QNAP ships NAS backup software with hidden credentials (qnap.com)
189 points by criddell 6 days ago | 157 comments

QNAP shipped Hybrid Backup Sync with hardcoded credentials of walter:walter. This was used by ransomware criminals to encrypt photos and videos and demand payment in Bitcoin for the password to decrypt the data.

From that page:

> The code has 27 occurrences of e-mails: waltershao@gmail.com or walterentry20140225@gmail.com in the code.

More information is available here:

https://www.helpnetsecurity.com/2021/04/26/qnap-nas-ransomwa...


Was there any development on if there was an actual investigation or help from Google to identify the fraudsters, given these are @gmail email addresses?

Walter Shao is a qnap employee, and probably not related to the fraudsters.

That really should read 'was' rather than 'is'.

That still wouldn't fix the fact that they don't have a process to prevent this from being possible.

This is a multi-faceted fuck up, and several people are responsible. This includes the management who decide on processes, like QA and security. Someone should have caught this in some kind of review at a company as big as QNAP Systems shipping real hardware to all kinds of businesses and consumers.

Maybe Walter should never have coded this in, but that doesn't mean that it should even be possible for that to reach an end-user.

Other companies and other industries have such processes.

In short, that would just be blame-shifting by the management who are also at fault.


You'll get no disagreement from me on that one, clearly the process is horribly broken. But given that fact it is better not to have 'Walters' on staff.

So instead of fixing the problem just fire walter? Why not use walter as a test case. What about john, or jane, or fred?

There's also the fact that Walter will never, ever again in his life make this mistake since the massive fuckup is now burned into his brain (in theory, if that isn't the case, then of course he needs to be fired) -- of course, there are a lot of people who would never have made the mistake to begin with. It's not completely trivial to answer, but again should be impossible by process.

If you want a small NAS in a similar form factor I'd recommend the Helios64 5-bay NAS https://kobol.io/. It is an Arm64 board that runs mainline Armbian. It also comes with 2.5Gbit networking and a built-in UPS battery.

I don't understand why people who care about security and have linux knowledge would use Synology/QNAP. They are both proprietary, often exposed to the internet, and packed full of so many features that they are consistently full of vulnerabilities (SynoLocker/QLocker etc).


I use synology because I tried many alternatives, and none worked out of the box.

I finally got one (SmartOS; I also tried FreeNAS) working, but I used the intel chip with a timebomb clock line for the build.

Then, I gave up. 4 hours after the synology was home, I was much farther along than I’d gotten in a month on the other machine.

I’d definitely pay a premium for a supported open source + hardware NAS combo that supported docker, vm’s and offsite client-side encrypted backup (with dedupe/compression) out of the box. Also, I want it to draw < 10W, excluding disks.

Until then, synology wins, and isn’t a hobby project.


iXSystems, the company that develops FreeNAS (now called TrueNAS), makes their own hardware for it with full support and decent prices. TrueNAS has also come a very long way in the past couple of years; it used to be a bit rough around the edges, but it's now a very solid competitor, especially running on their hardware.

The one potential downside is it's not as beginner friendly as Synology or QNAP UI-wise, but I actually like that about it as I'm not a fan of the UI on either.


The major downside to ZFS-based systems like TrueNAS is that for a home or small business user you can't expand the storage with a new drive when you're running low on space. It's designed for data centers where you can afford to build a whole new array when you need more storage.

With Synology you go "oh, I'm down to 1 TB free, well there's this deal on a 10 TB drive, pop it in, now I have 11 TB free"


This isn't really true: you can add new vdevs at any time. When you start running low, you just buy two drives and install them.

Right, 2 drives. Not "a new drive". Now you're buying twice as many disks as you would with a Synology and wasting 50% of your capacity on parity. And you better have set up your initial array with 2 drive vdevs as well or you're going to have a sub-optimal experience.

This is the attitude I see a lot in ZFS support forums. "I don't see the problem, just buy twice as many drives!"


> This is the attitude I see a lot in ZFS support forums. "I don't see the problem, just buy twice as many drives!"

This is incorrect on several levels.

You most certainly can create a vdev with a single drive in it and add it to the zfs pool. So go ahead, buy that single 10TB drive and add it to your pool.

That's not a wise thing to do though, so I don't understand why you'd want to. You'll have no redundancy at all, as soon as the drive dies everything is lost. Which pretty much completely defeats the point of having a NAS. So don't do that. But if you really want to, you can.


> I don't understand why you'd want to

I want to add a single drive since I can't afford more than a single drive. But I still want to keep the data security of one or more parity drives. Synology lets me do that. ZFS doesn't.

On a Synology NAS (which just uses Linux mdraid underneath the hood so this part isn't exactly some proprietary magic) if you have an array with parity (the equivalent of raid-z/z2), you can add a drive, and it expands the array with that one drive, keeping the parity and recalculating it for the new configuration of drives.

So I can go from an array of 3 x 10 TB disks where one is parity (20 TB usable storage), and then just pop in one more disk and now I have an array with 4 x 10 TB disks (30 TB usable storage) with the same one-disk parity. I can lose any one disk, and lose no data.

ZFS can't do that, since it doesn't support modifying vdevs. So if I want to be able to add a single drive and expand my storage at any time while keeping the same level of redundancy, ZFS makes no sense.

Synology's configuration of mdraid+BTRFS makes way more sense than ZFS. Unfortunately they haven't contributed it to free software so nobody else can have it (specifically the part of passing through the parity data so that checksum errors in BTRFS can be fixed with mdraid knowledge). I would prefer to not have to rely on Synology's cost-cutting hardware and raft of probably not very secure software. But for the use case of me and the small businesses I support, ZFS has been a non-starter due to the costs.


> So I can go from an array of 3 x 10 TB disks where one is parity (20 TB usable storage), and then just pop in one more disk and now I have an array with 4 x 10 TB disks (30 TB usable storage) with the same one-disk parity. I can lose any one disk, and lose no data

Based on those numbers and https://www.synology.com/en-us/support/RAID_calculator I'm guessing you're using RAID-5?

RAID-5 is fragile. You can lose only one disk as you say, but the odds of a successful rebuild are not so great (assuming you have a NAS for data reliability in the first place).

https://www.digistor.com.au/the-latest/Whether-RAID-5-is-sti...

> expand my storage at any time while keeping the same level of redundancy

But you don't keep the same level of redundancy when adding a drive. The more drives you add in RAID-5, the lower your probability of a successful rebuild after the loss of one drive.
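The rebuild-odds argument above rests on a simple model: after one disk fails, every surviving disk is read end to end, and a single unrecoverable read error (URE) aborts the rebuild. The following is an added example (not code from the thread or from the linked article) that carries that model through; it assumes a URE rate of one bit in 1e14, the figure commonly printed on consumer drive data sheets, which the thread itself does not state. With that assumption it reproduces the linked article's roughly 15% success figure for a 4 x 8 TB array and shows how each added drive lowers the odds.

```python
import math

# Assumed unrecoverable read error (URE) rate: one bit in 1e14, a typical
# consumer drive data-sheet figure. This is an assumption for the example,
# not a number taken from the thread.
URE_PER_BIT = 1e-14

TB = 10**12  # decimal terabytes, as drive vendors count them


def rebuild_success_probability(array_disks, disk_bytes, ure_per_bit=URE_PER_BIT):
    """Probability that a single-parity (RAID-5 style) rebuild finishes
    without hitting an unrecoverable read error.

    After one disk fails, the remaining array_disks - 1 disks are read in
    full to reconstruct it. Treating each bit as an independent trial that
    fails with probability ure_per_bit, the chance of reading every bit
    cleanly is (1 - ure) ** bits. log1p/exp keeps precision with tiny rates.
    """
    if array_disks < 2:
        raise ValueError("a single-parity array needs at least 2 disks")
    surviving = array_disks - 1
    bits_to_read = surviving * disk_bytes * 8
    return math.exp(bits_to_read * math.log1p(-ure_per_bit))


def rebuild_risk_table(disk_bytes, max_disks=8, ure_per_bit=URE_PER_BIT):
    """Rebuild success probability for every array size from 2 to max_disks
    disks of the same size; the curve falls as drives are added."""
    return {n: rebuild_success_probability(n, disk_bytes, ure_per_bit)
            for n in range(2, max_disks + 1)}


if __name__ == "__main__":
    # The linked article's case: four 8 TB drives, one fails, three are read.
    p = rebuild_success_probability(4, 8 * TB)
    print(f"4 x 8 TB, URE 1e-14: rebuild succeeds with p = {p:.3f}")
    for n, p in rebuild_risk_table(8 * TB).items():
        print(f"{n} x 8 TB: p = {p:.3f}")
    # Same array with a 1e-15 enterprise-class URE rate.
    print(f"4 x 8 TB, URE 1e-15: p = {rebuild_success_probability(4, 8 * TB, 1e-15):.3f}")
```

The model is deliberately pessimistic: it treats every bit as an independent trial, assumes one URE kills the whole rebuild, and ignores scrubbing and sector remapping, which is why the assumed URE rate dominates the result (the same array at 1e-15 comes out above 80%). Changing that one input is the quickest way to see how sensitive the headline percentage is.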


It was just an example with easy to reason about numbers. You could do the same thing with 2-disk redundancy.

> https://www.digistor.com.au/the-latest/Whether-RAID-5-is-sti...

I've seen a lot of articles and blog posts like this, but their numbers never seem to make sense. It says that reading through a 4-disk 8 TB array you only have a 15% chance of success. I have full-array BTRFS scrubbing scheduled monthly, according to this my array should have reported errors many times a year...

And of course, no matter what, no form of RAID/ZFS is a backup.


But doesn’t that come back to their point? With syno you pop in a new disk and it rebuilds the array with the new disk and you have more space and the same redundancy? Raid 5/6 whichever

With btrfs, you can add one or however many new devices you want to a storage pool, then rebalance to ensure redundancy across the whole pool. If the device you add is already btrfs formatted, its contents get added to the storage pool, rather than requiring a reformat.

It really surprises me that zfs apparently cannot do this.

The main reason I use btrfs is the flexibility. Subvolumes instead of partitions, and easy expandability. Storage should be dynamic, not static.


> It really surprises me that zfs apparently cannot do this.

Likewise. I really want to like ZFS, but the 'buy twice the drives or risk your data' approach described above really deters me as a home user.

ZFS has been working on developing raidz expansion for a while now at https://github.com/openzfs/zfs/pull/8853 but I feel that it's a one-man task with no support from the overall project due to that prevailing attitude.

BTRFS is becoming more appealing, even though it has rough edges around RAID write holes (which really isn't a big deal) and reporting of free space. I can see my home storage array going to BTRFS in the near future.


They have dRAID, but last I checked RAID 5/6 is basically asking for data loss with modern drive sizes.

> last I checked RAID 5/6 is basically asking for data loss with modern drive sizes

This is a debate I would love to see with people who have experience. Since I've seen individuals speak with authority on both sides.

I get that if you have a basic array of disks humming along with a big-ass ext4 partition, once one drive dies, the risk of the other drives being riddled with errors is huge.

But what if your array is both (1) using ZFS or BTRFS (with data checksumming) and (2) has scheduled full-disk data scrubs once a month or so? Wouldn't you catch the initial recoverable errors quick enough?


> Wouldn't you catch the initial recoverable errors quick enough?

Not always no.

I've had drives reporting failures for months that zfs scrub keeps fixing, tons of time to get a spare.

But drives also fail suddenly with no history of zfs or SMART errors.


> The main reason I use btrfs is the flexibility.

I agree, and as a small home user, I really like the RAID using different sized disks. E.g. running a raid 1 on three disks: 2TB+4TB+6TB. It also offers the possibility to increase the storage size over time when drives fail by replacing them with a larger disk.

User of both QNAP devices and one of the iX systems devices here.

ZFS is sexy, but it requires planning and understanding and (as stated by another poster) adding storage in pairs of drives if you want to increase storage incrementally and maintain drive redundancy.

One of the perks of something like a QNAP or a Synology is the support for simply adding a single new drive to an existing RAID5 or RAID6 array, and having the storage box add it transparently while data is migrated to the new, larger RAID array. You pop in another 10TB drive in your RAID6 array and you increase the size of the array 10TB as you'd expect.

Or, if you've finally outgrown your 6-bay device which is full of 3TB drives, you can replace the existing drives with 12TB drives, then once they've all been replaced increase the size of the array to match the new drive sizes. This is done while the device is running and serving data - no downtime, though things may slow down as you would expect during migration operations.

From an end-user perspective this is a very different experience. Yes, FreeNAS/TrueNAS is cool, but I put a Synology at my dad's house.


The scenario you mention can easily be done with ZFS as well. I run a raidz1 and recently migrated from 3x4TB drives to 3x10TB. I bought one drive at a time and gradually expanded the pool. For each new drive I added I simply had to resilver the pool and I was done.

You most certainly can add drives to a zfs pool to expand it.

I've been running zfs on my file servers for ~17 years, have expanded the pool many times. In all that time I've only built a new machine once. Currently still running on my 2009 file server build. I've swapped and added drives to it over the years though.


You can add drives to a ZFS pool, but you need to either replace or add them in massive chunks (or smaller chunks if you're happy buying 2x as many disks as you actually need).

If I want one disk redundancy.

Today I can afford two 10 TB disks.

Next year I need more than 10 TB capacity and I can afford one more disk.

Two years from now I need another 10 TB capacity and I can afford one more disk.

How can I perform this migration with ZFS? Going from 10 TB - 20 TB - 30 TB of capacity, adding one disk at a time, without losing redundancy.

Or say next year and two years from now 12 TB drives are cheaper. So with (10TB+10TB) + (12TB) + (12TB), Synology will give me 32 TB of usable space and I will have one drive redundancy throughout the whole time.

Honestly curious, this is a real-life situation that me and several of my friends have done with Synology NAS. For this use case, I would love to use cheaper and more performant used hardware, and not have to rely on proprietary software that phones home. ZFS requires upgrading your disks all at once, unRAID has single-disk performance, straight-up Linux BTRFS is "unstable".


> Honestly curious, this is a real-life situation that me and several of my friends have done with Synology NAS.

I guess I don't understand why optimize for the cost of a single drive, above all criteria?

Between this and the other comments, you've mentioned that Synology is over-priced, lower quality, lower performance, proprietary and phones home. Are you really better off vs. building a higher-quality more performant lower-cost ZFS server that's fully open source and has better reliability?

If Synology is higher cost, maybe take that difference in price to buy an extra drive or two?

To me a NAS is all about reliability.

> and I will have one drive redundancy throughout the whole time

Mentioned in the other comment, but that's not a good way of looking at it. What matters is the probability of loss of data while rebuilding the data after one drive has died. The more drives you have in that set, the larger the probability of loss. Your risk is increasing with every drive you add.


Synology hardware is overpriced for what it is, but in the home-sized NAS segment, it's still way cheaper than buying drives.

I simply can't afford to buy a whole array upfront. I can just afford to expand it every other year or whatever.


If you're comfortable with the large and ever increasing risk of loss (by adding drives without adding redundancy) then Synology is probably indeed a better match for your use case than ZFS.

I don't really understand why pay for dedicated NAS hardware if reliability isn't priority #1, but that's me.

Personally, for stuff that I care about but not quite that much, I just keep on the SSD on my laptop. It'll very probably be fine but there is risk of loss (same as Synology).

For the things I care deeply about, they go on the ZFS server with tons of redundancy, snapshots and backups. I'd never trust the truly precious data to anything other than ZFS.


> You most certainly can add drives to a zfs pool to expand it.

You can't replace drives with bigger ones and expand the pool. This is important if you have a 4/5/6/8 bay chassis and exactly the same number of drives in the pool.


You can, although you need to replace all the drives in the pool. You can swap one, wait for resilver (or for a month, if you're on a budget), do the next one... And once you've replaced every drive, you do like this:

https://www.ateamsystems.com/tech-blog/expand-zfs-to-use-lar...


A few years ago, I needed exactly that, and it didn't work.

I guess I'm not alone: https://www.google.com/search?q=zfs+autoexpand+not+working


>You can't replace drives with bigger ones and expand the pool.

Yes you can. That's exactly what the 'autoexpand' property is for. It's odd how this kind of thing floats around on the internet.


Just because there's a property doesn't mean that it works. It floats around on the internet, because that's the experience people have.

It works just fine. I've upgraded vdevs this way several times, and it worked without a hitch on every occasion.

It didn't for me; in the end, I backed up the files, scrapped the machine and put the drives into a Synology box.

So take it as a piece of the puzzle as to why Synology is more popular.


> makes their own hardware for it

All of their hardware is off the shelf parts, including the case, the motherboard and the drives. I built my own FreeNAS setup using the same components that FreeNAS was selling bundled together at the time. It ended up being about 2/3rds the price.


This is true, but it's more about support. iXSystems provides full testing and support on their hardware, which OP mentioned as a want. DIY is cheaper, especially since you have the option to buy used parts, but the premade systems are actually reasonably priced especially compared to some of the markups on Synology hardware.

This. I've tried most solutions under the sun, but now that I'm 40 with kids, mucking up with my storage is just not how I spend my weekends anymore.

Unraid is what you are looking for then

Well, I did buy a QNAP TS-419P many years ago. It's still running mainline Debian, that was why I bought it. I would have replaced it with a newer model if the new ones were similarly open, but they're not.

Seriously considering a Helios64, once they get their supply issues resolved.


I also got one but it's just something I use to run a container to manage my nextcloud and other stuff...

I'd have bought a dozen by now if they'd double the RAM and make it ECC.

It uses ECC memory.

https://kobol.io/helios4/


This is not the same product.

Yep. They were planning on adding an ECC option to Helios64, but it's not available yet.

Synology is proprietary UI but it’s just using Linux raid. That’s how you can recover if anything happens to the hardware.

Does that apply to SHR as well?

Yes.

SHR is just a friendly gui to automatically juggle mdraid arrays to fit when you have different-sized disks (e.g. if you have 2x8 TB disks and 2x10 TB disks, SHR will create one 4-disk 8 TB mdraid array and one 2-disk 2 TB mdraid array and append them to a single volume).

The one proprietary bit Synology has is a way to use mdraid parity to fix checksum errors detected in BTRFS.
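Two passages above describe the same mechanism from different angles: the earlier expansion scenario (two 10 TB disks, then a 12 TB, then another 12 TB, ending at 32 TB usable with one-disk redundancy throughout), and the comment just above that explains SHR as a front end that juggles mdraid arrays in size tiers (2x8 TB plus 2x10 TB becoming a 4-disk 8 TB array plus a 2-disk 2 TB array). The following is an added example, not Synology's code and not from this thread, that models that tiering for single-disk redundancy and checks both sets of numbers. It assumes the tiering rule as the comment states it (a two-disk tier is mirrored, three or more disks get single parity, a one-disk tier is left unused); the real SHR implementation is proprietary and may differ in details.

```python
def shr_layout(disk_sizes_tb):
    """Model of how SHR-style single-redundancy layout splits differently
    sized disks into mdraid arrays. Assumed rule, per the comment above:

    Capacity is consumed in tiers. The smallest size is taken from every
    disk; the next step up is taken from the disks that still have space,
    and so on. A tier with two disks becomes a mirror (raid1), a tier with
    three or more becomes single-parity (raid5), and a tier held by only one
    disk cannot be protected and is left unused.

    Returns a list of (member_count, chunk_size_tb, raid_level).
    """
    arrays = []
    previous_level = 0
    for level in sorted(set(disk_sizes_tb)):
        members = sum(1 for s in disk_sizes_tb if s >= level)
        chunk = level - previous_level
        previous_level = level
        if members < 2:
            continue  # a lone disk has no partner; this slice is wasted
        raid = "raid1" if members == 2 else "raid5"
        arrays.append((members, chunk, raid))
    return arrays


def usable_capacity_tb(disk_sizes_tb):
    """Usable space: every array gives up one member's worth of chunk
    to redundancy, so a mirror yields chunk and raid5 yields chunk*(n-1)."""
    return sum(chunk * (members - 1)
               for members, chunk, _ in shr_layout(disk_sizes_tb))


def expansion_path(disk_additions_tb):
    """Usable capacity after each disk is added one at a time, which is the
    incremental-growth scenario the thread is arguing about."""
    disks, path = [], []
    for size in disk_additions_tb:
        disks.append(size)
        path.append(usable_capacity_tb(disks))
    return path


if __name__ == "__main__":
    # The layout the comment above describes for 2x8 TB + 2x10 TB.
    for members, chunk, raid in shr_layout([8, 8, 10, 10]):
        print(f"{members}-disk {raid} using {chunk} TB from each member")
    print("usable:", usable_capacity_tb([8, 8, 10, 10]), "TB")
    # The earlier scenario: 10 + 10, then 12, then 12.
    print("growth path:", expansion_path([10, 10, 12, 12]), "TB usable")
```

With four disks of 10, 10, 12 and 12 TB the model puts 10 TB from every disk into a 4-disk raid5 (30 TB usable) and the extra 2 TB on the two larger disks into a mirror (2 TB usable), for 32 TB, which is the figure quoted in the scenario. A single larger disk, as in a 2+4+6 TB set, leaves its top slice unprotected and therefore unused, which is the trade-off to keep in mind when mixing sizes.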


That seems perfect spec-wise. Would you mind giving a quick review of the acoustic characteristics of the case?

I'm looking to move away from a QNAP box, and one of the driving reasons is the horrible "hard-plastic hard-mount everything" design that couldn't amplify hard drive noise any more if they'd done it on purpose.

(The other reasons are that I'd rather manage ZFS myself, and the need for more than gigabit ethernet)


Another suggestion for QNAP owners is to simply replace the firmware with a regular Linux distribution. This is what I’ve done and haven’t looked back.

Is this commonly possible? I know some of their devices can run a normal distribution, but when I looked into this recently I didn't see confirmation for current models.

I have a 4 bay TS-453 Pro (Celeron J1900). I swapped out one of the HDDs for an SSD with the distro install and created a ZFS array with the other three drives.

In my experience, BIOS/EFI comes up if you mash F2 with a HDMI monitor and a USB keyboard and mouse attached. Your mileage may vary.

A few niggly bits: the LCD says “System Starting” until LCDd/lcdmon starts and there is no control over the HDD activity lights. Fan Control is sufficient to quiet the fans to a tolerable level once Smart Fan is disabled in the EFI.

Perhaps I should document this somewhere …


I _desperately_ want something like this, but in a 1U 4-drive form factor. If someone is working on something like this, _please_ let me know. It doesn't even have to be an RK3399 based system, just something that works with a mainline (or near-mainline) linux distro and will host an SMB server & DLNA server.

Why not a 1U Supermicro server? They have options that are short depth or with Atom processors. If you just want a 4 disk 1U server, those would be a good option.

Or is it a question of budget? If that’s the case, what about a used server (like those from UNIXSurplus)?

Or is it a question of power? If that’s the case, then... I don’t quite know in that case.


For other popular, affordable used short-depth 1U servers that you can get with 4 external 3.5" drive bays, there's the Dell R210 II, R220, and maybe R230.

Without getting into questions of possible security implications/perceptions of where servers are designed and manufactured... I do like the simplicity of some of the Supermicro options. I currently have a short-depth 1U Atom-based one, which runs passively-cooled except for the PSU fan, which I've replaced with a soldered-in practically silent Noctua. I intentionally got a mobo without a crazy BMC with IPMI, but I still don't assume the hardware is very trustworthy. It might still be more trustworthy than a popular consumer board.

(BTW, if you're looking at any quiet/cool-running server that uses an Intel Atom C2xxx or some other Atom models, make sure that either it isn't a lemon one, or it has a mitigation. [1][2])

[1] https://www.servethehome.com/intel-atom-c2000-avr54-bug-stri... [2] https://www.eevblog.com/forum/microcontrollers/intel-atom-c2...


ASRock also has some SFF server boards with IPMI and ECC, if I remember correctly, also with onboard CPU and fanless in some cases.

Thanks, that's good to keep in mind. ECC is great, though I personally don't want IPMI. (The only IPMI implementation I looked at so far appeared likely chock full of vulnerabilities, and it was sharing a NIC. There was a jumper that ostensibly disabled the BMC, but didn't appear to disable it fully.)

I mean power and price are a factor, but I haven't seen a hot-swap drive 1U system that's not big and noisy. I guess part of the problem is that my rack is right next to my desk (noise) and can only support 24" of depth (I'm real drunk and somehow forgot deeper 1U hot-swap servers exist).

Like this? http://www.casetronic.com/corporates/40-t1160.html

Not ARM-based though, but they do have a variant that can host 4 pico-itx boards: http://www.casetronic.com/corporates/42-t1040.html . I gather you may be able to convert that one more easily to fit an ARM board, or RISC-V for that matter.


Well, damn, that is absolutely what I'm looking for. I just never happened to be able to find that in my (literally) _days_ of searching.

Thank you for linking that.


iStarUSA make some cases that might suit you. I can't directly link to its search results, but they have a requirements selector here: http://www.istarusa.com/en/istarusa/index.php

http://www.istarusa.com/en/istarusa/products.php?model=EA-1M... (love the "XServe" aesthetic)

http://www.istarusa.com/en/istarusa/products.php?model=U-140...

http://www.istarusa.com/en/istarusa/products.php?model=M-140... (extra short!)


Helios64 looks amazing but they've been sold out for a while.

You had my hopes up for a moment there, haha


Seems to be so common with these niche SBCs and accessories. They look so cool, but are unobtainable. People sometimes complain about the over-use of RasPis, but one thing they have going for them is that you can always find them available from many different sources.

I personally have a qnap NAS because I wanted something cheap. I did not enable all the functions and I will definitely not enable all the "internet functions".

Wow very cool. I wish there was an optional 10gbe interface. Otherwise, I wonder how they are able to make this so affordable.

Thank You, never heard of it before. The bundle price is really good for a 5-Bay, Battery UPS NAS.

Unfortunately I only want 2 Bay.


Many 2 bay NAS cost close to that figure, so it's still convenient, and more bays are never enough. The only two problems with the Helios, which I have been monitoring since last year, are that it appears not to be 100% stable yet (although most problems reported in the forums seem related to excessive clock speed, which can be throttled down) and that it's always out of stock. It's a revolutionary product given the price and features (how many noticed it also has a small UPS on board?), therefore as soon as a new production batch is ready it goes away almost immediately.

I think the 4 Bay Size ( The 4S ) fits me better. I just prefer something taller and wider than taking lots of ground space. I don't have the luxury to live in a large flat. Although the 4S is now discontinued?

I don't quite understand "excessive cloud speed". Assuming I am only using it for file transfer and nothing more, would it still be a problem? Or is it something to do with the filesystem? I haven't checked out if the default supports something like ZFS or BTRFS.


It's excessive clock speed, not cloud speed. Might be causing the CPU overheating so users throttled down its speed which seems to solve the problem.

>It's excessive clock speed, not cloud speed.

It was obviously a typo.


There's also U-NAS, which makes a 2-bay mini itx system. They'll sell you either a chassis or an entire prebuilt (Intel) system [0].

[0] https://www.u-nas.com/xcart/cart.php?target=product&product_...


The built-in UPS feature is very cool.

It's very cool, until something goes wrong with it. IMHO you are better off getting an external UPS and putting some other stuff on it.

It seems much more efficient with a small, DC, li-ion UPS than an external UPS which will use an AC inverter (and now you gotta decide, spring more for pure sine wave?) and heavy lead-acid batteries.

It seems like a gimmick to me. It depends on the use case, I guess. So you have your NAS on a built-in UPS. Now what about the rest of your network? Switch? Router? Modem? You still need an external UPS.

It's mostly a gimmick, but for home/small business users I think it is actually pretty useful.

A mobile power bank-sized battery like this can probably power a NAS like this for at least 10-15 minutes (personal experience messing around with USB-C).

Most home/small business NAS usage is SMB file sharing, and SMB writes are async. Just a minute to sync writes and close the file system safely is huge for most users.

As someone who has supported a small business, just being able to handle the 5 minutes between someone running the coffee maker at the same time as the fridge and then resetting the breaker is huge.


Nice box, but "Out of Stock". And no IPMI, as it seems.

Am I the only one that thinks that connecting the NAS directly to the internet is a stupid idea to begin with?

Don't get me wrong, I can totally understand why people (without much technical background) are tempted to do this. But with all the complexity these NAS systems nowadays have it was only a matter of time for something like this to happen.


Other than your router you should not have ANYTHING directly on the internet these days.

There is just too much surface area for device software now and cost pressure doesn't allow for security to be much of a priority.


With the QNAP cloud service, even if the server was behind a firewall/NAT, you could still directly access the NAS from the internet. So, you could still get caught with this.

Source: I have a QNAP NAS and after the first week, I couldn’t figure out who was trying to login to it as an admin account. Thankfully, I had changed all the passwords, but by default it had connected to their cloud service and was remotely accessible. I’m still not 100% sure I have it completely secured.


> you could still directly access the NAS from the internet

Not unless you intentionally opened a port on the router to allow inbound access. Even default cable modems come with every port blocked by default.

Even cloud-enabled services require that the machine behind the modem/router open the connection first, so unless you're getting MITM there's no externally available access.


Actually, enabling the myQNAPcloud service comes with an "Auto router configuration" which makes the NAS send UPnP requests to the router for opening inbound ports. So unless UPnP is disabled on the router (which in most cases would have to be done manually at some point), you don't need to intentionally open a port for inbound access, the QNAP NAS will do it automatically...
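The practical defender's check for the behaviour described above is to read back what the router's UPnP IGD service has actually been asked to open, since a mapping created by a NAS looks exactly like one you made yourself. The following is an added example, not from the thread or from QNAP, that parses GetGenericPortMappingEntry responses from the IGD WANIPConnection service and lists the enabled mappings that expose a LAN host; the field names are the ones the UPnP IGD specification defines, while the sample responses and addresses are constructed for the example, not captured from a real router.

```python
import xml.etree.ElementTree as ET

# Service namespace used by UPnP IGD port-mapping responses.
IGD_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"


def _sample_response(ext_port, proto, int_port, client, enabled, desc, lease):
    """Build one GetGenericPortMappingEntryResponse envelope. The element
    names are from the IGD spec; every value here is constructed for the
    example (hypothetical hosts and ports), not captured from a device."""
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
        "<s:Body>"
        f'<u:GetGenericPortMappingEntryResponse xmlns:u="{IGD_NS}">'
        "<NewRemoteHost></NewRemoteHost>"
        f"<NewExternalPort>{ext_port}</NewExternalPort>"
        f"<NewProtocol>{proto}</NewProtocol>"
        f"<NewInternalPort>{int_port}</NewInternalPort>"
        f"<NewInternalClient>{client}</NewInternalClient>"
        f"<NewEnabled>{1 if enabled else 0}</NewEnabled>"
        f"<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
        f"<NewLeaseDuration>{lease}</NewLeaseDuration>"
        "</u:GetGenericPortMappingEntryResponse>"
        "</s:Body></s:Envelope>"
    )


# Constructed mapping table, as if walked entry by entry from a router.
SAMPLE_RESPONSES = [
    _sample_response(8080, "TCP", 8080, "192.168.1.50", True, "NAS web admin", 0),
    _sample_response(445, "TCP", 445, "192.168.1.50", True, "NAS SMB", 3600),
    _sample_response(5000, "UDP", 5000, "192.168.1.77", False, "old game", 0),
]


def parse_port_mapping(soap_xml):
    """Turn one IGD response into a dict. The child elements carry no
    namespace, so they are looked up by bare name inside the response."""
    root = ET.fromstring(soap_xml)
    resp = root.find(f".//{{{IGD_NS}}}GetGenericPortMappingEntryResponse")
    if resp is None:
        raise ValueError("not a GetGenericPortMappingEntry response")

    def text(name):
        node = resp.find(name)
        return (node.text or "").strip() if node is not None else ""

    return {
        "remote_host": text("NewRemoteHost") or "*",  # empty means any source
        "external_port": int(text("NewExternalPort")),
        "protocol": text("NewProtocol"),
        "internal_port": int(text("NewInternalPort")),
        "internal_client": text("NewInternalClient"),
        "enabled": text("NewEnabled") == "1",
        "description": text("NewPortMappingDescription"),
        "lease_seconds": int(text("NewLeaseDuration") or 0),  # 0 = permanent
    }


def exposed_mappings(responses, lan_host=None):
    """Enabled mappings that forward internet traffic to a LAN host,
    optionally restricted to one host (for instance the NAS)."""
    found = []
    for xml in responses:
        mapping = parse_port_mapping(xml)
        if not mapping["enabled"]:
            continue
        if lan_host and mapping["internal_client"] != lan_host:
            continue
        found.append(mapping)
    return found


def describe(mapping):
    """One human-readable audit line per mapping."""
    lease = "permanent" if mapping["lease_seconds"] == 0 else f"{mapping['lease_seconds']}s lease"
    return (f"{mapping['protocol']} {mapping['remote_host']}:{mapping['external_port']} -> "
            f"{mapping['internal_client']}:{mapping['internal_port']} ({lease}) "
            f"{mapping['description']}")


if __name__ == "__main__":
    for m in exposed_mappings(SAMPLE_RESPONSES, lan_host="192.168.1.50"):
        print(describe(m))
```

On a real network the responses come from walking the mapping index with GetGenericPortMappingEntry against the router's control URL, or more simply from `upnpc -l` (miniupnpc), whose listing is the same table. A permanent mapping (lease 0) pointing at the NAS admin port is the thing this thread is warning about; disabling UPnP on the router, or at least the NAS's auto router configuration, is what stops it reappearing.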

>No you can't, unless someone intentionally opened a port on the router to allow inbound access.

That's what I used to think. Then I found out about upnp on routers. I'd like to have a quiet talk with whoever thought that was a good idea.


QNAP has something called QLink which I believe is a NAT traversal scheme that gets the NAS to open a link to the QNAP servers. No port forwarding is necessary.

No reason to believe a random off the shelf router is any more secure than any other device

It's probably better to only have one random possibly insecure device connected to the Internet than a dozen random possibly insecure devices.

I'd like to hear what HN folks would most comfortably put as that router (device/software).

I have this pc engines apu2 openbsd setup. Upgrading openbsd is kind of a pain, but other than that, it has been trouble free:

https://github.com/elad/openbsd-apu2

In the last 5 years, it has crashed zero times.

Once, after a power loss, fsck blocked until I pressed y over and over again.


FreeNAS on an X11SBA-LN4F. It's an awesome board for a home router. With a 100W 80+ Gold PSU this thing pulls like 3-5W from the wall most of the time. I'm tempted to just get a 12V brick as it can run off just a DC power supply instead of a full ATX, but hey, if it works it works, why mess with it.

https://www.supermicro.com/en/products/motherboard/X11SBA-LN...


Oops, didn't mean FreeNAS, I meant pfsense there. All this talk about NAS'es put FreeNAS on the mind.

I use a pcengines APU2C4 (AMD x86 CPU SBC with integrated network switch) with VyOS as my external router.

https://routersecurity.org/ brought me to https://www.peplink.com/products/soho-series/

But I would love to understand my router better and why/how to trust it, or that I've configured it the best way, to protect from threats both inside and outside my LAN.


When I tried to research this last time I heard that dd-wrt were more on top of CVEs than OpenWRT, so I picked them. No idea if that's correct though

I use a Unifi USG despite the anti-ubnt security hype. I also use pcengines apu2 with ubuntu focal as VPN routers.

I like the Ubiquiti EdgeRouter X since it doesn't try to be as magic and cloud-enabled as the USG (yes there is UNMS but they don't push you to use it like they do on the Unifi gear)

At work I use fortigate equipment and keep it updated.

At home I have sold my soul to Bezos and just use an Eero.


personally I have something like this: ISP modem ---> Netgear (for guests) ---> pfSense ---> My network with the VPN server for dialling in.

I would have added a second pfSense for the NAS and cloud but I thought it would be overkill.


openwrt on a wrt1200ac

So are you completely against self-hosting services or do you apply this only to closed (IoT) appliances?

Your service should probably be sitting behind the firewall/router/proxy. But you really should consider your options and if the service itself needs to be exposed directly to the internet.

I think it's insane to do. I wouldn't want to open my NAS up to the internet. I can VPN into my home network if I need to access it remotely.

I think it's a bad idea as well but I don't blame people for doing so because of how QNAP markets them.

Competing products are marketed in the same way.


I can't imagine attaching anything directly to the internet outside my router.

And you likely have UPnP disabled.

The device can be hacked even within LAN. These gadgets sometimes use UPnP and open ports on routers. A lot of ISP provided routers support UPnP.

If you use Google or Apple photos you are connecting to their computers that are exposed directly to the internet, but I would much rather own my data rather than have these corporations own it. The question in my mind is why these NAS companies are so comparatively terrible at writing secure software.

Yes, I made the suggestion to both QNAP and Synology for having a simple single option to disable ALL cloud functions and Internet connection. I want an Intranet NAS. Not an Internet NAS.

But they seem to think they don't add value without the Internet stuff.

I don't use any of the Internet stuff. I only want my files to be shared within the network in my home. And doing it myself requires so much tinkering.


Assuming you aren't talking about completely air gapped parallel IT infra: The alternative comes with different administration burdens after which you've built an insecure internal network that is still indirectly internet connected and can be breached. If it's not that in the beginning, it will become one, due to human factors.

Nope. My Synology is only reachable via a VPN. Even connecting to the Plex server on it requires a VPN.

It’s worth mentioning that people found that Synology also has a default encryption password (same password for all devices):

https://blog.elcomsoft.com/2019/11/synology-nas-encryption-f...

The OpenVPN also had a hidden password:

https://www.cvedetails.com/cve/CVE-2014-2264/

The funny thing is that they didn’t even bother to choose a longer password (the password is synopass). Even if people hadn’t found them, an attacker brute-forcing these passwords would easily find them.
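
The process failure behind both the QNAP walter:walter credentials and the synopass default above is that a string literal acting as a credential reached a shipped build. As an added example (not code from QNAP, Synology or any commenter), here is a small Python pre-commit style scanner that flags password literals, user:pass pairs embedded in connection URLs, and e-mail addresses baked into source, while skipping templated placeholders such as "${DB_PASSWORD}". The sample source lines are constructed; "synopass" is taken from the comment above and the other values are made up.

```python
"""Added example: a small hardcoded-credential scanner (not QNAP/Synology code).

Scans source text for the kind of defects the thread describes: password
literals, credentials embedded in connection URLs, and e-mail addresses baked
into code. Templated placeholders such as "${DB_PASSWORD}" are skipped so the
check can run in CI without flagging config templates.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Literal assigned to a credential-looking name, e.g. password = "x", api_key: 'y'.
# The leading \w* lets prefixed names such as openvpn_pass or db_secret match.
ASSIGN_RE = re.compile(
    r"""\b\w*(?:pass(?:word|wd)?|pwd|secret|token|api[_-]?key)\b\s*[=:]\s*["'](?P<value>[^"']+)["']""",
    re.IGNORECASE,
)
# Username literal on the same line, used to spot the user:pass-identical case.
USER_RE = re.compile(
    r"""\b(?:user(?:name)?|login)\b\s*[=:]\s*["'](?P<value>[^"']+)["']""", re.IGNORECASE
)
# scheme://user:pass@host inside a URL.
URL_CRED_RE = re.compile(r"""://(?P<user>[^:/@\s"']+):(?P<pw>[^@\s"']+)@""")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# Values that are templates or obvious redactions rather than real secrets.
PLACEHOLDER_RE = re.compile(r"^(?:\$\{[^}]*\}|<[^>]*>|\*{3,}|x{3,}|changeme)$", re.IGNORECASE)
BLOCKING_KINDS = {"password-literal", "password-equals-username", "url-credential"}


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    value: str


def scan(source: str) -> list[Finding]:
    """Return every suspicious literal in `source`, in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        users = {m.group("value") for m in USER_RE.finditer(line)}
        for m in ASSIGN_RE.finditer(line):
            value = m.group("value")
            if PLACEHOLDER_RE.match(value):
                continue  # templated or redacted value, not a shipped secret
            kind = "password-equals-username" if value in users else "password-literal"
            findings.append(Finding(line_no, kind, value))
        for m in URL_CRED_RE.finditer(line):
            findings.append(Finding(line_no, "url-credential", f"{m.group('user')}:{m.group('pw')}"))
        # Blank out user:pass@ first so the host part is not reported as an e-mail.
        for m in EMAIL_RE.finditer(URL_CRED_RE.sub("://", line)):
            findings.append(Finding(line_no, "email-literal", m.group(0)))
    return findings


def has_blocking_findings(findings: list[Finding]) -> bool:
    """True if anything found should fail the build (e-mail literals only warn)."""
    return any(f.kind in BLOCKING_KINDS for f in findings)


# Constructed sample lines standing in for a backup agent's code base; "synopass"
# is the value mentioned in the thread, everything else here is made up.
SAMPLE_SOURCE = """\
conn = ssh_connect(host, user="walter", password="walter")
NOTIFY_EMAIL = "engineer@example.com"
DB_URL = "mysql://backup:hunter2@db.internal/hbs"
openvpn_pass = "synopass"
cfg_password = "${DB_PASSWORD}"
enc_key = keyring.get("hbs-encryption")
token = os.environ.get("API_TOKEN")
"""

if __name__ == "__main__":
    results = scan(SAMPLE_SOURCE)
    for f in results:
        print(f"line {f.line_no}: {f.kind}: {f.value}")
    raise SystemExit(1 if has_blocking_findings(results) else 0)
```

Run as a script it prints four findings for the sample and exits non-zero; the two lines that read their secret from a keyring or the environment, and the templated placeholder, are not reported. A real deployment would wire `scan` into a pre-commit hook or CI job and extend the keyword list to the project's own naming conventions.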


Stopped buying storage appliances when my old Drobo went out of support. Now I get a suitable case, fill it with drives and go from there. Even a USB tower with ten drives is far preferable to some proprietary Linux derivative with a downward-ticking support window.

I genuinely believe you're better off with a combination of:

A. an integrated solution like FreeNAS/TrueNAS, Unraid or even Ceph if you want even more steps. Install and configure. Done.

B. a base Linux install with just the particular file servers you need. Install and tinker. Auto-update. Remove unnecessary packages.


> Thank you Walter Shao, best engineer ever! This is really good for your CV! Oh, and you owe a few people 0.01 BTC...

Best line of the thread


I feel bad for Walter, and people blaming him as the sole responsible party are just part of a mob reaction. Is this backdoor bad? Yes. QNAP should suffer a financial setback*, but who among us hasn't done something like this which, combined with pressure to release from management and (obviously) poor corporate code review and audit practices, went on to 'almost'** release something that shouldn't be.

My point: this isn't on Walter alone; in fact, most of it isn't. It's the software development processes (or lack thereof) that allowed this to happen. My guess: Walter will be shown the door, QNAP will be able to say we took action and got rid of Walter, but the true issue, the bad process that led to this, is probably still there. Worse, Walter's knowledge of the code base will also be gone.

And no, I'm not Walter if anyone is wondering.

* they won't

**'almost' is in quotes for plausible deniability reasons on my end.


Agreed, the new password should be feelbadforwalter --> decrypt + base64 zbQOp+Pa0RxqLuTjuNnJ3A==

The latest HBS 3 Hybrid Backup Sync 16.0.0419 has 1215 lines of code with the word "walter".

Walter's a popular guy. (Apparently he's QNAP's Technical Manager)


No wonder he was promoted, so he'd stop doing stupid things like that. Obviously they've not wiped up enough after him.

Crazy that when things like this happen people rarely even get fired and the company just says "oops, we'll do better." US retailers should stop selling QNAP after something like this. Who knows if this was accidental or intentional.

I was on the fence about getting some type of off-the-shelf ARM-based NAS, but once again my wariness of "consumer" hardware turned out to be a good call. I wish it could be otherwise.

My current NAS is an old PC that I built for the purpose many years ago with ECC RAM and an unlocked Phenom II, and currently runs Ubuntu Server after I experimented with OpenSolaris just in time for the Oracle takeover, and then took a detour through CentOS. It's getting kind of long in the tooth now, and I could get a lot more oomph for the same power consumption, or the same for less power.

It's clear that my next server is going to have to be one I build up myself, just as before. I'm leaning toward an AM4 server board (such things do exist), as it offers lots of CPU options from cheap/low-power to Ryzen 9 5950X. The latter is extreme overkill, but it's an option nonetheless. ;) I'd be most likely to go midrange on the CPU. ECC RAM is a no-exceptions must.

I'm on the fence whether or not I should spring for 10G Ethernet. I have absolutely nothing else that uses it right now, and I have perfectly good gigabit gear that has served me well and would rather not throw out or try to sell. It might be worthwhile anyway as a direct single-client SAN.


I was close to getting a QNAP as they are cheaper than a Synology. My use case is storing home security camera footage.

Currently, I have an old PC running Linux with software RAID. My motivation for switching to an appliance was power consumption and heat/noise. I live in a tropical country so I can't get away with passive cooling. Due to dust build-up, the Intel Celeron CPU and motherboard broke down.

It's been replaced with an AMD Athlon. My plan was to replace the entire setup with an appliance NAS the next time it breaks down. I'm now hoping it will last long enough that an ARM-based CPU solution will work out. My top candidate is the ROCKPro64.


10G Ethernet is cheap enough that I made a "mini backbone" using a CRS305-1G-4S+IN and threw my NAS and main desktop on it. It's nice.

I wish I'd built my own instead of buying Synology. The added-value software is just a gimmick to pad the marketing material; most of it has only the most basic functionality and isn't particularly well made.

I really wish there was a small NAS case that didn't look like a massive box. The QNAP/Synology 4-bay low-power form factor is just killer for fitting into small spaces, but if I could put a Core i5 in one of those with some flash to get some more VMs going and run Linux or some BSD distro, that'd be incredible.

Smallest one I've found is https://www.u-nas.com/xcart/cart.php?target=product&product_..., but not quite as compact as I'd hope.

As I can't find DIY hardware like that, Synology looks to have a slightly more mature vulnerability response program than QNAP -- apparently they have a bounty? I've heard about fewer Synology flaws, so hopefully they're a slightly better choice on the software side.


I have this one at home: https://www.mini-itx.com/~NAS6 . It measures roughly 20x20x30 cm and can fit a standard mini-itx motherboard. Not as small as a dedicated ARM box, but the smallest I could find. Fitting the PSU is very fiddly though, there is hardly any space between the PSU and the HDD backplane.

Would you mind giving a quick review of the acoustic characteristics of the case?

I'm looking to move away from a QNAP box, and one of the driving reasons is the horrible "hard-plastic hard-mount everything" design that couldn't amplify hard drive noise any more if they'd done it on purpose.


Hard-drive seek noise is not something you will avoid with this case. I can't comment on the stock fan configuration, because I replaced the PSU with a Corsair SF-450 and the fan with an Akasa 15mm PWM fan.

The airflow is relatively OK: the exhaust fan is directly opposite (and pretty much centered on) the hard drive cage, and the backplane is organized in a 3x2 configuration so it leaves some room for air to pass between the drives. The motherboard is flat on the bottom of the case, so it doesn't impede the airflow, but also doesn't benefit much from it. If you need lots of CPU power, an active fan on the CPU cooler is recommended.

The drive cage itself and the trays are metal with hard-plastic rails, similar to QNAP, but the build quality is surprisingly solid. There's no audible resonance from the case due to the spinning drives. The case feet are padded with soft foam, so vibrations don't travel from the case to the shelf it's resting on. I expect it will take a year for the foam to compress, but it's a nice touch. Other than that, yes, seek noise is pronounced. It's not something that bothers me because it's not in the living room, but I wouldn't want to put it next to my HTPC set.

My main criticism is the chosen position and form factor of the power supply: it's mounted at the same height as the drive cage and projects inwards, leaving almost no room for the hard disk connectors (angled Molex connectors for HDD power are a must!). They should have used a Flex-ATX form factor instead of SFX, and mounted it length-wise across the case's back plane. I have half a mind to get a Dremel and do that myself, but the other half is winning out for now.


I use one of these chassis [1], the form factor is great. Be mindful that some of the bracing blocks the PCIe slot on some motherboards.

[1] https://m.aliexpress.com/item/33038670915.html?spm=a2g0n.pro...


A lot of people seem to use refurbished enterprise SFF machines (OptiPlex Micro, ThinkCentre M, etc.) for VMs and similar, if your storage needs are more modest. I've also seen some run WD externals from them via the stock USB enclosures, although I'm not sure if running RAID or the like on USB devices is a good idea.

The HP Gen10Plus Microserver might do what you're after [0].

I've been running the Gen 7 since January 2013 with Ubuntu 16.04 then 20.04. It's travelled between New Zealand, Australia and South Korea multiple times. The Russian BIOS enabled hotplug and took the speed restriction off the CD-ROM SATA port.

I run a SanDisk SSD (purchased 2014) in the CD-ROM bay and 3x 8GB WD Red (CMR) drives. The fourth bay I use for transferring or backing up other drives. I used mdadm for software RAID as the "hardware RAID" needed special drivers and it was too hard at the time.

I haven't played with the Gen10Plus yet but it'll probably be the direction I head instead of a NAS. They come with Xeon processors and 4 ethernet ports!

[0] https://buy.hpe.com/au/en/servers/proliant-microserver/proli...


Wow, almost a perfect solution. Unfortunately, it doesn't support quicksync if you swap to a CPU that supports it. :(

U-Nas (https://www.u-nas.com/) makes compact NAS cases with bays. They sometimes have servers in stock too.

QNAP has some enticing out of the box NAS products, but I guess I feel a bit better having chosen Synology.

That’s not to say I necessarily love any of these vendors too much. They feel a bit too much like feature mills that have lower incentive to adopt better security practices and higher incentives to add features and, well, provide a decent user experience. I appreciate the latter, but it isn’t ideal.

Still, as much as I’d love a NAS running open source software and maybe even open hardware, I think the amount of time and effort spent on doing so would not be well rewarded. So for now, I guess I’ll ride the useful life of my Synology NAS out and go from there.

As for this incident, it is embarrassing, but it happens. Hopefully this will motivate more people to do security research on these devices.


I am still happily running FreeNAS 11. I haven't updated to 12 and its name change to TrueNAS. Anyway, the amount of janitoring I have to do with it is very minimal. Over the last year, less than 1 hour of time spent total.

Another very happy FreeNAS user, been running FreeNAS (now TrueNAS) for 8 years. Other than a hard drive upgrade and one hard drive failure it has been pretty smooth. My overhead in the last year has been maybe 5 hours of upkeep.

FreeNAS user for many years here, very happy in multiple environments: small home/office stuff and larger "production" environments.

Synology on the other hand just removes file systems that you may be using: https://news.ycombinator.com/item?id=26800062

Your one-line summary of the situation is wildly misleading. You had to migrate disks from devices that support btrfs to devices which were advertised as not supporting it, but it just happened to work.

It was claimed that there was (briefly?) an option right in the GUI to create a BTRFS setup, with no need to migrate anything. Was this incorrect?

I believe so.

I sold my QNAP NAS a year ago as QNAP does not have a strong security track record. If anyone is looking for an open source NAS solution, I recommend OpenMediaVault - it runs on Debian Linux and provides a management GUI for managing ZFS pools.

I'm currently using a 3-disk setup with WD Red (CMR) drives + SSD cache on ZFS with it and have had a good experience in the past year using it so far. I've had to replace one of the disks due to age and ZFS makes it super simple to replace and resilver disks.


Is there an official statement regarding the exploit? What should/can you do at this point to ensure access to your data?

Now that ReadyNAS (Netgear bought them years ago, but the hardware and software was still decent up until recently when they stopped releasing updates) seems to have given up in the (pro)consumer space (4+ drives), is Synology the only option now?

Asustor and WD seem to be making more advanced and larger drives, maybe they're options...


Synology has always had better software. But they have been more expensive and they have been threatening to lock out some features unless you use their drives.

There is no real competitor on the market right now except QNAP. And who wants to deal with FreeNAS, I have better and more important things to do with my time at work.


How is Synology software better?

I've had the pleasure of setting up rsync between Synology and QNAP and I would say the Synology software appears to be better but actually isn't as good.

Synology appears to use older versions of a lot of tools like rsync. Although it doesn't say so, it doesn't rsync the data files, it rsyncs the files that make up the backing of the software RAID. It's like rsync of the blocks of a sparse disk image instead of the files within the disk image. This makes it impossible to resume or adopt a previous backup. If any of the configuration for the rsync-send changes, it appears to download the entire remote so that it can compare the contents of the files to the local instead of hashing remotely, which nearly completely defeats the point of using rsync. It took my backup task WEEKS to adopt an existing backup that had very few changes.


I guess within the features I use it's been a better experience. I use it as a NAS and DVR. The snapshotting and change reversion features have saved me a few times where engineering employees have messed up their files.

Thanks for the point about NFS though.


FWIW: QNAP has those features too.

Hey, at least they did not remove the posts from the forum and ban the author, like Apple does regularly.

One of my roommates reset the router and accidentally enabled UPnP, which I didn't notice for weeks. Just fixed it a few weeks ago, and it seems like I avoided this, phew. I think I'm going to decom the QNAP and just roll my own...

What drives are people buying these days for moderate-load / high reliability RAID?

I usually use the surveillance-line of disk drives. That's WD Purple, Seagate Skyhawk, or Toshiba S300. Theoretically, their firmware is supposed to be tuned to a higher queue depth and lower latency, which should be beneficial to RAID performance.

Haven't run any performance numbers on them, though.


NAS-oriented drives from manufacturers that don't lie about which disks are SMR and which are CMR. Right now, that means I buy Seagate Ironwolf drives and avoid WD like the plague.

You never want an SMR drive. Just say no.


Seagate Exos (x14, x16 or x18) and Ironwolf or WD HC520. Consumer drives, like the Ironwolf drives, are usually more expensive than enterprise. If you have a SAS backplane get SAS because they're cheaper as Chia caused the price of SATA drives to skyrocket.

How can you tell if you've been hit?

Found out that QNAP have an official response with instructions, sounds like their malware remover should detect it: https://www.qnap.com/en/security-news/2021/response-to-qlock...


