[HN Gopher] My NAS exposes itself over the internet without perm...
___________________________________________________________________
My NAS exposes itself over the internet without permission
Author : kn100
Score : 267 points
Date : 2021-04-03 15:50 UTC (7 hours ago)
(HTM) web link (kn100.me)
(TXT) w3m dump (kn100.me)
| geocrasher wrote:
| The article focuses on the security issues surrounding his new
| NAS, and that's fine. But the problem isn't security. It's Trust.
|
| Consumers generally trust that manufacturers will follow Best
| Practices and that security is part of the deal: I pay you money,
| you give me a quality product that Just Works and is Secure.
|
| False.
|
| Products are made to be _sold at a profit_. You can imagine that
| some engineer at that company knows about this problem, put in a
| Jira bug for it and since it didn't affect overall
| functionality, and because the product needed to be released as
| soon as possible, they rejected the bug and sent it off.
|
| By default, we should NOT trust that things are Good and Secure.
| If we are security conscious, then it's on us as consumers to
| figure out how to mitigate these problems. Or is it?
|
| If I was this guy, I'd box that thing up and send it back and
| give the company feedback as to why, and then I'd show them this
| very blog post.
|
| The manufacturer probably won't care. They know that until the
| average consumer cares about security _and knows how to mitigate
| problems_ it won't matter. And we all know that the average
| consumer, even of technical products, has security habits.
|
| Now if you'll excuse me, I need to go take care of some security
| stuff on my boxes, this really got me thinking about it!
| sudo passwd root greatnewpassword11
| greatnewpassword11
| alias_neo wrote:
| > Unfortunately, disabling uPnP these days is too much of a hit
| to convenience, so I looked for other solutions.
|
| Don't do this, there is no good reason to run UPNP if you care
| about security, turn it off and learn to manage a firewall.
|
| If the author really cares, go one step further and replace the
| ISP owned router with something with more control.
|
| Finally, if one cares about the software one's NAS runs, build or
| buy from someone like TrueNAS.
| stilisstuk wrote:
| So I don't know about routers or networks. I live in an
| apartment. Which router (+ an extra point / 2 hub mesh) is
| recommended these days? There seems to be a plethora of
| options, but most of them always end with Ubiquiti, which today
| feels like a bad choice. Also kind of expensive. Preferably
| something completely local. No cloud service. Preferably open
| source.
|
| I live in EU.
|
| (Sorry if it's bad form to ask for product recommendations, but
| I am unhappy with / don't trust my ISP-provided router, and GP
| explicitly mentions buying a router)
| Causality1 wrote:
| I'm pretty sure the WRT-54G I had in 2005 was better at
| penetrating walls than anything Ubiquiti has ever built.
| After dealing with the one my mother was issued for her
| remote work I'm convinced that anyone not trying to remote-
| admin a hundred-router campus installation would be a fool to
| buy one.
|
| Nothing is where you expect it to be. Getting to the control
| panel requires multiple login screens. Changing a port
| forwarding rule for devices that are and are not currently
| connected not only isn't on the same screen, it's not even in
| the same section of the control panel.
|
| I had no end of problems getting it up and running for her,
| despite having paid tech support on the phone. Everything
| connected via ethernet would benchmark at exactly 1/2 the
| normal download speed of her old router, and anything on wifi
| benchmarked at 1/6. For the first three days her IP phone
| just rang continuously with nobody there, and neither I nor
| the tech support guy have any idea why it started working
| correctly.
| newsclues wrote:
| Mikrotik
| katbyte wrote:
| The ux is... not good and I wouldn't recommend it for
| anyone not experienced
| omnimus wrote:
| Yeah, I bought Mikrotik for home and I have no idea what
| to do there. I tried to do hairpin NAT with it and after
| 3 tutorials I somehow managed to get it working and now I
| have no clue how it works or what it's really
| doing.
|
| I think it's only for real networking pros
| stefan_ wrote:
| Can you get rid of your ISP provided router? There are lots
| of obstacles there.
| stilisstuk wrote:
| I don't know to be honest?
| alias_neo wrote:
| I've replied to a couple of others, normally I would have
| recommended Ubiquiti, but I no longer do. Not just because of
| their recent breach debacle, but because their software
| quality has declined since some of their best developers
| left.
|
| The short but not so useful answer is, run something with
| pfSense or similar, I hear PCEngines hardware works well and
| is open source from the bootloader up.
|
| Ubiquiti has hardware offloading using Cavium hardware so you
| need to get some throughput tests if you need high bandwidth
| in hardware without the offloading hardware.
| katbyte wrote:
| pfSense isn't a replacement for Ubiquiti if you want a
| single plane for firewall, switches and APs - I don't know
| of any reasonable one sadly
| hedora wrote:
| I can recommend PC Engines (though a bit pricey, and kind
| of a hobby project to set up), and also Ubiquiti (ignoring
| the recent debacle).
|
| Both are generally maintenance free once they're set up.
| stilisstuk wrote:
| Considering Linksys WRT3200ACM. Heard pfSense is not good
| with wireless.
| aborsy wrote:
| Although netgate's recent debacle calls into question the
| code quality of pfsense as well:
|
| https://lists.zx2c4.com/pipermail/wireguard/2021-March/00649...
| rufius wrote:
| Honest question - what would I use UPnP for?
|
| I discovered a similar issue as the blog poster with my QNAP
| NAS which was easily remedied by disabling UPnP.
|
| I've not noticed any issues. We can do all the same things we
| did before. My Xbox and Switch still do online multiplayer just
| fine.
|
| I remember hearing Xbox/PS3-4 and UPnP mentioned together but
| it's been a while.
| rand49an wrote:
| UPnP allows devices to open up firewall ports for themselves
| to allow traffic to reach them inbound. Games (for example)
| that host a server on the user's local machine may
| require an open port to allow access inbound so UPnP can help
| with this.
|
| Nowadays it's not used much and quite frankly it was always
| a fairly bad idea.
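rand49an's description above (a device asks the router, over UPnP, to open an inbound port for itself) is exactly the mechanism the article's NAS is using. The following is an added example written for this page, not code from the article, the thread or any router or NAS vendor: it asks a UPnP IGD router for its current mapping table via the WANIPConnection action GetGenericPortMappingEntry and flags entries that point at LAN hosts you never chose to expose. The control URL is a placeholder assumption (a real router publishes it in its device description XML, located over SSDP), and the sample response is constructed to show the shape of one table entry.

```python
"""Audit the port mappings a UPnP IGD router currently holds.

Added example (not from the article or this thread). The control URL is
a placeholder assumption; the real one comes from the router's device
description XML.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from urllib.error import HTTPError
from urllib.request import Request, urlopen

IGD_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
# Assumption: placeholder control URL of the router's WANIPConnection service.
CONTROL_URL = "http://192.168.1.1:49152/upnp/control/WANIPConn1"


@dataclass
class PortMapping:
    external_port: int
    protocol: str
    internal_client: str
    internal_port: int
    description: str
    enabled: bool
    lease_seconds: int


def build_get_mapping_request(index):
    """SOAP envelope and headers for GetGenericPortMappingEntry(index)."""
    body = (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f'<u:GetGenericPortMappingEntry xmlns:u="{IGD_SERVICE}">'
        f"<NewPortMappingIndex>{index}</NewPortMappingIndex>"
        "</u:GetGenericPortMappingEntry></s:Body></s:Envelope>"
    ).encode()
    headers = {
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": f'"{IGD_SERVICE}#GetGenericPortMappingEntry"',
    }
    return headers, body


def _field(root, name):
    """Find an element by local name, ignoring SOAP/service namespaces."""
    for el in root.iter():
        if el.tag.split("}")[-1] == name:
            return (el.text or "").strip()
    raise KeyError(name)


def parse_mapping_response(xml_bytes):
    """Turn one GetGenericPortMappingEntryResponse into a PortMapping."""
    root = ET.fromstring(xml_bytes)
    return PortMapping(
        external_port=int(_field(root, "NewExternalPort")),
        protocol=_field(root, "NewProtocol"),
        internal_client=_field(root, "NewInternalClient"),
        internal_port=int(_field(root, "NewInternalPort")),
        description=_field(root, "NewPortMappingDescription"),
        enabled=_field(root, "NewEnabled") == "1",
        lease_seconds=int(_field(root, "NewLeaseDuration")),
    )


def unexpected_mappings(mappings, allowed_clients):
    """Enabled mappings whose LAN target is not a host you chose to expose."""
    return [m for m in mappings
            if m.enabled and m.internal_client not in allowed_clients]


def fetch_all_mappings(control_url=CONTROL_URL, limit=256):
    """Walk indices 0..limit-1; the router answers HTTP 500 with SOAP fault
    713 (SpecifiedArrayIndexInvalid) once the table is exhausted."""
    found = []
    for index in range(limit):
        headers, body = build_get_mapping_request(index)
        req = Request(control_url, data=body, headers=headers, method="POST")
        try:
            with urlopen(req, timeout=5) as resp:
                found.append(parse_mapping_response(resp.read()))
        except HTTPError:
            break
    return found


# Constructed sample: one entry as a router would return it (a NAS at
# 192.168.1.50 that mapped its web UI port for itself).
SAMPLE_RESPONSE = b"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse
    xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>8181</NewExternalPort>
<NewProtocol>TCP</NewProtocol><NewInternalPort>8181</NewInternalPort>
<NewInternalClient>192.168.1.50</NewInternalClient><NewEnabled>1</NewEnabled>
<NewPortMappingDescription>NAS web UI</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

if __name__ == "__main__":
    # Live run against the router: print anything not on the allow-list.
    for m in unexpected_mappings(fetch_all_mappings(), {"192.168.1.20"}):
        print(f"UNEXPECTED {m.protocol}/{m.external_port} -> "
              f"{m.internal_client}:{m.internal_port} ({m.description})")
```

Run periodically from a trusted host, this turns the thread's "is my NAS punching ports?" question into a check rather than a guess: a mapping whose internal client is the NAS shows up even when the NAS's own UI says it is not exposed. A lease of 0 means the mapping does not expire on its own.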
| milleramp wrote:
| Yes, the real lesson here is, I learned not to trust random
| vendors and turned off upnp.
| hh3k0 wrote:
| > If the author really cares, go one step further and replace
| the ISP owned router with something with more control.
|
| I wanted to do that for a while now. Do you happen to have a
| good suggestion regarding whose products are worthwhile?
| alias_neo wrote:
| It's muddy right now, I run Ubiquiti EdgeMAX switches and
| EdgeRouter at home, but I wouldn't recommend them right now
| (see another comment of mine, or check out the subreddit),
| for NAS I run TrueNAS, on a home built server.
| daniellarusso wrote:
| For your NAS, do you have a mobo and case recommendation?
| eikenberry wrote:
| Not OP, but I built a NAS not that long ago. For the case
| I purchased the Fractal Design Node 304
| (https://www.fractal-design.com/products/cases/node/node-304/...) and am very
| happy with it.
|
| For the Mobo I suggest finding a decent board (AMD based
| one if you want ECC RAM) and then use a PCI-e controller
| card to support the hard drives you need. It is hard to
| find a nice MB with all the SATA ports you need, using an
| external card gives you a lot more options. When I
| researched it everyone recommended an "LSI Logic
| Controller Card LSI00301 SAS 9207-8i" (eg.
| https://www.amazon.com/LSI-Controller-LSI00301-9207-8i-Inter...) and it has performed very well
| for me. If you go that way you'll need a SAS to SATA
| cable, they are easy to find as well.
| spockz wrote:
| Up until a week ago I would have suggested the UniFi. Since
| the latest snafu, the handling of the breach not the breach
| itself, I'm not so sure anymore what would be the best
| alternative. Perhaps just their EdgeRouter devices or a
| mikrotik device.
|
| The snafu: https://news.ycombinator.com/item?id=26638145
| bscphil wrote:
| Also, the security report you're talking about came out
| like two days after a huge blow-up on this site because of
| a report they added advertising to a UI for one of their
| products. (The controller I think?)
| daveoc64 wrote:
| People make blanket statements like this without thinking of
| how it is used by popular consumer devices.
|
| As others have said it's really necessary for some consumer
| devices to work properly - especially if you have more than one
| of the same device.
|
| Games consoles are the best example.
|
| If you have one console only, then you can usually forward
| ports manually, but if you have two or more of the same
| console, and want them to go online at the same time, then you
| need to use UPnP.
|
| If you don't have UPnP enabled on one of the consoles, you'll
| see issues like being unable to join some games or being unable
| to do voice chat with certain players.
| bunnyfoofoo wrote:
| Edited: deleted my comment as I was unintentionally offensive.
| crazygringo wrote:
| You mean ignoring the fact that a NAS which claims to not be
| available over the internet is available over the internet?
|
| The correct solution is the NAS manufacturer needs to correct
| the issue and provide a software update.
|
| This article shouldn't be ignored at all. Your supposed
| "correct solution" does nothing to fix the root issue.
| rovr138 wrote:
| Is there a reason why the software claims it's not available
| over the internet but still is because of something it did?
|
| Because that's a bug.
| kn100 wrote:
| To rephrase this somewhat less offensively (I am the author)
| "I realised a potential solution but decided the drawbacks of
| disabling uPnP were larger than the potential risk keeping
| uPnP enabled poses". My household makes use of many different
| services that would need to be port forwarded one by one in
| order to keep everything working, and some games just punch
| whatever port they like using uPnP so it's hard to keep
| playing those with it disabled. Sysadminning at home is only
| fun for a short while, I do this stuff at work, I'd rather
| keep my home setup as simple as I can help it.
|
| As usual, various solutions are available, I described one
| here. Disabling uPnP is an option for some, and I encourage
| those who want to go that route to go that route.
| uberswe wrote:
| I think some people miss the point of the article. That a
| NAS like Terramaster F2-210 shouldn't open ports externally
| and if they do there should be options to turn this feature
| off.
| bunnyfoofoo wrote:
| I'm sorry, I didn't mean to come off as offensive. I agree
| that it would be bothersome to convert from uPnP to non-
| uPnP, but you really only need to set it up once. Then any
| new devices you add to your network don't require
| individual workarounds.
| kn100 wrote:
| It's fine, I wasn't personally offended nor should you
| feel like you need to censor yourself. It's really
| difficult to justify turning uPnP off when you can't
| necessarily control every application that runs on your
| network. My wife is going to get rather annoyed when
| whatever video conferencing software she uses stops
| working, and I'm gonna get mad when the game I want to
| play doesn't work - which is why I engage in a somewhat
| fruitless fight with the stuff I can control to keep the
| uPnP port punching under control somewhat.
|
| It's definitely a bug in the NAS that it continues to
| punch ports no matter how it is configured. Plenty of
| software gives you the option of not punching ports.
| alias_neo wrote:
| Try it and see what happens.
|
| I build secure communications solutions for a living, so
| I'm speaking from experience.
|
| Any solution worth its salt doesn't want or need UPnP on
| your network, it doesn't need anything other than for you
| to let it hit the internet and for the traffic to come
| back the other way.
|
| I also run and have run other solutions in my day to day
| working from home and private life, many SIP flavours,
| Teams, Zoom (once, because it was the only option),
| Jitsi, BBB, Google Duo, Hangouts, Houseparty they all
| work with no effort from me.
|
| There is a lot of hypothetical about what will and won't
| work, but take it or leave it when I say that some of us,
| the people building these solutions, have a bit of a clue
| about networking and how to build solutions around
| security best-practice.
|
| I also game online with PC, Nintendo Switch and
| PlayStation 4/5, not one has given me issues, nor have I
| needed any custom firewall rules for the consoles.
|
| My wife works from home on a government-issued laptop,
| she's never complained of issues with video conferencing
| or her work VPN.
|
| There may be some exceptions, sure, but it's less of an
| issue than people think.
| zippergz wrote:
| FWIW I have never had upnp enabled and I don't recall any
| cases where it's caused a problem for me. Certainly my
| wife and I are on videoconferences all day and they work
| fine. I am completely with you that I can't have network
| configurations that make the network unusable, confusing,
| or inconvenient for my family, but are you sure that upnp
| falls into that category? I'm sure you have different
| applications than I do, but I think we're pretty
| normal...
| lanstin wrote:
| This article pissed me off so I went to check on uPNP and
| I had disabled it when moving into this home. Never had
| any problem where uPNP was the solution, we have gamers,
| video calls, VPNs, BitTorrent, etc etc. all work fine. We
| even have a printer that works. I think it is calling
| home to Google or HP or whatever.
| rubatuga wrote:
| You keep saying "whatever" software wouldn't work without
| UPnP, but you are failing to give us concrete examples.
| [deleted]
| hluska wrote:
| I agree with bunnyfoofoo's conclusion - maybe not the tone
| but certainly the conclusion. It's tough to trust an
| article that makes security claims while ignoring so many
| self imposed security holes.
| washadjeffmad wrote:
| It was clear you didn't want to disable UPnP support on the
| entire network, but I couldn't tell whether you'd tried
| disabling it on the NAS.
|
| Does the following disable the FS2-210's local UPnP?
|
| Go to TOS Desktop> Control Panel> Network Services>
| Discovery Service> UPnP Discovery > Uncheck "Enable UPnP
| discovery service"
|
| https://help.terra-master.com/TOS/view/?lang/en-us/flag/disc...
|
| I assume this won't break anything you don't want broken
| (ie- automatic port forwards), but I'm with you that the
| option is needlessly ambiguous.
| kn100 wrote:
| This option was and is disabled - I should have mentioned
| this in the blog post
| edoceo wrote:
| It's not offensive. But you were offended.
|
| Big difference.
| dxdm wrote:
| I'm wondering what definition of the word "offensive"
| you're using.
| edoceo wrote:
| Offensive as Rude.
|
| Then @kn100 assigns to @bunnyfoofoo the offending
| behaviour.
|
| It's the personal responsibility thing.
|
| "I'm offended" vs "You're offensive".
| adamweld wrote:
| I think it's pretty clear that the author believes he may
| have offended people with his statement, and is
| rephrasing in a more precise manner to avoid confusion.
| vczf wrote:
| To be very exact, being offended is a choice, in that
| nobody can offend you if you don't let them. You can
| always choose to not take offense. (The statement in
| question does seem rude and dismissive to me, however.)
| washadjeffmad wrote:
| I believe the eminent feminist and humanitarian, Eleanor
| Roosevelt, would have agreed with the fairness of your
| assessment.
|
| https://quoteinvestigator.com/2012/04/30/no-one-inferior/
| bayindirh wrote:
| Actually, I also found grandparent's (bunnyfoofoo) tone
| offensive. It's borderline derogatory, since it
| disregards the situation of the original author in many
| levels, plus everyone fixates on the wrong point.
|
| UPnP has its security implications, but it doesn't mean
| that random appliances can just open ports through it
| without any settings whatsoever.
|
| Everybody has the freedom to have opinions and free to
| express them, however we shouldn't disregard other
| person's situation while expressing our opinion. Talking
| about _theoretical_ best practices is always easy in a
| vacuum.
|
| Addendum: I want to congratulate bunny for trying to
| learn from his/her mistakes, for being honest and
| sincere. I wanted to leave it here since there's no other
| way to contact. I also made a lot of mistakes and HN
| taught me how to discuss this stuff, so you're at the
| right place.
| dijit wrote:
| On the other hand, if you want to play games on your network
| you absolutely must have UPNP. Unless the game has a dedicated
| server infrastructure. But even then you risk higher latency on
| VOIP if it even works at all.
| clajiness wrote:
| I'm gaming on my Xbox right now with specific ports
| forwarded. I guess "absolutely must" is a bit much, huh? UPNP
| has no place in a secure network.
| dijit wrote:
| This is not a reasonable solution for most people, it
| requires intimate knowledge of the games you play (which
| ports they use), a static IP for your console and no more
| than one player/console per household.
|
| Heaven forbid you have a PC game and an Xbox game that have
| conflicting ports.
|
| And, I just have to say: you open arbitrary ports to your
| game console from the internet and talk about security.
| easton wrote:
| n>1, not n=1.
| rubatuga wrote:
| This is completely false. Almost all home networks use port-
| restricted NAT, which allows for STUN for NAT traversal. You
| do not need UPnP to play games, even those that have peer to
| peer multiplayer.
|
| Also STUN for VOIP does not increase latency. It tells you
| your external IP and port.
|
| Edit: Port symmetric --> port restricted
| waffle_ss wrote:
| I get the feeling you've never run n>1 Xbox Ones connecting
| to Xbox Live at the same time. Without UPnP only one will
| be able to connect.
| eikenberry wrote:
| So is this issue mostly with consoles? I've always kept
| UPnP off and we do lots of gaming here without a problem,
| but pretty much all PC gaming.
| dijit wrote:
| PC also has problems. Truth be told it's all about the
| kinds of games you play.
|
| You can port forward of course, but you have to know
| which ports and obviously it only goes to one static IP
| 7steps2much wrote:
| I can't say for sure, but I have never ever seen a PC
| game using UPnP. That said, I have only ever seen it once
| with a console, a PS3 in this case.
|
| And, don't quote me on this, but most PC games are not
| Peer-To-Peer. They often come with their own server
| software.
| nullify88 wrote:
| Do you mean TURN? STUN does not work over Symmetric NAT as
| the source port is unpredictable.
| birdyrooster wrote:
| If you want to host servers on your network then you need
| firewall rules, but if you are just a client then the
| firewalls implicitly allow the responses to client traffic
| through.
| dijit wrote:
| Only if it's dedicated server infrastructure (as mentioned)
| games like call of duty will not work.
| kalleboo wrote:
| UPnP is also sometimes used to refer to some forms of
| zeroconf/mDNS/Bonjour/DLNA.
|
| Maybe he is under the impression if he turns off UPnP on his
| router (the automatic port forwarding feature), that his LAN
| device discovery features will break?
| atmosx wrote:
| Indeed, UPNP effectively turns on "auto-pilot". The fridge
| running on 10 years old firmware might open ports dynamically.
|
| Networks featuring UPNP should be marked as "open/insecure".
| KozmoNau7 wrote:
| If your fridge has a MAC address, you have much _much_ deeper
| problems than UPnP.
| watermelon0 wrote:
| Sure, UPnP can open ports to the outside world, but that's
| something that might be desired in some cases.
|
| However, devices should default to local access only, and offer
| an option to expose them to the world, with appropriate
| warning.
| zokier wrote:
| > However, devices should default to local access only
|
| Unfortunately we need to act based on what _is_ and not what
| _should be_.
| ryandrake wrote:
| You could also configure your Internet router to only allow
| one or two trusted devices to invoke UPnP to open ports.
| chefkoch wrote:
| Not the ISP supplied ones I guess.
| kn100 wrote:
| This is exactly my opinion and exactly how I use uPnP. I
| can't control exactly what runs on my network since I'm not
| the only one using it, but I can guard certain parts of my
| network more thoroughly.
| rubatuga wrote:
| You have to choose: security or convenience.
| rembicilious wrote:
| "They that would give up a little convenience for a
| little security deserve neither and they shall lose them
| both." -Beenjammin Frankmon
| sdflhasjd wrote:
| UPNP is pretty important for a lot of online games.
| Spivak wrote:
| Yeah, you can't really "manage your firewall" when consumer
| software doesn't open fixed ports and assumes upnp.
| Tepix wrote:
| Which ones? I have it turned off and haven't had any issues
| with games.
| rdudek wrote:
| Ubisoft games come to mind. Without UPnP or specific ports
| forwarded you'll have limited NAT support which many games
| will tell you.
| sdflhasjd wrote:
| Games that use Peer-to-peer lobbies instead of dedicated
| servers, more popular with multiplayer co-op games.
|
| Typically, it can be possible to join another lobby, but
| impossible to host (insofar as other people can't connect
| to it)
| nullify88 wrote:
| Let's not forget about consoles too. Xbox Live and PSN
| complain about obstructive NAT configurations and rely
| upon uPnP to open ports.
|
| Of course they can be opened manually but that assumes
| some technical experience, and that the ISP provided
| hardware gives you access to its configuration.
| testfoobar wrote:
| Agreed.
|
| My router firewall drops all packets from my NAS to my WAN.
| Doesn't matter what software it runs.
| ancarda wrote:
| Do you have a router you recommend? Ideally something running
| free software
| bscphil wrote:
| The PC Engines hardware line is popular here. The firmware is
| coreboot and you can run OPNsense on it for an entirely free
| software solution. It's quite solid, have had no issues at
| all. See e.g. https://www.pcengines.ch/apu4d4.htm
|
| Not aff'd, just a customer.
| alias_neo wrote:
| Hardware wise, I run Ubiquiti EdgeMAX but I wouldn't
| recommend them anymore, their software has gone down hill
| since many of their best developers left.
|
| Software wise, pfSense is where it's at, but I don't have
| experience with their own hardware other than the ones we ran
| at work all failed due to a silicon flaw in the Intel SoCs
| they ran.
| 7steps2much wrote:
| > Ubiquiti EdgeMAX but I wouldn't recommend them anymore
|
| Sadly there aren't exactly a lot of alternatives in the
| hobbyist network setup area ... It's basically just
| Ubiquiti and Mikrotik at this point as far as I know
| zokier wrote:
| I've heard good things about Turris hardware too, but no
| personal experience.
| https://www.turris.com/en/omnia/overview/
| JoshTriplett wrote:
| > Software wise, pfSense is where it's at
|
| Recent events suggest that the people behind pfSense are
| not especially responsible stewards; see
| https://arstechnica.com/gadgets/2021/03/buffer-overruns-lice... and https://opnsense.org/opnsense-com/ .
| Iolaum wrote:
| Look at the range of devices from GL.iNet. They run a custom
| version of OpenWrt with a nice UI on top. But most are
| upstreamed and you can flash vanilla OpenWrt on them. They're
| quite cheap as well. I'm not affiliated with them but I have
| bought devices from them. I use one between the ISP's router
| and my home network.
| alias_neo wrote:
| This is a safe bet if you don't need advanced hardware
| features, I have several GL.iNet devices, you can build
| your own OpenWrt for them and turn off the phone-home
| functionality.
| stilisstuk wrote:
| The 2 hub valica mesh model is a contender :)
| annoyingnoob wrote:
| OPNsense or pfSense
| anonymousiam wrote:
| I have used both OPNsense and pfSense. I currently use OpenWRT
| which I find to be full featured, secure, and lightweight.
| bytearray64 wrote:
| I like Mikrotik for routers. They're cheap and have a lot of
| knobs in the SW (maybe too many if you just want NAT). They
| do run linux, but their SW isn't open. I've been pairing my
| Mikrotik hEX with a Unifi AP. Not sure what I'll do going
| forward, as I've heard Mikrotik's APs aren't as good as their
| routing and switching hardware.
|
| If I was going the "dedicated machine" route, I'd probably go
| with OPNsense nowadays.
| kaylynb wrote:
| OPN/pfSense have been mentioned.
|
| Don't waste time with WiFi on the gateway itself as most WiFi
| chips you can buy are crippled in firmware for regulatory
| reasons. Just use a dedicated commercial AP hooked up
| directly or VLANed.
|
| Once you get comfortable with something like pfSense I highly
| recommend switching to regular Free/OpenBSD, or Linux
| depending on what you're comfortable with. I find it much
| easier to manage a gateway with the entire configuration in
| version control than a GUI. There aren't that many services
| that a gateway needs to run.
|
| If you feel like you'll miss pf on the *BSDs check out
| nftables on Linux. It's not as well documented but it's much
| less painful than iptables.
|
| To loop this into the UPnP discussion: when you build your
| own gateway from scratch you have to _add_ a UPnP daemon and
| configure it yourself, instead of forgetting to disable it
| and exposing poorly configured IOT stuff.
| deburo wrote:
| I also found this weird, and this got me to check if it was
| enabled on my business firewall devices: turns out they don't
| even support UPnP. Is it just consumer routers that support it
| nowadays? Shouldn't that feature just be nuked?
|
| EDIT: Well it sounds like a feature for pro users that know
| what they are doing and control all devices on the network.
| Even then, security appliances (eg. from SonicWall) don't
| support it. I don't know, this is probably a niche feature for
| a few occasions.
| my123 wrote:
| Far from only a feature for pro users. Notably, it is a must
| for VoIP (without going through a relay) and BitTorrent when
| you don't want to manually configure a firewall. (It allows you
| to create holes in a controlled way for a NATted network.)
|
| Without UPnP, you specifically have to configure your NAT for
| this...
| ShroudedNight wrote:
| > Notably, it is a must for VoIP
|
| Wouldn't making STUN work be a better alternative?
| rubatuga wrote:
| Yes, it's a feature supported by many VOIP clients, and
| this comments section is filled with UPnP apologists
| my123 wrote:
| As I said, "without going through a relay".
|
| And TURN is one of those relays.
|
| (I host a STUN and TURN relay myself, because I had to
| for my personal VoIP server for enough people to be able
| to connect on it. Downside is more use of bandwidth.)
|
| edit: replaced STUN with TURN where appropriate, I did
| confuse both as they were provided as a single package.
| rubatuga wrote:
| STUN is not a relay.
| dasyatidprime wrote:
| STUN is not a relay, but TURN is, and STUN/TURN is a
| common combo for when STUN doesn't manage to holepunch
| reliably, falling back to the relay when the direct
| connection fails.
|
| What's also true, and what I think the GP was trying to
| get at, is that STUN requires an external _coordination_
| server. UPnP (I think--I am far less familiar with it)
| does not, because in UPnP you're negotiating the
| holepunching with the local router directly, whereas STUN
| is sort of using a loophole.
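The STUN mechanics rubatuga, nullify88 and dasyatidprime discuss above (the server simply reports the address and port it saw the client's packet arrive from; a symmetric NAT that picks a new source port per destination defeats that) in working code. This is an added example written for this page, not code from the thread or from any of the tools named in it: it builds an RFC 5389 Binding Request, decodes the XOR-MAPPED-ADDRESS attribute from the reply, and compares the mappings reported by two different servers to tell endpoint-independent mapping (STUN hole punching can work) from symmetric mapping (it cannot). The server address in `query_stun` is whatever the caller supplies; the sample reply is constructed locally with the same encoder a STUN server uses, for the made-up public endpoint 203.0.113.7:40000.

```python
"""Minimal STUN Binding client (RFC 5389) plus a mapping-behaviour check.

Added example, not from the article or this thread. No real server is
contacted unless query_stun() is called with one.
"""
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101          # Binding Success Response
ATTR_XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(txid):
    """20-byte STUN header with no attributes; txid is a 96-bit random id."""
    assert len(txid) == 12
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid


def encode_xor_mapped_address(ip, port):
    """Attribute value: reserved byte, family 0x01 (IPv4), then port and
    address each XORed with the magic cookie so NATs cannot rewrite them."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    return struct.pack("!BBHI", 0, 0x01, xport, xaddr)


def build_binding_response(txid, ip, port):
    """What a STUN server sends back; used here to construct offline input."""
    value = encode_xor_mapped_address(ip, port)
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI", BINDING_RESPONSE, len(attr), MAGIC_COOKIE) + txid + attr


def parse_binding_response(data, txid):
    """Return (ip, port) as the server saw them, or raise ValueError."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if msg_type != BINDING_RESPONSE or cookie != MAGIC_COOKIE or data[8:20] != txid:
        raise ValueError("not a Binding Success Response for our transaction")
    body = data[20:20 + length]
    offset = 0
    while offset + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[offset:offset + 4])
        value = body[offset + 4:offset + 4 + alen]
        if atype == ATTR_XOR_MAPPED_ADDRESS and len(value) >= 8 and value[1] == 0x01:
            _, _, xport, xaddr = struct.unpack("!BBHI", value[:8])
            ip = socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE))
            return ip, xport ^ (MAGIC_COOKIE >> 16)
        offset += 4 + ((alen + 3) & ~3)   # attribute values are padded to 4 bytes
    raise ValueError("no IPv4 XOR-MAPPED-ADDRESS in response")


def mapping_is_endpoint_independent(mapped):
    """True when the same local socket was reported with the same public
    (ip, port) by every server asked: a port-restricted or full-cone NAT.
    Differing results mean a symmetric NAT, which plain STUN cannot traverse."""
    return len(set(mapped)) == 1


def query_stun(server, port=3478, timeout=3.0, sock=None):
    """Live query of one server. Pass the same bound socket to several
    servers to feed mapping_is_endpoint_independent()."""
    txid = os.urandom(12)
    own = sock is None
    s = sock or socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.settimeout(timeout)
        s.sendto(build_binding_request(txid), (server, port))
        data, _ = s.recvfrom(1500)
    finally:
        if own:
            s.close()
    return parse_binding_response(data, txid)


# Constructed sample: the reply a server would send if our request arrived
# from public endpoint 203.0.113.7:40000 (a documentation address).
SAMPLE_TXID = bytes(range(12))
SAMPLE_RESPONSE = build_binding_response(SAMPLE_TXID, "203.0.113.7", 40000)
```

Because the request is a single UDP datagram from a port the client already opened, the NAT treats the reply as return traffic; nothing on the router is reconfigured, which is the difference from UPnP that dasyatidprime is pointing at. Asking two servers from one socket and comparing the answers is the quickest way to find out whether a given home NAT is the "port-restricted" kind rubatuga describes or symmetric.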
| my123 wrote:
| With TURN, all the traffic to the clients is routed
| through the TURN server indeed. That makes hosting a
| discussions server more traffic-heavy than otherwise...
|
| (and it turns out that the server software that I use
| implements TURN and STUN in the same daemon)
| [deleted]
| daniellarusso wrote:
| What STUN relay software do you use, or is it a hardware
| device?
| my123 wrote:
| I use https://github.com/coturn/coturn, provided as the
| coturn package on Ubuntu 20.04.
| [deleted]
| nobody9999 wrote:
| >Without UPnP, you specifically have to configure your NAT
| for this...
|
| While I realize that configuring nftables/iptables is
| beyond most folks, there are many firewalls out there that
| have a GUI/webui which makes this dead simple.
|
| Not sure why this should be an issue in 2021, except for
| users' trained-in helplessness.
| benlivengood wrote:
| > Not sure why this should be an issue in 2021, except
| for users' trained-in helplessness.
|
| Kids hosting games on random ports (Terraria, etc.)
| benefit from UPnP. I'd rather enable it than manually
| enter firewall rules for each game or give them admin
| access to the firewall.
|
| UPnP is only an additional risk if you have malware
| inside your network already and then it mostly allows
| malware to host services in a simpler way, but capable
| malware will be able to use TCP hole punching to
| establish arbitrary connections between infected
| networks.
| hluska wrote:
| Ugh, users trained in helplessness. I just had an utterly
| annoying conversation with my cell phone provider whose
| reps have been trained in helplessness and thus fail to
| follow really simple security procedures.
|
| This phrase is a thing of nightmares now. Stay tuned for
| a really scary Haunted House full of users trained in
| helplessness...coming Halloween 2021.
| gsich wrote:
| That sounds like he didn't even try.
| xyst wrote:
| also dont buy Ubiquiti gear :)
| rdudek wrote:
| Nothing wrong with uPnP. If you're worried about something
| opening up ports on your network, you're already compromised.
| takeda wrote:
| I find it amusing that many people are convinced that IPv6 is
| less safe, because there is no NAT, and at the same time use
| UPnP. No, NAT isn't designed for security, the blocking of
| incoming traffic is just side effect, you should use a firewall
| for security.
| rubatuga wrote:
| Yep, the author depends on NAT as a security feature, when it
| was never designed to be one. UPnP is a convenience feature,
| and is disabled in all security focused networks. If you want
| convenience and security, set up two VLANs, one for your
| insecure UPnP devices, and one for your more sensitive
| devices.
| kaylynb wrote:
| This is the way to do it.
|
| NAT is not really security and UPnP doesn't really do much
| to prevent malicious software already on your network from
| doing malicious things except perhaps hosting itself on
| your WAN to spread further.
|
| What disabling it does help is prevent improperly
| configured or flawed devices from accidentally exposing
| themselves to your WAN. IOT devices? Put them on a network
| with no UPnP. Workstations and video game consoles with up-
| to-date patches? UPnP is probably fine.
| nemosaltat wrote:
| This is what I did a couple years ago. The documentation
| for OpenWRT is great, and Luci/LDE makes it approachable if
| you don't feel comfortable managing from the CLI. I have
| one VLAN for my "privileged" devices and one for the
| "IO(shi)T" devices.
| bscphil wrote:
| Aren't these two points slightly contradictory?
|
| > the author depends on NAT as a security feature, when it
| was never designed to be one
|
| > UPnP is a convenience feature, and is disabled in all
| security focused networks.
|
| uPnP punches holes in a NAT. If you shouldn't be trusting
| NAT to protect you anyway, why bother disabling a feature
| that's designed to punch holes in it? Just set up your
| firewall to protect your network, and it's not an issue.
|
| (I suppose some routers might automatically add a firewall
| exception when doing uPnP hole punching, but if so that's
| an issue with those routers, not with the idea of relying
| on a firewall.)
| cbsks wrote:
| > I suppose some routers might automatically add a
| firewall exception when doing uPnP hole punching
|
| Every consumer router I've ever had will open up a port
| in the firewall when uPnP is enabled and a request is
| received. Is that not standard?
| netflixandkill wrote:
| UPNP doesn't "punch holes in NAT." It is dynamically
| configuring NAT to provide a specific translation. The
| same kind of dynamic translation happens the other way
| for any allowed outgoing traffic, and lots of old NAT
| traversal tricks made use of that before UPNP was a
| thing.
|
| The hole was always there. People get this topic confused
| all the time because the majority of network devices
| doing NAT are also acting as firewalls of varying
| efficacy. There are basically no non-firewall routers
| anymore, they all have at least simple network address
| ACLs.
|
| The purpose of upnp is touchless configuration. If you
| care about security, that is orthogonal to your goals,
| and so it must be restricted by some other policy
| enforcement.
| rubatuga wrote:
| Ah that's fair, but it's the combination of both that is
| the worst
| DarkmSparks wrote:
| IMHO IPv6 is an ISP problem, I don't need every (any, really)
| of my devices accessible from outside my personal VPN, and
| IPV4 private space is more than sufficient for that.
|
| IPv6 is overly complex, therefore insecure. Thanks to the US
| Patriot Act I dont even trust the VPN stuff tbh.
| yesco wrote:
| > IPv6 is overly complex
|
| I'm being a bit pedantic about this since you're right that
| in practice, setting up stuff for IPv6 is in-fact complex
| since support for it is all over the place.
|
| But I want to stress that IPv6 as a protocol is much
| simpler, more intuitive and much more versatile than IPv4.
| I'd even go so far as to say that it's actually
| fantastically suited for local networks, especially so in
| complicated setups with multiple subnets (in an alternate
| reality where everything supports it).
|
| It's really, truly, a genuine shame that it never gained
| the momentum it could have.
| DarkmSparks wrote:
| The basics of the client side are simple.
|
| But the routing is not simple.
|
| I'm pretty well versed in networking generally - even
| IPv6, but a quick glance over something like:
| http://ipv6now.com.au/primers/IPv6RoutingSecurity.php
|
| Makes it obvious why it still hasn't gotten anywhere, _no
| one_ wants to dig through all that unless they really
| really have to.
|
| Security depends on securing the routing and address
| allocation. So it is hardly surprising very few were/are
| willing to step up and declare IPv6 installations safe for
| service.
|
| Combine that with most users being happy and comfortable
| with 1 IP address and there was no mass market appeal for
| IPv6 hardware or software.
|
| I'd go so far as saying the vast majority of people do
| not even realise their machines can be accessed from the
| outside world when they only have one public address
| behind their "firewalled super safe ISP router", and
| would be terrified to find out they can.
| kaliszad wrote:
| Usually, inbound IPv6 are firewalled by the ISP router
| just fine. As far as I know, there is UPnP with IPv6
| though there seems to be some work into that direction.
| Also, current CGNAT setups tend to close connections
| before they should according to RFCs:
| https://anderstrier.dk/2021/01/11/my-isp-is-killing-my-idle-...
|
| All the IPv6 routing security has to be done with IPv4 as
| well. ARP -> NDP, prevent source address spoofing, DHCP
| guard/ RA guard are basically two sides of the same coin.
| Serious networking hardware supports this for years or
| there are firmware updates supporting it. For about the
| last 5 years, supporting IPv6 became much easier, almost
| as easy as supporting IPv4 for most of the real world use
| cases. Anyway, the reality is, we don't really have much
| choice other than to migrate to IPv6 sooner or later.
| eqvinox wrote:
| > http://ipv6now.com.au/primers/IPv6RoutingSecurity.php
|
| Everything listed there either also applies/transfers to
| IPv4 or is not applicable at all to the situation you're
| evaluating.
|
| > Makes it obvious why it still hasn't gotten anywhere
|
| Uh....
|
| https://www.google.com/search?q=google+ipv6+traffic+percenta...
|
| 44.44%
|
| https://www.google.com/search?q=google+global+ipv6+traffic+p...
|
| 34.15%
|
| [EDIT: sibling post by minimaul has the better link:]
| https://www.google.com/intl/en/ipv6/statistics.html#tab=ipv6...
| minimaul wrote:
| > Combine that with most users being happy and
| comfortable with 1 IP address and there was no mass
| market appeal for IPv6 hardware or software.
|
| The mass market appeal for IPv6 is the fact that we do
| not have enough IPv4 to actually give one internet
| connection a unique IP. CGNAT is getting ever more
| present in the marketplace as a result of this.
|
| Major providers _are_ rolling out IPv6. eg in the USA,
| several major cable /fibre providers provide v6, several
| mobile networks provide IPv6 using things like 464xlat.
| It's the same in the UK - BT for example provide IPv6 on
| consumer internet connections, EE (a major phone carrier)
| provide v6 and use 464xlat to provide v4 connectivity to
| handsets.
|
| India and Germany are further ahead still, generally.
| Google's IPv6 stats are a good indicator of just how much
| v6 is in use now:
| https://www.google.com/intl/en/ipv6/statistics.html#tab=ipv6...
| kaliszad wrote:
| @yesco is right that practice is all over the place for
| IPv6 if it works at all. But in general, IPv6 as a protocol
| is just fine, at least equally secure as IPv4 and not more
| complex than IPv4 in many practical cases. I would even go
| so far to say it is way easier to do a clean address plan
| with IPv6. Usually, IPv6 inbound access is blocked by
| default on the ISP routers firewall.
|
| In practical networks, IPv4 tends to be set up in some way
| and usually seems to work correctly - until you discover
| all the atrocious hacks people have committed over the ~ 25
| years of practical, widespread use. Quite often multiple
| levels of NAT without much reason for it, UPnP where it
| shouldn't be, payment for even single IP addresses (great,
| we are paying for numbers other people got basically for
| free) and more - IPv4 are often handled like pets. Compared
| to IPv6, it is much harder to do a simple split into
| security groups based on prefix with IPv4. (In IPv6, you
| can usually just give every broadcast domain a /64 and will
| not do a huge mistake - they are a single security group.
| Sometimes, you might want to hand out a /64 or even shorter
| prefix to every client though.)
|
| There are some great resources for modern and practical
| IPv6 too: https://knihy.nic.cz/#IPv6-2019 (4th edition in
| Czech by Pavel Satrapa, but can be translated using Google
| Translate and is more or less ok as a translation:
| https://docs.google.com/document/d/10CRjSRBLcdqtGjJgaW5Sct5h...)
| there are older books in English that are also mostly
| relevant still. The free IPv6 course by RIPE NCC is also a
| good way to get up to speed and avoid (spreading) FUD.
| netflixandkill wrote:
| This sort of thinking is endemic in industrial networks; they
| finally internalized basic ipv4 concepts in the late 00s and
| never considered maybe the stateful tracking required for
| UPNP and other NAT tricks also might exist without it.
|
| I've set up several private v6 networks to deal with
| renewable energy projects in which the integrator used the
| same ipv4 address blocks on every single one, and the whole
| 6to4 translation explanation landed like they had just seen a
| devil sorcerer graft a goat head onto a human.
| kaliszad wrote:
| There are many, many networking and originally UNIX tools
| tricks (e.g. SSH) you can show to the poor people
| supporting industrial networks/ hardware. I have written
| some of my tricks down in this OrgPage:
| https://www.orgpad.com/s/UHUor4 there are screenshots for
| Linux and Windows for some things related to SSHFS, SOCKS
| Proxy and more. Click units with shadows to open them. From
| time to time, I update it to reflect new tricks.
|
| This knowledge saved at least 2 companies hundreds if not
| thousands of euros in on-site support, hardware and other
| expenses. Funnily, while these things are quite hacky, they
| tend to work better than most of the dedicated hardware I
| have seen in practice, while keeping you/ the technician/
| engineer in control. With any kind of working
| infrastructure, you can estimate how good your solutions
| are because you don't get called at random times and from
| monitoring/ explicit contact you just see/ hear the things
| work fine.
| alias_neo wrote:
| IPv6 can be a privacy issue, sure, but it's no less secure,
| my firewall is still blocking all incoming IPv6 traffic.
|
| The issues with IPv6, in my experience come from its relative
| complexity, compared to IPv4, and also from forgetting to
| manage it at all, as it often uses different tools,
| firewalls, e.g. ip6tables vs iptables, or the fact that
| Ubiquiti EdgeRouters don't expose ANY IPv6 firewall
| configuration in the GUI at all.
| posguy wrote:
| Ubiquiti's router offerings are rather poor, VPNs can't
| roll over to WAN2 automatically, redundant tunnels are hard
| to configure, IPv6 support is a mess, asking Ubiquiti for
| support gets you an unhelpful chat that redirects you to
| help articles you've already read.
|
| Other players in this space have had these capabilities for
| over a decade, and you can call to get help. Ubiquiti might
| be inexpensive, but it's still more than double the price of
| Grandstream's SoHo/SMB router and access point offerings
| while offering equivalent support and features.
|
| Really neither of these offerings are good outside the SoHo
| and single location business space. I wish for OpenWRT,
| OPNsense or WatchGuard's configurability wrapped in a
| single interface that lets you see the router, switches and
| access points performance live while letting you alter
| their settings, without seriously kneecapped router
| capabilities.
| mavhc wrote:
| NAT can mean 2 things, 1 to 1, and 1 to many. Firewall is a
| concept not a thing.
|
| IPv6 could be set up so every computer has an internal
| address and you choose to map external to internet using 1 to
| 1 NAT.
| KozmoNau7 wrote:
| The issue is letting untrusted or badly behaved devices on the
| network. UPnP works great, _if you control which devices get on
| your network_.
|
| Static port forwarding combined with DHCP gets annoying
| quickly, you end up having to set up static assignments for
| every device that may need a port forwarded, which can be a
| lot, with modern multiplayer gaming and p2p.
|
| And for applications that select a random port on startup, such
| as some bittorrent clients, you either have to manually forward
| the port every time or select a static port.
|
| UPnP serves a purpose and is extremely convenient, as long as
| you trust the devices on your network.
| lostlogin wrote:
| > And for applications that select a random port on startup,
| such as some bittorrent clients, you either have to manually
| forward the port every time or select a static port.
|
| What if you run them over a VPN? I don't use torrents much
| but have a client containerised with OpenVPN. I'm not a
| networking expert but I had assumed (with all the dangers
| that comes with) that this moved the problem to the VPN
| provider?
| mercora wrote:
| It will work as long as you are the one initiating the
| connection. If some peer suspects you have a wanted piece
| available, i.e. from another peer in the swarm, it cannot
| communicate the intent to get that piece from you to your
| client directly. I think BitTorrent can relay messages
| through intermediate peers to make your client establish
| the connection to that other peer (reversing the
| initiator). Otherwise peers will exchange other peers that
| are visible to them so that your client might eventually
| learn how the other peer that wanted that piece is
| reachable and connects to it. So it actually will work
| without port forwarding but reaching your client will be
| harder and thus fewer peers inside the swarm will be
| available to you or them, likely making it slower.
| daniellarusso wrote:
| So, keeping track of which device on your network belongs to
| which MAC address, and reserving an address for each, is that
| what you mean by 'annoying' - the administration of that?
| KozmoNau7 wrote:
| That's the easy part. Plenty of applications (such as
| bittorrent clients) use randomized ports. So you have to
| either disable that, manually add the port forward every
| time you start the client, or let UPnP handle it, because
| you don't let any untrusted devices or apps onto your
| network.
| procombo wrote:
| Doesn't TrueNAS (was FreeNAS) connect to iXsystem servers from
| the NAS and from the NAS web interface?
| the8472 wrote:
| Opening ports for a specific machine with dynamic IPv6
| addresses can be difficult though.
|
| If the suffix stays stable then with iptables you can use
| netmasks where you mask out the prefix rather than the suffix.
|
| If both prefix and suffix are dynamic you need a solution that
| takes dhcp or host names into account. Not all router firmwares
| support something like that.
|
| Another alternative is to use UPnP or PCP with authentication.
| mnd999 wrote:
| Suffix should always be static with SLAAC because it's your
| MAC address. Even if you're using privacy extensions (and you
| should) you should still be able to listen on the MAC address
| one.
|
| If you're using DHCPv6 then the DHCP server should take care
| of DNS as it would for v4.
| the8472 wrote:
| > Suffix should always be static with SLAAC because it's
| your MAC address.
|
| Except for devices that randomize mac addresses. Normally
| even those that do that only try to do so when connecting to a
| new network but that's not always reliable.
|
| > Even if you're using privacy extensions (and you should)
| you should still be able listen on the MAC address one.
|
| I'm doubtful that all applications make that distinction
| and advertise the right address. If they just use some
| external "what is my IP" service to determine their address
| because that's what they did for IPv4 then they'll get the
| privacy address and advertise that to peers because that'll
| be picked by default for outgoing connections.
|
| Being able to allow incoming connections to a port for any
| address belonging to a particular machine would be less
| error-prone.
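The suffix-matching rule the8472 describes above, and the MAC-derived SLAAC suffix mnd999 refers to, as an added example (Python; not code from the thread). It models what an ip6tables destination match with an explicit netmask does: the mask's zero bits cover the 64 prefix bits, its one bits cover the 64 suffix bits, so only the suffix is compared and the rule keeps matching after the ISP changes the delegated prefix. It goes slightly beyond the comments by also deriving the EUI-64 suffix from a MAC address. The suffix, MAC, prefixes, chain name and port are constructed sample values.

```python
"""Allow inbound traffic to one IPv6 host by its stable suffix.

Added example (not code from the thread): an ip6tables match of the form
`-d <suffix>/::ffff:ffff:ffff:ffff` compares only the bits where the mask
is set, so it keeps matching after the ISP changes the delegated prefix.
"""
import ipaddress

# Constructed sample values: a stable interface identifier and the mask
# that clears the 64 prefix bits and keeps the 64 suffix bits.
NAS_SUFFIX = "::1234:5678:9abc:def0"
SUFFIX_MASK = "::ffff:ffff:ffff:ffff"


def _as_int(text):
    return int(ipaddress.IPv6Address(text))


def suffix_matches(addr, pattern=NAS_SUFFIX, mask=SUFFIX_MASK):
    """The comparison the firewall performs: (addr & mask) == (pattern & mask)."""
    m = _as_int(mask)
    return (_as_int(addr) & m) == (_as_int(pattern) & m)


def find_host(addrs, pattern=NAS_SUFFIX, mask=SUFFIX_MASK):
    """Pick the addresses that carry the wanted suffix, whatever their prefix."""
    return [a for a in addrs if suffix_matches(a, pattern, mask)]


def ip6tables_rule(port, proto="tcp", pattern=NAS_SUFFIX, mask=SUFFIX_MASK):
    """Render the equivalent rule (FORWARD chain and conntrack match are assumptions)."""
    return (f"ip6tables -A FORWARD -p {proto} -d {pattern}/{mask} "
            f"--dport {port} -m conntrack --ctstate NEW -j ACCEPT")


def eui64_suffix(mac):
    """SLAAC (EUI-64) interface identifier for a MAC, as ::xxxx:xxxx:xxxx:xxxx.

    Flip the universal/local bit of the first octet and insert ff:fe in the
    middle. Privacy-extension addresses use a random suffix instead, so they
    will not match this one; that is why the MAC-derived address is the one
    to expose a service on.
    """
    octets = [int(x, 16) for x in mac.split(":")]
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    octets[0] ^= 0x02
    eui = octets[:3] + [0xFF, 0xFE] + octets[3:]
    return str(ipaddress.IPv6Address(int.from_bytes(bytes(eui), "big")))


if __name__ == "__main__":
    for a in ("2001:db8:1:2:1234:5678:9abc:def0",     # today's prefix
              "2001:db8:ffff:1:1234:5678:9abc:def0",  # after a prefix change
              "2001:db8:1:2:1234:5678:9abc:def1"):    # a different host
        print(a, suffix_matches(a))
    print(ip6tables_rule(22))
    print(eui64_suffix("52:54:00:12:34:56"))
```

The same address/mask form is accepted by ip6tables on the command line; a rule written with a /64 prefix length instead would stop matching as soon as the prefix is renumbered.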
| annoyingnoob wrote:
| I'd argue that the right approach is to replace the ISP router
| with your own and disable uPnP, for your own security. Otherwise
| it's only a matter of time before you see this again. You cannot
| count on having only trusted devices on your network.
| rkagerer wrote:
| I've never enabled uPnP, and get by just fine.
| sandreas wrote:
| Once more a sad story about so-called plug and play devices doing
| weird stuff. I prefer getting my hands a bit dirty using:
| - FreeNAS / NAS4free / OpenMediaVault (for Home-NAS)
| - OpenWRT / OPNsense / PFSense (for Home-Firewall)
|
| Nearly plug and play with this hardware:
| - Dell T20 / T30 / T40
| - HP Microserver N54L / Gen8 / Gen10
| - Linksys WRT 1200 / 1900 / 3200 / 32X (https://dc502wrt.org/)
| - Alix APU
| canada_dry wrote:
| +1 for FreeNAS.
|
| Its use of ZFS and ability to easily manage multiple "jails"
| and vms is perfect for a reliable home automation platform!
|
| The only major downside I've found thus far is that you cannot
| pass USB devices selectively to a jail/vm.
| ziml77 wrote:
| I really wish it could do USB passthrough. I need that for
| home automation to run in a VM under TrueNAS. The solution
| I've been running for a few years now is to have TrueNAS and
| Home Assistant running under VMWare ESX. Required getting an
| HBA that I could pass through to the VM instead of using the
| ports on the mobo but it works nicely.
|
| Having Home Assistant as a guest under TrueNAS would be nicer
| though. Right now there's no data redundancy for Home
| Assistant.
| kitsunesoba wrote:
| Been running a T20 w/4x 4TB HDs with plain FreeBSD for a few
| years now and it works pretty well. I'm barely even competent
| when it comes to sysadmin sorts of things, but it was pretty
| easy to get set up following a blog post I found years ago.
|
| The consistency of FreeBSD is a real benefit here -- it's well
| documented to begin with, and since things change so little
| between releases, bits and pieces you find online are largely
| still relevant even if they're a little old.
| ryandrake wrote:
| First thing I did when I got my Buffalo Terastation was look
| up how to install plain Debian Linux on it and set it up
| myself. There is usually very little benefit to using the
| manufacturer's neutered, cobbled-together firmware.
|
| Same thing with my Internet router. Flash it with non-
| manufacturer firmware so I can configure it properly.
| dbeley wrote:
| I also had good experience with mini-PCs like Chuwi's. They are
| pretty cheap, have a good amount of ports and have the
| advantage of having newer CPUs with very little power
| consumption.
| CrLf wrote:
| > Unfortunately, disabling uPnP these days is too much of a hit
| to convenience
|
| I've disabled UPnP on every router I owned. Never did I notice
| any problems from doing it.
| tyingq wrote:
| _" CAN USER NAME AND PASSWORD OF TNAS ADMINISTRATOR BE CHANGED?
|
| Administrator's username is admin and the initial password is
| admin as well. "_
|
| https://www.terra-master.com/us/faq/category/detail/?id=3303
|
| Oy.
| lostlogin wrote:
| "Users can change the password of administrator but cannot
| change the administrator's username.
|
| Is this article helpful? Yes / No"
|
| At least you change the password...
| Hnrobert42 wrote:
| What does the author mean that the NAS punched a hole through the
| firewall? They say it several times. Do they mean enabled port
| forwarding on the router? If so, that seems like a router issue.
| tyingq wrote:
| Welcome to uPnP.
|
| https://en.wikipedia.org/wiki/Universal_Plug_and_Play
| rovr138 wrote:
| UPnP is added to the NAS that allows it to request ports to be
| open and mapped.
|
| There is software needed on the router side too to make it
| work. They don't want to disable this.
|
| This is covered in the article.
| IceWreck wrote:
| Routers have this thing called universal plug and play which
| enables applications to enable port forwarding on their own
| without the user having to dive into router firewall settings.
| breakingcups wrote:
| > Upon SSHing into the NAS and having a dig around the file
| system, I discovered a file that could be modified.
| /etc/upnp.json seems to contain a list of port forwarding rules.
| Thank you to Terramaster for providing root access to these at
| least. Simply change bEnable to 0 for whatever ports you don't
| want exposed, reboot the NAS, and check the port forwarding
| rules.
|
| And don't forget to do all this each time the NAS updates. And
| pray to whatever entity you wish that auto-updates don't get
| enabled.
|
| Seriously, after a blunder like this, why not return the device
| and find a manufacturer you _can_ trust?
| starky wrote:
| Interesting, I have the 4 bay version of this NAS (F4-210) and I
| don't see anything along the lines of what the author is showing.
| im_down_w_otp wrote:
| I'm confused. Some significant length was gone to in attempting
| to interrogate the device and modify it in such a way that it
| wouldn't try to open uPnP ports anymore. Further, a lot of
| devices try to leverage uPnP by default, and many of them are
| significantly more opaque than this NAS proved to be. However,
| the author doesn't want to just disable uPnP in their router and
| manage forwarding directly due to a perceived loss of
| convenience.
|
| Surely, first discovering by happenstance that a device is doing
| this in the first place, then trying to figure out how to go
| through idiosyncratic & unsupported means to change the device's
| behavior, is significantly less convenient than updating a
| router/firewall config rules in supported standard predictable
| ways on occasion?
| bscphil wrote:
| Given this:
|
| > My router is an ISP provisioned one so the feature-set there
| is somewhat limited
|
| My assumption was that their router doesn't support disabling
| uPnP for a single client, so it's 100% on or 100% off. If they
| play a significant number of p2p games or use p2p applications
| with non-predictable ports, it might well be more difficult to
| do manual port-forwarding when needed than to leave uPnP
| enabled (or even impossible, depending on what the router can
| do).
| kotsec wrote:
| You should NOT have any terramaster NAS internet facing right
| now. I disclosed a bug last month to Terramaster that still
| hasn't been fixed.
|
| Go to http://NAS_IP/module/api.php?wap/ and it will give your
| admin password out as an md5crypt hash. Why? I assume it's some
| sort of backdoor/dev code but I don't know.
| IceWreck wrote:
| > Unfortunately, disabling uPnP these days is too much of a hit
| to convenience
|
| Why? It's only used for torrents and some games, just note down
| their port numbers and enable those in your firewall once, that's
| it.
| KozmoNau7 wrote:
| You mean "enable them all over again for every new DHCP
| assignment, unless you insist on static IP assignments".
| iso1210 wrote:
| Why wouldn't I use static dhcp?
| KozmoNau7 wrote:
| Forwarded ports are not always static, we're not in the
| world of just web servers and SSH.
|
| Different devices may need to use VoIP, P2P, games and
| other applications that cannot be strictly mapped to just
| one system or even just one port. UPnP handles dynamic
| mappings, so you don't have to update your port forwards
| every time.
| Zombieball wrote:
| What's wrong with static IP assignments? Doesn't this
| solve the issue?
| stonesweep wrote:
| Story time: It depends on the hardware at your disposal.
| I'm now on the new T-Mobile Home Internet service, the
| router+wifi device supplied (a Nokia 5G LTE based unit
| with a SIM on one side) firmware has basically no
| configuration - you cannot assign static DHCP, no bridge
| mode, no port forwarding - it has UPNP on or off, that's
| it. A truly sparse webUI, frustrating no-config device at
| 1.0 firmware level that doesn't even show you what the
| DHCP ranges in use are. My G-Shock watch has more
| configuration options than this thing does. :-/
| Klwohu wrote:
| You "agreed" and gave your permission when you bought a product
| with mystery functions. Look at all the Einsteins who buy smart
| TVs and then become baffled when they start showing ads.
| SMAAART wrote:
| What.The.Actual.Fuck.
| TerminalSystem3 wrote:
| Can someone ELI5 on what a NAS is and why someone would need a
| NAS?
| notamy wrote:
| Adding on to what others have said, I have one set up that's
| also used as part of my backup strategy for the important stuff
| on all the other boxes around here.
| skizm wrote:
| Just a computer with a bunch of hard drives so you can store
| your media all in one place. Most of the time people expose
| this to their home network so they can access the files from
| all their devices while on the same wifi, but you can also
| expose it to the internet so you can access the files anywhere.
| xyst wrote:
| It stands for "network attached storage", it's basically a
| standalone disk drive that is accessible to all devices within
| the local network (or public internet, if the device is setup
| that way).
|
| In home setups, it's often used as a way to store terabytes of
| digital media (movies, videos, locally hosted wikipedia)
| cibyr wrote:
| When there's a typo in the message telling you "Tt is only
| available on the local network" that might be a sign of how much
| care was taken with regard to it.
| diarrhea wrote:
| The JSON config is strange, the keys contain type information.
| But any JSON parser worth its salt should not require that since
| JSON is natively typed, no?
| tyingq wrote:
| Where? I don't see that. What type info is below? Do you mean
| "mapList"? I suspect it's just what they chose to name the key.
|
|     "triestimes": 3,
|     "mapList": [
|       {
|         "desc": "ftp",
|         "nExternalPort": 6221,
|         "nInternalPort": 21,
|         "sProtocol": "TCP",
|         "bEnable": 0
|       },...
| philo23 wrote:
| I suspect they mean the letter prefixes: _n_ExternalPort +
| _n_InternalPort for number, _s_Protocol for string and
| _b_Enable for boolean.
|
| It's probably just a convention they use in the source code
| that's made its way into the JSON by serializing something?
| Either that or old habits die hard.
| cerved wrote:
| probably serialization of some object which uses hungarian
| notation
| tyingq wrote:
| Oh, ok, that makes sense. I assumed that was from some
| cargo culted code on how to name members of a struct.
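A small audit of the /etc/upnp.json mapping list quoted above, as an added example (Python; not code from the thread or from Terramaster). It assumes only the keys visible in the quoted fragment (triestimes, mapList, desc, nExternalPort, nInternalPort, sProtocol, bEnable); the sample document is constructed, with the ftp entry taken from the quote and the ssh and web entries made up, so the real file may carry more fields than shown here.

```python
"""Audit the port-mapping list in a Terramaster-style /etc/upnp.json.

Added example, not code from the thread or from Terramaster. Only the
keys visible in the quoted fragment are assumed; the real file may carry
more, which disable_all() leaves untouched.
"""
import json

# Constructed sample: the ftp entry is the one quoted in the thread, the
# other two are made up to show what enabled mappings look like.
SAMPLE_UPNP_JSON = """
{
  "triestimes": 3,
  "mapList": [
    {"desc": "ftp", "nExternalPort": 6221, "nInternalPort": 21, "sProtocol": "TCP", "bEnable": 0},
    {"desc": "ssh", "nExternalPort": 9222, "nInternalPort": 22, "sProtocol": "TCP", "bEnable": 1},
    {"desc": "web", "nExternalPort": 8181, "nInternalPort": 8181, "sProtocol": "TCP", "bEnable": 1}
  ]
}
"""


def enabled_mappings(doc):
    """Entries the NAS would ask the router to forward (bEnable != 0)."""
    return [m for m in doc.get("mapList", []) if m.get("bEnable", 0)]


def describe(m):
    """One line per mapping: which WAN port lands on which LAN port."""
    return (f'{m["desc"]}: WAN {m["sProtocol"]}/{m["nExternalPort"]} '
            f'-> LAN {m["nInternalPort"]}')


def audit(text):
    """Human-readable list of the mappings that are currently enabled."""
    return [describe(m) for m in enabled_mappings(json.loads(text))]


def disable_all(text, keep=()):
    """Return new JSON text with every mapping disabled except those named in keep.

    Keys other than bEnable (triestimes, anything this example does not
    know about) are preserved so the file stays valid for the firmware.
    """
    doc = json.loads(text)
    for m in doc.get("mapList", []):
        if m.get("desc") not in keep:
            m["bEnable"] = 0
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    print("enabled now:  ", audit(SAMPLE_UPNP_JSON))
    hardened = disable_all(SAMPLE_UPNP_JSON, keep=("web",))
    print("enabled after:", audit(hardened))
```

Running `audit()` over the file again after each firmware update is the check breakingcups' comment implies: the edit only holds until the vendor rewrites the file.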
| Wolfenstein98k wrote:
| Who hasn't exposed themselves over the internet without
| permission once or twice?
| [deleted]
| aborsy wrote:
| Is there an app to comprehensively test the security of a router?
|
| One usually runs Nmap or similar from WAN side to check for open
| ports.
|
| How to test if a router permits UPnP?
|
| Checking that UPnP is disabled in router's GUI is not sufficient.
| An app should try to punch holes, and run tests for various
| things.
|
| Also, what else needs to be checked?
| BlackiceNetwork wrote:
| Trust but verify. Just wanted to add that in my opinion it is
| best practice to schedule a recurrent task for scanning the
| network using tools like nmap.
|
| On top, add.
|
| After done (re)configuring a (new) device on your network, scan and
| document baseline. Verify baseline recurrently.
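The scan-then-diff-against-a-baseline routine BlackiceNetwork recommends, as an added example (Python; not code from the thread). It parses nmap's grepable output (`-oG`) and reports the ports that opened or closed since the recorded baseline. Both scan results are constructed, including a `filtered` entry that must not count as open; hosts, names and ports are made up.

```python
"""Diff two nmap grepable (-oG) scans to spot ports that opened or closed.

Added example, not code from the thread. The two scan results below are
constructed; hosts, names and ports are made up.
"""
import re

BASELINE_SCAN = (
    "# Nmap 7.91 scan initiated (constructed sample)\n"
    "Host: 192.168.1.1 (router.lan)\tStatus: Up\n"
    "Host: 192.168.1.1 (router.lan)\tPorts: 80/open/tcp//http///, "
    "443/open/tcp//https///\tIgnored State: closed (998)\n"
    "Host: 192.168.1.10 (nas.lan)\tStatus: Up\n"
    "Host: 192.168.1.10 (nas.lan)\tPorts: 22/open/tcp//ssh///, "
    "445/open/tcp//microsoft-ds///, 25/filtered/tcp//smtp///"
    "\tIgnored State: closed (997)\n"
)

CURRENT_SCAN = (
    "# Nmap 7.91 scan initiated (constructed sample, a week later)\n"
    "Host: 192.168.1.1 (router.lan)\tStatus: Up\n"
    "Host: 192.168.1.1 (router.lan)\tPorts: 80/open/tcp//http///, "
    "443/open/tcp//https///, 6221/open/tcp//ftp///"
    "\tIgnored State: closed (997)\n"
    "Host: 192.168.1.10 (nas.lan)\tStatus: Up\n"
    "Host: 192.168.1.10 (nas.lan)\tPorts: 22/open/tcp//ssh///, "
    "9091/open/tcp/////, 25/filtered/tcp//smtp///"
    "\tIgnored State: closed (997)\n"
)

HOST_RE = re.compile(r"^Host:\s+(\S+)")


def parse_grepable(text):
    """Return {host: {(proto, port), ...}} for ports nmap reported as open.

    Each Ports: entry is port/state/proto/owner/service/rpc/version/; only
    state == open counts, so filtered and closed entries are ignored.
    """
    result = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m or "Ports:" not in line:
            continue
        host = m.group(1)
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        open_ports = result.setdefault(host, set())
        for entry in ports_field.split(","):
            parts = entry.strip().split("/")
            if len(parts) >= 3 and parts[1] == "open":
                open_ports.add((parts[2], int(parts[0])))
    return result


def compare_scans(baseline_text, current_text):
    """Return (opened, closed) as {host: ['proto/port', ...]} relative to the baseline."""
    baseline = parse_grepable(baseline_text)
    current = parse_grepable(current_text)
    opened, closed = {}, {}
    for host in sorted(set(baseline) | set(current)):
        before = baseline.get(host, set())
        after = current.get(host, set())
        if after - before:
            opened[host] = [f"{p}/{n}" for p, n in sorted(after - before)]
        if before - after:
            closed[host] = [f"{p}/{n}" for p, n in sorted(before - after)]
    return opened, closed


if __name__ == "__main__":
    opened, closed = compare_scans(BASELINE_SCAN, CURRENT_SCAN)
    for host, ports in opened.items():
        print(f"NEW   {host}: {', '.join(ports)}")
    for host, ports in closed.items():
        print(f"GONE  {host}: {', '.join(ports)}")
```

Scanning the router's WAN address from outside (the check aborsy asks about) produces the same grepable format, so the same diff catches a port the NAS had forwarded through UPnP between two scheduled runs.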
| rahimnathwani wrote:
| 9091 might be for the transmission web UI
| lostlogin wrote:
| There is a distinct whiff of Docker to the ports it's using.
| But maybe I've been too far down that hole and am just seeing
| things through Docker tinted spectacles.
| LeanderK wrote:
| I use a lot of software/devices which I think is using UPnP
| (airplay, airdrop, pioneer dj pro link, maybe the printer etc.).
| There's talk here about disabling UPnP but does that mean that
| the devices wouldn't be able to find each other? I don't want to
| babysit my router.
|
| Or aren't they using UPnP? Quick googling wasn't successful. I
| thought most of those autodiscover-services use UPnP.
| kalleboo wrote:
| There are 2 parts to UPnP.
|
| One is service discovery, in cooperation with zeroconf (aka
| bonjour/mDNS). This is handled 100% by devices themselves.
|
| The other is the port forwarding protocol, where devices can
| ask your router to open a port in the NAT to the wide internet
| forwarded to them. This is done in the router. It's also a
| potential massive security hole.
|
| If you disable UPnP on your router, you only disable the second
| thing. The first thing keeps working.
| ryandrake wrote:
| The service discovery isn't really the security hole though,
| is it? I mean I have mDNS configured on my LAN. It's the port
| forwarding, and specifically, configuring it so that any
| rando device on the network can set up port forwarding, which
| is the security problem.
|
| If you really want the dubious convenience of UPnP port
| forwarding, at least limit it to the one or two devices on
| your LAN that need it.
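The two halves kalleboo separates, as an added example (Python; not code from the thread): a constructed SSDP M-SEARCH (discovery) and a constructed IGD AddPortMapping SOAP request (port forwarding), with a classifier that tells them apart and extracts the mapping a client asked the router for, so LAN traffic to the router's control port can be checked against the short list of devices ryandrake suggests allowing. The control URL, client addresses and ports are made up; the header and SOAP element names are those of the UPnP IGD WANIPConnection service.

```python
"""Tell UPnP discovery apart from UPnP IGD port-mapping requests.

Added example, not code from the thread. Header and SOAP element names are
those of the UPnP IGD WANIPConnection service; the control URL, addresses
and ports in the two constructed messages are made up.
"""
import xml.etree.ElementTree as ET

# Constructed sample 1: SSDP discovery, multicast to 239.255.255.250:1900.
SSDP_MSEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    "ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    "\r\n"
)

# Constructed sample 2: a SOAP AddPortMapping call to the router's control
# URL (the path /ctl/IPConn is device-specific and made up here).
ADD_PORT_MAPPING = (
    "POST /ctl/IPConn HTTP/1.1\r\n"
    "HOST: 192.168.1.1:5000\r\n"
    'CONTENT-TYPE: text/xml; charset="utf-8"\r\n'
    'SOAPACTION: "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"\r\n'
    "\r\n"
    '<?xml version="1.0"?>'
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    '<u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
    "<NewRemoteHost></NewRemoteHost>"
    "<NewExternalPort>6221</NewExternalPort>"
    "<NewProtocol>TCP</NewProtocol>"
    "<NewInternalPort>21</NewInternalPort>"
    "<NewInternalClient>192.168.1.10</NewInternalClient>"
    "<NewEnabled>1</NewEnabled>"
    "<NewPortMappingDescription>ftp</NewPortMappingDescription>"
    "<NewLeaseDuration>0</NewLeaseDuration>"
    "</u:AddPortMapping></s:Body></s:Envelope>"
)

# SOAP arguments of AddPortMapping worth keeping, with a converter each.
FIELDS = {
    "NewExternalPort": ("external_port", int),
    "NewInternalPort": ("internal_port", int),
    "NewProtocol": ("protocol", str),
    "NewInternalClient": ("internal_client", str),
    "NewPortMappingDescription": ("description", str),
    "NewLeaseDuration": ("lease_seconds", int),
}


def split_http(raw):
    """Split an HTTP/HTTPU message into (request line, {header: value}, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_add_port_mapping(body):
    """Pull the mapping arguments out of the SOAP body, ignoring namespaces."""
    # ElementTree does not fetch external entities, but for captures from
    # untrusted hosts a hardened parser such as defusedxml is the safer choice.
    mapping = {}
    for el in ET.fromstring(body).iter():
        local = el.tag.rsplit("}", 1)[-1]
        if local in FIELDS:
            key, conv = FIELDS[local]
            mapping[key] = conv((el.text or "").strip())
    return mapping


def classify(raw):
    """Return the kind of UPnP message and, for AddPortMapping, its arguments."""
    request_line, headers, body = split_http(raw)
    if request_line.startswith("M-SEARCH") and "ssdp:discover" in headers.get("man", ""):
        return {"kind": "discovery", "target": headers.get("st", "")}
    action = headers.get("soapaction", "").strip('"')
    if action.endswith("#AddPortMapping"):
        return {"kind": "port_mapping", "action": action,
                "mapping": parse_add_port_mapping(body)}
    if "#" in action:
        return {"kind": "control", "action": action}
    return {"kind": "other"}


def unexpected_mappings(messages, allowed_clients):
    """Mappings requested for LAN hosts that are not on the allow list."""
    hits = []
    for raw in messages:
        info = classify(raw)
        if info["kind"] == "port_mapping" and \
                info["mapping"].get("internal_client") not in allowed_clients:
            hits.append(info["mapping"])
    return hits
```

Discovery traffic is multicast and carries no request to change anything, which is why disabling "UPnP" on the router only removes the IGD control service that answers the second message; mDNS-based discovery is untouched.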
| daniellarusso wrote:
| No, mDNS it is not really the issue.
|
| Even most VPNs won't, by default, allow mDNS packets
| across, without adding a relay server and some additional
| configuration.
|
| But, yeah, letting any application basically go into
| 'server' mode on your home network at-will is not the most
| secure setup.
| kalleboo wrote:
| Right, service discovery is fine.
|
| It's just that two things with wildly different security
| profiles get referred to with the same name
| stonesweep wrote:
| "It depends" as not all the names you listed as examples use
| the same technology, but in general "UPNP is more useful for
| things which need an incoming connection" (kinda sorta). This
| might be, say, a bittorrent client needing to allow other
| clients in on a port to share the file... sharing. To share. :)
| If you understand how Active vs Passive FTP works and how the
| incoming connections might need to be tracked (nf_conntrack for
| Linux folks), UPNP is more like that - apps which handle bi-
| directional conversations with the outside world beyond your
| router.
|
| Airdrop uses an ad-hoc WiFi network (peer-to-peer) with TLS, as
| does I think (Android) Beam. If I'm not mistaken some other
| devices in this area (Chromecast, Roku, etc.) use similar
| techniques, and sometimes leverage bluetooth ad-hoc networks.
| Discovery services like printers and fileshares tend to use
| (I'm assuming you're macOS) Bonjour (Rendezvous, renamed awhile
| back), which is sort of like an ad-hoc multicast (mDNS)
| solution if I understand it. On Windows it would use something
| like Netbios - conceptually the same. I just set a static IP on
| my wifi printer and call it a day, it's trivial stuff being a
| printer.
| vidarh wrote:
| Don't know if it's true for this model, but at least some
| Terramaster NAS's are just x86 computers [EDIT: I see the model
| in the article is an ARM box, but also that it's already running
| a Terramaster specific Linux distro, so just nuking most of the
| Terramaster specific stuff might be easier than trying to find a
| way to do a clean reinstall].
|
| For at least some of the x86 ones, you just need the right cable
| to connect to a suitable monitor, and it can boot from a USB
| drive. You don't need the VGA cable to replace the OS, but it
| helps a lot. You may have to dismantle the whole thing to get at
| the boot drive, but they're pretty easy to take apart.
|
| First I did with mine was to install Open Media Vault.
| a-dub wrote:
| aren't all these prosumer nas devices just out of date foss with
| a clunky webgui that ultimately is sufficiently limited such that
| you spend more time working around limitations then you would
| have just setting up foss yourself or are they actually getting
| good now?
| lgats wrote:
| CVE Assigned https://cve.report/CVE-2021-30127
___________________________________________________________________
(page generated 2021-04-03 23:00 UTC)