NAS Club
Q Two years ago I invested in a QNAP NAS as a way to store and back up my archive of family history, photographs, videos, and to generally back up the computers in the house. Our daughter and granddaughter live in Germany so having access over the web to the NAS seemed like a good idea.
Everything was fine until last summer when I noticed that I was getting attempted logins from Russian IP addresses. I moved to two-stage verification using Google Authenticator, a very complex password and put blocks on IP addresses used within the NAS box settings. The attacks continued unsuccessfully over eight weeks, each with a different IP address and all coming from a small city in eastern Siberia and were hosted by Rostelecom. Then it stopped until a few days ago when it restarted from a different city in central Russia. I now back up all data three-fold, including a large USB drive which is normally disconnected from everything.
I presume that they’re either looking to use my NAS box as part of a DDoS attack or to infect it with ransomware. Is there anything else I should be doing to protect my system, for example using a FIDO U2F? For obvious reasons I don’t want my name or email address published.
John Doe, via self-destructing pigeon (thanks in anticipation)
A The problem with making any service available online is that sooner or later bots will find it. I’ve just had a look at the auth.log on a VPS I run – at least one failed login every five mins, and that’s with fail2ban blocking persistent offenders.
It’s hard to see what value your family archive would be to shady Russian hackers, beyond, as you point out, encrypting it and charging you a ransom. Having an offline backup of your photos is thus a good idea. I completely understand that it’s disturbing seeing “people” try and get in, though. If your backups contain passwords/keys or other personal info then I’d definitely look at storing those offline, or at least encrypting it before putting it on the NAS. It could just be a coincidence that the login attempts are coming from the same place. It’s possible that the same malware has infected lots of people in that region.
There have been a number of high-profile DDoS attacks that have co-opted appliances such as NASes and surveillance cameras, but these tend to use vulnerabilities or hard-coded credentials to gain access rather than guessing passwords. Are the attempts you’re seeing going after the same username?
If you know that the people you want to be able to access your NAS are going to be doing so from a particular IP address, then you can just use a whitelist, rather than playing whack-a-mole blacklisting IP blocks. Unfortunately, not everyone has a static IP, and you’ll find that most ISPs have a bunch of discontiguous blocks that make it hard to whitelist dynamic IPs effectively.
It seems like you’ve taken adequate precautions, though. Bots are dumb so they won’t give up even though two-factor auth is enabled. The SSH server on my VPS is configured to only accept key-based logins, but still they keep trying. Do keep up to date with security updates, too. QNAP has fail2ban-type protections against brute-force attempts, which you can configure in the Network Access Protection tab, but if you have Google Authenticator set up for all your users you probably don’t have anything to worry about.
Using a hardware token or U2F in general is a good idea, but it might be overkill, especially if it complicates access for your Deutschland-dwelling relatives. If bandwidth and disk space at the other end isn’t a problem, one solution would be to get them to copy all the photos over and then you can take the NAS offline until you need to share something else. It’s crude, but effective.
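To make the points above about auth.log, fail2ban-type blocking, repeated usernames and whitelists concrete, here is an added example that is not part of the original answer and is not fail2ban's or QNAP's code. The log lines are constructed, the allowlist ranges are hypothetical, and the `maxretry`/`findtime` names are borrowed from fail2ban's options for a simplified imitation of its counting.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in OpenSSH's auth.log format (documentation IP ranges).
SAMPLE_LOG = """\
Jan 12 03:14:01 vps sshd[911]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Jan 12 03:14:09 vps sshd[913]: Failed password for invalid user admin from 203.0.113.5 port 40118 ssh2
Jan 12 03:15:30 vps sshd[917]: Failed password for root from 203.0.113.5 port 40125 ssh2
Jan 12 03:19:02 vps sshd[925]: Failed password for invalid user admin from 198.51.100.77 port 51200 ssh2
Jan 12 09:40:11 vps sshd[990]: Failed password for john from 192.0.2.44 port 60022 ssh2
Jan 12 09:40:30 vps sshd[990]: Accepted password for john from 192.0.2.44 port 60022 ssh2
""".splitlines()

FAILED = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?(\S+) from (\S+) port")

def parse_failures(lines, year=2024):
    """Return (time, user, ip) per failed login; syslog omits the year, so one is assumed."""
    events = []
    for line in lines:
        m = FAILED.match(line)
        if m:
            when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((when, m.group(2), ipaddress.ip_address(m.group(3))))
    return events

def offenders(events, allowlist, maxretry=3, findtime=timedelta(minutes=10)):
    """IPs outside the allowlist with >= maxretry failures inside any findtime window."""
    nets = [ipaddress.ip_network(n) for n in allowlist]
    by_ip = defaultdict(list)
    for when, _user, ip in events:
        if not any(ip in net for net in nets):
            by_ip[ip].append(when)
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        # Compare each failure with the one (maxretry - 1) later: a sliding window.
        if any(b - a <= findtime for a, b in zip(times, times[maxretry - 1:])):
            flagged.add(str(ip))
    return flagged

def targeted_users(events):
    """How often each username was tried: one name dominating suggests a dictionary bot."""
    return Counter(user for _when, user, _ip in events)

ALLOW = ["192.0.2.0/24", "2001:db8::/32"]  # hypothetical, discontiguous family ranges
print(offenders(parse_failures(SAMPLE_LOG), ALLOW))
```

Each extra range in `ALLOW` is another block whose failed logins are never counted, which is the cost of whitelisting dynamic IPs spread over discontiguous ISP blocks.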
What is the password?
Q I have an old computer with Ubuntu on it. The problem that I have is one that seems fairly common. I’ve forgotten the password, but would like to get the data off the drive. I seem to remember a prior issue where someone wrote in with the same issue. You had a fix along the lines of: enter six spaces for the username; enter seven spaces for the password and that would enable you to get into the machine. This will make it possible for me to carry out repairs as needed.
Tim, California
A Yep, us humans really aren’t username and password type creatures. To my knowledge there’s never been a ‘backdoor’ into Ubuntu involving a hidden account such as you describe. There isn’t really much point in having passwords if we can work around them so easily. That said, there was an embarrassing bug where the lock screen would crash if you mashed enough keys for about 30 seconds (https://bugs.launchpad.net/ubuntu/+source/unity/+bug/1308572).
If all you want to do is access data, then so long as the drive itself, or the data that you’re interested in, isn’t encrypted (recent versions of Ubuntu make it easy to encrypt the home directory), then it’s pretty easy. You just boot using a live distro and access the drive straight from the file manager.
If you want to actually reset the password so you can use the original OS, this isn’t too tricky either (but it won’t help you access an encrypted home folder, since that will still need the old password to unlock). Look up chroot-ing from a live medium.