kb:intranet:platforms:qnap

While QNAP forced me to pick up Linux, it wasn't a wholly pleasant experience working with QNAP machines. Many software design decisions decidedly did not make sense, with their own way of organizing files. Other immediate signs indicating that QNAP was not geared for system administration:

Only users belonging to the admin group can SSH into the system - not designed for remote SSH.
No man software was available.
Severe compatibility issues with software: common software such as gcc, python3 need to be pulled in via external third party builds of entware/optware. The latest version of Python 3 available is very dated.
Security updates for the firmware cannot be installed... this is the main reason I decided to pull the plug on the QNAP functioning as the webserver.

https://forum.qnap.com/viewtopic.php?t=140634

#> log_tool -qv -s1 -e0 | sort -n
8440,  1,2021-09-04,11:08:32,System,127.0.0.1,localhost,[Storage & Snapshots] Volume "Volume" has reached the space alert threshold of "80%". Free space: 1.42 TB. Insufficient storage space might lead to decreased performance.,517,1630724912,A002,Storage & Snapshots,C001,Volume,

Turns out QNAP firmware updating problems are very common indeed. Luckily the large number of QNAP users providing feedback makes it likely for the problem to have been encountered and solved. Current issue with TS431P not updating to the latest firmware (QTS >5.0) with error FW004, which led to the following page.

Two useful locations:

Firmware for TS431P
Manually update instructions

Somehow on the new network on which I'm deploying the QNAP server, a series of remote addresses repeatedly attempted to perform root/pi/user logins. At first I misread the access logs and suspected my own computer to be a proxy for these accesses, but a series of malware scans and disconnection from network proved they likely weren't the vector. Since the router itself wasn't forwarding port 22, the likelihood of some device being that proxy is high, i.e. infected with malware. Received ~300 intrusion attempts over 8 hours... Wanted to perform a scan of wireless packets with wireshark, but the physical Airpcap adapter is required. As a stopgap measure, perhaps restricting SSH access by IP range filtering would be great.

A list of software and firmware updates done for this system, baring a decision whether to enable auto firmware updates (which, knowing QNAP, are very likely to introduce regressions):

Reinitialize QNAP (including data and volume erasure)
Firmware updates:
- Unable to directly update to latest firmware, so booted into default firmware first.
- Updated to QTS 4.3.6.1070 as an intermediary
- Judging from how QTS 5.0.0 (beta?) was released just a month or so ago, obviously the right choice is to stick with the latest QTS 4.X firmware.
Created an administration account and revoked the default admin
Created other users
Created a thin volume over 4x4TB with 8kB bytes-per-inode.
Setup OpenVPN via QVPN service, and made sure the router only performs a single port forwarding of 1194 UDP to the NAS alone.
Created shared folder.
Changed ports: webadmin HTTPS 3443, web server 443
Bought domain on namecheap which came with DDNS updates (updating is as simple as a POST request), redirected to router WAN.
Disabled WebDAV
Last one is to enforce IP access control, but no granular version for SSH access. QTS rotates the IP blacklist only up to 1 day (or forever, which absolutely floods the blocklist).

Disabled all the Wifi connections to the router, baring the router...

Turns out it was uPnP, which automatically publishes the port 22 to the router. No wonder it was funny that I could access the port on the NAS even though port forwarding was not set up...

Let's Encrypt Go: https://forum.qnap.com/viewtopic.php?f=320&t=132911

Namecheap DDNS client: https://gist.github.com/t6/e48455f6ceed088ad619

Seems to do a GET request with the password exposed...

DDClient: https://www.namecheap.com/support/knowledgebase/article.aspx/583/11/how-do-i-configure-ddclient/

Functionalities

DDNS client: Network & Virtual Switch > DDNS > DDNS server: Customized
Setup OpenVPN server: QVPN Service 2 > OpenVPN > Enable OpenVPN server
Connect to VPN: QVPN Service 2 > VPN Client > VPN Connection Profiles

TODO

Let's Encrypt: Either via LEgo or qnap-letsencrypt. Yet to test either, need to port forward 80 and 443 first.

https://www.qnapclub.eu/en/repo.xml

Tested QNAP TS-431P overall throughput of data transfer is 32MBps across networks, but drops to 21MBps when running a ZIP file. This means the throughput quoted is IO-bounded.