[HN Gopher] My NAS exposes itself over the internet without permission Author : kn100 Score : 267 points Date : 2021-04-03 15:50 UTC (7 hours ago) web link (kn100.me) | geocrasher wrote: | The article focuses on the security issues surrounding his new | NAS, and that's fine. But the problem isn't security. It's Trust. | | Consumers generally trust that manufacturers will follow Best | Practices and that security is part of the deal: I pay you money, | you give me a quality product that Just Works and is Secure. | | False. | | Products are made to be _sold at a profit_. You can imagine that | some engineer at that company knows about this problem, put in a | Jira bug for it and since it didn't affect overall | functionality, and because the product needed to be released as | soon as possible, they rejected the bug and sent it off. | | By default, we should NOT trust that things are Good and Secure. | If we are security conscious, then it's on us as consumers to | figure out how to mitigate these problems. Or is it? | | If I was this guy, I'd box that thing up and send it back and | give the company feedback as to why, and then I'd show them this | very blog post. | | The manufacturer probably won't care. They know that until the | average consumer cares about security _and knows how to mitigate | problems_ it won't matter. And we all know that the average | consumer, even of technical products, has security habits. | | Now if you'll excuse me, I need to go take care of some security | stuff on my boxes, this really got me thinking about it! | sudo passwd root greatnewpassword11 | greatnewpassword11 | alias_neo wrote: | > Unfortunately, disabling uPnP these days is too much of a hit | to convenience, so I looked for other solutions.
| | Don't do this, there is no good reason to run UPNP if you care | about security, turn it off and learn to manage a firewall. | | If the author really cares, go one step further and replace the | ISP owned router with something with more control. | | Finally, if one cares about the software one's NAS runs, build or | buy from someone like TrueNAS. | stilisstuk wrote: | So I don't know about routers or networks. I live in an | apartment. Which router (+ an extra point / 2 hub mesh) is | recommended these days. There seems to be a plethora of | options. But most always end with Ubiquiti, which today | feels like a bad choice. Also kind of expensive. Preferably | something completely local. No cloud service. Preferably open | source. | | I live in the EU. | | (Sorry if it's bad form to ask for product recommendations, but | I am unhappy with / don't trust my ISP provided router, and GP | explicitly mentions buying a router) | Causality1 wrote: | I'm pretty sure the WRT-54G I had in 2005 was better at | penetrating walls than anything Ubiquiti has ever built. | After dealing with the one my mother was issued for her | remote work I'm convinced that anyone not trying to | remote-admin a hundred-router campus installation would be a fool to | buy one. | | Nothing is where you expect it to be. Getting to the control | panel requires multiple login screens. Changing a port | forwarding rule for devices that are and are not currently | connected not only isn't on the same screen, it's not even in | the same section of the control panel. | | I had no end of problems getting it up and running for her, | despite having paid tech support on the phone. Everything | connected via ethernet would benchmark at exactly 1/2 the | normal download speed of her old router, and anything on wifi | benchmarked at 1/6.
For the first three days her IP phone | just rang continuously with nobody there, and neither I nor | the tech support guy have any idea why it started working | correctly. | newsclues wrote: | Mikrotik | katbyte wrote: | The UX is... not good and I wouldn't recommend it for | anyone not experienced | omnimus wrote: | Yeah, I bought Mikrotik for home and I have no idea what | to do there. I tried to do hairpin NAT with it and after | 3 tutorials I somehow managed to get it working and now I | have no clue how it works or what it is really | doing. | | I think it's only for real networking pros | stefan_ wrote: | Can you get rid of your ISP provided router? There are lots | of obstacles there. | stilisstuk wrote: | I don't know to be honest? | alias_neo wrote: | I've replied to a couple of others, normally I would have | recommended Ubiquiti, but I no longer do. Not just because of | their recent breach debacle, but because their software | quality has declined since some of their best developers | left. | | The short but not so useful answer is, run something with | pfSense or similar, I hear PCEngines hardware works well and | is open source from the bootloader up. | | Ubiquiti has hardware offloading using Cavium hardware so you | need to get some throughput tests if you need high bandwidth | in hardware without the offloading hardware. | katbyte wrote: | pfSense isn't a replacement for Ubiquiti if you want a | single plane for firewall, switches and APs - I don't know | of any reasonable one sadly | hedora wrote: | I can recommend PC Engines (though a bit pricey, and kind | of a hobby project to set up), and also Ubiquiti (ignoring | the recent debacle). | | Both are generally maintenance free once they're set up. | stilisstuk wrote: | Considering Linksys WRT3200ACM. Heard pfSense is not good | with wireless.
| aborsy wrote: | Although Netgate's recent debacle calls into question the | code quality of pfSense as well: | | https://lists.zx2c4.com/pipermail/wireguard/2021-March/00649... | rufius wrote: | Honest question - what would I use UPnP for? | | I discovered a similar issue as the blog poster with my QNAP | NAS which was easily remedied by disabling UPnP. | | I've not noticed any issues. We can do all the same things we | did before. My Xbox and Switch still do online multiplayer just | fine. | | I remember hearing Xbox/PS3-4 and UPnP mentioned together but | it's been a while. | rand49an wrote: | UPnP allows devices to open up firewall ports for themselves | to allow traffic to reach them inbound. Games (for example) | that host a server on the user's local machine may | require an open port to allow access inbound so UPnP can help | with this. | | Nowadays it's not used much and quite frankly it was always | a fairly bad idea. | milleramp wrote: | Yes, the real lesson here is, I learned not to trust random | vendors and turned off UPnP. | hh3k0 wrote: | > If the author really cares, go one step further and replace | the ISP owned router with something with more control. | | I wanted to do that for a while now. Do you happen to have a | good suggestion regarding whose products are worthwhile? | alias_neo wrote: | It's muddy right now, I run Ubiquiti EdgeMAX switches and | EdgeRouter at home, but I wouldn't recommend them right now | (see another comment of mine, or check out the subreddit), | for NAS I run TrueNAS, on a home built server. | daniellarusso wrote: | For your NAS, do you have a mobo and case recommendation? | eikenberry wrote: | Not OP, but I built a NAS not that long ago. For the case | I purchased the Fractal Design Node 304 | (https://www.fractal-design.com/products/cases/node/node-304/...) and am very | happy with it.
| | For the Mobo I suggest finding a decent board (AMD based | one if you want ECC RAM) and then use a PCI-e controller | card to support the hard drives you need. It is hard to | find a nice MB with all the SATA ports you need, using an | external card gives you a lot more options. When I | researched it everyone recommended an "LSI Logic | Controller Card LSI00301 SAS 9207-8i" (eg. | https://www.amazon.com/LSI-Controller- | LSI00301-9207-8i-Inter...) and it has performed very well | for me. If you go that way you'll need a SAS to SATA | cable, they are easy to find as well. | spockz wrote: | Up until a week ago I would have suggested the UniFi. Since | the latest snafu, the handling of the breach not the breach | itself, I'm not so sure anymore what would be the best | alternative. Perhaps just their EdgeRouter devices or a | mikrotik device. | | The snafu: https://news.ycombinator.com/item?id=26638145 | bscphil wrote: | Also, the security report you're talking about came out | like two days after a huge blow-up on this site because of | a report they added advertising to a UI for one of their | products. (The controller I think?) | daveoc64 wrote: | People make blanket statements like this without thinking of | how it is used by popular consumer devices. | | As others have said it's really necessary for some consumer | devices to work properly - especially if you have more than one | of the same device. | | Games consoles are the best example. | | If you have one console only, then you can usually forward | ports manually, but if you have two or more of the same | console, and want them to go online at the same time, then you | need to use UPnP. | | If you don't have UPnP enabled on one of the consoles, you'll | see issues like being unable to join some games or being unable | to do voice chat with certain players. | bunnyfoofoo wrote: | Edited: deleted my comment as I was unintentionally offensive. 
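What rand49an and daveoc64 describe above, a device asking the gateway to forward a port to itself, leaves a record in the router's UPnP mapping table, and that table is what you would query to find out whether the NAS (or a console) has opened anything. The following is an added example written for this page; it is not code from the blog post, the NAS vendor or any router firmware. It uses the standard IGD action GetGenericPortMappingEntry on the WANIPConnection:1 service, walking index 0, 1, 2, ... until the gateway returns UPnP error 713 (SpecifiedArrayIndexInvalid), which is the normal end-of-table signal. The control URL, the NAS address 192.168.1.50 and the sample gateway replies are constructed assumptions so that it runs offline; locating the real control URL via SSDP and the device description XML is not performed here.

```python
"""List the port mappings a UPnP Internet Gateway Device (IGD) currently holds.

Added example, not code from the blog post, the NAS vendor or any router
firmware. It speaks the standard IGD action GetGenericPortMappingEntry on
the WANIPConnection:1 service, walking index 0, 1, 2, ... until the gateway
answers UPnP error 713 (SpecifiedArrayIndexInvalid). The control URL, the
NAS address 192.168.1.50 and the sample gateway replies are constructed.
"""
import xml.etree.ElementTree as ET
from urllib import error, request

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
ACTION = "GetGenericPortMappingEntry"


def build_request(index: int) -> bytes:
    """SOAP body asking the gateway for mapping table entry `index`."""
    return (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:{ACTION} xmlns:u="{SERVICE}">'
        f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
        f'</u:{ACTION}></s:Body></s:Envelope>'
    ).encode()


def _local(tag: str) -> str:
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def parse_reply(body: bytes):
    """Return the mapping fields as a dict, or None once the gateway reports 713."""
    root = ET.fromstring(body)
    fields = {_local(el.tag): (el.text or "").strip()
              for el in root.iter() if _local(el.tag).startswith("New")}
    if fields:
        return fields
    codes = [(el.text or "").strip() for el in root.iter() if _local(el.tag) == "errorCode"]
    if codes == ["713"]:
        return None  # SpecifiedArrayIndexInvalid: end of the mapping table
    raise RuntimeError(f"unexpected gateway reply: {codes or body[:80]!r}")


def list_mappings(fetch):
    """Walk the whole table; `fetch(index)` returns the raw reply bytes."""
    mappings, index = [], 0
    while (entry := parse_reply(fetch(index))) is not None:
        mappings.append(entry)
        index += 1
    return mappings


def mappings_to(mappings, internal_client: str):
    """Enabled mappings that forward WAN traffic to one LAN host, e.g. the NAS."""
    return [m for m in mappings
            if m.get("NewInternalClient") == internal_client
            and m.get("NewEnabled", "1") != "0"]


def http_fetch(control_url: str):
    """Real transport: POST each request to the IGD control URL from its device XML."""
    def fetch(index: int) -> bytes:
        req = request.Request(control_url, data=build_request(index), headers={
            "Content-Type": 'text/xml; charset="utf-8"',
            "SOAPAction": f'"{SERVICE}#{ACTION}"',
        })
        try:
            with request.urlopen(req, timeout=5) as resp:
                return resp.read()
        except error.HTTPError as err:  # IGDs return SOAP faults as HTTP 500
            return err.read()
    return fetch


# Constructed sample replies standing in for a real gateway.
def _sample(ext_port, proto, int_port, client, desc):
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        f'<u:{ACTION}Response xmlns:u="{SERVICE}"><NewRemoteHost></NewRemoteHost>'
        f'<NewExternalPort>{ext_port}</NewExternalPort><NewProtocol>{proto}</NewProtocol>'
        f'<NewInternalPort>{int_port}</NewInternalPort><NewInternalClient>{client}</NewInternalClient>'
        f'<NewEnabled>1</NewEnabled><NewPortMappingDescription>{desc}</NewPortMappingDescription>'
        f'<NewLeaseDuration>0</NewLeaseDuration></u:{ACTION}Response></s:Body></s:Envelope>'
    ).encode()


SAMPLE_TABLE = [
    _sample(8080, "TCP", 8080, "192.168.1.50", "nas-web"),
    _sample(3074, "UDP", 3074, "192.168.1.20", "console"),
    _sample(22, "TCP", 22, "192.168.1.50", "nas-ssh"),
]
SAMPLE_FAULT = (
    b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><s:Fault>'
    b'<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring><detail>'
    b'<UPnPError xmlns="urn:schemas-upnp-org:control-1-0"><errorCode>713</errorCode>'
    b'<errorDescription>SpecifiedArrayIndexInvalid</errorDescription></UPnPError>'
    b'</detail></s:Fault></s:Body></s:Envelope>'
)


def sample_fetch(index: int) -> bytes:
    """Offline stand-in for http_fetch(): serve the constructed table."""
    return SAMPLE_TABLE[index] if index < len(SAMPLE_TABLE) else SAMPLE_FAULT


if __name__ == "__main__":
    for m in mappings_to(list_mappings(sample_fetch), "192.168.1.50"):
        print(f'{m["NewProtocol"]} {m["NewExternalPort"]} -> '
              f'{m["NewInternalClient"]}:{m["NewInternalPort"]} ({m["NewPortMappingDescription"]})')
```

Against a real router, pass http_fetch("http://<gateway>:<port>/<controlURL>") (the URL comes from the router's device description XML) to list_mappings() and look at mappings_to() for the NAS address; an entry that reappears after you delete it is the "keeps punching ports" behaviour kn100 describes.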
| crazygringo wrote: | You mean ignoring the fact that a NAS which claims to not be | available over the internet is available over the internet? | | The correct solution is the NAS manufacturer needs to correct | the issue and provide a software update. | | This article shouldn't be ignored at all. Your supposed | "correct solution" does nothing to fix the root issue. | rovr138 wrote: | Is there a reason why the software claims it's not available | over the internet but still is because of something it did? | | Because that's a bug. | kn100 wrote: | To rephrase this somewhat less offensively (I am the author) | "I realised a potential solution but decided the drawbacks of | disabling uPnP were larger than the potential risk keeping | uPnP enabled poses". My household makes use of many different | services that would need to be port forwarded one by one in | order to keep everything working, and some games just punch | whatever port they like using uPnP so it's hard to keep | playing those with it disabled. Sysadminning at home is only | fun for a short while, I do this stuff at work, I'd rather | keep my home setup as simple as I can help it. | | As usual, various solutions are available, I described one | here. Disabling uPnP is an option for some, and I encourage | those who want to go that route to go that route. | uberswe wrote: | I think some people miss the point of the article. That a | NAS like Terramaster F2-210 shouldn't open ports externally | and if they do there should be options to turn this feature | off. | bunnyfoofoo wrote: | I'm sorry, I didn't mean to come off as offensive. I agree | that it would be bothersome to convert from uPnP to | non-uPnP, but you really only need to set it up once. Then any | new devices you add to your network don't require | individual workarounds. | kn100 wrote: | It's fine, I wasn't personally offended nor should you | feel like you need to censor yourself.
It's really | difficult to justify turning uPnP off when you can't | necessarily control every application that runs on your | network. My wife is going to get rather annoyed when | whatever video conferencing software she uses stops | working, and I'm gonna get mad when the game I want to | play doesn't work - which is why I engage in a somewhat | fruitless fight with the stuff I can control to keep the | uPnP port punching under control somewhat. | | It's definitely a bug in the NAS that it continues to | punch ports no matter how it is configured. Plenty of | software gives you the option of not punching ports. | alias_neo wrote: | Try it and see what happens. | | I build secure communications solutions for a living, so | I'm speaking from experience. | | Any solution worth its salt doesn't want or need UPnP on | your network, it doesn't need anything other than for you | to let it hit the internet and for the traffic to come | back the other way. | | I also run and have run other solutions in my day to day | working from home and private life, many SIP flavours, | Teams, Zoom (once, because it was the only option), | Jitsi, BBB, Google Duo, Hangouts, Houseparty; they all | work with no effort from me. | | There is a lot of hypothetical about what will and won't | work, but take it or leave it when I say that some of us, | the people building these solutions, have a bit of a clue | about networking and how to build solutions around | security best-practice. | | I also game online with PC, Nintendo Switch and | PlayStation 4/5, not one has given me issues, nor have I | needed any custom firewall rules for the consoles. | | My wife works from home on a government-issued laptop, | she's never complained of issues with video conferencing | or her work VPN. | | There may be some exceptions, sure, but it's less of an | issue than people think. | zippergz wrote: | FWIW I have never had UPnP enabled and I don't recall any | cases where it's caused a problem for me.
Certainly my | wife and I are on videoconferences all day and they work | fine. I am completely with you that I can't have network | configurations that make the network unusable, confusing, | or inconvenient for my family, but are you sure that UPnP | falls into that category? I'm sure you have different | applications than I do, but I think we're pretty | normal... | lanstin wrote: | This article pissed me off so I went to check on UPnP and | I had disabled it when moving into this home. Never had | any problem where UPnP was the solution, we have gamers, | video calls, VPNs, BitTorrent, etc. etc. all work fine. We | even have a printer that works. I think it is calling | home to Google or HP or whatever. | rubatuga wrote: | You keep saying "whatever" software wouldn't work without | UPnP, but you are failing to give us concrete examples. | [deleted] | hluska wrote: | I agree with bunnyfoofoo's conclusion - maybe not the tone | but certainly the conclusion. It's tough to trust an | article that makes security claims while ignoring so many | self-imposed security holes. | washadjeffmad wrote: | It was clear you didn't want to disable UPnP support on the | entire network, but I couldn't tell whether you'd tried | disabling it on the NAS. | | Does the following disable the FS2-210's local UPnP? | | Go to TOS Desktop> Control Panel> Network Services> | Discovery Service> UPnP Discovery > Uncheck "Enable UPnP | discovery service" | | https://help.terra-master.com/TOS/view/?lang/en-us/flag/disc... | | I assume this won't break anything you don't want broken | (i.e. automatic port forwards), but I'm with you that the | option is needlessly ambiguous. | kn100 wrote: | This option was and is disabled - I should have mentioned | this in the blog post | edoceo wrote: | It's not offensive. But you were offended. | | Big difference. | dxdm wrote: | I'm wondering what definition of the word "offensive" | you're using. | edoceo wrote: | Offensive as Rude.
| | Then @kn100 assigns to @bunnyfoofoo the offending | behaviour. | | It's the personal responsibility thing. | | "I'm offended" vs "You're offensive". | adamweld wrote: | I think it's pretty clear that the author believes he may | have offended people with his statement, and is | rephrasing in a more precise manner to avoid confusion. | vczf wrote: | To be very exact, being offended is a choice, in that | nobody can offend you if you don't let them. You can | always choose to not take offense. (The statement in | question does seem rude and dismissive to me, however.) | washadjeffmad wrote: | I believe the eminent feminist and humanitarian, Eleanor | Roosevelt, would have agreed with the fairness of your | assessment. | | https://quoteinvestigator.com/2012/04/30/no-one-inferior/ | bayindirh wrote: | Actually, I also found grandparent's (bunnyfoofoo) tone | offensive. It's borderline derogatory, since it | disregards the situation of the original author on many | levels, plus everyone fixates on the wrong point. | | UPnP has its security implications, but it doesn't mean | that random appliances can just open ports through it | without any settings whatsoever. | | Everybody has the freedom to have opinions and is free to | express them, however we shouldn't disregard the other | person's situation while expressing our opinion. Talking | about _theoretical_ best practices is always easy in a | vacuum. | | Addendum: I want to congratulate bunny for trying to | learn from his/her mistakes, for being honest and | sincere. I wanted to leave it here since there's no other | way to contact. I also made a lot of mistakes and HN | taught me how to discuss this stuff, so you're at the | right place. | dijit wrote: | On the other hand, if you want to play games on your network | you absolutely must have UPNP. Unless the game has a dedicated | server infrastructure. But even then you risk higher latency on | VOIP if it even works at all.
| clajiness wrote: | I'm gaming on my Xbox right now with specific ports | forwarded. I guess "absolutely must" is a bit much, huh? UPNP | has no place in a secure network. | dijit wrote: | This is not a reasonable solution for most people, it | requires intimate knowledge of the games you play (which | ports they use), a static IP for your console and no more | than one player/console per household. | | Heaven forbid you have a PC game and an Xbox game that have | conflicting ports. | | And, I just have to say: you open arbitrary ports to your | game console from the internet and talk about security. | easton wrote: | n>1, not n=1. | rubatuga wrote: | This is completely false. Almost all home networks use | port-restricted NAT, which allows for STUN for NAT traversal. You | do not need UPnP to play games, even those that have peer-to-peer | multiplayer. | | Also STUN for VOIP does not increase latency. It tells you | your external IP and port. | | Edit: Port symmetric --> port restricted | waffle_ss wrote: | I get the feeling you've never run n>1 Xbox Ones connecting | to Xbox Live at the same time. Without UPnP only one will | be able to connect. | eikenberry wrote: | So is this issue mostly with consoles? I've always kept | UPnP off and we do lots of gaming here without a problem, | but pretty much all PC gaming. | dijit wrote: | PC also has problems. Truth be told it's all about the | kinds of games you play. | | You can port forward of course, but you have to know | which ports and obviously it only goes to one static IP | 7steps2much wrote: | I can't say for sure, but I have never ever seen a PC | game using UPnP. That said, I have only ever seen it once | with a console, a PS3 in this case. | | And, don't quote me on this, but most PC games are not | Peer-To-Peer. They often come with their own server | software. | nullify88 wrote: | Do you mean TURN? STUN does not work over Symmetric NAT as | the source port is unpredictable.
| birdyrooster wrote: | If you want to host servers on your network then you need | firewall rules, but if you are just a client then the | firewalls implicitly allow the responses to client traffic | through. | dijit wrote: | Only if it's dedicated server infrastructure (as mentioned); | games like Call of Duty will not work. | kalleboo wrote: | UPnP is also sometimes used to refer to some forms of | zeroconf/mDNS/Bonjour/DLNA. | | Maybe he is under the impression if he turns off UPnP on his | router (the automatic port forwarding feature), that his LAN | device discovery features will break? | atmosx wrote: | Indeed, UPNP effectively turns on "auto-pilot". The fridge | running on 10-year-old firmware might open ports dynamically. | | Networks featuring UPNP should be marked as "open/insecure". | KozmoNau7 wrote: | If your fridge has a MAC address, you have much _much_ deeper | problems than UPnP. | watermelon0 wrote: | Sure, UPnP can open ports to the outside world, but that's | something that might be desired in some cases. | | However, devices should default to local access only, and offer | an option to expose them to the world, with appropriate | warning. | zokier wrote: | > However, devices should default to local access only | | Unfortunately we need to act based on what _is_ and not what | _should be_. | ryandrake wrote: | You could also configure your Internet router to only allow | one or two trusted devices to invoke UPnP to open ports. | chefkoch wrote: | Not the ISP-supplied ones I guess. | kn100 wrote: | This is exactly my opinion and exactly how I use uPnP. I | can't control exactly what runs on my network since I'm not | the only one using it, but I can guard certain parts of my | network more thoroughly. | rubatuga wrote: | You have to choose: security or convenience. | rembicilious wrote: | "They that would give up a little convenience for a | little security deserve neither and they shall lose them | both."
-Beenjammin Frankmon | sdflhasjd wrote: | UPNP is pretty important for a lot of online games. | Spivak wrote: | Yeah, you can't really "manage your firewall" when consumer | software doesn't open fixed ports and assumes UPnP. | Tepix wrote: | Which ones? I have it turned off and haven't had any issues | with games. | rdudek wrote: | Ubisoft games come to mind. Without UPnP or specific ports | forwarded you'll have limited NAT support which many games | will tell you. | sdflhasjd wrote: | Games that use peer-to-peer lobbies instead of dedicated | servers, more popular with multiplayer co-op games. | | Typically, it can be possible to join another lobby, but | impossible to host (insofar as other people can't connect | to it) | nullify88 wrote: | Let's not forget about consoles too. Xbox Live and PSN | complain about obstructive NAT configurations and rely | upon uPnP to open ports. | | Of course they can be opened manually but that assumes | some technical experience, and that the ISP provided | hardware gives you access to its configuration. | testfoobar wrote: | Agreed. | | My router firewall drops all packets from my NAS to my WAN. | Doesn't matter what software it runs. | ancarda wrote: | Do you have a router you recommend? Ideally something running | free software | bscphil wrote: | The PC Engines hardware line is popular here. The firmware is | coreboot and you can run OPNsense on it for an entirely free | software solution. It's quite solid, have had no issues at | all. See e.g. https://www.pcengines.ch/apu4d4.htm | | Not aff'd, just a customer. | alias_neo wrote: | Hardware-wise, I run Ubiquiti EdgeMAX but I wouldn't | recommend them anymore, their software has gone downhill | since many of their best developers left. | | Software-wise, pfSense is where it's at, but I don't have | experience with their own hardware other than the ones we ran | at work all failed due to a silicon flaw in the Intel SoCs | they ran.
| 7steps2much wrote: | > Ubiquiti EdgeMAX but I wouldn't recommend them anymore | | Sadly there aren't exactly a lot of alternatives in the | hobbyist network setup area ... It's basically just | Ubiquiti and Mikrotik at this point as far as I know | zokier wrote: | I've heard good things about Turris hardware too, but no | personal experience. | https://www.turris.com/en/omnia/overview/ | JoshTriplett wrote: | > Software-wise, pfSense is where it's at | | Recent events suggest that the people behind pfSense are | not especially responsible stewards; see | https://arstechnica.com/gadgets/2021/03/buffer-overruns-lice... and https://opnsense.org/opnsense-com/ . | Iolaum wrote: | Look at the range of devices from GL.inet. They run a custom | version of OpenWrt with a nice UI on top. But most are | upstreamed and you can flash vanilla OpenWrt on them. They're | quite cheap as well. I'm not affiliated with them but I have | bought devices from them. I use one between the ISP's router | and my home network. | alias_neo wrote: | This is a safe bet if you don't need advanced hardware | features, I have several gl.inet devices, you can build | your own OpenWRT for them and turn off the phone home | functionality. | stilisstuk wrote: | The 2 hub valica mesh model is a contender :) | annoyingnoob wrote: | OPNsense or pfSense | anonymousiam wrote: | I have used both OPNsense and pfSense. I currently run OpenWRT, | which I find to be full featured, secure, and lightweight. | bytearray64 wrote: | I like Mikrotik for routers. They're cheap and have a lot of | knobs in the SW (maybe too many if you just want NAT). They | do run Linux, but their SW isn't open. I've been pairing my | Mikrotik hEX with a Unifi AP. Not sure what I'll do going | forward, as I've heard Mikrotik's APs aren't as good as their | routing and switching hardware. | | If I was going the "dedicated machine" route, I'd probably go | with OPNsense nowadays. | kaylynb wrote: | OPN/pfSense have been mentioned.
| | Don't waste time with WiFi on the gateway itself as most WiFi | chips you can buy are crippled in firmware for regulatory | reasons. Just use a dedicated commercial AP hooked up | directly or VLANed. | | Once you get comfortable with something like pfSense I highly | recommend switching to regular Free/OpenBSD, or Linux | depending on what you're comfortable with. I find it much | easier to manage a gateway with the entire configuration in | version control than a GUI. There aren't that many services | that a gateway needs to run. | | If you feel like you'll miss pf on the *BSDs check out | nftables on Linux. It's not as well documented but it's much | less painful than iptables. | | To loop this into the UPnP discussion: when you build your | own gateway from scratch you have to _add_ a UPnP daemon and | configure it yourself, instead of forgetting to disable it | and exposing poorly configured IoT stuff. | deburo wrote: | I also found this weird, and this got me to check if it was | enabled on my business firewall devices: turns out they don't | even support UPnP. Is it just consumer routers that support it | nowadays? Shouldn't that feature just be nuked? | | EDIT: Well it sounds like a feature for pro users that know | what they are doing and control all devices on the network. | Even then, security appliances (e.g. from SonicWall) don't | support it. I don't know, this is probably a niche feature for | a few occasions. | my123 wrote: | Far from only a feature for pro users. Notably, it is a must | for VoIP (without going through a relay) and BitTorrent when | you don't want to manually configure a firewall. (It allows | creating holes in a controlled way for a NATted network.) | | Without UPnP, you specifically have to configure your NAT for | this... | ShroudedNight wrote: | > Notably, it is a must for VoIP | | Wouldn't making STUN work be a better alternative?
| rubatuga wrote: | Yes, it's a feature supported by many VOIP clients, and | this comments section is filled with UPnP apologists | my123 wrote: | As I said, "without going through a relay". | | And TURN is one of those relays. | | (I host a STUN and TURN relay myself, because I had to | for my personal VoIP server for enough people to be able | to connect on it. Downside is more use of bandwidth.) | | edit: replaced STUN with TURN where appropriate, I did | confuse both as they were provided as a single package. | rubatuga wrote: | STUN is not a relay. | dasyatidprime wrote: | STUN is not a relay, but TURN is, and STUN/TURN is a | common combo for when STUN doesn't manage to holepunch | reliably, falling back to the relay when the direct | connection fails. | | What's also true, and what I think the GP was trying to | get at, is that STUN requires an external _coordination_ | server. UPnP (I think--I am far less familiar with it) | does not, because in UPnP you're negotiating the | holepunching with the local router directly, whereas STUN | is sort of using a loophole. | my123 wrote: | With TURN, all the traffic to the clients is routed | through the TURN server indeed. That makes hosting a | discussion server more traffic-heavy than otherwise... | | (and it turns out that the server software that I use | implements TURN and STUN in the same daemon) | [deleted] | daniellarusso wrote: | What STUN relay software do you use, or is it a hardware | device? | my123 wrote: | I use https://github.com/coturn/coturn, provided as the | coturn package on Ubuntu 20.04. | [deleted] | nobody9999 wrote: | >Without UPnP, you specifically have to configure your NAT | for this... | | While I realize that configuring nftables/iptables is | beyond most folks, there are many firewalls out there that | have a GUI/webui which makes this dead simple. | | Not sure why this should be an issue in 2021, except for | users' trained-in helplessness.
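The STUN/TURN distinction drawn in the subthread above (STUN only reports the address and port the NAT assigned to your outbound packet, it relays nothing; TURN relays the media) is easiest to see on the wire. The following is an added example written for this page, not code from any commenter or from coturn. It implements the RFC 5389 Binding Request and Binding Response with the XOR-MAPPED-ADDRESS attribute, from both the client and the server side, so the reply it parses is constructed by its own build_binding_response() and the whole thing runs offline. It goes slightly beyond the thread by also decoding IPv6 and the older un-XORed MAPPED-ADDRESS attribute. The public server named in discover_reflexive_address() is an assumption for live use and needs network access.

```python
"""STUN Binding Request/Response per RFC 5389, with XOR-MAPPED-ADDRESS.

Added example, not code from any of the commenters or from coturn. It shows
what STUN actually exchanges: the client sends a 20-byte request, the
server answers with the source IP:port it observed, XOR-ed with the magic
cookie (and the transaction ID for IPv6). The sample reply is constructed by
build_binding_response(); the server in discover_reflexive_address() is an
assumption for live use and needs network access.
"""
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
MAPPED_ADDRESS = 0x0001       # legacy attribute, not XOR-ed
XOR_MAPPED_ADDRESS = 0x0020
HEADER = "!HHI"               # type, attribute length, magic cookie; then 12-byte txid


def build_binding_request(txid: bytes) -> bytes:
    """Client side: a Binding Request carrying no attributes."""
    assert len(txid) == 12
    return struct.pack(HEADER, BINDING_REQUEST, 0, MAGIC_COOKIE) + txid


def _xor_key(txid: bytes) -> bytes:
    return struct.pack("!I", MAGIC_COOKIE) + txid


def build_binding_response(txid: bytes, ip: str, port: int) -> bytes:
    """Server side: report the observed (reflexive) address as XOR-MAPPED-ADDRESS."""
    family = socket.AF_INET6 if ":" in ip else socket.AF_INET
    raw = socket.inet_pton(family, ip)
    xaddr = bytes(a ^ b for a, b in zip(raw, _xor_key(txid)))
    value = struct.pack("!BBH", 0, 1 if family == socket.AF_INET else 2,
                        port ^ (MAGIC_COOKIE >> 16)) + xaddr
    attr = struct.pack("!HH", XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack(HEADER, BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txid + attr


def _decode_address(value: bytes, txid: bytes, xored: bool):
    family, port = struct.unpack("!xBH", value[:4])
    raw = value[4:]
    if xored:
        raw = bytes(a ^ b for a, b in zip(raw, _xor_key(txid)))
        port ^= MAGIC_COOKIE >> 16
    af = socket.AF_INET if family == 1 else socket.AF_INET6
    return socket.inet_ntop(af, raw), port


def parse_binding_response(msg: bytes, txid: bytes):
    """Client side: return the (ip, port) the server saw, or raise ValueError."""
    if len(msg) < 20:
        raise ValueError("short STUN message")
    msg_type, length, cookie = struct.unpack(HEADER, msg[:8])
    if cookie != MAGIC_COOKIE or msg[8:20] != txid:
        raise ValueError("not a reply to our transaction")  # drop spoofed/stale replies
    if msg_type != BINDING_SUCCESS:
        raise ValueError(f"unexpected STUN message type 0x{msg_type:04x}")
    if 20 + length > len(msg):
        raise ValueError("truncated STUN message")
    pos, fallback = 20, None
    while pos + 4 <= 20 + length:
        atype, alen = struct.unpack("!HH", msg[pos:pos + 4])
        value = msg[pos + 4:pos + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated STUN attribute")
        if atype == XOR_MAPPED_ADDRESS:
            return _decode_address(value, txid, xored=True)
        if atype == MAPPED_ADDRESS:
            fallback = _decode_address(value, txid, xored=False)
        pos += 4 + (alen + 3) // 4 * 4  # attribute values are padded to 4 bytes
    if fallback is None:
        raise ValueError("no mapped address in response")
    return fallback


def discover_reflexive_address(server=("stun.l.google.com", 19302), timeout=3.0):
    """Live check (needs network): which IP:port does the NAT present for us?"""
    txid = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_binding_request(txid), server)
        reply, _ = sock.recvfrom(2048)
    return parse_binding_response(reply, txid)


if __name__ == "__main__":
    # Offline round trip with a constructed reply (203.0.113.7 is documentation space).
    txid = os.urandom(12)
    reply = build_binding_response(txid, "203.0.113.7", 51820)
    print(parse_binding_response(reply, txid))
```

Calling discover_reflexive_address() against two different servers and comparing the returned ports is the usual way to tell the NAT types rubatuga and nullify88 argue about apart: a port-restricted cone NAT hands back the same mapping for both, a symmetric NAT allocates a new port per destination, which is exactly why STUN alone cannot hole-punch through it and a TURN relay becomes necessary.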
| benlivengood wrote: | > Not sure why this should be an issue in 2021, except | for users' trained-in helplessness. | | Kids hosting games on random ports (Terraria, etc.) | benefit from UPnP. I'd rather enable it than manually | enter firewall rules for each game or give them admin | access to the firewall. | | UPnP is only an additional risk if you have malware | inside your network already and then it mostly allows | malware to host services in a simpler way, but capable | malware will be able to use TCP hole punching to | establish arbitrary connections between infected | networks. | hluska wrote: | Ugh, users trained in helplessness. I just had an utterly | annoying conversation with my cell phone provider whose | reps have been trained in helplessness and thus fail to | follow really simple security procedures. | | This phrase is a thing of nightmares now. Stay tuned for | a really scary Haunted House full of users trained in | helplessness...coming Halloween 2021. | gsich wrote: | That sounds like he didn't even try. | xyst wrote: | also don't buy Ubiquiti gear :) | rdudek wrote: | Nothing wrong with uPnP. If you're worried about something | opening up ports on your network, you're already compromised. | takeda wrote: | I find it amusing that many people are convinced that IPv6 is | less safe, because there is no NAT, and at the same time use | UPnP. No, NAT isn't designed for security, the blocking of | incoming traffic is just a side effect, you should use a firewall | for security. | rubatuga wrote: | Yep, the author depends on NAT as a security feature, when it | was never designed to be one. UPnP is a convenience feature, | and is disabled in all security-focused networks. If you want | convenience and security, set up two VLANs, one for your | insecure UPnP devices, and one for your more sensitive | devices. | kaylynb wrote: | This is the way to do it.
| | NAT is not really security and UPnP doesn't really do much | to prevent malicious software already on your network from | doing malicious things except perhaps hosting itself on | your WAN to spread further. | | What disabling it does help is prevent improperly | configured or flawed devices from accidentally exposing | themselves to your WAN. IOT devices? Put them on a network | with no UPnP. Workstations and video game consoles with up- | to-date patches? UPnP is probably fine. | nemosaltat wrote: | This is what I did a couple years ago. The documentation | for OpenWRT is great, and Luci/LDE makes it approachable if | you don't feel comfortable managing from the CLI. I have | one VLAN for my "privileged" devices and one for the | "IO(shi)T" devices. | bscphil wrote: | Aren't these two points slightly contradictory? | | > the author depends on NAT as a security feature, when it | was never designed to be one | | > UPnP is a convenience feature, and is disabled in all | security focused networks. | | uPnP punches holes in a NAT. If you shouldn't be trusting | NAT to protect you anyway, why bother disabling a feature | that's designed to punch holes in it? Just set up your | firewall to protect your network, and it's not an issue. | | (I suppose some routers might automatically add a firewall | exception when doing uPnP hole punching, but if so that's | an issue with those routers, not with the idea of relying | on a firewall.) | cbsks wrote: | > I suppose some routers might automatically add a | firewall exception when doing uPnP hole punching | | Every consumer router I've ever had will open up a port | in the firewall when uPnP is enabled and a request is | received. Is that not standard? | netflixandkill wrote: | UPNP doesn't "punch holes in NAT." It is dynamically | configuring NAT to provide a specific translation. 
| The same kind of dynamic translation happens the other way for any allowed outgoing traffic, and lots of old NAT traversal tricks made use of that before UPNP was a thing.
|
| The hole was always there. People get this topic confused all the time because the majority of network devices doing NAT are also acting as firewalls of varying efficacy. There are basically no non-firewall routers anymore, they all have at least simple network address ACLs.
|
| The purpose of upnp is touchless configuration. If you care about security, that is orthogonal to your goals, and so it must be restricted by some other policy enforcement.
| rubatuga wrote:
| Ah that's fair, but it's the combination of both that is the worst
| DarkmSparks wrote:
| IMHO IPv6 is an ISP problem, I don't need every (any, really) of my devices accessible from outside my personal VPN, and IPV4 private space is more than sufficient for that.
|
| IPv6 is overly complex, therefore insecure. Thanks to the US Patriot Act I don't even trust the VPN stuff tbh.
| yesco wrote:
| > IPv6 is overly complex
|
| I'm being a bit pedantic about this since you're right that in practice, setting up stuff for IPv6 is in fact complex since support for it is all over the place.
|
| But I want to stress that IPv6 as a protocol is much simpler, more intuitive and much more versatile than IPv4. I'd even go so far as to say that it's actually fantastically suited for local networks, especially so in complicated setups with multiple subnets (in an alternate reality where everything supports it).
|
| It's really, truly, a genuine shame that it never gained the momentum it could have.
| DarkmSparks wrote:
| The basics of the client side are simple.
|
| But the routing is not simple.
|
| I'm pretty well versed in networking generally - even IPv6, but a quick glance over something like: http://ipv6now.com.au/primers/IPv6RoutingSecurity.php
|
| Makes it obvious why it still hasn't gotten anywhere, _no one_ wants to dig through all that unless they really really have to.
|
| Security depends on securing the routing and address allocation. So it is hardly surprising very few were/are willing to step up and declare IPv6 installations safe for service.
|
| Combine that with most users being happy and comfortable with 1 IP address and there was no mass market appeal for IPv6 hardware or software.
|
| I'd go so far as saying the vast majority of people do not even realise their machines can be accessed from the outside world when they only have one public address behind their "firewalled super safe ISP router", and would be terrified to find out they can.
| kaliszad wrote:
| Usually, inbound IPv6 is firewalled by the ISP router just fine. As far as I know, there is UPnP with IPv6 though there seems to be some work into that direction. Also, current CGNAT setups tend to close connections before they should according to RFCs: https://anderstrier.dk/2021/01/11/my-isp-is-killing-my-idle-...
|
| All the IPv6 routing security has to be done with IPv4 as well. ARP -> NDP, prevent source address spoofing, DHCP guard/RA guard are basically two sides of the same coin. Serious networking hardware has supported this for years or there are firmware updates supporting it. For about the last 5 years, supporting IPv6 became much easier, almost as easy as supporting IPv4 for most of the real world use cases. Anyway, the reality is, we don't really have much choice other than to migrate to IPv6 sooner or later.
| eqvinox wrote:
| > http://ipv6now.com.au/primers/IPv6RoutingSecurity.php
|
| Everything listed there either also applies/transfers to IPv4 or is not applicable at all to the situation you're evaluating.
|
| > Makes it obvious why it still hasn't gotten anywhere
|
| Uh....
|
| https://www.google.com/search?q=google+ipv6+traffic+percenta...
|
| 44.44%
|
| https://www.google.com/search?q=google+global+ipv6+traffic+p...
|
| 34.15%
|
| [EDIT: sibling post by minimaul has the better link:] https://www.google.com/intl/en/ipv6/statistics.html#tab=ipv6...
| minimaul wrote:
| > Combine that with most users being happy and comfortable with 1 IP address and there was no mass market appeal for IPv6 hardware or software.
|
| The mass market appeal for IPv6 is the fact that we do not have enough IPv4 to actually give one internet connection a unique IP. CGNAT is getting ever more present in the marketplace as a result of this.
|
| Major providers _are_ rolling out IPv6. eg in the USA, several major cable/fibre providers provide v6, several mobile networks provide IPv6 using things like 464xlat. It's the same in the UK - BT for example provide IPv6 on consumer internet connections, EE (a major phone carrier) provide v6 and use 464xlat to provide v4 connectivity to handsets.
|
| India and Germany are further ahead still, generally. Google's IPv6 stats are a good indicator of just how much v6 is in use now: https://www.google.com/intl/en/ipv6/statistics.html#tab=ipv6...
| kaliszad wrote:
| @yesco is right that practice is all over the place for IPv6 if it works at all. But in general, IPv6 as a protocol is just fine, at least equally secure as IPv4 and not more complex than IPv4 in many practical cases. I would even go so far as to say it is way easier to do a clean address plan with IPv6. Usually, IPv6 inbound access is blocked by default on the ISP router's firewall.
|
| In practical networks, IPv4 tends to be set up in some way and usually seems to work correctly - until you discover all the atrocious hacks people have committed over the ~25 years of practical, widespread use.
| Quite often multiple levels of NAT without much reason for it, UPnP where it shouldn't be, payment for even single IP addresses (great, we are paying for numbers other people got basically for free) and more - IPv4 are often handled like pets. Compared to IPv6, it is much harder to do a simple split into security groups based on prefix with IPv4. (In IPv6, you can usually just give every broadcast domain a /64 and will not make a huge mistake - they are a single security group. Sometimes, you might want to hand out a /64 or even shorter prefix to every client though.)
|
| There are some great resources for modern and practical IPv6 too: https://knihy.nic.cz/#IPv6-2019 (4th edition in Czech by Pavel Satrapa, but can be translated using Google Translate and is more or less ok as a translation: https://docs.google.com/document/d/10CRjSRBLcdqtGjJgaW5Sct5h...) there are older books in English that are also mostly relevant still. The free IPv6 course by RIPE NCC is also a good way to get up to speed and avoid (spreading) FUD.
| netflixandkill wrote:
| This sort of thinking is endemic in industrial networks; they finally internalized basic ipv4 concepts in the late 00s and never considered maybe the stateful tracking required for UPNP and other NAT tricks also might exist without it.
|
| I've set up several private v6 networks to deal with renewable energy projects in which the integrator used the same ipv4 address blocks on every single one, and the whole 6to4 translation explanation landed like they had just seen a devil sorcerer graft a goat head onto a human.
| kaliszad wrote:
| There are many, many networking and originally UNIX tools tricks (e.g. SSH) you can show to the poor people supporting industrial networks/hardware. I have written some of my tricks down in this OrgPage: https://www.orgpad.com/s/UHUor4 there are screenshots for Linux and Windows for some things related to SSHFS, SOCKS Proxy and more.
| Click units with shadows to open them. From time to time, I update it to reflect new tricks.
|
| This knowledge saved at least 2 companies hundreds if not thousands of euros in on-site support, hardware and other expenses. Funnily, while these things are quite hacky, they tend to work better than most of the dedicated hardware I have seen in practice, while keeping you/the technician/engineer in control. With any kind of working infrastructure, you can estimate how good your solutions are because you don't get called at random times and from monitoring/explicit contact you just see/hear the things work fine.
| alias_neo wrote:
| IPv6 can be a privacy issue, sure, but it's no less secure, my firewall is still blocking all incoming IPv6 traffic.
|
| The issues with IPv6, in my experience, come from its relative complexity, compared to IPv4, and also from forgetting to manage it at all, as it often uses different tools, firewalls, e.g. ip6tables vs iptables, or the fact that Ubiquiti EdgeRouters don't expose ANY IPv6 firewall configuration in the GUI at all.
| posguy wrote:
| Ubiquiti's router offerings are rather poor, VPNs can't roll over to WAN2 automatically, redundant tunnels are hard to configure, IPv6 support is a mess, asking Ubiquiti for support gets you an unhelpful chat that redirects you to help articles you've already read.
|
| Other players in this space have had these capabilities for over a decade, and you can call to get help. Ubiquiti might be inexpensive, but it's still more than double the price of Grandstream's SoHo/SMB router and access point offerings while offering equivalent support and features.
|
| Really neither of these offerings are good outside the SoHo and single location business space.
| I wish for OpenWRT, OPNsense or WatchGuard's configurability wrapped in a single interface that lets you see the router, switches and access points performance live while letting you alter their settings, without seriously kneecapped router capabilities.
| mavhc wrote:
| NAT can mean 2 things, 1 to 1, and 1 to many. Firewall is a concept not a thing.
|
| IPv6 could be set up so every computer has an internal address and you choose to map external to internet using 1 to 1 NAT.
| KozmoNau7 wrote:
| The issue is letting untrusted or badly behaved devices on the network. UPnP works great, _if you control which devices get on your network_.
|
| Static port forwarding combined with DHCP gets annoying quickly, you end up having to set up static assignments for every device that may need a port forwarded, which can be a lot, with modern multiplayer gaming and p2p.
|
| And for applications that select a random port on startup, such as some bittorrent clients, you either have to manually forward the port every time or select a static port.
|
| UPnP serves a purpose and is extremely convenient, as long as you trust the devices on your network.
| lostlogin wrote:
| > And for applications that select a random port on startup, such as some bittorrent clients, you either have to manually forward the port every time or select a static port.
|
| What if you run them over a VPN? I don't use torrents much but have a client containerised with OpenVPN. I'm not a networking expert but I had assumed (with all the dangers that comes with) that this moved the problem to the VPN provider?
| mercora wrote:
| it will work as long as you are the one initiating the connection. if some peer suspects you have a wanted piece available i.e. from another peer in the swarm it can not communicate the intent to get that piece from you to your client directly.
| i think BitTorrent can relay messages through intermediate peers to make your client establish the connection to that other peer (reversing the initiator). Otherwise peers will exchange other peers that are visible to them so that your client might eventually learn how the other peer that wanted that piece is reachable and connects to it. So it actually will work without port forwarding but reaching your client will be harder and thus fewer peers inside the swarm will be available to you or them, likely making it slower.
| daniellarusso wrote:
| So, keeping track of which device on your network belongs to which MAC address, and reserving an address for each, is that what you mean by 'annoying' - the administration of that?
| KozmoNau7 wrote:
| That's the easy part. Plenty of applications (such as bittorrent clients) use randomized ports. So you have to either disable that, manually add the port forward every time you start the client, or let UPnP handle it, because you don't let any untrusted devices or apps onto your network.
| procombo wrote:
| Doesn't TrueNAS (was FreeNAS) connect to iXsystem servers from the NAS and from the NAS web interface?
| the8472 wrote:
| Opening ports for a specific machine with dynamic IPv6 addresses can be difficult though.
|
| If the suffix stays stable then with iptables you can use netmasks where you mask out the prefix rather than the suffix.
|
| If both prefix and suffix are dynamic you need a solution that takes dhcp or host names into account. Not all router firmwares support something like that.
|
| Another alternative is to use UPnP or PCP with authentication.
| mnd999 wrote:
| Suffix should always be static with SLAAC because it's your MAC address. Even if you're using privacy extensions (and you should) you should still be able to listen on the MAC address one.
|
| If you're using DHCPv6 then the DHCP server should take care of DNS as it would for v4.
| the8472 wrote:
| > Suffix should always be static with SLAAC because it's your MAC address.
|
| Except for devices that randomize mac addresses. Normally even those that do that only try to do so when connecting to a new network but that's not always reliable.
|
| > Even if you're using privacy extensions (and you should) you should still be able to listen on the MAC address one.
|
| I'm doubtful that all applications make that distinction and advertise the right address. If they just use some external "what is my IP" service to determine their address because that's what they did for IPv4 then they'll get the privacy address and advertise that to peers because that'll be picked by default for outgoing connections.
|
| Being able to allow incoming connections to a port for any address belonging to a particular machine would be less error-prone.
| annoyingnoob wrote:
| I'd argue that the right approach is to replace the ISP router with your own and disable uPnP, for your own security. Otherwise it's only a matter of time before you see this again. You cannot count on having only trusted devices on your network.
| rkagerer wrote:
| I've never enabled uPnP, and get by just fine.
| sandreas wrote:
| Once more a sad story about so called plug and play devices doing weird stuff. I prefer getting my hands a bit dirty using:
|
| - FreeNAS / NAS4free / OpenMediaVault (for Home-NAS)
| - OpenWRT / OPNsense / PFSense (for Home-Firewall)
|
| Nearly Plug and play with this Hardware:
|
| - Dell T20 / T30 / T40
| - HP Microserver N54L / Gen8 / Gen10
| - Linksys WRT 1200 / 1900 / 3200 / 32X (https://dc502wrt.org/)
| - Alix APU
| canada_dry wrote:
| +1 for FreeNAS.
|
| Its use of ZFS and ability to easily manage multiple "jails" and vms is perfect for a reliable home automation platform!
|
| The only major downside I've found thus far is that you cannot pass USB devices selectively to a jail/vm.
| ziml77 wrote:
| I really wish it could do USB passthrough.
| I need that for home automation to run in a VM under TrueNAS. The solution I've been running for a few years now is to have TrueNAS and Home Assistant running under VMWare ESX. Required getting an HBA that I could pass through to the VM instead of using the ports on the mobo but it works nicely.
|
| Having Home Assistant as a guest under TrueNAS would be nicer though. Right now there's no data redundancy for Home Assistant.
| kitsunesoba wrote:
| Been running a T20 w/4x 4TB HDs with plain FreeBSD for a few years now and it works pretty well. I'm barely even competent when it comes to sysadmin sorts of things, but it was pretty easy to get set up following a blog post I found years ago.
|
| The consistency of FreeBSD is a real benefit here -- it's well documented to begin with, and since things change so little between releases, bits and pieces you find online are largely still relevant even if they're a little old.
| ryandrake wrote:
| First thing I did when I got my Buffalo Terastation was look up how to install plain Debian Linux on it and set it up myself. There is usually very little benefit to using the manufacturer's neutered, cobbled-together firmware.
|
| Same thing with my Internet router. Flash it with non-manufacturer firmware so I can configure it properly.
| dbeley wrote:
| I also had good experience with mini-PCs like Chuwi's. They are pretty cheap, have a good amount of ports and have the advantage of having newer CPUs with very little power consumption.
| CrLf wrote:
| > Unfortunately, disabling uPnP these days is too much of a hit to convenience
|
| I've disabled UPnP on every router I owned. Never did I notice any problems from doing it.
| tyingq wrote:
| _"CAN USER NAME AND PASSWORD OF TNAS ADMINISTRATOR BE CHANGED?
|
| Administrator's username is admin and the initial password is admin as well."_
|
| https://www.terra-master.com/us/faq/category/detail/?id=3303
|
| Oy.
| lostlogin wrote:
| "Users can change the password of administrator but cannot change the administrator's username.
|
| Is this article helpful? Yes / No"
|
| At least you change the password...
| Hnrobert42 wrote:
| What does the author mean that the NAS punched a hole through the firewall? They say it several times. Do they mean enabled port forwarding on the router? If so, that seems like a router issue.
| tyingq wrote:
| Welcome to uPnP.
|
| https://en.wikipedia.org/wiki/Universal_Plug_and_Play
| rovr138 wrote:
| UPnP is added to the NAS that allows it to request ports to be open and mapped.
|
| There is software needed on the router side too to make it work. They don't want to disable this.
|
| This is covered in the article.
| IceWreck wrote:
| Routers have this thing called universal plug and play which enables applications to enable port forwarding on their own without the user having to dive into router firewall settings.
| breakingcups wrote:
| > Upon SSHing into the NAS and having a dig around the file system, I discovered a file that could be modified. /etc/upnp.json seems to contain a list of port forwarding rules. Thank you to Terramaster for providing root access to these at least. Simply change bEnable to 0 for whatever ports you don't want exposed, reboot the NAS, and check the port forwarding rules.
|
| And don't forget to do all this each time the NAS updates. And pray to whatever entity you wish that auto-updates don't get enabled.
|
| Seriously, after a blunder like this, why not return the device and find a manufacturer you _can_ trust?
| starky wrote:
| Interesting, I have the 4 bay version of this NAS (F4-210) and I don't see anything along the lines of what the author is showing.
| im_down_w_otp wrote:
| I'm confused. Some significant length was gone to in attempting to interrogate the device and modify it in such a way that it wouldn't try to open uPnP ports anymore.
| Further, a lot of devices try to leverage uPnP by default, and many of them are significantly more opaque than this NAS proved to be. However, the author doesn't want to just disable uPnP in their router and manage forwarding directly due to a perceived loss of convenience.
|
| Surely, first discovering by happenstance that a device is doing this in the first place, then trying to figure out how to go through idiosyncratic & unsupported means to change the device's behavior, is significantly less convenient than updating router/firewall config rules in supported standard predictable ways on occasion?
| bscphil wrote:
| Given this:
|
| > My router is an ISP provisioned one so the feature-set there is somewhat limited
|
| My assumption was that their router doesn't support disabling uPnP for a single client, so it's 100% on or 100% off. If they play a significant number of p2p games or use p2p applications with non-predictable ports, it might well be more difficult to do manual port-forwarding when needed than to leave uPnP enabled (or even impossible, depending on what the router can do).
| kotsec wrote:
| You should NOT have any terramaster NAS internet facing right now. I disclosed a bug last month to Terramaster that still hasn't been fixed.
|
| Go to http://NAS_IP/module/api.php?wap/ and it will give your admin password out as an md5crypt hash. Why? I assume it's some sort of backdoor/dev code but I don't know.
| IceWreck wrote:
| > Unfortunately, disabling uPnP these days is too much of a hit to convenience
|
| Why? It's only used for torrents and some games, just note down their port numbers and enable those in your firewall once, that's it.
| KozmoNau7 wrote:
| You mean "enable them all over again for every new DHCP assignment, unless you insist on static IP assignments".
| iso1210 wrote:
| Why wouldn't I use static dhcp?
| KozmoNau7 wrote:
| Forwarded ports are not always static, we're not in the world of just web servers and SSH.
|
| Different devices may need to use VoIP, P2P, games and other applications that cannot be strictly mapped to just one system or even just one port. UPnP handles dynamic mappings, so you don't have to update your port forwards every time.
| Zombieball wrote:
| What's wrong with static IP assignments? Doesn't this solve the issue?
| stonesweep wrote:
| Story time: It depends on the hardware at your disposal. I'm now on the new T-Mobile Home Internet service, the router+wifi device supplied (a Nokia 5G LTE based unit with a SIM on one side) firmware has basically no configuration - you cannot assign static DHCP, no bridge mode, no port forwarding - it has UPNP on or off, that's it. A truly sparse webUI, frustrating no-config device at 1.0 firmware level that doesn't even show you what the DHCP ranges in use are. My G-Shock watch has more configuration options than this thing does. :-/
| Klwohu wrote:
| You "agreed" and gave your permission when you bought a product with mystery functions. Look at all the Einsteins who buy smart TVs and then become baffled when they start showing ads.
| SMAAART wrote:
| What.The.Actual.Fuck.
| TerminalSystem3 wrote:
| Can someone ELI5 on what a NAS is and why someone would need a NAS?
| notamy wrote:
| Adding on to what others have said, I have one set up that's also used as part of my backup strategy for the important stuff on all the other boxes around here.
| skizm wrote:
| Just a computer with a bunch of hard drives so you can store your media all in one place. Most of the time people expose this to their home network so they can access the files from all their devices while on the same wifi, but you can also expose it to the internet so you can access the files anywhere.
| xyst wrote:
| It stands for "network attached storage", it's basically a standalone disk drive that is accessible to all devices within the local network (or public internet, if the device is set up that way).
|
| In home setups, it's often used as a way to store terabytes of digital media (movies, videos, locally hosted wikipedia)
| cibyr wrote:
| When there's a typo in the message telling you "Tt is only available on the local network" that might be a sign of how much care was taken with regard to it.
| diarrhea wrote:
| The JSON config is strange, the keys contain type information. But any JSON parser worth its salt should not require that since JSON is natively typed, no?
| tyingq wrote:
| Where? I don't see that. What type info is below? Do you mean "mapList"? I suspect it's just what they chose to name the key.
|
|     "triestimes": 3,
|     "mapList": [
|       {
|         "desc": "ftp",
|         "nExternalPort": 6221,
|         "nInternalPort": 21,
|         "sProtocol": "TCP",
|         "bEnable": 0
|       },...
| philo23 wrote:
| I suspect they mean the letter prefixes: _n_ExternalPort + _n_InternalPort for number, _s_Protocol for string and _b_Enable for boolean.
|
| It's probably just a convention they use in the source code that's made its way into the JSON by serializing something? Either that or old habits die hard.
| cerved wrote:
| probably serialization of some object which uses hungarian notation
| tyingq wrote:
| Oh, ok, that makes sense. I assumed that was from some cargo culted code on how to name members of a struct.
| Wolfenstein98k wrote:
| Who hasn't exposed themselves over the internet without permission once or twice?
| [deleted]
| aborsy wrote:
| Is there an app to comprehensively test the security of a router?
|
| One usually runs Nmap or similar from WAN side to check for open ports.
|
| How to test if a router permits UPnP?
|
| Checking that UPnP is disabled in router's GUI is not sufficient. An app should try to punch holes, and run tests for various things.
|
| Also, what else needs to be checked?
| BlackiceNetwork wrote:
| Trust but verify. Just wanted to add that in my opinion it is best practice to schedule a recurrent task for scanning the network using tools like nmap.
|
| On top, add.
|
| After done (re)configuring a (new) device on your network, scan and document baseline. Verify baseline recurrently.
| rahimnathwani wrote:
| 9091 might be for the transmission web UI
| lostlogin wrote:
| There is a distinct whiff of Docker to the ports it's using. But maybe I've been too far down that hole and am just seeing things through Docker tinted spectacles.
| LeanderK wrote:
| I use a lot of software/devices which I think is using UPnP (airplay, airdrop, pioneer dj pro link, maybe the printer etc.). There's talk here about disabling UPnP but does that mean that the devices wouldn't be able to find each other? I don't want to babysit my router.
|
| Or aren't they using UPnP? Quick googling wasn't successful. I thought most of those autodiscover-services use UPnP.
| kalleboo wrote:
| There are 2 parts to UPnP.
|
| One is service discovery, in cooperation with zeroconf (aka bonjour/mDNS). This is handled 100% by devices themselves.
|
| The other is the port forwarding protocol, where devices can ask your router to open a port in the NAT to the wide internet forwarded to them. This is done in the router. It's also a potential massive security hole.
|
| If you disable UPnP on your router, you only disable the second thing. The first thing keeps working.
| ryandrake wrote:
| The service discovery isn't really the security hole though, is it? I mean I have mDNS configured on my LAN. It's the port forwarding, and specifically, configuring it so that any rando device on the network can set up port forwarding, which is the security problem.
|
| If you really want the dubious convenience of UPnP port forwarding, at least limit it to the one or two devices on your LAN that need it.
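An added example, not code from the article, from Terramaster or from anyone in the thread: a small audit script for the /etc/upnp.json mapping list quoted earlier (tyingq's excerpt, with the n/s/b key prefixes philo23 reads as type hints). It lists the forwards the NAS will request at boot and sets bEnable to 0 for anything not on an allowlist, the same edit the article's workaround quoted by breakingcups makes by hand. The sample file contents and the allowlisted port are constructed.

```python
"""Audit a Terramaster-style /etc/upnp.json port-mapping list (added example)."""
from __future__ import annotations

import copy
import json
from typing import Any, Iterable

# Constructed sample in the shape quoted in the thread ("mapList" entries with
# Hungarian-prefixed keys). Every entry here is made up for the demonstration.
SAMPLE_UPNP_JSON = """
{
  "triestimes": 3,
  "mapList": [
    {"desc": "ftp",     "nExternalPort": 6221, "nInternalPort": 21,   "sProtocol": "TCP", "bEnable": 1},
    {"desc": "ssh",     "nExternalPort": 6222, "nInternalPort": 22,   "sProtocol": "TCP", "bEnable": 1},
    {"desc": "web",     "nExternalPort": 8181, "nInternalPort": 8181, "sProtocol": "TCP", "bEnable": 1},
    {"desc": "torrent", "nExternalPort": 9091, "nInternalPort": 9091, "sProtocol": "TCP", "bEnable": 0}
  ]
}
"""

# Python type each key prefix promises: n = number, s = string, b = 0/1 flag.
PREFIX_TYPES = {"n": int, "s": str, "b": int}


def validate_entry(entry: dict[str, Any]) -> None:
    """Reject a mapping whose values do not match what its key prefixes imply."""
    for key in ("nExternalPort", "nInternalPort", "sProtocol", "bEnable"):
        if key not in entry:
            raise ValueError(f"mapping is missing {key!r}: {entry}")
        expected = PREFIX_TYPES[key[0]]
        value = entry[key]
        # bool is a subclass of int, so exclude it explicitly; a quoted "21"
        # is the realistic mistake a hand edit introduces.
        if isinstance(value, bool) or not isinstance(value, expected):
            raise ValueError(f"{key} should be {expected.__name__}, got {value!r}")
    if entry["bEnable"] not in (0, 1):
        raise ValueError(f"bEnable must be 0 or 1, got {entry['bEnable']!r}")
    if entry["sProtocol"].upper() not in ("TCP", "UDP"):
        raise ValueError(f"unknown protocol {entry['sProtocol']!r}")
    for key in ("nExternalPort", "nInternalPort"):
        if not 1 <= entry[key] <= 65535:
            raise ValueError(f"{key} out of range: {entry[key]}")


def load_config(text: str) -> dict[str, Any]:
    """Parse the file and validate every mapping before anything trusts it."""
    cfg = json.loads(text)
    if not isinstance(cfg.get("mapList"), list):
        raise ValueError("config has no mapList array")
    for entry in cfg["mapList"]:
        validate_entry(entry)
    return cfg


def enabled_mappings(cfg: dict[str, Any]) -> list[dict[str, Any]]:
    """Mappings the NAS will ask the router to open (bEnable == 1)."""
    return [m for m in cfg["mapList"] if m["bEnable"] == 1]


def restrict_mappings(cfg: dict[str, Any], allow: Iterable[tuple[str, int]]):
    """Return (hardened copy, names disabled): bEnable becomes 0 for every
    enabled mapping whose (protocol, internal port) is not on the allowlist."""
    allowed = {(proto.upper(), port) for proto, port in allow}
    hardened = copy.deepcopy(cfg)  # never mutate the caller's parsed file
    disabled = []
    for m in hardened["mapList"]:
        if m["bEnable"] == 1 and (m["sProtocol"].upper(), m["nInternalPort"]) not in allowed:
            m["bEnable"] = 0
            disabled.append(m["desc"])
    return hardened, disabled


def report(cfg: dict[str, Any]) -> str:
    """One line per forward that would reach the WAN, or '(none)'."""
    lines = [
        f"  {m['sProtocol']:<3} WAN:{m['nExternalPort']:<5} -> LAN:{m['nInternalPort']:<5} ({m['desc']})"
        for m in enabled_mappings(cfg)
    ]
    return "\n".join(lines) if lines else "  (none)"


if __name__ == "__main__":
    cfg = load_config(SAMPLE_UPNP_JSON)
    print("Forwards the NAS will request at boot:")
    print(report(cfg))
    # Hypothetical allowlist: keep only the web UI on TCP/8181.
    hardened, disabled = restrict_mappings(cfg, allow=[("TCP", 8181)])
    print(f"\nDisabled: {', '.join(disabled) or 'nothing'}")
    print("Still requested:")
    print(report(hardened))
    # For the real file: write this back to /etc/upnp.json, reboot the NAS and
    # confirm on the router that the forwards are gone; repeat after updates.
    print("\n" + json.dumps(hardened, indent=2))
```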
| daniellarusso wrote:
| No, mDNS is not really the issue.
|
| Even most VPNs won't, by default, allow mDNS packets across, without adding a relay server and some additional configuration.
|
| But, yeah, letting any application basically go into 'server' mode on your home network at-will is not the most secure setup.
| kalleboo wrote:
| Right, service discovery is fine.
|
| It's just that two things with wildly different security profiles get referred to with the same name
| stonesweep wrote:
| "It depends" as not all the names you listed as examples use the same technology, but in general "UPNP is more useful for things which need an incoming connection" (kinda sorta). This might be, say, a bittorrent client needing to allow other clients in on a port to share the file... sharing. To share. :) If you understand how Active vs Passive FTP works and how the incoming connections might need to be tracked (nf_conntrack for Linux folks), UPNP is more like that - apps which handle bi-directional conversations with the outside world beyond your router.
|
| Airdrop uses an ad-hoc WiFi network (peer-to-peer) with TLS, as does I think (Android) Beam. If I'm not mistaken some other devices in this area (Chromecast, Roku, etc.) use similar techniques, and sometimes leverage bluetooth ad-hoc networks. Discovery services like printers and fileshares tend to use (I'm assuming you're macOS) Bonjour (Rendezvous, renamed awhile back), which is sort of like an ad-hoc multicast (mDNS) solution if I understand it. On Windows it would use something like Netbios - conceptually the same. I just set a static IP on my wifi printer and call it a day, it's trivial stuff being a printer.
| vidarh wrote:
| Don't know if it's true for this model, but at least some Terramaster NAS's are just x86 computers [EDIT: I see the model in the article is an ARM box, but also that it's already running a Terramaster specific Linux distro, so just nuking most of the Terramaster specific stuff might be easier than trying to find a way to do a clean reinstall].
|
| For at least some of the x86 ones, you just need the right cable to connect to a suitable monitor, and it can boot from a USB drive. You don't need the VGA cable to replace the OS, but it helps a lot. You may have to dismantle the whole thing to get at the boot drive, but they're pretty easy to take apart.
|
| First I did with mine was to install Open Media Vault.
| a-dub wrote:
| aren't all these prosumer nas devices just out of date foss with a clunky webgui that ultimately is sufficiently limited such that you spend more time working around limitations than you would have just setting up foss yourself or are they actually getting good now?
| lgats wrote:
| CVE Assigned https://cve.report/CVE-2021-30127
___________________________________________________________________
(page generated 2021-04-03 23:00 UTC)