP then you will be able to do SFTP.
Just a heads up - there may not necessarily be an option for SFTP but rather SSH. Enable that and instead of entering ftp://server_name:21, just enter sftp://server_name:22
In the meantime I would suggest you disable FTP while figuring out how to work SFTP.
 
Disable UPnP + FTP + telnet + anything not needed, i.e. SIP / VPN etc.

Google the CVE database & see if your QNAP & router have unpatched vulnerabilities. Also check Nmap's CVE vulnerability scan. To a certain extent a good username + password (and 2FA if you can) will save plenty of headaches.

If in-laws are using the NAS, force them to use a password on each access, with a timeout of say 10min. Also make sure you have some mitigation from ransomware.
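
As an added example (not part of the thread and not any poster's code): a small self-audit that ties together the replies above about a service being fingerprinted on any port and about disabling FTP and telnet. It reads the greeting banner on each forwarded port of a host you administer; the host name and port list are hypothetical, and the banner heuristics are simplified assumptions.

```python
import socket

# Cleartext protocols the thread advises against exposing.
CLEARTEXT = {"ftp", "telnet"}


def classify_banner(data: bytes) -> str:
    """Name a service from the first bytes it sends (simplified heuristics)."""
    if data.startswith(b"SSH-"):
        return "ssh"      # SSH identification string; SFTP runs over this
    if data.startswith(b"\xff"):
        return "telnet"   # Telnet opens with IAC (0xFF) option negotiation
    if data[:3] == b"220":
        # FTP and SMTP both greet with reply code 220.
        return "smtp" if b"smtp" in data.lower() else "ftp"
    return "unknown"


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect to one port and classify whatever greeting arrives."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                return classify_banner(s.recv(128))
            except socket.timeout:
                return "open, no banner"
    except OSError:
        return "closed or filtered"


def audit(host: str, ports) -> dict:
    """Map each port to (service, needs_attention)."""
    report = {}
    for port in ports:
        service = probe(host, port)
        report[port] = (service, service in CLEARTEXT)
    return report


if __name__ == "__main__":
    # Hypothetical name and ports: use your own DDNS name and forwarded ports.
    for port, (service, flag) in audit("nas.example.net", [21, 22, 23, 121]).items():
        print(port, service, "<- cleartext, disable" if flag else "")
```

Run it from outside your own LAN (for example over a mobile connection) so the result reflects what the router actually forwards.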
 
