Is a QNAP NAS safe?

ifman13

Hi, I have had a QNAP NAS for years mainly to set up my plex server, but I also have hosted my personal photos there synchronized with photoprism.

Should I be concerned about security or privacy? Is there a better alternative?

Thank you very much

de0u

ifman13 I have had a QNAP NAS for years mainly to set up my plex server, but I also have hosted my personal photos there synchronized with photoprism.

Should I be concerned about security or privacy?

QNAP has been in the news recently: https://www.theregister.com/2024/02/13/qnap_latest_vulnerabilities/

spiral

ifman13

Jellyfin > Plex

trilogy6202

You need to provide more context for anyone to be able to answer that question.

In general terms, if a) your NAS still receives regular updates, b) you connect to it in a secure manner (i.e. through a self-hosted VPN) and c) you don't expose any vulnerable services directly to the internet (hence point b) , it has potential to be a very private and secure solution.

ifman13

trilogy6202 You are absolutely right, your approach is the right one, I was perhaps focusing more on the company behind QNAP itself.

Answering your questions:

a. Yes, my qnap nas receives frequent updates.
b. I do not have a vpn configured.
c. I have ssh, telnet and the admin user disabled. The only service I have published to the outside is the one that enables the ability to use plex from outside the local network.

I must put solution to point b

mmmm

ifman13 If you want an extremely easy option, although not perfect perhaps, depending on your threat model, take a look at Tailscale for VPN

ifman13

de0u That's what I was afraid of, I saw some similar headlines a few years ago, and I suffered a ransomware myself. Maybe the best thing to do is not to host my personal photos on my QNAP nas either and try reliable services like filen or internxt. It bugs me to have to resort to paid services after having invested quite a bit of money in my QNAP and good hard drives.

Maybe I investigate the possibility of migrating to another device from more reliable companies like Synology.

trilogy6202

ifman13 I can't talk about QNAP specifically but personally, I would never expose any selfhosted services on my LAN directly to the internet. I would install a VPN on my router*, as an app on the NAS or on a raspberry pi and connect to my services through that.

That way, you are far less likely to be affected by vulnerabilities on your NAS (or any of the services hosted on it) as it would require thread actors to breach your LAN.

Of course that will make it less convenient for friends to access your plex but well...

It's of course a given that you need to practice good security on your LAN like, use the routers firewall, good WiFi security (preferably WPA3) with strong password and only open that one port for your VPN, etc.

'* installing the VPN is the best solution if your router supports it as you wouldn't have to open up any ports but proven VPN protocols like wireguard on a machine on your LAN is a perfectly acceptable solution too.

Eirikr70

ifman13 It bugs me to have to resort to paid services after having invested quite a bit of money in my QNAP and good hard drives.

If you have some time and like tinkering, you can set up on a server pretty everything you now have on your Qnap system.

de0u

ifman13 Maybe I investigate the possibility of migrating to another device from more reliable companies like Synology.

It could be possible for a very careful and very diligent entity to provide software for securely sharing files, period. But lots of companies believe what people want is a box that shares files, hosts VMs, monitors cameras, controls your furnace, drives your printer, mines Monero, and likes Instagram posts for you while you sleep. Such a box will not be secure, at least not for the foreseeable future.

Eirikr70

trilogy6202 Of course that will make it less convenient for friends to access your plex but well...

That might in many cases be so inconvenient that you would have set up your whole system for nothing.

ifman13

trilogy6202 First, thank you very much for your detailed message, you are absolutely right.

I just recently purchased an ASUS TUF-AX6000 router and managed to configure it with my ISP's credentials. I have yet to configure it properly with a good firmware (I think the default one is not good in privacy), install and configure OpenWrt. Also, following your advice I should configure a good VPN on it. I have to document myself because in all this they are more limited.

ifman13

Eirikr70 You mean it could make remote access to plex/jellyfin impossible? I also have a profile set up on wireguard to be able to remotely access my network to upload my photos or use torrent, I guess it would be problematic also if I set up a vpn on the router, although I hope it won't be impossible.

Eirikr70

ifman13 No, I mean that no one would use it.

grphnOsUsr

Hi,
@ifman13
I'm also using QNAP, but for privacy reasons I uninstalled all apps that were not necessary and replaced what possible with opensource alternatives. Keep it up to date and behind firewall. If you need to accss it from the Internet use VPN.
You've mentioned Plex, this is data mining software ;), consider using Jellyfin instead.