
TrueNAS Core Software Review – Account Management, Alerts, Notifications & Business Support

23 March 2022 at 01:17

TrueNAS Core Software Review – Part II, Managing Accounts, Alerts & Business Support


If you are considering managing your own private server, want to build it yourself (investing your budget primarily into the hardware) and want to take advantage of free-to-download open-source software, then there is a huge chance that you are aware of TrueNAS. In part two of my full review of the TrueNAS Core software, I will be looking at how business users are going to find the account management of TrueNAS, how those accounts can be adapted/changed on the fly, what authentication methods are on offer to those accounts, how detailed the alerts are, in what ways those concerned can be notified as quickly as possible and just what options are available to business users who like the flexibility of TrueNAS but want commercial-grade support. We have a lot to cover, so I won’t waste much of your time, but I should add that today’s review was made possible with help from iXsystems providing a Mini X+ TrueNAS system. iXsystems is the business arm of the open-source TrueNAS platform and they provide the means for users who like the FreeBSD platform to have more of a turnkey ‘off the shelf’ solution at their disposal. If you want to read the FULL review, the (LONG) FULL Review of TrueNAS is available HERE.


Part I of the TrueNAS Review Can be found HERE


Part III of the TrueNAS Review is HERE (25/03)

Review of TrueNAS – Accounts Creation, Control & Management


Given the rather technical, bespoke and detailed nature of TrueNAS, it is easy to understand why the solution is aimed at business users who want things set up in a ‘certain way’. Although turnkey solutions are easier to deploy and are generally more user-friendly, they are more often than not too rigid and inflexible for businesses to use in their larger business models. In most cases, a custom-built TrueNAS system (or one from iXsystems) will be deployed in the center of a business and be accessible to many, many company staff for backups, email, document archives, hybrid sync storage and more. Therefore it is important to review how TrueNAS handles multiple accounts, how security is afforded to these accounts and how privileges and access to more mission-critical or confidential data are managed. TrueNAS features a quick and easy means to create multiple users and/or groups for the host user network (as well as connecting these with remote access as required). Let me talk you through what stood out for me in TrueNAS when it comes to account management.


Significant Range of Security and Account Configuration Options


Creating a user account in TrueNAS is incredibly straightforward, as is making each account as secure as possible. Each account has the standard username and password settings you would expect, but the options then delve quite a bit deeper into how you want these users to access the system, their subgroups (which then allow you to create bulk protocols/privileges for all users in that group quickly) and the nature of their account. Options such as setting which file directories a user can interact with to read only, write or full access are fairly standard, but I like the options for locking some user accounts easily, creating unique SSH keys, creating temporary admin powers and rotational/changeable passwords, which are a nice extra touch. As the system is predominantly designed to be remotely accessed via 3rd party client OS’ and 3rd party client software, the more customizable user account features of user images and bespoke desktop GUI found on NAS systems such as Synology and QNAP are absent, but this is still a very easy and detailed user creation element to TrueNAS.

Good Support of Microsoft Account Authorization


It’s a relatively small extra detail, but user account security in TrueNAS also includes an option to integrate the use of Microsoft account security when accessing the storage on the server. This is applicable to any system running Windows 8 or higher (including Windows 11) and allows the authentication methods that are used in the Windows operating system to be used to further verify the identity of a connected user. This user service is not exclusive to TrueNAS of course, but it is another neat piece of third party crossover support that the software includes in its open-source architecture.


Impressively Configurable 2-Step Authentication


The fact that TrueNAS features support for 2-step authentication (also known as 2FA – 2 Factor authentication) is not going to be a huge surprise for many, given its ubiquitous appearance on pretty much all software clients in the last few years. For those that aren’t aware, in brief, two-step authentication gives you a 2nd degree of user authentication when logging into a service/software alongside your password, as your phone will need to provide a randomly generated code every time you log in. You need to use one of the many authentication client tools available online (with Google Authenticator being one of the most used for mobiles), but it is surprisingly easy to set up. Where 2-Step authentication in TrueNAS differs from most is the level of configuration that is on offer within the 2FA settings.



Most systems will provide you with the option to simply synchronize with the authentication tool you are using (3D generated barcode or long passkey as best suited to the end-user). TrueNAS on the other hand allows you to change the authentication interval at which the randomly generated code changes (usually 30 seconds) to something longer for those that need it for accessibility support, as well as change the validity period/number of attempts before a potential lockout. Then you have the option to customize the length of the one-time password (OTP) to greater than the usual default 6 digits (something I have not seen offered by any other NAS brands in 2022). Finally, there is the choice to integrate the requirements for 2-step authentication into SSH logins (command line access with an SSH client window tool such as PuTTY), which, given the huge degree of SSH access built into the typical TrueNAS use scenario, is definitely beneficial.

No Bulk Group or User Creation Options


One small but present absence that I noted in TrueNAS was the lack of an option to create bulk users at once or to import an existing CSV or .xlsx file. This is a very minor detail of course and only applicable to users who have larger volumes of users they wish to move over to a new server from an existing setup, but I am still surprised that it is absent in TrueNAS Core. I have contacted iXsystems to enquire about this and apparently it IS an option that is available in TrueNAS Scale, but nevertheless, I am disappointed that it is not available across the whole platform.

Review of TrueNAS – Alerts & Notifications


Most users who are looking at getting a private server, although initially heavily invested in tinkering and playing with the device, will eventually want the system to just sit in the corner, be quiet and do its job! It’s understandable: as interesting as the software and services are, ultimately a NAS (TrueNAS or otherwise) is a tool, and as soon as you have set the device up to do the thing you specifically need it to, you want to go back to doing other things whilst your NAS carries on. However, whilst that is true, in the event something is wrong or out-of-the-ordinary system processes are noticed internally, you want the TrueNAS to tell you ASAP! Most NAS systems have inbuilt notifications and alerts that can be pushed to select/all end users and tailored to preferred client devices and methods. In the case of TrueNAS there are (as you might expect) a wide, WIDE variety of settings and choices for delivering those all-important notifications, and although many apps are 3rd party (therefore having their own notification and alert schemes in place as appropriate), the greater storage system, network/internet connections and user behaviour alerts are still pretty extensive in their alert options. Here is what stood out in TrueNAS for me in this area.


VERY Customizable Alerts and Notification Customization


I really cannot stress enough how diverse the range of alert configuration options in TrueNAS is. The window above is just a small example of the many, many windows available, and although it is a long, long list of options, you cannot really suggest that TrueNAS didn’t cover all the scenarios. There are even slightly more customizable ones that you can add too. The delivery of these alerts is a little less straightforward than those found in Synology/QNAP (which have proprietary client apps for mobile and desktop that allow faster alert methods) but a large number of platforms are supported in TrueNAS for notifications, including email, Slack, AWS, InfluxDB, Mattermost, PagerDuty, SNMP Trap and more. Alongside incredibly concisely built alert parameters, each one can be scaled in priority and, in turn, its urgency adjusted.



TrueNAS uses a 7 tier alert priority scale and you can adjust each alert & notification variable in the wide-ranging list to your own requirements. For example, if you were running a shared storage area with a team of 10 users and 8/10 of those users were accessing the system at once (potentially bottlenecking the network in a 1GbE network, depending on the file volume/frequency), you might want the system admin/IT to know this. It isn’t a high-level alert, more a case of being aware of the additional network load. In that case you can set up an alert for bandwidth/vdev access above a certain level/% and have a suitable admin receive a level 2 notification (NOTICE) so they are aware. Alternatively, example 2: there have been several failed login attempts under a specific user account, but eventually that user has logged in successfully. This might be a cause for concern, as repeated password attempts could so easily be an unauthorized individual connecting to the greater system. You can set the # of failed login attempts before an automatic lockout OR set an alert of level 3 ‘WARNING’ to alert a system admin to look into this account behaviour and assess the situation. Alerts and notifications become significantly more intricate (breaking down into encryption certificates, hardware health, critical system failure, SSH/Telnet logins, etc.) and this easy 7 tier alert system can be applied to all instances.
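The second scenario above (several failed logins followed by a success on the same account) can be written as a small detection rule. This is an added example, not TrueNAS's own alert logic; the log format, the `threshold` and `window` parameters and the sample lines are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (hypothetical format, not a real TrueNAS log).
SAMPLE_LOG = """\
2022-03-23T01:00:01 login FAIL user=alice src=192.0.2.10
2022-03-23T01:00:05 login FAIL user=bob src=198.51.100.7
2022-03-23T01:00:20 login FAIL user=alice src=192.0.2.10
2022-03-23T01:00:30 login OK user=bob src=198.51.100.7
2022-03-23T01:00:45 login FAIL user=alice src=192.0.2.10
2022-03-23T01:01:10 login OK user=alice src=192.0.2.10
2022-03-23T02:00:00 login FAIL user=carol src=203.0.113.5
2022-03-23T02:00:10 login FAIL user=carol src=203.0.113.5
2022-03-23T02:00:20 login FAIL user=carol src=203.0.113.5
2022-03-23T02:20:00 login OK user=carol src=203.0.113.5
"""


def parse(line: str):
    """Split one constructed log line into (timestamp, outcome, user, source)."""
    stamp, _event, outcome, user_kv, src_kv = line.split()
    return (datetime.fromisoformat(stamp), outcome,
            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])


def failed_then_success(log: str, threshold: int = 3,
                        window: timedelta = timedelta(minutes=5)):
    """Raise a WARNING when a login succeeds after >= threshold recent failures."""
    recent_failures = defaultdict(deque)  # user -> timestamps of recent failures
    alerts = []
    for line in log.splitlines():
        if not line.strip():
            continue
        stamp, outcome, user, src = parse(line)
        failures = recent_failures[user]
        # Forget failures that are older than the look-back window.
        while failures and stamp - failures[0] > window:
            failures.popleft()
        if outcome == "FAIL":
            failures.append(stamp)
        elif outcome == "OK":
            if len(failures) >= threshold:
                alerts.append(("WARNING", user, len(failures), src))
            failures.clear()  # a success resets the streak either way
    return alerts


if __name__ == "__main__":
    for level, user, count, src in failed_then_success(SAMPLE_LOG):
        print(f"{level}: {user} logged in from {src} after {count} failed attempts")
```

In the sample, only alice triggers the rule: bob has a single failure, and carol's failures fall outside the five-minute window by the time she logs in.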


Built-In Support Lines, Business Support Tiers, Direct System Messaging System and Issue Reporting Mechanism in the TrueNAS GUI


As TrueNAS is an open-source and community-driven NAS platform, you would be forgiven for wondering just how much this all means when you hit a technical wall, encounter system roadblocks, need advice on a setup or are just generally looking for guidance. One of the main appeals of an off the shelf/turn-key solution from brands such as Synology and QNAP is that, as a paid hardware+software solution, you feel that there will be technical support lines via live chat, email and even phone in some cases (depending on the level of solution of course) that a homebrew/DiY solution will not be able to supply. However, the support on a TrueNAS system is a little more diverse than that. If you build your own NAS system from scratch and install TrueNAS Core onto your system, you will not have access to premium/commercial level support, but you do have links in the TrueNAS GUI to community support, detailed online guides and access to the Jira support system that allows your query for assistance to be submitted to the community pool. There are also provisions there to check if your issue has already been documented and resolved elsewhere. These links are immediately available from within the GUI in multiple areas.



But if you are a business user, despite the TrueNAS open-source/freely available status, you may well have opted for it for its customization and flexibility compared with off the shelf NAS solutions. Therefore you might still want paid/commercial/enterprise grade support. This is where the distinction between going TrueNAS DiY and pre-built TrueNAS from iXsystems becomes a little clearer, as iXsystems are the official pre-build provider of TrueNAS and with their solutions, they offer a scaled range of support options that include numerous contact methods. In addition to all the TrueNAS CORE support options that are still available, TrueNAS Enterprise customers who purchase hardware from iXsystems can receive assistance from iXsystems if an issue occurs with the system. Silver and Gold level Support customers can also enable Proactive Support on their hardware to automatically notify iXsystems if an issue occurs. Here is how those support options scale and which systems support each tier:

| | Gold | Silver | Bronze | Warranty |
| --- | --- | --- | --- | --- |
| Software Help Desk | 24×7 | 12×5 | 12×5 | Limited |
| Hardware Support | 4 Hour On-Site Support & Repair | Next Business Day On-Site Support & Repair | Advance Parts Replacement | Return to Depot |
| Remote Deployment Assistance (60 days) | Yes | Yes | Yes | No |
| On-Site Hardware Spares Kit | Included | Optional | Optional | Optional |
| Proactive Support & System Monitoring | Yes | Yes | No | No |
| Advanced Hardware Replacement | Delivered the next business day and/or Saturday. | Delivered the next business day. | Delivered the next business day. | No |
| After Hour Maintenance/Upgrade Assistance | By appointment | By appointment | No | No |
| Online Support Portal and Knowledge base | Yes | Yes | Yes | Yes |
| Software Updates | Yes | Yes | Yes | Yes |
| S1: Not serving data or severe performance degradation, critically disrupting business. | Response within 2 hours, 24×7 Help Desk Support | Email Response within 4 hours, 6:00 AM to 6:00 PM Pacific Time (M-F) | Email Response within 4 hours, 6:00 AM to 6:00 PM Pacific Time (M-F) | Email support (Next business day) for S1 and S2 intermittent faults only |
| S2: Performance degradation in production or intermittent faults. | Response within 4 hours, 24×7 Help Desk Support | Email Response within 4 hours, 6:00 AM to 6:00 PM Pacific Time (M-F) | Email Response within 4 hours, 6:00 AM to 6:00 PM Pacific Time (M-F) | Email support (Next business day) for S1 and S2 intermittent faults only |
| S3: Issue or defect causing minimal impact. | Email Response within 4 hours, 6:00 AM to 6:00 PM Pacific Time | Email Response within 4 hours, 6:00 AM to 6:00 PM Pacific Time (M-F) | Email Response within 4 hours, 6:00 AM to 6:00 PM Pacific Time (M-F) | No support available. |
| S4: Request for information or administrative requests. | Next business day response. | Next business day response. | Next business day response. | No support available. |

The level of support afforded to each tier of the iXsystems hardware portfolio is not quite as straightforward, however, as smaller-scale systems only support up to a bronze tier. Therefore on closer examination, you can only access the highest/most-involved customer support tier when you are looking at the enterprise tier hardware systems. Now, on the face of it, that makes sense in terms of priority, as it is those highest volume use systems that are going to want the fastest and most responsive support. Equally, the most modest systems will be used by smaller-scale users and have smaller scale utilities in mind. Still, I know more than enough NAS users who choose more modest NAS systems from Synology and QNAP, BUT will push for extended warranties and 5-year warranty enterprise storage media, choosing to allocate their storage server budget towards lengthy support periods for peace of mind/insurance. Here is how the commercial support options spread across iXsystems hardware options:

| Model | Gold | Silver | Bronze | Warranty |
| --- | --- | --- | --- | --- |
| M-series | Available | Available | Available | 3-Year Included |
| X-series | Available | Available | Available | 3-Year Included |
| R-series | Not Available | Available | Available | 3-Year Included |
| FNC | Not Available | Available | Available | 3-Year Included |
| Mini | Not Available | Not Available | Available | 1-Year Included. SW Warranty requires registration |

In the case of my review, I have been using a TrueNAS Mini X+ and below is how the support prices are based on this model of the iXsystems TrueNAS Mini. It is worth noting that only systems with all hardware provided by iXsystems are eligible for software support and warranty. Enterprise Bronze Support is only available for customers that have larger TrueNAS systems also under Enterprise Support Contract. Component swaps are the standard process for resolving major issues.

| Model | 3-Year Silver | 3-Year Bronze | 3-Year Warranty | Warranty |
| --- | --- | --- | --- | --- |
| Mini E, E+ | Not Available | $299 | $149 | 1-Year Included. SW Warranty requires registration. |
| Mini X, X+ | Not Available | $399 | $199 | 1-Year Included. SW Warranty requires registration. |
| Mini XL+ | Not Available | $599 | $299 | 1-Year Included. SW Warranty requires registration. |

Overall, I think TrueNAS (and iXsystems) have balanced the level of support and assistance options that are available to most kinds of NAS user. It makes sense that a free-to-download software platform would not be able to provide a commercial/enterprise-grade support level without having to financially support this behind a subscription service. And they do not leverage this against the community support, openly encouraging this as an option and facilitating multiple methods of looking up similarly submitted and solved issues, streamlining the community support process as much as possible and still presenting the choice to go down the paid-support route when needed. The fact this support is not available in non-iXsystems TrueNAS setups might be a bit of a downer for some, but as mentioned multiple times in this review, the money that some users are saving in a custom/DiY solution in TrueNAS vs a turnkey/off-the-shelf solution from Synology/QNAP needs to be paid in learning how it all works. I think TrueNAS and iXsystems found the best middle ground possible here.

Larger Range of Configuration Options Can be Overwhelming and Lacks Convenient Preset Options


When I said that there are a lot of alert and notification choices built into TrueNAS, I was not kidding. Even at a casual glance, they are in the triple figures, and that is just at the outset. It IS true that the bulk of them are automatically set to one of the 7 pre-set alert levels by default, but if you have a slightly more secure/closed setup in mind for your system notifications, you are going to be spending hours, not minutes, adjusting them all to your unique needs. The same goes if you want to run a more open setup for testing, as the TrueNAS default settings are a pinch higher than I would class as ‘casual’ in scaled alerts (better safe than sorry). Now, other turnkey solutions on the market combat this by providing various alert/notification switches BUT also arriving with security counselors/preset configuration dropdowns. In brief, I wish TrueNAS had a range of preset notification levels, perhaps set as ‘low-medium-high-business-enterprise’, that changed these settings in bulk, so that you could THEN go in manually where needed and change a few, allowing you to create a custom profile which you can then save as ‘CUSTOM’. Similar tiered/scaled choices exist in other areas of TrueNAS for other services that change bulk options on the fly, as well as ‘advanced’ tabs in places when you want to get your hands a little dirtier and play with options at a deeper level in the GUI. Overall though, I prefer to have too many alert/notification options than not enough!


In the third and final part of my review of TrueNAS coming later this week, you can find out what I thought about Security, Network Management, how the platform handles applications & Addons and my overall verdict of TrueNAS Core 12.



TrueNAS Core Software Review – GUI, Design & Storage Management

21 March 2022 at 01:10

TrueNAS Core Software Review – Part I, Design, the Interface & Storage Management


Have you been considering a NAS for a few years, but looked at the price tag of the off-the-shelf featured solutions from Synology or QNAP and thought “wow, that seems rather expensive for THAT hardware”? Or are you someone that wants a NAS, but also has an old PC system or components around that could go towards building one? Or perhaps you are a user who wants a NAS, but HAS the budget, HAS the hardware, but also HAS the technical knowledge to understand EXACTLY the system setup, services and storage configuration you need? If you fall into one of those three categories, then there is a good chance that you have considered TrueNAS (formerly FreeNAS), the community-supported and highly customizable ZFS storage platform that is available for free and, along with regular updates, has adapted over recent years towards serving different kinds of users, their setups and their requirements. Today I want to review the TrueNAS software. In order to do this, I have been supplied with a Mini X+ 5 HDD/2 SSD Desktop system (hardware review on that soon) by iXsystems, a company with established ties with TrueNAS and the platform’s official enterprise hardware solution partner. This review is going to be conducted a little differently than my normal NAS server reviews. Unlike a review of a new piece of NAS hardware, TrueNAS is a software platform that is significantly more flexible in its installation (ultimately available in one form or another on a custom PC build or even much smaller shuttle case builds). Equally, unlike many who have reviewed TrueNAS and its previous versions or recent splinters (e.g. FreeNAS, Core, Scale, Enterprise, etc), today’s review is going to be a fresh look at this platform, what it does better than Linux NAS systems like Synology or QNAP, what it does worse and ultimately help users who are thinking of moving towards the steeper learning curve of custom-built TrueNAS.
What TrueNAS lacks in the ease and simplicity of traditional NAS drives, it can more than make up for in its sheer scope and potential to be more powerful, efficient and flexible overall. So, let me guide you through my highlights of 30 aggregate hours of use with TrueNAS.


Part II of the TrueNAS Review is HERE (23/03)


Part III of the TrueNAS Review is HERE (25/03)


Alternatively, the (LONG) FULL Review of TrueNAS is available HERE.



TrueNAS Review Disclaimer – As mentioned in my introduction, my review of TrueNAS today was made on an iXsystem Mini X+, an 8-Core Intel-based system that featured 32GB of DDR4 memory, as well as arriving with 2x 10GbE ports, PCIe Upgradability and mixed storage media support. The system arrived with 5x WD Red Drives and 2x 2.5″ SSDs. This hardware does not impact the bulk of this review as TrueNAS is available as an open-source download that can be installed onto a custom PC, flashed server etc. However, the iXsystem Mini X+ arrives with TrueNAS Core and a few smaller extra bits that are exclusive to this more complete hardware+software package. Where appropriate, I will highlight it, however, the bulk of the features, settings and stand out areas of attention below can be applied to the free, standalone version of this platform. Additionally, there are references to enterprise features and TrueNAS Command (a wider remote deployment monitoring and management portal tool) that may be exclusive to that platform. Finally, my personal background is largely focused on traditional turn-key NAS solutions and therefore I decided to present this review on how things are done differently to NAS brands such as Synology and QNAP. You can find iXsystems Pre-built TrueNAS solutions over on Amazon here.

Review of TrueNAS – GUI & Deployment


First-time deployment of TrueNAS (after the initial installation of the software on the hardware system, which will vary based on whether you have opted for an iXsystems solution or a custom build) is very straightforward. Once the system is booted, connected to your network and initialized, you can find the device via truenas.local, by obtaining its address from your switch or by using an IP scanner.



So, the first thing that I want to discuss about TrueNAS is the design. It finds a very interesting middle ground between providing all the configuration options in a single screen and not overwhelming the end-user, and gets pretty close to nailing it.


A Lot More Hints and Tips than I was Expecting!


The first thing I was very surprised by in the design and deployment of the TrueNAS GUI was the sheer number of hints and information ‘i’s around every single screen. As TrueNAS and FreeNAS before it are built on FreeBSD, although I expected a GUI, I did think it would still be rather command-line heavy. However, not only are the controls of TrueNAS almost all displayed in a clearly visible GUI, but I also struggled to find a single option or choice that didn’t have a tip or guidance suggestion. This was a particular surprise, as one of the biggest hurdles for most users considering moving from a turn-key NAS solution towards TrueNAS (custom or an iXsystems build) is that intimidating climb up the steeper learning curve. It was a genuine and extremely welcome surprise to see how much guidance was available for even small and insignificant choices in the storage system setup.


Presentation of Storage and Resource Use is VERY Clear


Another thing that I fully expected to be present, but not to this level, was how the information on your storage areas (Pools, data sets, individual drives, etc) and the monitoring of your resources were displayed both analytically AND clearly. Of course, I expected TrueNAS to have the means to assess the system hardware health and status, but like most of my early personal experience with FreeNAS, UnRAID and FreeBSD years before, I thought this information would be available less in the GUI and more in command retrieval. However, the resource monitor and storage status (both when delving into the system deeper and just via the initial splash screen of the GUI) provide an excellent level of information and, in the case of the former, can be broken into a report form. Getting the presentation of storage on a GUI that can suit both the novice and the veteran techie is a tremendously tough line to balance and although there are a few areas where TrueNAS tends to ‘info-dump’ you a little, this area was not one of them.


Sharing Tab and its Breadcrumbs (WebDav, iSCSI, SMB, etc) Are More Intuitive than Most


Another part of the TrueNAS graphical user interface that sets it apart a little from off the shelf NAS hardware+software is how the menu bar is displayed. With most NAS brands having their GUI comparable to popular operating system desktops (primarily Windows, MacOS or Android for the most part), TrueNAS’ GUI is a little bit more comparable to WordPress. The bulk of the config and service options are all located on the left-hand side of the screen and although there is only a handful at first glance, each one breaks down into subcategories quite quickly. The responsiveness of this menu system is particularly impressive and it’s easy to forget that you are accessing a remote system. Although the bulk of the tabs and options are where you would hope, one particular stand out example of things being done in a different and better way than most brands is the sharing tab/menu. Although most NAS brand software and GUI have tabs dedicated to sharing files (as well as contextual menus on files and folders), once you start breaking down into different sharing protocols, things get a little spread out and you end up having to keep multiple windows open to create and manage your cross-platform sharing environment. TrueNAS on the other hand has bulked these all together into a single tab, which makes navigation through and between them considerably more intuitive. Equally, the customization and configuration of shares as you delve deeper (although increasing the learning curve) are significantly more diverse, to allow tweaking and improvements based on your setup.


Live Reports of System & Processes are Very Detailed and Quick to Navigate


Much like the Storage Presentation and Resource Use, reports of historical system information and active processes are much more detailed on the TrueNAS platform than I have seen from many NAS brands. TrueNAS uses Graphite for metric gathering and visualizations. Some general settings can be found in System > Reporting. Once again, it’s a fine line to have information regarding the server be presented in a fashion that is digestible to less storage-experienced users without potentially dumbing things down a little. Luckily these do still seem to present all the information that either tier of user is going to need, and this is done by breaking the information down into sections that in turn can be delved deeper into by degrees. The UX of TrueNAS has clearly been thought about a lot and although many FreeNAS veterans might have disliked the changes in some areas towards making it simplified in places, there are still options for drilling down into system health and history quite significantly.


Lots of Theme Customizations and a Theme Maker


A very surprising detail of TrueNAS is how much the GUI can be customized. Most NAS brands and their software allow the end-user (i.e. that current user of many that have access credentials) to change minor details. The wallpaper, their login icon and the time/date display are pretty much the full range of choices. Given the fact most off-the-shelf NAS solutions are designed with being more user-friendly and attempting to demystify network storage for average users, I was VERY surprised that it was TrueNAS that had a greater degree of customization available in how the GUI is displayed. Colour schemes, logo changes, scaling, icon replacements, fonts, accents and changes to the top bar. There is a comparatively large amount of choice and customization compared with turn-key NAS solutions from Synology and QNAP, and it leans very well into the already established idea that TrueNAS is designed around custom builds.

Click to view slideshow.

No Avoiding That it is Still Very Stat and Tech Heavy for Some Less Experienced Users


As much as I like the GUI of TrueNAS and how it has melded the controls very well to remain accessible to the experienced and inexperienced user, it has to be said that this is not done 50/50. Although there are hints, guides and recommendations by the system through all choices, it is still a very tech-heavy product, and although the basic/top-layer decisions are user friendly, it isn’t going to be long before the full pages of customization and configuration choices presented in the TrueNAS GUI are going to be a little overwhelming for those that are more used to these tougher decisions being hidden behind presets or set up behind a scaled option of security. In a few other areas of TrueNAS, this is addressed with an ‘advanced’ tab or mode option that until pressed will hide these tougher elements of the setup unless needed. Sadly this is not a system-wide design choice in the GUI and the TrueNAS UX is something that can demand accelerated learning. A lot of this might be solved with ‘easy’, ‘intermediate’ or ‘expert’ tab options on the bulk of pages, but as it stands it can sometimes be a bit of a ‘cannot see the wood because of all the trees’ situation when looking for a specific option in a menu, as there are 10-15 choices/boxes on the screen. The TrueNAS UI in the latest version IS very good and considerably more user-friendly than I thought it would be, but I would still be reluctant to call it novice-friendly.


No Search Functionality at the Home Screen


This was something that, despite the arguably higher skill level that TrueNAS commands in its user base, I was still surprised was absent – a search feature from the main GUI. It would not be a commonly used feature, however, I have met plenty of less experienced users or those in a rush looking for a specific option/service/setting that would appreciate a search functionality being available. There ARE a few services and options in the menus that feature search functionality, but they are generally always limited to that specific function and not system-wide.

Review of TrueNAS – Storage


Realistically, THIS is the thing that is going to be paramount to most users of TrueNAS, Storage! But simply storing data is not enough, it is about how well it stores it, how customizable it is to different user environments, how secure it is in terms of backups and redundancy, how robust it is and the maintenance of that storage moving forward. TrueNAS arrives with ZFS (Zettabyte File System), an enterprise-ready open source file system, RAID controller, and volume manager with unprecedented flexibility and an uncompromising commitment to data integrity. It eliminates most, if not all of the shortcomings that veteran storage professionals claim are apparent in ‘EXT4’ or the much newer ‘BTRFS’ file systems from brands such as Synology and QNAP NAS devices. Alongside the widest support of ZFS currently available in the market, TrueNAS also is one of the most scalable solutions available in the world (in part thanks to that freedom in building the hardware architecture being available and the open-source design of the platform allowing migration to be considerably more seamless as you change out hardware over time). ZFS also brings big advantages in deduplication and compression techniques that improve how much data is being written to the system, whilst simultaneously simplifying the internal pathways of the system to larger bulks of users. In recent years, turnkey solutions from Synology and QNAP (as well as more affordable brands such as Asustor and Terramaster) have provided a degree of deduplication on their platforms (QNAP seemingly extending this more than most) but ZFS has most of the architecture for these processes natively built into it and although you WILL need to bulk up on your hardware (16GB memory recommended in most cases if you want both for example), it still allows TrueNAS to stand out. Here are the elements of TrueNAS storage that stood out for me.


Exceptionally High Level of Access Control Options and Configuration of Data Sets


If there are two areas of consistency throughout TrueNAS storage that need to be highlighted above all others, it would be control and security. At practically every tier of the system’s internal storage management, you are able to apply numerous measures of bespoke user choice protection. It is not just the fact that standard elements of encryption, ACL and storage segmentation are available here, but more the sheer depth of it. You are able to assign extremely rigid access controls to your storage pools, vDevs, zVols and data sets from the ground up, as well as branch these security measures into select user and group access (which can be changed by a superuser on the fly with ease). Along with that, ACL support is extremely wide-ranging, giving you the means to create areas of storage that are completely inaccessible (in either direction) by the greater system, which ensures that storage can be created quickly, but without opening doors to your mission-critical storage. This bespoke control extends quite heavily to the configuration of Access Control Lists. An Access Control List (ACL) is a set of account permissions associated with a dataset and applied to directories or files within that dataset. ACLs are typically used to manage user interactions with shared datasets and are created when a dataset is added to a pool. TrueNAS seemingly allows a greater degree of control on this than most NAS systems on the market right now.


Excellent level of support of SED Media and Encryption levels in General


Then with Security, TrueNAS covers this in a few key areas. First off, several methods/protocols of encryption are supported by the system (giving the end-user a choice at the setup level) and generally ‘choosing’ your encryption method is not something offered by most brands to this extent (or at all in many cases). Next, there is the fact that encryption can be applied at every level of the storage, as required. When we look at some other NAS brands that include encryption, they tend to include encryption at the shared folder or volume level (pool level is supported with the use of encrypted drive media). TrueNAS is one of the very few software platforms on the market that provides native and configurable encryption at every level (storage pool, volumes, data sets, etc) and along with support of key management, there are additional failsafe options available that also include passphrase support. Finally, you have the support of self-encrypted drives (SEDs) in the system that can be fully utilized, so that additional encryption can be afforded to the greater storage system alongside the others. In short, you can create a fantastically encrypted storage system to an unparalleled degree in TrueNAS. Again, not too shabby for an open-source bit of software!


Unrecommended Storage Configuration Choices Need to be ‘Forced’ to be actioned


One issue that will inevitably come with providing software that is highly customizable is giving the end-user too much rope to hang themselves with! Once you make your way past the rudimentary aspects of storage, the end-user can start putting together the building blocks of their storage inefficiently (or worse still dangerously) and run the risk of creating a basis for their storage for years to come that is inherently flawed. Balancing that line of allowing complete control and customization, whilst stopping a user from doing the wrong thing is a tough line to tread (QNAP have been walking this one as best they can for years too). TrueNAS has addressed this with a (very) soft lock system. When building your storage, if you are configuring the resources in a less than optimal/safe way, the system will give you a warning on the screen that details the potential downside/detrimental effect of your action. This warning can then be closed/dismissed and in order to continue, the ‘continue’ option will be joined with a button ‘force’. This is TrueNAS’ middle ground to allow creative freedom, whilst letting the end-user know that the action they are performing has a layer of risk attached. For example, you are configuring a RAIDZ2 (think RAID 6) and you are using 8 disks that are not all uniform in capacity, but you do not care/want to proceed anyway. This is where the system would present you with a warning to ‘force’ through. The same thing happens when you build pools without redundancy or use differing media interface types outside of a fusion pool or cache setup. It is by no means a perfect solution, but at least TrueNAS have clearly understood that they need to steer things a bit at times.

Copy on Write Architecture is an additional Layer of File Level Error Recovery


An interesting architectural advantage of TrueNAS utilizing ZFS is the support of CoW (Copy on Write). This is a system of checksum built data health that involves a brief period of two actions of write occurring on any data being sent to the TrueNAS server, which are then compared for consistency and then a single final, verified version of that data resides. ZFS does not change the location of data until a write is completed and verified. This ensures that your data isn’t lost during an interrupted task such as a power outage. ZFS uses a 256-bit hash of the data in a file system block, known as a checksum. This checksum ensures data integrity during writes. The way it handles and tests writes means that each write is tested, eliminating storage degradation such as bitrot. It also eliminates the write hole which allows for silent data corruption within RAID. Similar methods of data health and verification are utilized in other storage technology (such as ECC memory and in the write actions of BTRFS) but not to this extent and in such a widespread way. Writes do not overwrite data in place; instead, a modified copy of the block is written to a new location, and metadata is updated to point at the new location.


Support of RAIDZ Means that Initial Building is Faster and Recovery More Precise


One of the long understood advantages of ZFS that TrueNAS provides immediately (perhaps to the jealousy of EXT4 and BTRFS system users) is the utility of RAIDZ. RAID (redundant array of independent disks) is the ability to combine multiple media drives into a single storage pool that provides some/all of the benefits of increased storage performance and redundancy (eg a safety net to still access/recover your data in the event of a drive failure). RAID and RAIDZ are similar on the face of it (with support of striping and mirroring), but there is a lot of difference in the larger arrays in terms of building, writing and recovery. RAIDZ has some interesting benefits, the first and most obvious is that a RAIDZ compared with a RAID5 takes minutes, not hours to build! Additionally, RAIDZ has a better understanding of empty blocks and that becomes beneficial in the event of a RAID rebuild, as in the event a drive fails and you introduce a new HDD/SSD, RAIDZ will ONLY need to rebuild the areas onto the replacement disk that data originally resided on (using parity data from the other present disks) and then just zero the rest of the disk. Similar systems like this have arrived from Synology on their platform for after RAID recovery (still using BTRFS) but still not as fluid and native as in ZFS. Striped VDEV’s, Mirrored VDEV’s and Striped Mirrored VDEV’s are essentially the same as RAID0, RAID1 and RAID10 accordingly with one difference; automatic checksumming prevents silent data corruption that might be undetected by most hardware RAID cards. ZFS uses the additional checksum level to detect silent data corruption when the data block is damaged, but the hard drive does not flag it as bad.

  • RAIDZ (sometimes explicitly specified as RAIDZ1) is approximately the same as RAID5 (single parity)
  • RAIDZ2 is approximately the same as RAID6 (dual parity)

RAID5 example of parity

Disk 1   Disk 2   Disk 3   Disk 4
1        2        3        P
5        6        P        4
9        P        7        8
P        10       11       12

RAID5 places blocks in a regular pattern. You only need to know the block number (address) to determine which disk stores the block, at what address, and where the corresponding parity block is. Also, with N disks, exactly one parity block is stored for every N-1 data blocks.
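The regular pattern described above can be written down in a few lines. The following Python is an added example, not code from the original article or from any RAID implementation: `locate`, `layout_table`, `build_array` and `rebuild_disk` are hypothetical helper names, the rotation is assumed to continue exactly as in the four rows of the table (the arrangement usually called left-symmetric), and the block contents are constructed sample data.

```python
from functools import reduce


def locate(block, n_disks):
    """Map a 1-based data block number to (disk, row, parity_disk), all 1-based.

    Follows the rotation in the article's table: parity starts on the last
    disk and moves one disk to the left per row; data starts on the disk
    after the parity disk and wraps around.
    """
    if block < 1 or n_disks < 3:
        raise ValueError("need block >= 1 and at least 3 disks")
    row, pos = divmod(block - 1, n_disks - 1)   # N-1 data blocks per row
    parity = (n_disks - 1 - row) % n_disks      # 0-based parity disk
    disk = (parity + 1 + pos) % n_disks         # 0-based data disk
    return disk + 1, row + 1, parity + 1


def layout_table(n_disks, rows):
    """Regenerate the placement table: block numbers, with 'P' for parity."""
    table = [["P"] * n_disks for _ in range(rows)]
    for block in range(1, rows * (n_disks - 1) + 1):
        disk, row, _ = locate(block, n_disks)
        table[row - 1][disk - 1] = block
    return table


def xor_blocks(blocks):
    """Byte-wise XOR of equally sized blocks (this is the RAID5 parity)."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*blocks))


def build_array(data_blocks, n_disks):
    """Place data blocks on disks and fill in one parity block per row."""
    rows = -(-len(data_blocks) // (n_disks - 1))          # ceiling division
    size = len(data_blocks[0])
    disks = [[bytes(size)] * rows for _ in range(n_disks)]
    for number, payload in enumerate(data_blocks, start=1):
        disk, row, _ = locate(number, n_disks)
        disks[disk - 1][row - 1] = payload
    for row in range(rows):
        parity = (n_disks - 1 - row) % n_disks
        members = [disks[d][row] for d in range(n_disks) if d != parity]
        disks[parity][row] = xor_blocks(members)
    return disks


def rebuild_disk(disks, failed):
    """Recompute every row of one lost disk (0-based) from the survivors."""
    survivors = [d for d in range(len(disks)) if d != failed]
    return [xor_blocks([disks[d][row] for d in survivors])
            for row in range(len(disks[0]))]


# Constructed sample data: twelve 4-byte blocks, block n filled with byte n.
SAMPLE_BLOCKS = [bytes([n]) * 4 for n in range(1, 13)]

if __name__ == "__main__":
    for line in layout_table(4, 4):
        print("  ".join(f"{cell!s:>2}" for cell in line))
    array = build_array(SAMPLE_BLOCKS, 4)
    print("disk 3 rebuilt correctly:", rebuild_disk(array, 2) == array[2])
```

Note that the rebuild walks every row of the lost disk whether or not it held live data, and nothing in it can tell a silently corrupted block from a good one; those are the two points the ZFS comparison in this section turns on.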



In RAIDZ, ZFS first compresses each recordsize block of data. Then, it distributes compressed data across the disks, along with a parity block. So, one needs to consult filesystem metadata for each file to determine where the file records are and where the corresponding parities are. For example, if data compresses to only one sector, ZFS will store one sector of data along with one sector of parity. Therefore, there is no fixed proportion of parity to the data. Moreover, sometimes padding is inserted to better align blocks on disks (denoted by X in the RAIDZ example), which may increase overhead. However, we have still not touched on two more core advantages of ZFS and its RAID management…

3 Disk Redundancy is Available and Should Get More Kudos!


TRIPLE DISK PARITY! Now, if you don’t know what that is, then you can be forgiven for wondering why I have put that in capital letters. However, those that know, love it. In short, RAIDZ3 is the 3 disk fault-tolerance storage pool configuration that is largely unavailable conventionally in any other RAID configuration. Requiring at least 5 disks (again, HDD or SSD), it means that you can withstand 3 drives failing. Now, if that sounds like tremendous overkill, then let me share a fun fact with you! Most drive failures that I have witnessed (and I welcome commenters to contribute on this) do NOT stem from poor treatment of a single drive, dropping an enclosure or poor individual handling. No, the bulk of drive failures I have witnessed have stemmed from three causes (looking at logs and SMART info):


  • Inherent fault at the point of manufacture or in the logistics chain that has developed over time
  • Overworked system hitting RAID arrays harder than intended 24×7 etc, or just designed drive workloads being exceeded in general
  • Critical larger system failure in the middle of a widespread write action (eg power failure as all drives are engaged for writing)

Now, in THOSE three examples, the key factor to keep in mind is that in none of them is an HDD or SSD on its own. At manufacture in bulk, in transit in crates of 20x at a time or in a larger RAID array setup – the things that harm the storage media are hitting several drives at once. Even if you ignore the degenerative factors of exceeding workloads and system critical failure damage, there is no avoiding that when you buy multiple HDD/SSD from a single e-retailer (eTailer?), they do NOT provide you with multiple drives that each come from a different crate/carton. No, that would be spectacularly inefficient for any retailer. No, you have to accept that there is a % chance that as soon as 1 drive fails (without identifying the cause), another drive in the array could fail for the same reason soon. So a double disk redundancy such as RAIDZ2 or RAID 6 would give you extra time – but how much time? Who knows. But if your data is mission-critical and you weigh up the cost of another HDD in a custom build design such as TrueNAS, a triple parity RAID system starts to make a lot of sense.


ZFS ReSilvering Often Overlooked Safety Net


Another wildly overlooked and misunderstood advantage of ZFS and TrueNAS’ utility of it is in the support of Re-silvering. For those unaware, resilvering is when a drive that WAS part of the RAID array is disconnected and reconnected in a brief window that allows the system to identify that the drive belongs in the original pool and re-embraces it quickly. In practical terms, imagine your system suffers a very brief SATA/Controller board malfunction and a drive is dismounted (software level). Alternatively (and something surprisingly more common than you might think) an HDD in a tray/bay of the NAS might be accidentally physically ejected. Resilvering would allow the system to KNOW that the drive is part of the set and reintroduce it. In EXT4 or BTRFS, that brief disconnection would result in the RAID pool changing to a degraded status and the end-user would be forced to 1) endure a slower system as data is being exchanged with the pool in this parity-reading state, as 2) the system wipes the former HDD/SSD to re-write all the data it had already and 3) unnecessary stress is placed on the system resources throughout. In ZFS and TrueNAS, the system would SEE that the recently ejected/dismounted drive is part of the pool, verify that it has the data in place and then re-introduce the drive. The time this takes is largely based on how long the drive was disconnected (and data written in the interim) but it can genuinely take seconds or minutes – unlike the hours to days that a RAID recovery from a degraded state would take.


USB Storage Media is Visible and Managed in the Storage Manager


It is a very small detail but one I think is worth highlighting. Namely that USB storage media in TrueNAS is handled much differently than in other turnkey NAS solutions from Synology and QNAP. In those latter examples, USB storage is treated at arm’s length, visible in the file manager in the GUI of course, but then only really visible for use in the backup tools (which is still great). In TrueNAS however, USB storage media is visible, configurable and manageable directly from the storage manager. Now, obviously spreading a RAID over SATA storage media and a USB drive would be ridiculously dangerous for storage, however, there are still plenty of benefits and management advantages to having external storage visible alongside the management of the rest of the storage – aside from backup management and configuring the access privileges of the drive media, it also allows the USB drive to be managed for scheduled tasks and processes alongside the rest of the system and integrated into the reports and monitoring of the TrueNAS system. It is a small detail, but one that really stood out for me when comparing TrueNAS against Synology DSM and QNAP QTS USB media management overall.


Fusion Pools of Mixed Storage Media is Great and Rarer Than You Might Think


Another (relatively) recent addition to TrueNAS and its use of ZFS is the option to create fusion pools. A comparatively streamlined process, when you think about how technical and advanced the average options of TrueNAS can be to the end-user, fusion pools allow you to introduce mixed tiers of storage of different performance and combine them into a single visible pool, but in the background the system is sending data to the drive media that is best suited to supply it – so metadata on the SSD media, larger bulkier sequential data on the HDDs etc. ZFS sends writes to individual physical disks rather than just a RAID volume. This allows for stripe writes across RAID volumes and can perform synchronous writes to speed up performance. This model also ensures there are no long waits for file system checks. ZFS incorporates algorithms to make sure your Most Recently Used (MRU) and Most Frequently Used (MFU) data are stored in your fastest system storage media. Utilizing MRU & MFU combined with flash/NVDIMM ZILs/SLOGs and ARC/L2ARC devices, you can speed up your performance astronomically. Similar systems to this exist in QNAP’s EXT4 service ‘tiered storage’ and both they and Synology offer NVMe SSD caching services in conjunction with an existing pool/volume, but again this is done to a considerably higher and more customizable degree in TrueNAS. It just takes more time and knowhow to set up though.


Smart/Intuitive Option to Define Drive Media Use


Then there is an interesting storage setup choice that TrueNAS offers that is actually quite a breath of fresh air versus the more complex elements of its configuration. Namely that the system also includes an option to specifically designate a soon to be created area of storage to a task/use. So, if you have introduced one or more drives to your custom build server, you can choose whether you want this to be an independent new pool, a hot spare, to factor as additional storage redundancy, dedicated deduplication storage, designate the space for metadata (SSD recommended of course) and more. It is a surprisingly user-friendly option amidst all the complexity and a welcome addition to save time and headaches!

No Native Browser GUI Based File Manager


One missing feature of TrueNAS that really surprised me was the absence of a browser-based file manager. Now, on the face of it, many will argue that the GUI of your storage system should be reserved for system management, configuration and for troubleshooting (some even erring away from browser GUIs entirely in favour of SSHing etc directly into the system as a superuser for these tasks for pace). Equally, once you have correctly created and configured your storage (along with creating shared paths and enabling the right file access protocol in TrueNAS) you will be able to mount and access your storage at a drive, folder and file level in your native OS (arguably BETTER). However, the ease and added benefits of ALSO being able to access your system storage from time to time at even a simple file/folder level in the GUI cannot be overstated. Sure, you CAN create a very basic root directory breadcrumb-style breakdown in a browser tab – but with most NAS brands offering the same OS-level native file/folder access AND offering a web browser GUI file management option (with copy, paste, archive, thumbnails, sharing, editing) AND mobile applications to do the same, it is really odd that this is not a native option in TrueNAS. You COULD use 3rd party tools of course to do this, but that would be a credit to those and not TrueNAS.

RAIDZ Still Takes Longer than Traditional RAID in ReBuilding Fuller Arrays


This is a small negative in the grand scheme of things and hardly something that leaves TrueNAS/ZFS reflected too badly against EXT4 and BTRFS setups, but although ZFS Raid rebuilding IS much faster if your actual capacity used is smaller (only building the data/space used and hashing/zeroing the rest), that advantage does not help in the event of your storage pool being much fuller and in testing a RAIDZ at 90% full vs a near-identical RAID5 on 4x4TB actually took a pinch longer on the ZFS pool. Again, the difference was small and largely down to the additional checksums and verification of ZFS, but still, something to note.


Potential Fragmentation in Copy On Write Methodology


Earlier, we discussed that ZFS utilizes copy on write (CoW) in order to create a 2nd copy of the data for ensuring the integrity of the write action. Unfortunately, this can mean that TrueNAS can suffer from data fragmentation as time wears on. There are direct performance implications that stem from that fact. This can be avoided with scheduled/periodic de-fragmentation, but this can be time and resource-consuming depending on the volume of your storage. So potentially, the fuller your storage pool is with actual data, the slower it will ultimately get. Write speeds in ZFS are directly tied to the amount of adjacent free blocks there are to write to in order to maintain the CoW process. As your pool fills up, and as data fragments, there are fewer and fewer blocks that are directly adjacent to one another. A single large file may span blocks scattered all over the surface of your hard drive. Even though you would expect that file to be a sequential write, it no longer can be if your drive is full. This can be an often overlooked and direct reason for long term performance drops in some systems over time if left unchecked. I have personally not experienced this, but it has been discussed online (forums, reddit, etc) and therefore I still thought I should address this.

Still Not Especially Friendly to Novice or Even Soft IT Knowledge Users


Despite the big efforts by TrueNAS to demystify the complexity of storage management in several areas of its storage area (fusion pools being partially automated mixed media pools, the suggested vDev drive drop-down, USB management in that same area and ‘force’ warning options to name but a few), there is still no avoiding that TrueNAS is CONSIDERABLY more complicated when it comes to setting up your storage and is a large jump from the frank simplicity of Synology and QNAP. Some would argue that the simplicity offered by turnkey/off-the-shelf NAS solutions is incredibly restrictive and inherently limiting, but there is still a substantial learning curve to setting up your storage in TrueNAS that needs to be appreciated and understood at the outset.


In the next part of this review of TrueNAS later this week we will be looking at Account Management, as well as how Business Users who are considering TrueNAS for their enterprise storage can get support and how far that support extends.


Part II of the TrueNAS Review is HERE (23/03)


Part III of the TrueNAS Review is HERE (25/03)


Alternatively, the (LONG) FULL Review of TrueNAS is available HERE.


 


 


Dirty Pipe Linux Vulnerability – What Do Synology, QNAP, Asustor & Terramaster NAS Owners Need to Know?

16 mars 2022 à 01:10

Dirty Pipe Linux Weakness and Why You and your Linux Based NAS Should Care?


For those that might not be aware, a vulnerability in Linux kernel 5.8 and above was publicly disclosed by Max Kellermann last week (with a proof of concept demonstrating the weakness). The vulnerability (tracked under CVE-2022-0847) effectively allows a non-privileged user to inject and overwrite data in read-only files, including SUID processes that run as root. This Linux vulnerability is reported to be comparable to the Dirty CoW vulnerability found in Linux from 7 years ago (CVE-2016-5195) where an exploit was used for pushing malware onto software services. Full details on the public disclosure and demonstration of the vulnerability by Kellermann can be found here, but the larger impact of this is that there are many, MANY different software platforms around the world that utilize Linux as the base of their systems and alongside Android and smart home appliances, one big advocate of Linux kernel-based development is NAS storage providers in their systems and services. Now, on the plus side, Linux was incredibly quick to implement a patch on this and the vulnerability has been closed on Linux kernels 5.16.11, 5.15.25, and 5.10.102, however, most NAS servers use different versions of the Linux kernel, as well as roll out updates to their varied hardware systems in a more bespoke fashion. This leads to them potentially running outdated kernels and leaving a door open to this exploit, posing a significant issue to server administrators. We fully expect NAS brands to roll out updates where appropriate/applicable shortly to close this vulnerability, however, one consistent thread in the past when some NAS brands have been hit by ransomware/malware exploits is that vulnerabilities found in older software revisions are left unchecked by the end-user (ignoring brand updates or practising unsafe network security).
So today, let’s discuss the dirty pipe vulnerability, how/if it affects Synology, QNAP, Asustor and Terramaster NAS platforms right now and what you should do right now to avoid any exploits being used on your system.


What is Dirty Pipe?


In brief, Dirty Pipe is a vulnerability in Linux Kernel 5.8 onwards that allows local users to inject their own data into sensitive read-only files, removing restrictions or modifying configurations to provide greater access than they usually would have. This was first registered and made publicly known by Max Kellermann and he gives an incredibly concise and detailed breakdown on the vulnerability, how he found it and its implications in this article by him.


“It all started a year ago with a support ticket about corrupt files. A customer complained that the access logs they downloaded could not be decompressed. And indeed, there was a corrupt log file on one of the log servers; it could be decompressed, but gzip reported a CRC error. I could not explain why it was corrupt, but I assumed the nightly split process had crashed and left a corrupt file behind. I fixed the file’s CRC manually, closed the ticket, and soon forgot about the problem. Months later, this happened again and yet again. Every time, the file’s contents looked correct, only the CRC at the end of the file was wrong. Now, with several corrupt files, I was able to dig deeper and found a surprising kind of corruption. A pattern emerged,” Kellermann said.


A short while afterwards, a security advisor by the name of BLASTY updated this with an increasingly easier method of its execution and also publicly disclosed it, highlighting just how much easier it made it to gain root privileges by patching the /usr/bin/su command to drop a root shell at /tmp/sh and then executing the script. This all means that it makes it possible for a user to gain admin authentication and system powers, after which they can execute malicious commands on the system.

Dirty Pipe PoC (https://t.co/ql5Y8pWDBj) works beautifully. 🤑pic.twitter.com/OrRYJE5skC


— blasty (@bl4sty) March 7, 2022



These can range from malware to (the increasingly more likely) a ransomware action that would encrypt the contents of the system and demand a fee for its decryption. Now, the nature of this exploit at this time (for systems that have not or cannot update to the latest patched Linux kernel 5.16.11, 5.15.25, and 5.10.102 right now) is still limited as it would only be usable in the event of a targeted attack and/or the need for a further utility or application in the system to execute the follow-up command. Now the extent to which this affected NAS Drives from the popular off the shelf private server providers is actually surprisingly diverse and a big part of that comes down to how each NAS brand is utilizing Linux. More precisely, different NAS brands are running their NAS system software on differing kernels of Linux that they update over time, as well as individual systems in their respective portfolio (for reasons of hardware and utility) also run slightly different revisions of Linux for their software, eg Synology and DSM, QNAP and QTS, Asustor and ADM, etc. So, how does this affect each NAS brand, if at all?
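For administrators who want to sort their own machines against those kernel ranges, the following is an added Python example (not from the original article or from any vendor): it classifies `uname -r` style strings using only the version numbers quoted in this article. The function names and host names are hypothetical, the inventory is constructed, and treating branches newer than 5.16 as fixed is an assumption. A version string cannot show a fix that a vendor has backported, so an "in-affected-range" result means "check the vendor advisory", not "confirmed vulnerable".

```python
import re

# Version facts taken from the article: the flaw exists from kernel 5.8 and
# is closed in 5.16.11, 5.15.25 and 5.10.102.
FIRST_AFFECTED = (5, 8, 0)
FIXED_PATCH_BY_BRANCH = {(5, 10): 102, (5, 15): 25, (5, 16): 11}


def parse_kernel(release):
    """Turn a `uname -r` style string ('5.10.60-qnap') into (major, minor, patch)."""
    match = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", release)
    if match is None:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = match.groups()
    return int(major), int(minor), int(patch or 0)


def dirty_pipe_status(release):
    """Classify a kernel release against the CVE-2022-0847 version ranges.

    Returns 'not-affected', 'fixed' or 'in-affected-range'. Vendor suffixes
    are ignored, so backported fixes are not detected.
    """
    version = parse_kernel(release)
    if version < FIRST_AFFECTED:
        return "not-affected"
    branch = version[:2]
    fixed_patch = FIXED_PATCH_BY_BRANCH.get(branch)
    if fixed_patch is not None:
        return "fixed" if version[2] >= fixed_patch else "in-affected-range"
    if branch > (5, 16):
        # Assumption, not stated in the article: branches newer than 5.16
        # were released with the fix already included.
        return "fixed"
    # 5.8, 5.9 and 5.11 to 5.14: the article lists no fixed release for them.
    return "in-affected-range"


def audit(inventory):
    """Group hosts by status; unparseable strings are reported as 'unknown'."""
    report = {"not-affected": [], "fixed": [], "in-affected-range": [], "unknown": []}
    for host, release in sorted(inventory.items()):
        try:
            status = dirty_pipe_status(release)
        except ValueError:
            status = "unknown"
        report[status].append(host)
    return report


# Constructed inventory with hypothetical host names. 4.4, 5.10.60 and 4.2.8
# are kernel versions this article names for NAS platforms; the rest are
# made-up samples that exercise each range.
SAMPLE_INVENTORY = {
    "nas-a": "4.4",
    "nas-b": "5.10.60-qnap",
    "nas-c": "4.2.8",
    "srv-d": "5.10.102",
    "srv-e": "5.16.10",
    "srv-f": "5.13.0-generic",
    "srv-g": "custom-build",
}

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status:18} {', '.join(hosts) or '-'}")
```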

What is the Impact of Dirty Pipe on Synology NAS?



By the looks of things, Synology NAS and DSM 7/7.1 are not susceptible to the Dirty Pipe vulnerability. This is largely down to the DiskStation Manager software and services running on Linux kernel 4.4 (this will vary in subversion depending on the Synology NAS solution). The vulnerability is found in kernel version 5.8 onwards, and even if Synology updates its platform to this Linux revision in the near future, it would use the patched revisions and therefore avoid the weakness. Indeed, in a bold move by the brand on Reddit, an official Synology rep on the /synology subreddit made it abundantly clear (zero ambiguity) that the Synology NAS platform and DSM 7 was not going to be touched by this:



This is further highlighted by the brand’s security advisory not even acknowledging this in any way HERE. Generally, Synology are s#!t hot on updating their advisories, so this is a very good sign and I would believe them on this (as well as the kernel versions backing this up).

What is the Impact of Dirty Pipe on QNAP NAS?



QNAP NAS, QTS and QuTS run a higher revision of the Linux kernel than Synology, which unfortunately means that they are exposed to this vulnerability (although it is targeted in design and closed in its scope). QNAP runs kernel 5.10.60 on its prosumer, business and enterprise systems and kernel 4.2.8 on its more affordable/ARM systems. Once again, it is worth remembering that this is a vulnerability that was found in Linux, not QTS/QuTS, so not only is this not QNAP’s fault, but issuing a patch/firmware update for their software and services will also not be immediate (as they run a modified Linux platform and any update needs internal implementation and testing before rolling out). QNAP issued details on this remarkably quickly via their Security Advisory pages, with an updated line on this that highlighted which systems in their portfolio were unaffected (running Linux Kernel 4.X onward) as well as the ones that feature the affected Linux revision, for which an update will be available shortly. Here is a breakdown of what they said:


  • Release date: March 14, 2022
  • Security ID: QSA-22-05
  • Severity: High
  • CVE identifier: CVE-2022-0847
  • Affected products: All QNAP x86-based NAS and some QNAP ARM-based NAS running QTS 5.0.x and QuTS hero h5.0.x
  • Not affected products: QNAP NAS running QTS 4.x
  • Status: Investigating


A local privilege escalation vulnerability, also known as “dirty pipe”, has been reported to affect the Linux kernel on QNAP NAS running QTS 5.0.x and QuTS hero h5.0.x. If exploited, this vulnerability allows an unprivileged user to gain administrator privileges and inject malicious code. The following versions of QTS and QuTS hero are affected:

  • QTS 5.0.x on all QNAP x86-based NAS and certain QNAP ARM-based NAS
  • QuTS hero h5.0.x on all QNAP x86-based NAS and certain QNAP ARM-based NAS

For a full list of the affected models, please check “Kernel Version 5.10.60” in the following link: https://www.qnap.com/go/release-notes/kernel. QNAP is thoroughly investigating the vulnerability. We will release security updates and provide further information as soon as possible. Recommendation – Currently there is no mitigation available for this vulnerability. We recommend users to check back and install security updates as soon as they become available.


So, if you are curious if your system is running the affected linux kernel, you can find a list of QNAP NAS systems that feature 5.10.60 below:



QNAP are working on this right now, and although a firmware update should be available quickly, I would recommend heading to the bottom of this article for recommendations on securing your storage and network setup, either in the long term OR until an official patch is issued.

What is the Impact of Dirty Pipe on Asustor NAS?



In more positive news, not only are Asustor and ADM 4 not affected by the Dirty Pipe vulnerability, but the brand has also been fantastically loud about this in their security advisory pages. This is one of those rare occasions where a brand has added an entry to their advisory pages for a vulnerability that is NOT impacting their systems. I kind of wish we saw more of this, as even if a brand is NOT affected by a weakness that is being reported on servers, users would rather it was made abundantly clear. You can find out more from Asustor’s security advisory pages HERE, but the details are available below:

  • Severity: Not affected
  • Status: Resolved

Details – A flaw was found in the way the “flags” member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read-only files and as such escalate their privileges on the system.


Statement – None of ASUSTOR’s products are affected by CVE-2022-0847, this vulnerability issue only affects with Linux Kernel 5.8 and above. The Linux Kernel version built in ADM 4.0 is 5.4, and 4.14 in ADM 3.5.


So, they are making things remarkably clear that regardless of the current update/firmware status of your system, you are unaffected.

What is the Impact of Dirty Pipe on Terramaster NAS?



Details on the linux kernel that is utilized by Terramaster in their NAS systems in the current TOS 4 software that is available (As well as the TOS 5 beta) are still being investigated and I will update the article shortly with my findings. Early checks seem to indicate that TOS 4 is running on an earlier version of linux and therefore unaffected. However, I will confirm this and the TOS 5 beta status as soon as possible here in the article.
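As an added example (not from this article or from any vendor), the version figures quoted above can be turned into a quick by-version check: introduced in 5.8, fixed in 5.16.11, 5.15.25 and 5.10.102. The function names and status labels are made up for this example, and treating 5.17 and later as fixed is an assumption the article does not state.

```shell
#!/bin/sh
# Added example: classify a Linux kernel release string against the
# Dirty Pipe (CVE-2022-0847) version ranges quoted in the article.
#   introduced in 5.8; fixed in 5.10.102, 5.15.25 and 5.16.11
# Assumption (not in the article): 5.17 and later already carry the fix.
# Caveat: vendors can backport fixes without changing the version number,
# so "affected" means "confirm with the vendor advisory", not proof of exposure.

# dirty_pipe_status RELEASE
# Prints one of: not-affected | affected | fixed | unknown
dirty_pipe_status() {
    rel=$1
    # Keep only the leading numeric part: "5.10.60-qnap" -> "5.10.60".
    ver=$(printf '%s\n' "$rel" |
        sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\(\.[0-9][0-9]*\)\{0,1\}\).*/\1/p')
    [ -n "$ver" ] || { echo unknown; return 0; }

    # Split "major.minor[.patch]" on dots; a missing patch level counts as 0.
    old_ifs=$IFS; IFS=.
    set -- $ver
    IFS=$old_ifs
    major=$1; minor=$2; patch=${3:-0}

    # Anything older than 5.8 predates the flaw.
    if [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 8 ]; }; then
        echo not-affected; return 0
    fi
    # 5.17 and later (assumption, see header).
    if [ "$major" -gt 5 ] || [ "$minor" -ge 17 ]; then
        echo fixed; return 0
    fi
    # 5.8 .. 5.16: only three branches have a fixed release named in the article.
    case $minor in
        10) first_fixed=102 ;;
        15) first_fixed=25 ;;
        16) first_fixed=11 ;;
        *)  echo affected; return 0 ;;
    esac
    if [ "$patch" -ge "$first_fixed" ]; then echo fixed; else echo affected; fi
}

# Kernel versions as stated in the article for each platform.
report_article_kernels() {
    while read -r label rel; do
        [ -n "$label" ] || continue
        printf '%-24s %-10s %s\n' "$label" "$rel" "$(dirty_pipe_status "$rel")"
    done <<'EOF'
Synology-DSM7 4.4
QNAP-business/enterprise 5.10.60
QNAP-affordable/ARM 4.2.8
ASUSTOR-ADM4.0 5.4
ASUSTOR-ADM3.5 4.14
EOF
}

# Check the machine this script is running on (Linux only).
check_local() {
    if [ "$(uname -s)" = Linux ]; then
        printf 'local kernel %s: %s\n' "$(uname -r)" "$(dirty_pipe_status "$(uname -r)")"
    else
        echo "local kernel: not a Linux host, skipped"
    fi
}

report_article_kernels
check_local
```

Pass the output of `uname -r` from the NAS (or the kernel version listed in the vendor's release notes) to `dirty_pipe_status` to classify a system that is not in the list.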

What Security Measures Should NAS Owners Take to Avoid Dirty Pipe?


Although the circumstances needed to execute this Linux Dirty Pipe vulnerability against your NAS are quite restricted (classing this largely as a targeted attack, as a little more prior knowledge about the targeted system is needed in order to exploit it and execute code), this should still not leave users complacent. Regardless of whether you are a QNAP, Synology, Asustor or Terramaster user, you should be actioning safe and secure working practices with your data – as well as ensuring that you have sufficient backups in place of your mission-critical and/or irreplaceable data! Here are some recommendations for your NAS setup to reduce the potential for you to be affected by any exploited vulnerability that could well be currently unidentified in your setup:


If you are concerned about being vulnerable to Dirty Pipe and want to ‘shut the doors’ a bit till a firmware update:

  • Disable Port Forwarding
  • Disable uPnP Auto Configuration Tools
  • Disable SSH & Telnet Services
  • Change Your Port Numbers

If you want to take a moment to do some security and access house-keeping:

  • Disable Admin Accounts
  • Enable Auto Updates
  • Add 2-Step Verification
  • Use Strong Passwords
  • Limit app file/folder access so that applications cannot reach files and folders they do not need

And finally, most important of all – GET YOUR BACKUPS IN ORDER!


I will repeat this as many times as it takes, but you should NOT be measuring the cost of your backups by the cost of the hardware. You should measure them by the COST to YOU if that data is permanently LOST! Additionally, if all your mission-critical/irreplaceable data is in ONE location (eg on the NAS, sent from your phones and PCs, then deleted from those to make space), then THAT IS NOT A BACKUP! That is the single repository of that data! Get a USB Backup in place, get a Backblaze Subscription HERE affordably or some cloud space in general, get another NAS – whatever it takes! If you need help arranging your NAS backups on your QNAP or Synology NAS, use the video guides below:


Finally, if you want to stay on top of the vulnerabilities that are publicly disclosed on Synology, QNAP, Asustor or Terramaster, I STRONGLY recommend following and/or adding your email to the article below. We automatically crawl the security advisory pages from the top NAS brands and have created a single page that automatically lists and updates the status of known NAS vulnerabilities as soon as they are revealed.



Thanks for reading and let’s keep your data safe together!


 



 


TrueNAS/iXsystems NAS Q&A – Your Question’s Answered

11 mars 2022 à 01:43

A TrueNAS and iXsystems Questions & Answers Interview



If you have been on the fence about moving into the world of using the open-source platform TrueNAS for your private server, there is a good chance that the rather elite-level server software is leaving you a pinch intrigued. The big ZFS-optimized software, which is available to download completely for free OR as part of a business-targeted solution from iXsystems, seemingly promises significantly more freedom and flexibility than off-the-shelf commercial NAS solutions. But there is no denying that, regardless of whether you are an existing NAS user who is thinking of going down the ‘custom build’ route OR someone who thinks they are I.T. versed enough to DIY it on day 1, TrueNAS can be fantastically intimidating. Later in 2022, I will be exploring TrueNAS in huge detail, looking at what the platform offers to new users, how it compares with popular NAS brands like Synology & QNAP and hopefully helping to demystify this more community-supported platform. In this first Q&A, in what I hope will be many in 2022/2023, I have canvassed YouTube, Facebook, Twitter and directly here on NASCompares for traditional NAS users’ burning questions about TrueNAS. I spoke with Morgan Littlewood, SVP for Product Management over at iXsystems, and put your questions to him. Below are those questions and his responses. If you have any further questions that are not covered in today’s Q&A, or have follow-ups to those that were asked, then fire them in the comments. We will have our full review of TrueNAS coming very soon here on NASCompares, along with a hardware review of the iXsystems TrueNAS Mini X+, so don’t forget to subscribe for that. But, let’s crack on with the Q&A.


Note – Today’s Questions come from you, the viewer/reader via the site or social media platforms. Where possible I have kept the questions in their original verbatim form. Where changes have been made, it has been for the sake of clarity in the question for structure.

Why are the hardware requirements for TrueNAS higher than EXT4 based Systems that also run on Linux?


TrueNAS is optimised for reliability and performance. Less RAM can be used, but it is not recommended. We don’t recommend anything that may result in a poor experience. ZFS is more robust and resource-intensive than EXT4 on account of its much safer Copy-on-Write architecture. Snapshots and clones are much simpler, and data safety during hardware and power failures is much higher.


Find the answer in the video Q&A here:  04:18

Why are the RAM and CPU requirements so high compared to other systems (from Synology or QNAP for example) that can arrive with Intel Celeron’s and even ARM processors?


TrueNAS is a fully Open Source system based on FreeBSD (TrueNAS CORE) or Linux (TrueNAS SCALE) with OpenZFS. The software is professional-grade and is not optimised for minimum personal electronics cost. The software can run on virtually any hardware, including all drivers, even QNAP hardware. Less CPU and RAM will result in lower performance.


Find the answer in the video Q&A here:  06:08 


In light of a recent spate of off-the-shelf NAS Ransomware Attacks on the likes of Asustor, Terramaster and QNAP, is there any reason that I should think that a TrueNAS build system is less susceptible?


Yes, QNAP (and Synology) have a consumer-grade architecture with poor isolations between apps and the Operating System. Hackers can break into these systems through the complex apps and get access to the underlying OS as a root user.  TrueNAS is professionally architected to avoid these and other issues. Complex apps are isolated to Plugins, Apps, and VMs with no host access. Unlike QNAP and Synology, all software is Open Source and visible to security experts for inspection. It is still important that users follow the best practices our software and documentation encourage.


Find the answer in the video Q&A here:  08:25

If TrueNAS (aka FreeNAS) is free and can be used on a custom build server, why should I spend more on hardware to buy an iXsystems system?


TrueNAS is Open Source and customers have a choice. Running TrueNAS on used equipment is the lowest-cost approach. TrueNAS on Minis or new server hardware will be similar in cost. TrueNAS Minis have the advantage of being thoroughly tested and supported by iXsystems. There is additional software for managing enclosures which are themselves optimised for storage (e.g., whisper-quiet fans). Any revenues from TrueNAS Mini contribute back our support of the TrueNAS Open Source project.


Find the answer in the video Q&A here: 10:32


Does TrueNAS have Mobile Applications?


TrueNAS is an Open System. There are many mobile apps that use the SMB, NFS, and WebDav interfaces into TrueNAS. Mobile browsers can access the TrueNAS or TrueCommand UIs.


Find the answer in the video Q&A here: 13:57 

Does TrueNAS have any preset minimums in place regarding that, if left unaddressed, inhibit the system in any way (remote access, application support, etc)?


If there is insufficient boot drive space, the software updates will be inhibited. Insufficient RAM will inhibit VMs from performing well.


Find the answer in the video Q&A here: 15:09

Aside from S.M.A.R.T and single drive benchmarks, does TrueNAS have more/better self-testing and benchmarking tools? e.g in an internal means to measure the performance of a RAID configuration?


We recommend FIO for performance testing of the ZFS pool, which is built into TrueNAS. Any other testing can be performed remotely on the system via its various protocols.


Find the answer in the video Q&A here:  17:40


What is the hardware entry point for a home user to start using TrueNAS?


TrueNAS is not targeted at small home users with one or two drives. Rather, it is for home users with many Terabytes of data, typically video or photo enthusiasts and/or users with a background in IT. We recommend either a used server or a TrueNAS Mini for home use. The TrueNAS Mini-E is the lowest cost, and the TrueNAS Mini-X has more power and flexibility. 


Find the answer in the video Q&A here: 19:22

What are the benefits of running a smaller 4 Disk NAS on TrueNAS compared to Synology DS920+?



The Synology 920+ is a 4-Bay, 4 core Celeron processor with 4-8GB RAM. It uses a combination of BTRFS and RAID to store its data. It is a nice little hardware package with a non-production file system that is less reliable. Synology then mates BTRFS with RAID-5 which is also less reliable in the presence of power outages and bit rot. This combination makes the data storage less resilient, scalable, and portable. The TrueNAS Mini-X system is a step up from the Synology 920+ in reliability and flexibility. It has 7-Bays, 4 Cores, and 16-32GB of ECC protected RAM. It uses OpenZFS 2.0 which is more reliable by design and enables open, efficient replication to any OpenZFS system, plus the normal Rsync tools. ECC RAM is used to avoid any corrupted data or files and provide rapid detection of any faulty hardware. Without ECC, silent errors that are very difficult to troubleshoot and fix can occur.


TrueNAS has recommended drives, but does not make it difficult to use third-party drives, used or new. We’ve seen Synology move to branded drives with poor support of other drives. TrueNAS supports a ZFS Write Log function which makes the system very reliable even during power failures. Data that is written and acknowledged is always safe. The use of RAID-5 and BTRFS does not provide this level of protection


Find the answer in the video Q&A here: 21:07

Which Drives do you use in your pre-populated systems and is the warranty on these inclusive with that of the system?


TrueNAS Minis use WD Red Plus HDDs and a variety of different SSDs. The system warranty includes all pre-populated drives for a single throat to choke experience. We have found the WD Red Plus drives to be very reliable in conjunction with OpenZFS.


Find the answer in the video Q&A here:  23:16


With TrueNAS Scale, will RDMA/RoCEv2 be supported? 


RDMA is a very useful technology for accessing data in RAM on another system. For accessing data on HDDs and Flash, there is only a minor benefit. TrueNAS SCALE will support RDMA in a future release based on customer/community demand.


Find the answer in the video Q&A here:  25:05

Do iXsystems and/or TrueNAS adequately support flash server use and if so, does it have intelligent wear monitoring?


SSD wear monitoring is available, but it’s really a band-aid for systems with poor flash characteristics. OpenZFS does two things that ensure a much longer flash life:

  1. Writes to flash are distributed evenly over the drives in the system through the use of ZFS VDEVs
  2. Small writes (e.g., 4K) are aggregated into larger writes (e.g., 64K) as part of the writing process. This reduces the stress on the flash media enormously. Even QLC drives can sustain heavy workloads with OpenZFS.

Find the answer in the video Q&A here: 26:04

How migratable is a TrueNAS RAID array between systems? I.e If my Intel i5/16GB DDR4 6 Drive RAID6 Drive configuration based system suffers a motherboard failure, how smooth/easy/possible is installing these 6 drives in another system? And does the hardware configuration need to match?


Great question. This is the beauty of OpenZFS. There are two ways to migrate data efficiently:


ZFS replication: this is incremental, very efficient, and can be done between two systems with different sizes and even different OSes. You can replicate the entire pool or specific data sets within it. Replication is efficient, making it feasible to do every ten minutes or every night.


Drive Transfer: A ZFS pool can be exported to its set of drives. The drives can then be removed and placed in another system, server, or JBOD and imported as a new ZFS pool with all data intact. The new system does not need to use any similar motherboard, RAID card, OSes, and it can even be a VM with access to the drives. If there are any drive errors, these can be repaired by the ZFS checksum and scrubbing processes. 


You can ZFS replicate or transfer a TrueNAS pool to an Ubuntu VM running on VMware. This is the difference provided by an Open Software model with a professional-grade architecture. The software is designed to give users the flexibility they want and not lock them into a proprietary ecosystem. TrueNAS enables data to be maintained well through several generations of hardware using these techniques. This is critical for long-lived data like family photos, videos, and professional work product. For businesses, it is very important that TrueNAS enables scalability from a few drives to over 1,000 drives in a single system. Large archive/backup systems can support many workgroup systems with the same software and tools. Synology is particularly limited in the scalability of its systems.


Find the answer in the video Q&A here:  28:16

Does TrueNAS have an active homebrew scene?


Yes, there is a very active community of users doing three things:

  1. Building their own hardware platforms with new and second-hand parts. We have a few users that have re-used QNAP systems.
  2. Assisting with software development. Some users will find a bug and then resolve it themselves. The software is largely in Python and C. Most users will just report the bug via our Community.
  3. Developing or building Apps that run well on TrueNAS. Most of these Apps are now docker containers or combinations of containers.

Find the answer in the video Q&A here:  31:32


What are the benefits of an Open Source NAS over an off-the-shelf NAS system?


The role of a NAS is the long term retention and sharing of data.  Videos, photos, financial, and medical records all need to be retained for tens of years…even multiple lifetimes.  This can’t be done with a single box and will require an evolving family of platforms and backup strategies. Open Source provides the benefits of long term evolution and migration options.  Data can be replicated and migrated easily between systems. New systems can be built with second-hand hardware and free Open Source software.  The user has control of their own destiny. That is Open Source economics. TrueNAS embraces Open Source economics and allows you to choose the hardware platform that best suits your applications and your budgets.


Find the answer in the video Q&A here:  33:35

How does the TrueNAS Community help a new user?


The TrueNAS Community is a fantastic resource for the average user. Because TrueNAS is Open Source, there are thousands of users that both have operating experience, but extremely good knowledge of how the software works and how to resolve systems integration issues, recover data, and troubleshoot hardware.  When you are trying to do something new with your system, it’s common to find that hundreds of people have already worked out how to set something up, or have the experience to tell you that you can’t get it to work. Community members can save themselves many hours of work and have a fun conversation. The TrueNAS forum is moderated to make sure forum posts are polite and welcoming.


Find the answer in the video Q&A here:  35:48


 


You can watch the original Q&A with Morgan Littlewood of iXsystems below:


 



If you have any further questions about TrueNAS that were not addressed in this Q&A, fire them below in the comments and we will have them featured in a follow-up interview this spring/summer. Thanks for reading.


 


 


Terramaster NAS Devices Being Attacked By Deadbolt Ransomware

1 mars 2022 à 11:49

Deadbolt Ransomware Attacking NAS Drives Again – This time it is Terramaster


It pains me to make this post, but yes, Deadbolt ransomware has once again attacked NAS drives and this time the target is Terramaster devices. Although exact details on the attack vector of this ransomware are yet to be confirmed (though I will be updating this article as more information arrives), it looks like a very similar attack to those that affected Asustor last week, using very similar display methods of highlighting the means of paying the ransom, as well as similar ways that people have been alerted to it on their individual systems. Likely candidates at the time of writing point to this either being based around a UPnP weakness (similar to a previous ransomware exploit that was used) or weak network management (either in the ports used or in 3rd party applications poking holes in your firewall etc in order to facilitate remote access). As mentioned, the details are still rather murky and the first reported hit by users online was around 10 hours ago, so similarities in how people have arranged their network/system services are slowly getting pieced together. If you DO own a Terramaster NAS drive right now, I would make the following recommendations:

  • Run a Backup! But first check that you have not already been hit by the deadbolt ransomware, so you do not inadvertently overwrite your ‘good’ backups. I would STRONGLY recommend where possible (space/budget) running a completely new and independent backup of the whole system or at the very least your irreplaceable/mission-critical data
  • Disconnect your system from ANY internet connection unless you are 100% confident that your network security is secure (even a VPN doesn’t avoid the fact some apps and services open router ports as a necessity)
  • Check your system logs for any large number of IP login attempts. Not strictly necessary in this case as the attack vector is still unconfirmed at the time of writing, but check nonetheless
  • Power Down your device unless you are 100% confident that you are untouchable. Deadbolt is actioned INITIALLY over the internet, pushing a command to the system to conduct a large-scale encryption, delete the encryption key and amend the login screen to their own payment window and key entry. So, if you are BEING attacked by deadbolt ransomware, disconnecting the system from the network/internet is not enough, as from THAT point all operations are being conducted locally (ie inside the system). So power down your device until Terramaster issue a patch to close whatever this exploit is that deadbolt is utilizing
  • At the time of writing, we are still awaiting further information on the deadbolt Active Process (i.e in the task/resource monitor). When that is established, you can use SSH and a suitable command client to patch in and kill the process, HOWEVER, you should disable SSH for now if you HAVE NOT been hit, as this manner of control is how the bulk of ransomware attacks are conducted automatically
  • Change credentials for the admin account. Although TOS 5 (previewed last month here on YouTube) has the option to disable the admin account (as well as a kill switch for all remote access), the current version of TOS 4 does not have this functionality
  • Change your local network and remote access ports from the default 8000, 8080, 8001 etc to something randomized

IF your Terramaster NAS is COMPLETELY isolated from the internet (and you are 100% certain of this, eg you directly PC-to-NAS interface your system OR you run the NAS on an isolated vLAN in your network behind a bunch of layers), then you can largely ignore the above.



 


UPDATED 02/03 08:00 GMT


Since the deadbolt ransomware’s first targeted attacks yesterday, Terramaster has rolled out a new firmware update (TOS version 4.2.30) and they strongly recommend that users who have not yet been affected upgrade now. The update is available from the usual system settings, in the software update menu within the TOS web browser GUI, in the window below:



Also, you can choose to manually download the TOS 4.2.30 update directly on TerraMaster official website->SUPPORT->DOWNLOAD page (see image below) here – https://support.terra-master.com/download/



It is VERY IMPORTANT that users understand the following details before they update their Terramaster NAS to this latest firmware updated version:

  • If you install this update, it WILL NOT recover/unencrypt files that have been hit by deadbolt (i.e. files that now carry the ‘.deadbolt’ encryption in their name/format). This update closes the vulnerability that allowed the deadbolt group to inject a command towards your Terramaster NAS and carry out the attack.
  • If you install this update, it will remove the black deadbolt entry screen to your Terramaster NAS when accessing it via the web browser. However, in doing this, you will also lose the (arguably crap) option to recover your files by paying the ransom group, getting an encryption key and decrypting your data. Although unaffected users and those who have zero intention of engaging with the deadbolt group will be happy with this, some users who have lost mission-critical /irreplaceable data that might consider this option might want to think about this update a little further. When Deadbolt hit Asustor NAS devices last week, when Asustor issued a firmware update, they also added a small add on in the app center that allowed the end-user to still access this screen in an isolated fashion to still keep the option of getting an (arguably illegally) paid for solution to recovery.
  • Right now, users are attempting to perform recovery with deadbolt files via linux mounted drive setups. It is a painfully slow and low success % operation (as in user base) but if your data is important to you and/or/if you want to resume access to your NAS whilst keeping the encrypted data to one side, I recommend removing the HDD/SSD media (keep track of which drive in which bay) and replace the drives in the Terramaster NAS and re-initialize. Then you can reintroduce those drives to the NAS or to a linux machine in the event of a recovery method becoming possible.

Back to the Original Article.

What Do We Know About the Terramaster NAS Deadbolt Ransomware Attack?


The bulk of the details, even at this early stage of the Terramaster NAS deadbolt ransomware attack, bear a lot of similarities to those of the Asustor attack last week (read the article on that plus all the updates and MOST IMPORTANTLY the comments of that article, as there is a lot of information on how people have responded/adapted when this hit them). Most users understood that their Terramaster NAS system was in the process of being hit by deadbolt ransomware in two very clear ways, one arguably worse than the other. The first was that many of the more value series Terramaster NAS systems (2/4 Bay systems at the Dual-Core level) had a sharp and very noticeable rise in system fan activity (and HDD LED lights kicking off incessantly) as the encryption command pushed the system very hard indeed. If you were fortunate enough to spot this early, then there is a reasonable chance that the % of files encrypted would be very low. However, a larger proportion of users found their NAS system was mostly/completely encrypted overnight (or whilst they were out of sight/earshot of the NAS) and their first knowledge of the attack was to be greeted by this (now depressingly familiar in 2022) deadbolt login screen:


Important Message for TERRAMASTER
All your affected customers have been targeted using a zero-day vulnerability in your product. We offer you two options to mitigate this (and future) damage:


1) Make a bitcoin payment of 5 BTC to bc1qhkeecsgmzf2965fg57ll3enqyj7y094lxl5nzm:


You will receive all details about this zero-day vulnerability so it can be patched. A detailed report will be sent to [email protected].


2) Make a bitcoin payment of 15 BTC to bc1qhkeecsgmzf2965fg57ll3enqyj7y094lxl5nzm:


You will receive a universal decryption master key (and instructions) that can be used to unlock all your clients their files. Additionally, we will also send you all details about the zero-day vulnerability to [email protected].


Upon receipt of payment for either option, all information will be sent to you in a timely fashion.


There is no way to contact us.
These are our only offers.
Thanks for your consideration.


Greetings,
DEADBOLT team.


If you are unsure whether you have been hit by the deadbolt ransomware attack (i.e. you can still login fine and the login screen has not changed) but want a quick checklist of things to monitor, here is a brief to-do list:

  • Your Remote mounted storage is suffering delayed responses/file opening (eg mapped drives, SMB mounts, etc) as this could mean that these are in use by the system and being encrypted. The same goes if you have a recently accessible remote mount that is now inaccessible
  • Search for .deadbolt in the file manager search bar. It is not the quickest, but any file hit by this will have the .deadbolt file extension
  • Your regular overnight backup(s) failed or took way, WAY too long, as this indicates a large amount of HDD activity taking place at the same time as your regular backups and even 3-4 hard drives in a RAID 5 will struggle to maintain even marginally good input/output actions when these larger volume activities are run simultaneously
  • Your system fan speed is increasing as drive activity has increased notably (encryption is a hefty task for any system to conduct, especially on the entire storage pool/volumes/etc)
  • Your HDD/SSD LEDs are going NUTS! This also applies if you are using larger than 8TB drives or larger Seagate Ironwolfs NAS drives, Ultrastar, Red Pros, EXOs, etc as these Pro/Ent class drives make some real noise in heavy crunch activity such as large scale encryption

Currently (01/03/22 9:30AM GMT) Terramaster has yet to issue a formal statement on this or a firmware update, but the attack is around 12 hours old at most. Still, this is now the 3rd Deadbolt attack to hit NAS brands in the last 6 months (Asustor and QNAP previously), and it comes alongside the earlier attack exploiting a vulnerability in TOS at the start of the year. There are hopes that the current TOS 5.0 update (still in Beta) will feature improvements in its network security and how much access installed apps have to the core system administration.

What Does Terramaster Advise to Prevent the Deadbolt Ransomware?


Terramaster has responded to this recent Deadbolt ransomware attack of their NAS systems with the following statement:


Recently, we have received reports of some TNAS devices being attacked by Deadbolt Ransomware. Based on the case analysis, we initially concluded that this was an external attack against TNAS devices. To protect your data from Deadbolt, please take action now!


If your NAS works normally, we suggest you take the following countermeasures:


1. Upgrade your TOS to the latest version;


2. Install good anti-virus software on your computer, TNAS device and router to help you detect and resist malicious threats;


3. Disable port forwarding on your router. After disabling this function, you will not be able to access TNAS through the TNAS device bound to the DDNS external network.


4. Disable the UPnP function on your TNAS. After disabling, your PC, multimedia box, TV and other devices may not be able to access TNAS through UPnP protocol, please use DLNA, NFS, SMB protocol to access TNAS instead.


For more detailed measures, please refer to the following link:


https://www.terra-master.com/global/press/index/view/id/1143/


 


If you find that your NAS has unfortunately been affected by Deadbolt Ransomware, please follow the steps as below:


  1. Remove the LAN network cable from your TNAS device immediately.


  2. Power off your TNAS; x.86 models: short press the power button; ARM models: long-press the power button 3 seconds.


  3. Do not initialize your NAS as this will erase your data. 


  4. Please contact the online support on our official website or email to [email protected] directly.


Additionally, there is a great deal of activity in the last 12 hours on the official support forums on this, with a Terramaster Customer Representative issuing the following response to an initial enquiry on deadbolt ransomware attacks:



Right now, Asustor has yet to issue further information on recovery on this (unless I have updated this article above with further information), but I would recommend following the steps provided by other NAS brands in the wake of a ransomware attack such as this:

  • Change your password.
  • Use a strong password.
  • Change default HTTP and HTTPS ports. Default ports are 8000 and 8001 respectively.
  • Change web server ports. Default ports are 80 and 443.
  • Turn off Terminal/SSH and SFTP services and other services you do not use.
  • Make regular backups and ensure backups are up to date.

Until the attack vector is established, I would recommend going ‘all in’ on updating your security settings. Although a lot of the changes relating to password changes seem unrelated to this, without having a complete throughline on similarities between users, it is best to dot every i and cross every t!

Is There A Solution, Restoration or Recovery Method Currently Available to Deadbolt Affected Terramaster NAS?


As it stands, there is no resolution available from Terramaster if your files have been encrypted by Deadbolt ransomware. Other than paying the ransom (which would suck!), many are looking at methods of recovery using Linux-based mounting of the drives and accessing any snapshots in a BTRFS volume (or using PhotoRec/TestDisk in the hope of reverting the files), but even then, there is little currently possible to recover affected files. That may not always be the case and I would still recommend keeping the encrypted files (in a 2nd location if you need to format your Terramaster for continued use) as recovery methods might become available in weeks/months from now. Terramaster issued an updated press release on this with further instructions on disabling specific services. We suggest you take the following countermeasures:

  1. Upgrade your TOS to the latest version;
  2. Install good anti-virus software on your computer, TNAS device and router to help you detect and resist malicious threats;
  3. Disable port forwarding on your router. After disabling this function, you will not be able to access TNAS through the TNAS device bound to the DDNS external network.
  4. Disable the UPnP function on your TNAS. After disabling, your PC, multimedia box, TV and other devices may not be able to access TNAS through UPnP protocol, please use DLNA, NFS, SMB protocol to access TNAS instead.

  5. Disable RDP, SSH and Telnet when not in use;


Additional Changes Here:


  6. Change the default port of FTP. When you use the FTP protocol to access, please pay attention to bringing the port, such as ftp://192.168.0.1:1990.

  7. Set a high security level password for all users;

  8. Disable the system default admin account, re-create a new admin account, and set an advanced password;
    Note: For versions after TOS 4.2.09, you can set the administrator account without using the default admin username when installing the system. If it was upgraded from a version before TOS 4.2.09, you need to reset the system configuration, then you can customize the user name.

  9. Enable firewall and only allow trusted IP addresses and ports to access your device;
    a. Go to Control Panel > General Settings > Security > Firewall.
    b. Create a firewall rule and choose the operation of allow or deny.
    c. Fill in the IP range you allow or deny access to. If you fill in the network you want to deny access to, please fill in the subnet address correctly, otherwise it may cause your existing devices to be unable to access TNAS.

  10. Avoid using default port numbers 5443 for https and 8181 for http. After changing, please enter IP:Port in the browser address bar, such as 192.168.0.1:8186.
  11. Enable automatic IP block in TOS Control Panel to block IP addresses with too many failed login attempts;

  12. Backing up data is the best way to deal with malicious attacks; always back up data, at least one backup to another device. It is strongly recommended to adopt a 3-2-1 backup strategy.

 


If your Terramaster NAS was NOT affected, I would still recommend disabling remote/internet access, as the attack vectors are not clear and there are reports from some users right now stating that they had the latest firmware and were still hit. Therefore right now there is too much unconfirmed info here to allow remote access (in my opinion) and until further info is made available, I strongly recommend disconnecting your Terramaster NAS from the internet (wire AND via the software settings) and getting your backups in order. I will update this article as soon as more information becomes available.


 

Asustor NAS Uninitialized Repair After Deadbolt Ransomware – Getting Back to ADM, Avoiding the Black Threat Screen & Seeing What Remains of your Data

25 février 2022 à 10:05

Getting Your Asustor NAS System Up and Running Again After Ransomware Attack


It has now been a few days since the initial attack of Asustor NAS systems by the deadbolt ransomware attack and although full recovery is still not a complete option for a lot of users (without having to take the agonizing step of paying the group for an encryption key – gah!), there have been steps by users, the linux community and Asustor to mitigate some of the damage for some and for those unaffected, allow them to use their systems with a little more confidence and comfort. Below are some instructions that will be of use to users who are currently in the following situations with their Asustor NAS:

  • When the encryption/attack first started (or you first noticed the NAS activity) you powered down your system abruptly and your NAS now shows as ‘Uninitialized’
  • You Have the Asustor NAS working, but are being greeted by the black deadbolt threat screen that you want to navigate around WITHOUT using SSH/Command line
  • You are in either of the above two positions AND you have snapshots or a MyArchive routine setup on your NAS

If any of those three setups are how you would describe the position that you/your Asustor NAS is currently in, then you may well find this guide useful. However, DO remember that you are still dealing with your data and although this guide has been provided for the most part by the brand themselves (with additions by myself – Robbie), you should immediately have a backup of your data (even if it’s encrypted, in case of a system failure etc) and/or an external drive ready to move any/all data over to. If you caught the ransomware encryption early, then you might still have a good % of your data still ok. Observing numerous affected machines has shown us that the encryption/changes begin at the system level (i.e. so it can change the index screen and renaming, etc), so in some cases, some people have reported that they caught it in time for some data to have been RENAMED (i.e. the .deadbolt suffix that is affecting access or older structure in some cases) but not actually encrypted. So, this guide is about getting you into a position to access your Asustor NAS GUI and whatever the state of your data is. After that, you may still have no option but to format your system, wait for any kind of brand/community recovery method or (and I do not say this lightly, as the thought of continuing this kind of behaviour is disgusting) pay the ransom to get your data back. I appreciate that this is S&!T but some business users might have little choice. Let’s discuss access recovery options. If you are unaware of everything that has occurred to Asustor and the deadbolt ransomware, you can use the attached video below:


Asustor NAS – How to Get Your NAS Running Again If It Is Saying Uninitialized


If you powered down your NAS abruptly when you saw the black threat screen OR unusual activity on your NAS (either by pulling the power cord or holding the power button for 5-10 seconds), then chances are that, as the encryption hits the system files first and was in progress, your NAS is now showing as ‘uninitialized’. This is because the system software is now corrupted. Yesterday Asustor released a new firmware update that closed the vulnerability (they claim, I have not verified personally yet). So, the following steps in the guide, using the client desktop software Control Center and an internet connection (can be just on your PC/Mac and you directly connect with your Asustor if you choose), will allow you to access your NAS login GUI.



If you have shut down before, please connect to a network. If you enter the initialization page, please follow the instructions below to update your NAS:


Step 1

  • If you enter the initialization page and have an Internet connection, please press Next.

  • Please click Live update and then click Next.


Step 2

  • If you’re on the initialization screen and not connected to the Internet, please download ADM from ASUSTOR Downloads to your computer.
  • Once done, manually update ADM by uploading the ADM image file from your computer as shown below.
  • Please press Next.


Step 3

  • Update.
  • After the update has completed, you’ll be able to return to ADM.

Asustor NAS – If You Are Still Seeing the Black Threat Deadbolt Ransomware Screen


If you have access to your NAS drive BUT are faced with the black threat login screen that replaced the previous one AND have followed the previous steps to install the latest firmware, the next three steps should allow you to navigate AROUND this and remove it entirely.


If the ransomware page remains after you connect to a network:

  • Please turn off your NAS, remove all hard drives and reboot.
  • When the initialization page appears, reinsert the hard drives.
  • Please follow the instructions above to update your NAS.

Asustor NAS – How to Restore Data with Snapshots, MyArchive Backups or Mirrored Volumes


Now, the next step is not going to be an option for everyone. It applies once you have logged in and assessed the extent of the file damage by encryption (e.g. % of files affected, are they encrypted completely OR just renamed? etc). The following steps will be of use to those of you who are running a BTRFS setup and have set up snapshots and/or the MyArchive backup/sync storage service. This part of the guide also includes the means to install a ransomware tool that (I know, ANNOYINGLY) lets you gain access BACK to the black encryption entry screen. So if you have no choice (I am not judging you, the importance of your data is your call) and are going to choose to pay the ransom as it is going to cost you less than not retrieving your data, then you can use this ‘ransomware status’ tool to gain access back to the payment screen and encryption key window, which ultimately allows you to pay the hackers. Again, it’s your call.


If you want to restore data and you have more than one volume installed on your NAS, use MyArchive drives, or have previously made Btrfs snapshots, please refer to the following instructions below. Restore all backups that you may have. Alternatively, if you have Btrfs snapshots, use Snapshot Center to restore previous versions of files and erase changes done by ransomware.



If regular backups were not kept and you want to enter the decryption key to retrieve lost data:


  • Confirm details and press Install.

  • Wait for installation to complete.

  • Reload the webpage to enter the ransomware screen again. You’ll be able to enter the decryption key.

  • If you want to return to ADM, you can do this in one of three ways. You can add backup.cgi after /portal/ in the address bar of your browser, you can hold the power button for three seconds to shut your NAS down and turn it on again or you may use ASUSTOR Control Center or AiMaster to restart your NAS.


 


  • Afterwards, it is imperative to uninstall Ransomware Status from App Central.


 


Asustor NAS Drives getting hit by Deadbolt Ransomware

21 février 2022 à 18:30

If you own an Asustor NAS and are reading this – CHECK IT NOW


Original Article – As of around 1 hour ago, multiple users online are reporting that their Asustor NAS systems have been attacked by ransomware known as Deadbolt. Much like the ransomware attack of QNAP NAS systems of the same name, this is a remote-command-push encryption attack that takes advantage of a vulnerability in the system software to command the system to encrypt the data on the NAS system, but with the added twist in this recent update of adding a new login GUI style splash screen asking for 0.03BTC.


Updated 24/02 09:45 GMT


Asustor has just released a firmware update for their ADM 4 systems (HERE) for users who have not been hit by the Deadbolt ransomware attack, who are keeping their systems offline and/or powered down until the security issue/vulnerability was identified and neutralized. Here are the Asustor details on this:


An emergency update to ADM is provided in response to Deadbolt ransomware affecting ASUSTOR devices. ASUSTOR urges all users to install the latest version of ADM as soon as possible to protect themselves and minimize the risk of a Deadbolt infection. ASUSTOR also recommends taking measures to guard against the potential harms of Deadbolt in accordance with the previously announced protective measures. Please review the measures below to help increase the security of your data on your ASUSTOR NAS.

  • Change your password.
  • Use a strong password.
  • Change default HTTP and HTTPS ports. Default ports are 8000 and 8001 respectively.
  • Change web server ports. Default ports are 80 and 443.
  • Turn off Terminal/SSH and SFTP services and other services you do not use.
  • Make regular backups and ensure backups are up to date.

In response to increasing numbers of ransomware attacks, ASUSTOR has committed to an internal review of company policies to regain customer trust. This includes, but is not limited to increased monitoring of potential security risks and strengthening software and network defenses. ASUSTOR takes security very seriously and apologizes for any inconvenience caused.


Updated 23/02 21:03 GMT


Much like the deadbolt attack on QNAP devices earlier in 2022, in the changed index GUI on affected NAS devices, the deadbolt team are offering to provide information to ASUSTOR about the zero-day vulnerability used to breach NAS devices and the master decryption key for all affected users to get their data back. The DeadBolt screen includes a link titled “important message for ASUSTOR,” which displays a message from DeadBolt for the attention of ASUSTOR. DeadBolt orchestrators are offering to provide details of the vulnerability if ASUSTOR pays them 7.5 BTC, worth $290,000. DeadBolt is also offering ASUSTOR the master decryption key for all victims and the zero-day breakdown explained for 50 BTC, worth $1.9 million. The ransomware operation states that there is no way to contact them other than making the bitcoin payment. However, once payment is made, they say they will send the information to the [email protected] email address.



Updated 06:50 GMT



Asustor has issued the following statement and recommendation for those who are (or believe they have been) affected by the Deadbolt ransomware:


In response to Deadbolt ransomware attacks affecting ASUSTOR devices, ASUSTOR EZ-Connect, ASUSTOR EZ Sync, and ezconnect.to will be disabled as the issue is investigated. For your protection, we recommend the following measures:


Change default ports, including the default NAS web access ports of 8000 and 8001 as well as remote web access ports of 80 and 443.
Disable EZ Connect.
Make an immediate backup.
Turn off Terminal/SSH and SFTP services.


For more detailed security measures, please refer to the following link below:
https://www.asustor.com/en-gb/online/College_topic?topic=353


If you find that your NAS has been affected by Deadbolt ransomware, please follow the steps listed below.
1. Unplug the Ethernet network cable
2. Safely shut down your NAS by pressing and holding the power button for three seconds.
3. Do not initialize your NAS as this will erase your data.
4. Fill out the form listed below. Our technicians will contact you as soon as possible.


https://docs.google.com/forms/d/e/1FAIpQLScOwZCEitHGhiAeqNAbCPysxZS43bHOqGUK-bGX_mTfW_lG3A/viewform


Regarding filling out the technical support form, this is likely to help the brand identify the scale of the issue, but also allow a faster sharing (to those affected) of any recovery tools that might be possible. However, the culprit is looking increasingly like the EZ Connect Asustor Remote service. This has been further backed up by the fact that the official Asustor ADM demo page has also been hit by the Deadbolt ransomware (now taken offline). Additionally, many users who powered down their device during the deadbolt attack have, upon rebooting their NAS system, been greeted with the message in the Asustor Control Center application that their system needs to be ‘re-initialized’. The most likely reason for this is that during the encryption processes, the core system files are the first files that get targeted and if the system was powered down/powered off immediately during this process, it may have corrupted system files. We are currently investigating if a recovery via mounting a drive in a Linux machine is possible (in conjunction with roll-back software such as PhotoRec).



If your Asustor NAS is in the process of being hit (even if you simply suspect it) as your HDDs are buzzing away unusually (and the HDD LEDs are flickering at an unusual hour), then it is recommended that you head into the process manager and see if the encryption process has been actioned by Deadbolt. The following course of action was suggested by NAScompares commenter ‘Clinton Hall’:


My solution so far, login via ssh as root user


cd /volume0/usr/builtin
ls


you will see a 5 digit binary executable file. For me it was 22491. I use that in the following command to get the process ID


ps | grep 22491


from this I got the Process id 25624. I kill that process


kill 25624


I then remove the binary file


chattr -i 22491
rm -f 22491


Now, restore the index as above


cd /usr/webman/portal
chattr -i index.cgi
rm index.cgi
cp index.cgi.bak index.cgi


Now for the fun part…. a LOT of files had been renamed (not encrypted) to have .deadbolt appended to the end of the filename… So rename them back


(note, you may want to do this folder by folder and check it is working). The following will do for the entire /volume1


cd /volume1
find . -type f -name "*.deadbolt" -exec bash -c 'for f; do base=${f##*/}; mv -- "$f" "${f%/*}/${base//.deadbolt/}"; done' _ {} +


After these are all renamed, everything should work. Probably a good idea to reboot to restart the services etc.


Also, I’m not sure if the above will definitely traverse the [email protected] etc… so I did this manually


cd /volume1/[email protected]
find . -type f -name "*.deadbolt" -exec bash -c 'for f; do base=${f##*/}; mv -- "$f" "${f%/*}/${base//.deadbolt/}"; done' _ {} +
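The checklist item about searching for .deadbolt files and the rename-back step in the comment above both depend on knowing which files were only renamed and which were actually encrypted. The following Python script is an added example, not code from the article or from the commenter: it sorts `*.deadbolt` files into renamed-only and likely-encrypted, strips only the trailing suffix and never overwrites an existing file. It assumes that an encrypted file no longer starts with its format's signature; the function names, thresholds and sample files are constructed for illustration.

```python
import codecs
import hashlib
import math
import os
import tempfile
from collections import Counter

SUFFIX = ".deadbolt"
SAMPLE = 64 * 1024  # bytes inspected at the start of each file
# Signatures keyed by the extension a file had before the suffix was appended.
# Assumption: an encrypted file no longer begins with its format's signature.
MAGIC = {
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".gif": b"GIF8",
    ".png": b"\x89PNG\r\n\x1a\n", ".pdf": b"%PDF-", ".gz": b"\x1f\x8b",
    ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",
}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def looks_like_text(data: bytes) -> bool:
    """Valid UTF-8 (a cut-off last character is tolerated) and >=95% printable."""
    try:
        text = codecs.getincrementaldecoder("utf-8")().decode(data, final=False)
    except UnicodeDecodeError:
        return False
    ok = sum(ch.isprintable() or ch in "\r\n\t" for ch in text)
    return bool(text) and ok / len(text) >= 0.95


def classify(path: str) -> str:
    """Return 'renamed_only', 'likely_encrypted' or 'undetermined'."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE)
    magic = MAGIC.get(os.path.splitext(path[: -len(SUFFIX)])[1].lower())
    if magic is not None:
        return "renamed_only" if head.startswith(magic) else "likely_encrypted"
    if looks_like_text(head):
        return "renamed_only"
    # No known signature: call only a large, near-random sample encrypted.
    # Compressed formats missing from MAGIC look the same, so extend the table.
    if len(head) >= 4096 and entropy(head) >= 7.5:
        return "likely_encrypted"
    return "undetermined"


def plan(root: str):
    """Walk root and return (source, target, verdict, action) tuples."""
    rows = []
    for folder, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(SUFFIX) or name == SUFFIX:
                continue
            src = os.path.join(folder, name)
            dst = src[: -len(SUFFIX)]  # strip the trailing suffix only
            verdict = classify(src)
            if verdict != "renamed_only":
                action = "keep"         # leave in place for later recovery
            elif os.path.lexists(dst):
                action = "skip_exists"  # never overwrite an existing file
            else:
                action = "rename"
            rows.append((src, dst, verdict, action))
    return rows


def apply_plan(rows, dry_run=True) -> int:
    """Rename the 'rename' rows unless dry_run; return how many qualify."""
    todo = [(src, dst) for src, dst, _verdict, action in rows if action == "rename"]
    for src, dst in ([] if dry_run else todo):
        if not os.path.lexists(dst):  # re-check right before renaming
            os.rename(src, dst)
    return len(todo)


def build_sample_tree(root: str) -> None:
    """Write constructed sample files (not real victim data) into root."""
    noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))
    samples = {
        "photo.jpg.deadbolt": b"\xff\xd8\xff\xe0" + b"\x00" * 64,  # header intact
        "report.pdf.deadbolt": noise,               # signature gone
        "backup.bin.deadbolt": noise,               # no signature, high entropy
        "todo.txt.deadbolt": b"buy disks\n",        # readable text
        "todo.txt": b"newer copy, must survive\n",  # name collision
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for src, _dst, verdict, action in plan(tmp):
            print(f"{action:12}{verdict:18}{os.path.basename(src)}")
```

Run `plan()` against a copy or a read-only mount first and review the verdicts before calling `apply_plan(rows, dry_run=False)`.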


If you have not been hit, I would recommend you action the following from within your Asustor NAS (or better yet, where possible, power the device down) until an official statement and a possible firmware patch is issued.

  • Disable EZ Connect
  • Turn off automatic updates
  • Disable SSH (if you do not need it for other services)
  • Block all NAS ports of the router, and only allow connections from inside the network

Updated 19:30 GMT


More details are coming up and it looks like (at least looking at the messages on the official Asustor Forum and Reddit) the attack stems from a vulnerability in EZConnect that has been exploited (still TBC). User billsargent on the official Asustor forums has posted some useful insights into how to get around the login screen and also details on the processes:


Take your NAS OFF of ezconnect. Block its traffic incoming from outside.
This overwrites the index.cgi with their own. In /usr/webman/portal there is a backup copy of your index there.
To remove theirs, you need to chattr -i index.cgi and replace it with the backup.
But you’ll also have to kill the process. Mine had a process that was just numbers running. I killed it, then deleted it. In /tmp there was another binary that was just numbers.
This is probably not possible to fix without a reset but you can get back into your portal with the above info. Right now though mine is still immediately replacing the index.cgi. 


And:


I am assuming you have ssh capabilities? If so you just need to ssh in and login as root and run these commands. This should help you get back into the portal.


cd /usr/webman/portal
chattr -i index.cgi
rm index.cgi
cp index.cgi.bak index.cgi


If you look at the index.cgi they created before you delete it, it’s a text script.
I am still in the investigative stages but nothing in my shares have been locked up with this yet. Just things in /root so far.
I’ve pulled out a ton of LTO tapes to backup my data. I think this is going to require a full reset. I hope asustor releases a fix for this but I will never again allow my NAS to have outside access again.


For clarification. This is what my /usr/webman/portal directories looked like. the .bak file is the original index.cgi.
I apologize if my posts seem jumbled up a bit. I’m trying to help and also figure this out as well. So I’m relaying things as I find them in hopes that others will be able to at least get back to their work.


Thank you to Asustor user billsargent for the above and full credit to him on this of course.


(Continuing with the Original Article from 21/02 17:30 GMT)


Although it is still very early in the actioning of this encryption attack, these attacks are slowly starting to emerge on forums right now, as well as twitter, see below:

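Oh no!! My ASUSTOR NAS at home has been attacked by ransomware called DEADBOLT! I had seen that it was getting into QNAP NAS devices recently, but I never thought my own NAS would be hit too…
The one silver lining is that I had not put any really important data on it, but losing about 700GB of data is a shock. Anyone using an ASUSTOR NAS should disconnect it from the internet right away pic.twitter.com/gBFu8yx4hG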


— sudara (@sudara_hodara) February 21, 2022



Additionally, this splash message contains a call-out to Asustor themselves (much like the QNAP NAS deadbolt attack) that states a message and a link for the brand to open a discussion (i.e pay) towards a master key and details of the vulnerability they have exploited:


“All your affected customers have been targeted using a zero-day vulnerability in your product. We offer you two options to mitigate this (and future) damage:”


Details are still emerging, so I will keep this article short and sweet for now (and add more later as details emerge), if you own an Asustor NAS drive, check it immediately! Regardless of whether you have enabled remote access via EZConnect or not (as that is not necessarily the key to the attack vector and possible remote DLNA port changes by your system, for example), check it now and ideally disconnect it from the internet. Currently, there is not enough information to ascertain if this relates to a case of ‘out of date firmware’ having an existing vulnerability or something inherent in the current firmware. Regardless, check your system and where possible, disconnect it from the internet until further details are confirmed here, on reputable sites such as Bleeping Computer or via direction from Asustor themselves.



Once you log into your NAS, check your logs and check your processes. If you have the means to back up to a NEW location, do so. DO NOT overwrite your existing backups with this backup unless you are 100% certain you have not been hit by deadbolt ransomware.

What to Do if you have been hit by the Deadbolt Ransomware


If you have been hit by the vulnerability, you will likely be unable to connect remotely with your NAS files/folders. Even if you can, you need to check whether you can open them or whether they have been encrypted to a new format (the extension/.type of file will have changed). The following users commented on reddit and there are similar threads where we can see details of their setup and how they got hit.


IF you still have access to your files, get your backups in order!!!!!


Otherwise, if you have been hit by this, then you need to disconnect your system from the internet. Killing any processes in the task manager is an option, HOWEVER do bear in mind that doing so might corrupt currently encrypting files and therefore stop any kind of recovery. I am checking with a couple of affected users (as well as reaching out to Asustor as we speak) to see if a suitable course of action can be recommended. Some users who have restarted their system or immediately pulled the power and rebooted have found that their system now states that it needs to be reinitialized.


One big factor to keep in mind right now is that it is still unclear a) if the deadbolt ransomware can be killed as a system process in the Asustor control center (I do not have an Asustor NAS that is affected in my possession right now) and b) if switching your system off DURING the deadbolt attack can lead to the data being unsalvageable as the encryption is partway through. So, disconnect from the internet (physically and via EZConnect for now) and if you can see your CPU usage spiking and/or your HDD LEDs going nuts, you are likely being hit.

My Asustor NAS is Saying it is Uninitialized


DO NOT RE-INITIALIZE YOUR NAS. At least not yet. If you have already powered down or restarted your NAS as a reaction to the attack (understandable, if not the best choice without knowing the full attack vectors or how this affects the encryption) and you are being greeted by the option to reinitialize in the Asustor Control Center application, then power the device down again. But again, I only recommend this action right now for those that already reacted to the attack by shutting down/restarting their system post-attack.

If I am not hit by Deadbolt, Should I disconnect my Asustor NAS from the internet?


For now, YES. The attack vectors are not clear and there are reports from some users right now stating that they had the latest firmware and were still hit. There is too much unconfirmed info here to allow remote access (in my opinion) and, until further info is made available, I strongly recommend disconnecting your Asustor NAS from the internet (wire AND via the software settings) and getting your backups in order.


I will update this article as soon as more information becomes available.


Are QNAP NAS Safe?

2 February 2022 at 01:05

Are QNAP NAS Drives Safe Enough to Use in 2022?

Are you a QNAP NAS owner? Perhaps you are considering buying a QNAP NAS based on a recommendation from a friend, work colleague, IT professional or even myself (Robbie) on YouTube. The appeal of owning your own server, cutting the connection with your subscription cloud providers such as Dropbox or Google Drive, having all your data backed up in-house and that feeling of pure control/ownership is hard to overstate. However, over the last 2 years or more, it has been hard to ignore that the brand has suffered a series of security issues surrounding the subject of ransomware – a process whereby your data is encrypted with a unique, near uncrackable cypher and a document (typically a .txt) is left for you with instructions to make a payment in bitcoin to a predesignated account in order to receive instructions and the key to recover your data. Ransomware in and of itself is not new and originally dates back to 1996 under the name cryptoviral extortion (you didn’t come here for a history lesson, but the wiki covers a lot of those early developments into the concept) and is frighteningly easy to conduct IF an intruder has access to your system and/or the means to inject the command to encrypt the data inside of any system. Words like virus, hack and malware have been thrown around the internet for the last 20-30 years, however, Malware feels significantly more organized and comparatively recent, as well as being something that has been enacted on all storage platforms, such as Google Drive (thanks to sync tools). Apple was directly hit in 2021, as were over 300 BIG name companies that you WILL have heard of in the last 18 months, which included:

Acer, FujiFilm, Northern UK Rail, Exabyte Web Hosting, Foxtons, The Salvation Army, Shutterfly Photography, Bose Sound, The NRA, Kronos CRM systems, Gigabyte Motherboards, Volvo, SPAR, Olympus Cameras, GUESS Fashion, ADATA, CD Projekt, Travelex, SK Hynix, Capcom, Crytek, Kmart

Those are just a brief scan of confirmed news reports and only a small fraction of the companies, brands and institutions that have been successfully targeted. Tech companies, media companies, charities and countless retail outlets. Why am I going through all this? Well, these companies 1) should have exceptionally sophisticated storage and remote access protocols in place, 2) cannot use the excuse of being companies with practically no formal association with high-level storage and 3) are companies with a responsibility to protect significantly custom databases that eventually fell foul (partially or fully) to vulnerabilities. Personally, I DO think QNAP have blame that they need to acknowledge publicly, made significant errors in these ransomware attacks AND have handled a number of the follow-up actions to these incidents very poorly (both in terms of communication and execution). However, I do also think that the end-user base is not completely innocent and, alongside ascertaining whether the brand is safe to use in 2022, we should also think about how we store data, the limits of our own due diligence and our expectations from server devices.

Important – If you are currently unaware of the Deadbolt ransomware attack that took place on QNAP NAS devices, you can find out more in the NASCompares article and video here. Additionally, if you have been affected by ransomware on your storage solution (QNAP or whatever brand), this post is not intended to play ‘blame games’ or detract from the impact (personally or professionally) that it has caused. I have experienced ransomware attacks, malware attacks through my browser, virus attacks on my OS and seen my fair share of attacks fail and (annoyingly) succeed. Please do not take this article in the spirit of ‘get stuffed, it’s your fault!’, but as a means of dissecting the current state of play at QNAP NAS and the realistic expectations/responsibilities of all involved.

PSA – GET YOUR BACKUPS IN ORDER!

Before you even go one paragraph further, I have a simple question for you – do you have a backup in place? If yes, then carry on to the next part. If not, and I cannot stress this enough, GET ONE NOW. In the time you are spending reading this, you could be susceptible to data loss in about 10 different ways without even factoring in ransomware (power failure leading to hard drive corruption, malware from a slightly iffy Google search this morning, cloud storage provider going bust, OS failure on your device, etc). In this day and age, owning a sufficient data backup is as sensible as buying a raincoat or looking both ways when you cross the street – you don’t do it because you like rain or like looking at cars, you do it because they are peace of mind, they are a safety net, they are for caution in case of the worst. It is a bit tenuous, but owning one or multiple backups always makes me think of this quote from Shawshank Redemption by Stephen King:

“There are really only two types of men in the world when it comes to bad trouble,” Andy said, cupping a match between his hands and lighting a cigarette. “Suppose there was a house full of rare paintings and sculptures and fine old antiques, Red? And suppose the guy who owned the house heard that there was a monster of a hurricane headed right at it. One of those two kinds of men just hopes for the best. The hurricane will change course, he says to himself. No right-thinking hurricane would ever dare wipe out all these Rembrandts, my two Degas horses, my Jackson Pollocks and my Paul Klees. Furthermore, God wouldn’t allow it. And if worst comes to worst, they’re insured. That’s one sort of man. The other sort just assumes that hurricane is going to tear right through the middle of his house. If the weather bureau says the hurricane just changed course, this guy assumes it’ll change back in order to put his house on ground zero again. This second type of guy knows there’s no harm in hoping for the best as long as you’re prepared for the worst.” 

Get a Backup in place

More Ransomware Attacks than Any other NAS Brand?

WannaCry, QLocker, eCh0raix, Deadbolt, how, many, times…

Probably the most compelling argument against the safety of QNAP for many buyers is the simple fact that they seem to have been in the news more than any other NAS brand for reasons of ransomware attacks. Indeed, even a quick browse of the last 24 months on the site ‘Bleeping Computer’ for stories on QNAP shows you that there have been multiple vulnerabilities found in their software/access that have allowed encryption commands to be injected into the QNAP NAS system to execute the ransomware attacks. How can this one brand be such a soft target? What are they doing wrong? Well, as it stands, reading through news posts before/after previous ransomware attacks, as well as the dissection of events on the official forums in the midst of the current Deadbolt attack, the consistent threads are:

  • QNAP is rolling out software and services with weak default settings and acceptable minimums that allow inexperienced users to open up external access WITHOUT the users understanding the risks
  • QNAP has weaknesses in its software that the brand arguably takes a more reactive than proactive stance on repairing
  • QNAP’s recommendations on actions for users post-ransomware attack, both publicly and in 1-to-1 dialogue with users, have been felt to be unsatisfactory
  • Your QNAP NAS is better off currently used offline/network only

As general as all that might sound (without letting personal opinions colour it), those are largely the four core issues for many that have voiced their feelings on this in the forums. Moving away from the hefty subject of data loss slightly (we will be returning to that in a bit, but that is a question of backups and routines to discuss), there is the fact that there have been vulnerabilities found in QNAP 1st party applications and services – but then again, so have there been in other NAS brands’ own services too. A quick look at their respective Security Advisory pages will tell you this. This doesn’t exonerate QNAP in any way here with deadbolt, as part of the ‘social agreement’ between the end-user and QNAP is that as long as we ‘follow due diligence in protecting the data inside the NAS as directed AND maintain our own network/router setup’, the QNAP NAS should protect our data inside the NAS to the best of its ability. This is where it all becomes problematic, as QNAP have never successfully balanced the line between giving the user freedom, control and customization WHILST still preventing the user from doing anything self-harming without a full idea of the consequences. It’s a line that their biggest competitor Synology seems to toe better and this comparison only serves to reinforce the feeling (and numbers) that QNAP are attacked more. So, how can QNAP change this perception and what have QNAP actioned so far?

The Nature and Practice of Firmware Updates – Prevention & Cures

“Remind me Tomorrow” click

Though sometimes NOT the means with which a vulnerability in the QNAP NAS software/services is achieved, it is still a factor in some instances that updating to a later firmware would actually have closed a vulnerability. However, this is a remarkably broad statement and the truth is a great deal more nuanced. First, we have to understand that ALL software that has a remote access component via the internet will likely be investigated by cybercriminals for weaknesses. Not just NAS ones – ALL of them, from Microsoft Office and Android mobile OS, to your LG TV and Amazon FireTV. Hell, I bet there are people who have investigated the ‘buy now’ option of WinRAR in an effort to see if an opening exists to use it as a ransomware entry vector. What I am saying is that as soon as a commercially popular software with internet access exists, people are going to try and take it apart to find out its weaknesses for exploitation. If/When these weaknesses are found and actioned (or submitted to the brand for bounty programs – whereupon brands ask people to try and break their software, so they can make it better/safer/improved), the brand then issues a firmware update to the affected software/services to its user base, then around the merry-go-round we go again! This is not a process that happens daily – but it definitely happens weekly or monthly (depending on the frequency of the brand to instigate the changes that are raised to them). This is why it is so common for companies that are affected by ransomware in their software/services to immediately highlight the need for firmware updates. At that point, the attack vector and vulnerability is reverse engineered, patched and closed. Many of these vulnerabilities are small. Very, VERY small sometimes.
Indeed, it is for this reason that all the reputable NAS brands have security advisory pages that list current weaknesses, vulnerabilities and issues on their platform that are being investigated (Synology HERE, Asustor HERE and yes, QNAP HERE) and in all my time in the world of network-attached storage, I do not think I have ever seen one of these pages have ‘100% resolved’, but when something is resolved the resolution is invariably rolled into an update. So what we can take from this is that although firmware updates do not completely remove the possibility of new vulnerabilities being found in the future, they do seemingly close the bulk of existing vulnerabilities that have been found by/volunteered to the brand.

So why do we not install the firmware updates automatically? This isn’t limited to NAS of course! From the Mac notifications that have been nagging you at the top right of your screen, to the Windows update at the bottom right and all those applications on your phone that are asking you to please install the latest updates to your software – we choose to ignore them til ‘later’! Worse still, there is the old ‘if it ain’t broke, don’t fix it’ mentality that will often result in many users only installing smaller updates, but flat out avoiding the BIG updates as they can ‘change where everything is’ or ‘I heard it breaks a bunch of stuff’. Businesses in particular, with shared files in their thousands, are always reluctant to run any process that can suspend that access temporarily or change how something works. So, there we have a fine melting pot of ingredients that has led (in some instances, but not all – as we will go further into) to many users being hit by ransomware attacks via vulnerabilities that, although patches were available, were not actioned. How do we resolve this? Forced update that leaves the user’s own hesitance out of the equation? Limitations of the system’s remote connectivity unless the latest firmware update is installed (console gamers will be very familiar with that method of course)? Or a 50/50 split where minor updates are optional, but larger ones are mandatory? It’s a tough tight rope to walk. So, let’s see how QNAP walked/walks this tight rope and how they could have possibly done it A LOT better.

System Updates and Updates that are QNAP Forced?

Forced? Optional? Access Penalties?

As mentioned, tighter control of firmware implementation would allow the brand to ensure that QNAP NAS that have internet accessibility are updated to a high/current firmware revision. Alternatively, the brand could limit the system’s external connectivity and disable all settings if the firmware on the system is not up to date – simply running a check with the QNAP domain when trying to access these services and settings and declining if the latest update is not installed. Xbox and Playstation users are more than aware of this as a fixed rule to ensure that installed software is officially licenced and checked in advance. However, those are closed systems and many buyers have selected QNAP because of the flexibility and customization it offers.

Forced updates are something of a taboo subject too, with the recent rather heavy-handed move by QNAP in light of the Deadbolt ransomware attack to remote push the latest firmware update to all QNAP NAS systems that were internet-connected without any notice to the end-users (overriding any settings that disabled or prevented this). Now, clearly, QNAP did this as an extreme measure and something to prevent the vulnerability of the system software and/or configuration from being exploited further (which has still not been fully confirmed in its attack vectors, with some users who have ridiculously high-security settings still getting hit). In non-ransomware instances, I think QNAP issuing a message to their user base with an “In 5 days there will be an essential system update on XX day XX month at XX:XX time” message, with even a brief explanation of why, would have been infinitely more preferable and would have been met with a much more positive stance (as well as it also making many users update sooner). However, clearly, the decision for a forced update was more of a last resort/hastily decided choice and that forms part of another reason that many users find the QNAP platform to sometimes bring services and software to market that could do with a little more time in the oven. Whatever way you look at it, QNAP was going to be damned, whatever they did. But did they put themselves in this position? What about the expectations of the end-user and due diligence? What SHOULD be the expected skillset of a QNAP NAS buyer to start with?

The Extent of the End User Responsibility, Skillsets and Expectations?

How much should a user be expected to know about networking?

The simplicity of NAS systems (not just QNAP) can often be oversold. It’s annoying and I am as guilty as most of this, but given the wide range of users who install a NAS system into their storage environments, the ease of setup and use is not shared with the ease of setup and understanding of network security in your home or office. On the one hand, QNAP have supplied multiple services and processes in their system software that make remote access easy, encrypted transmissions easy, SSL certificate applying easy, 2-step authentication easy, UPnP and router pushing easy – you name it, they have tried to make it easy. But should they have? The ease of setting up a number of these services (as well as non-randomized settings in some places) can easily give users a false sense of security. So, for those users of a higher skillset, it would be acceptable that a QNAP NAS should only be remotely accessed with the highest layers of security applied, and it should not allow remote level access to be possible without some unique intervention and set-up by the end-user (not just a password and/or disabling an admin account). Although stopping presets of this nature would lead to a noticeable spike in the difficulty of setup, perhaps that is what is needed. This is by no means a new issue we are discussing and even a brief Google search online finds examples of attack vectors and methods as far back as 1999 on public/org sites.

However, in reality, it simply would not work like this. The user base of QNAP NAS is just too varied and though these tougher and more unique security implementations would secure things, the less technically skilled users would hit hurdle after hurdle; once again, one of the prices of some (not all) of that flexibility. A lot of users who have been hit by ransomware attacks have specifically headed to official forums because they do not have the remote setup experience that might be deemed an acceptable minimum to start opening ports via the QNAP settings or directly on the router. This once again brings us back around to what should be the expected skill level of a QNAP NAS owner, how much of the control and security profile of the storage system belongs to QNAP and how much should the buyer be expected to do independently? You can buy a car, you can fill it with petrol and the manufacturer can tell you its top speed, and miles to the gallon – but no car manufacturer would feel the need to add to all their adverts “must have a driving licence”, would they? It’s a rather stretched simile I know, but the fact remains that users cannot expect to connect their storage to the internet in 2022, open up pathways to it via the internet and not at least make allowances or provisions that an attack could happen. This leads us to the hardest and coldest fact of QNAP’s recent ransomware attacks that, although it only applies to a % of users, is still depressingly true.

How Backups and Data Storage are Still being Misunderstood

A frighteningly large number of victims with no backup. Acceptable backup levels?

One of the hardest choices for anyone that has been successfully targeted by ransomware attackers (not exclusive to NAS either) is the choice to pay or not. When I am asked to make recommendations for a home or business user in the free advice section here on NASCompares or the comments on YouTube, I will always ask what the user’s storage quota is currently (now, then double annually over 5yrs), their user base (volume and frequency) and their budget? That last one is always a kicker for some, as no one wants to show their cards! I’m not a salesman and I do not work for an eRetailer, I ask because there is a lot of ground between a £99 DS120j and a £5000 RS3621XS+. However, budget is INCREDIBLY important and should not only be measured by the number of 0’s in the account, but also by the cost if the data is lost! Many users are so busy thinking of how much it will cost to provision for the future, that they are not factoring in the cost of replacing the past! This is the exact personal vulnerability that ransomware targets and sadly, a lot of users still do not understand 1) what a backup actually IS and 2) what a backup actually ISN’T.

If your data ONLY lives on the NAS, then the NAS is not a backup. You likely knew that. But socially and conventionally, we tend to forget it quite easily. We make space on phones by deleting stuff because ‘it is backed up on the NAS’. We sync our laptops and MacBooks with a remote folder to keep our files safe on the NAS, but still make changes or delete files on the hoof. We take the NAS as read as a backup and at that point, it isn’t! Likewise there are things that SOUND like backups… RAID… Snapshots… Hot Spares… they sound very reassuring, but are not backups, they are safety nets! And are all typically found ‘in system’. A REAL backup is something that is the same files, ELSEWHERE! There is no avoiding that a QNAP NAS (or a Synology or Asustor NAS for that matter) is NOT a backup solution in and of itself, but can be used IN a Backup Strategy. All brands highlight at numerous points on their website that you should have a 1-2-3 Backup strategy, or a bare-metal and cloud backup, or a periodic USB backup, a NAS to NAS remote backup – or ALL of them! Sadly, there are a lot of users in the official QNAP forums that have been hit by ransomware and did not have backups in place, with some knowing that they needed a backup but their budgets prohibited it. Whilst others say that QNAP said it’s a backup device, they bought it as a backup device, QNAP missold it and that is the end of argument!

The sad truth is that QNAP is not responsible for your backup routine or strategy. It supplies the means to store and access data and their responsibility (succeed or fail) is to ensure its hardware and/or software provides a default secure level of access, as well as the means to configure that access to the user’s control. There HAVE been vulnerabilities found and they have patched them, as is the usual process in these things (at least, they say they have and that is the best guarantee we can ever have from a brand in the circumstances), but they are NOT responsible for your backup routine. This now leads us to the subject of the QNAP hardware, the QNAP software and comparisons with Synology.

Hardware vs Software Priorities – Both the Brand and the User Base

Hardware vs Software, QNAP vs Synology, Is the grass greener?

Way back in the mid twenty-teens, whenever I would discuss QNAP and Synology on the platform, I would always say that you go to Synology for the Software and QNAP for the Hardware. Synology’s DSM platform clearly makes up the bulk of the company’s investment and attention, makes up a significant chunk of the price tag and is designed around keeping things as user-friendly as possible (within reason). This is why their devices at each generation refresh (DS916+>DS918+>DS920+ or DS216+>DS218+>DS220+) only make smaller increases on the previous generation – the software IS the focus. With QNAP we tend to see the hardware taking bigger leaps each generation. Better standard ethernet, better PCIe gens, better CPUs much earlier and overall greater hardware at any given time. For PC builders and those that know a lot more about the contents of their laptop than the contents of their router, this is speaking THEIR language and makes the price tag translate better. Fast forward to 2022 and although that logic still remains the same, these brands are more 60/40 in their architecture (where 60 = their preferred hardware or software bias). The issue starts when QNAP seem to rush their software out the door very quickly. Alongside a lot more beta applications being available, they roll out a lot of new types of software that (and I am sorry to use that expression again, but) could have used more time in the oven. This approach to software development and release can be dicey and although it makes QNAP the more exciting platform (with its better hardware, more diverse software and continued AI or generally automated services), it also means that the platform has less of the layers of troubleshooting red-tape that Synology has (which inversely means the Synology product is going to be more expensive and less hardware rich, as that investment of time needs to be repaid to be justified).

Look at the Apple TV box or Amazon FireTV / Firestick. Is it user-friendly? Yes! Is it slick and intuitive? Yes! Is it flexible in the installation of 3rd party applications? NO (at least, not without workarounds)! Is it hardware-powerful? LORD NO! One glance on eBay will show you a thousand other media boxes at the same price with Android on board, 5-10x the hardware and customization coming out of the wazoo. Nevertheless, many users will not buy the Apple/Amazon media option because although they KNOW it will be slick and ‘hold your hand’ all the way, it will be a closed system, noticeably more expensive and even then “nothing is foolproof, right?”. And a lot of the anger at QNAP for their increased ransomware targeting and handling of this needs to also be balanced against why a lot of users chose the QNAP NAS brand. The QNAP NAS platform does have good applications and services, some genuinely unique ones and ones that allow tremendous flexibility and customization – but users need to remain relative to what drew them to the platform and have sufficient backups AND safety nets in place. I would say this about QNAP, about Synology, hell… Google Drive, DropBox, Backblaze… ALL of them have localized client tools that rely way too much on the success of versioning/roll-backs being possible on the cloud platform. None of them are 100% foolproof and QNAP dropped the ball multiple times here, but none of these ways are unprecedented and should be provisioned for regardless of your NAS brand or cloud platform.

The Sad Truth about Servers, Security and Vulnerabilities

Vulnerability > Update > vulnerability > update > rinse > repeat

No platform, software or service is going to be 100% bulletproof. You can increase your personal layers of security (VPNs, Encryption, layers, restrictive white lists, etc) to hit 99.99% but whatever way you are looking at it, everything we use is software-based and therefore, fallible. Equally, users cannot pretend that it is still the early days of the internet anymore and still be annoyed when a statistical possibility that should have been factored against was not. Do I think QNAP NAS are safe? I’m sorry to say that the answer is never going to be a simple Yes/No. I think they provide what they say they provide and I think that QNAP hardware is still the best in the market right now. But their software needs to be less rushed, the extra time/budget be spent on that software, or utilize a trusted 3rd party. They need to relinquish some of the customization of their platform in efforts to remove some of the configuration out of the hands of less tech-savvy users who end up overly reliant on defaults. Perhaps a much more rigorous setup policy that, on day 1, has an EXPERT door and a NOVICE door, with randomized defaults and extremely regimented update rules on the latter. Equally, the brand (though better than it was) needs to work on its communication with its end-user base, both in the event of critical issues and education on what the user base needs to have to increase security OUTSIDE of their product.

I still recommend the brand, I still think users should use their products, but we need to be realistic and honest with ourselves about what we buy and our expectations. If I buy a QNAP NAS, I expect it to store the data I store in it and allow me access to it on my terms, but ‘my terms’ might be a lot more/less strict than the next person and with that comes due diligence in 2022. I hope that the most recent ransomware attack, deadbolt, is the last ‘big’ one we hear about this year/moving forward, but I do not think it will be. More than just QNAP, one look at the vulnerabilities listed on security advisories of all the brands tells us that there is big money to be made by these intruders and the brands can only stay 1 step ahead. As always, me and Eddie here on NASCompares have been running a page that links to the bigger NAS security Advisory pages that gets regularly updated, so if you want to get notifications on these as they get added (pulled from the official pages themselves), then you can visit the page below and put your email in for updates when they happen. Have a great week and backup, backup, BACKUP.

Click Below to Read

 

Finally, If you are currently unaware of the Deadbolt ransomware attack that took place on QNAP NAS devices, you can find out more in the NASCompares article and video below:

 

📧 LET ME KNOW ABOUT NEW POSTS 🔔

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 1,451 other subscribers


Get an alert every time something gets added to this specific article!


Want to follow specific category?

This description contains links to Amazon. These links will take you to some of the products mentioned in today's content. As an Amazon Associate, I earn from qualifying purchases. Visit the NASCompares Deal Finder to find the best place to buy this device in your region, based on Service, Support and Reputation - Just Search for your NAS Drive in the Box Below

 


QNAP NAS Attacked By DeadBolt Ransomware

26 January 2022 at 15:08

New QNAP Attack Emerges in the last 24hrs, the Deadbolt Ransomware

UPDATED 28/01/22 – QNAP has instigated a forced-push firmware update to NAS devices to upgrade their systems to version 5.0.0.1891 (the 23/12/21 update), which will override systems that have their update settings set to ‘Do not automatically update’. This will almost certainly change a number of default settings that, in older QTS versions, are connected with the means by which deadbolt is instigated on individual NAS systems. Following this, several users have reported that existing iSCSI connections ceased, due to a default setting changing in the update. As per the highlights in the bleepingcomputer update article, users have resolved this by seeking out the following setting:

“In “Storage & Snapshots > ISCSI & Fiber Channel” right-click on your Alias (IQN) select “Modify > Network Portal” and select the adapter you utilize for ISCSI.”

Nevertheless, a forced update is quite a big move by the brand in response to this ransomware attack, and one that under other circumstances would ideally have been announced in advance with a “we will be making this forced update on X date, be aware” etc. In the QNAP reddit, a 1st party support team member responded to queries regarding the forced QNAP QTS update with the following:

“We are trying to increase protection against deadbolt. If recommended update is enabled under auto-update, then as soon as we have a security patch, it can be applied right away.

Back in the time of Qlocker, many people got infected after we had patched the vulnerability. In fact, that whole outbreak was after the patch was released. But many people don’t apply a security patch on the same day or even the same week it is released. And that makes it much harder to stop a ransomware campaign. We will work on patches/security enhancements against deadbolt and we hope they get applied right away.

I know there are arguments both ways as to whether or not we should do this. It is a hard decision to make. But it is because of deadbolt and our desire to stop this attack as soon as possible that we did this.”

Additionally (again, thanks to BleepingComputer for raising this), there are reports that the number of affected devices may have risen significantly since originally projected, and several security researchers and internet device monitoring sites put this number at between 1,160 and 3,687 as of Jan 28 2022. See tweet below:

🔐 Curated Intel member, @1ZRR4H, observed QNAP ransomware events being reported via IoT search engines, including Shodan and Censys.

🔗 Shodan (1160 events): https://t.co/qpaCTuICAf

🔗 Censys (3687 events): https://t.co/uZKLQprSDE

Tip: use country tags to search by country. pic.twitter.com/2IXpCNpBvV

— Curated Intelligence (@CuratedIntel) January 27, 2022

I will continue to update this article as new information emerges. Please find the original article detailing the Deadbolt ransomware attack on QNAP NAS devices below.

Yesterday (25/01) it was reported on the official QNAP forums that several users had been attacked by a new ransomware (going by the name Deadbolt) that, if successful in its intrusion, encrypts the contents of your NAS and demands 0.03 bitcoin (about $1000-1100) to provide the decryption key and allow retrieval of your data. QNAP has responded on multiple channels, urging their user base to immediately disable Port Forwarding on their router/modems and the UPnP function of the QNAP NAS within the remote access services. Additionally, they (as you would expect) strongly advise users to update their QTS software to the latest available version to block incoming DeadBolt ransomware attacks. QNAP has since issued this statement, published 26/01/22:

QNAP Systems, Inc. recently discovered that a ransomware called DeadBolt is attempting to attack NAS exposed to the Internet. The ransomware will hijack the NAS login screen and extort bitcoins from the victim. QNAP strongly urges all NAS users to immediately follow the methods below to check whether your NAS is exposed to the Internet, confirm whether the security settings of the router and NAS are complete, and update QTS to the latest version as soon as possible. More information regarding checking the level of access your QNAP NAS has to the internet, as well as how to change key settings to improve security can be found HERE.

Following the news on this as it has happened over 24hrs, the popular network security site Bleeping Computer reported that the DeadBolt ransomware group started attacking QNAP users and encrypting files on compromised NAS devices, applying a .deadbolt file extension to affected files.

Unlike previous instances of QNAP NAS being targeted by ransomware, the deadbolt group is not dropping ransom .txt files or docs onto the encrypted devices; this time it is replacing the login page with a warning screen saying “WARNING: Your files have been locked by DeadBolt.” The ransom screen asks the QNAP NAS owner to pay 0.03 bitcoins (roughly $1,100) to a unique Bitcoin address generated for each victim, claiming that the decryption key will be sent to the same blockchain address in the OP_RETURN field once the payment goes through. Sadly, as is always a risk factor with ransomware, there is currently (at the time of writing) no confirmation that the threat actors will actually deliver on their promise to send a working decryption key after the ransom is paid. Users who have been affected are seemingly not considering paying (understandably, as paying likely facilitates this happening to others in future).

In addition to the main ransom note splash screen on affected QNAP NAS systems, there is also a link, “important message for QNAP,” which leads to a message from the DeadBolt ransomware group that is specifically for QNAP’s attention. This screen states that the DeadBolt ransomware gang is offering the full details of the alleged zero-day vulnerability if QNAP pays them 5 Bitcoins, roughly equivalent to $184,000. They are also willing to sell QNAP the master decryption key that can decrypt the files for all affected victims, together with the zero-day info, for 50 bitcoins, roughly $1.85 million based on the current BC valuation. They state that if this payment is made: “You will receive a universal decryption master key (and instructions) that can be used to unlock all your clients files. Additionally, we will also send you all details about the zero-day vulnerability to [email protected]”

So, fairly brazen stuff!

What Does the DeadBolt Ransomware do to my QNAP NAS?

The DeadBolt ransomware is attempting to encrypt QNAP NAS units, utilizing what the group states is a zero-day vulnerability within QTS. (A zero-day vulnerability is a vulnerability in a system or device that has been disclosed but is not yet patched. An exploit that attacks a zero-day vulnerability is called a zero-day exploit.) The attack began on January 25th, with numerous QNAP users discovering their data encrypted and file names appended with a .deadbolt file extension, and the QNAP login web page amended to show a screen stating, “WARNING: Your files have been locked by DeadBolt” (see below):

On this occasion, this user was told they need to pay 0.03 bitcoins (roughly $1,100) to an individual Bitcoin link in order to receive the decryption key. The process of receiving the key is detailed as follows:

So, if you have not been affected by this ransomware, but have/need your QNAP NAS to be remotely accessible from outside of your local network, what should you do?

How to Check and Amend Your QNAP NAS Internet Access Right Now

Like many ransomware attacks, the full vulnerability that it exploits will become clearer as time goes on, but a major facilitating factor of the deadbolt attack is poor remote access security. Remote access to the NAS can be set up in several ways (some more complex than others), and QNAP, in their recent news post on this ransomware attack, highlights further recommended network maintenance measures that you should follow/check. Open the Security Counselor program of the QNAP NAS. If you find the warning text “The System Administration service can be directly accessible from an external IP address via the following protocols: HTTP”, it means that your NAS is exposed to the external network and the risk is extremely high.

If you are unsure which port numbers on your router are open, then you can use this guide on How to query the port number that has been exposed to the external network HERE. If your NAS is exposed to the Internet, it is recommended that you follow the steps below for NAS security protection:

1: Turn off the Port Forwarding function of the router

Open your router’s system management interface, check the router’s Virtual Server, NAT or Port Forwarding settings, and set the NAS system management ports (8080 and 443 by default) to off.

2: Check if the UPnP function of the QNAP NAS remains off

Open the myQNAPcloud app of QTS and check the UPnP Router settings. Uncheck “Enable UPnP Port forwarding”
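The check in steps 1 and 2 can also be run against the router's own list of port mappings. The following is an added example, not code from QNAP or the original article: it parses a constructed listing laid out like the mapping list printed by miniupnpc's `upnpc -l` and flags every mapping that lands on the NAS management ports (8080 and 443), whatever external port is used. The NAS address 192.168.1.50, the listing and the severity labels are assumptions.

```python
import re
from dataclasses import dataclass

# QTS system-management ports as given in the article (the defaults).
QNAP_ADMIN_PORTS = frozenset({8080, 443})

# Constructed sample, laid out like the mapping list printed by `upnpc -l`.
# Adjust LINE_RE if your router exports its forwarding table differently.
SAMPLE_LISTING = """\
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP  8080->192.168.1.50:8080  'NAS web admin' '' 0
 1 TCP 32400->192.168.1.60:32400 'media server' '' 0
 2 TCP  8443->192.168.1.50:443   'NAS secure web admin' '' 0
 3 UDP 51820->192.168.1.1:51820  'vpn' '' 0
 4 TCP  2222->192.168.1.50:22    'ssh' '' 3600
"""

LINE_RE = re.compile(
    r"^\s*\d+\s+(TCP|UDP)\s+(\d+)->(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+'([^']*)'"
)


@dataclass(frozen=True)
class Mapping:
    proto: str
    ext_port: int      # port reachable from the internet
    int_addr: str      # LAN host the router forwards to
    int_port: int      # port on that LAN host
    description: str


def parse_mappings(listing):
    """Return one Mapping per forwarding rule; header and junk lines are skipped."""
    mappings = []
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        proto, ext_port, addr, int_port, desc = m.groups()
        mappings.append(Mapping(proto, int(ext_port), addr, int(int_port), desc))
    return mappings


def audit(mappings, nas_ip, admin_ports=QNAP_ADMIN_PORTS):
    """Classify every rule that forwards internet traffic to the NAS.

    The match is on the *internal* port: forwarding external 8443 to
    internal 443 still puts the management interface on the internet.
    """
    findings = []
    for m in mappings:
        if m.int_addr != nas_ip:
            continue  # rule points at another LAN host
        if m.proto == "TCP" and m.int_port in admin_ports:
            findings.append(("CRITICAL", m))
        else:
            findings.append(("REVIEW", m))
    return findings


def report(findings):
    """Format findings as one line each for printing or logging."""
    return [
        f"{sev}: {m.proto} {m.ext_port} -> {m.int_addr}:{m.int_port} ({m.description})"
        for sev, m in findings
    ]


if __name__ == "__main__":
    # 192.168.1.50 is the assumed LAN address of the NAS.
    for line in report(audit(parse_mappings(SAMPLE_LISTING), "192.168.1.50")):
        print(line)
```

Any CRITICAL line corresponds to a rule that step 1 or step 2 should remove; REVIEW lines are other services on the NAS that are reachable from outside and deserve a deliberate decision.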

Connecting to your QNAP NAS remotely may well be a key reason why you purchased the system, and users who are less tech or network protocol savvy will often use the QNAP-supplied service. However, I still HIGHLY recommend that you bolster your network security settings as much as possible and ensure you have multiple layers of security (automated or direct authentication required) between the internet and your NAS Drive. If you need a NAS external network connection and want to use the myQNAPcloud Link to connect, please refer to the following link – HERE

Alternatively, QNAP made a whole page on remote access security and a breakdown of the factors HERE. Further details on this are covered in the Data News of the Week Video below from the NASCompares YouTube channel:

We will continue to monitor this and update this article if further information arrives that ranges from changes in the attack methodology to potential fixes and decryption tools emerging.

Additionally, it is worth remembering that exploits can be found in practically any internet-connected appliance; it is just a question of the extent to which a vulnerability can be pushed to execute unique commands. The software makers (not just NAS, but practically ALL internet service linked applications and tools) can only be 1 step ahead of hacks (cat and mouse, 1 step each, etc) and that is why all reputable NAS brands have Security Advisory pages that are regularly updated to list any current vulnerabilities that are found, addressed and patched on their platforms. However, staying on top of these can be difficult, so below is a link to a page here on NASCompares that is updated automatically every day and/or whenever a brand updates its security vulnerability advisory pages. You can add your email address to that page in order to receive updates as soon as the brands publish investigated vulnerabilities. Visit this page by clicking the banner below:

 



Terramaster NAS Drives Being Attacked by Ransomware

18 January 2022 at 10:13

Terramaster NAS Devices Being Targeted by Ransomware – IMPORTANT

If you are a current Terramaster NAS user, then immediately log into your system and check that your data is in order. In a little over the last week, numerous users have been reporting that their TNAS systems have been hit by ransomware attacks (bearing similarity in structure and protocol to the eCh0raix attacks that were attempted/executed on QNAP and Synology NAS systems in 2020/2021) and a considerable number of users are reporting that their data has now been encrypted, with the usual ransom note for payment (bitcoin to X wallet etc) left for the user’s attention. Although any internet-accessible device always has to take into consideration (and prepare for) the possibility of an outside intruder getting in, there are questions being raised about the extent to which Terramaster has been at fault in securing their systems and in reinforcing security protocol/workflows for their audience (many of whom purchased their value series devices with a domestic level of technical knowledge), as well as questions about vulnerabilities in UPnP (previously raised in April 2021). Here is a breakdown of everything we know so far at the time of writing.

The Terramaster NAS Ransomware Attack – The Story so far and what Terramaster Recommend You Do

On the 11th Jan 2022, Terramaster raised this post on their official forum and news pages here regarding reports of ransomware attacks on TNAS systems. The key points and recommendations for actions from that post were as follows:

Recently, we have received reports that some TNAS devices have been attacked by ransomware. Based on the case study, we preliminarily concluded that this was an external attack targeting TNAS devices. To keep your data safe from attack, please take action immediately!

We suggest you take the following countermeasures:

1. Upgrade your TOS to the latest version;

2. Install good anti-virus software on your computer, TNAS device and router to help you detect and resist malicious threats;

3. Disable port forwarding on your router.

4. Disable the UPnP function on your TNAS.

5. Disable RDP, SSH and Telnet when not in use;

6. Change the default port of FTP.

7. Set a high security level password for all users;

8. Disable the system default admin account, re-create a new admin account, and set an advanced password;
Note: For versions after TOS 4.2.09, you can set the administrator account without using the default admin username when installing the system. If it was upgraded from a version before TOS 4.2.09, you need to reset the system configuration, then you can customize the user name.

9. Enable firewall and only allow trusted IP addresses and ports to access your device;
a. Go to Control Panel > General Settings > Security > Firewall.
b. Create a firewall rule and choose the operation of allow or deny.
c. Fill in the IP range you allow or deny access to.

10. Avoid using default port numbers 5443 for https and 8181 for http;

11. Enable automatic IP block in TOS Control Panel to block IP addresses with too many failed login attempts;

12. Backing up data is the best way to deal with malicious attacks; always back up data, at least one backup to another device. It is strongly recommended to adopt a 3-2-1 backup strategy.

If unfortunately, you have found that your data is infected by ransomware:

1. Disconnect your computer and TNAS device from the Internet immediately;

2. Before restoring data, thoroughly remove the infection in the computer system and TNAS; You need to restore your TNAS to factory settings and completely format all your hard drives.

Now, how did this occur? It seems that details are being circulated regarding a vulnerability that was found online in December. A remarkably comprehensive and detailed breakdown of how this vulnerability in a Terramaster was exploited can be explored here, published in December 2021 – https://thatsn0tmy.site/posts/2021/12/how-to-summon-rces/

There have been several criticisms raised against Terramaster and their recommendations, as well as against how loud the brand is being, outside singular forum posts, in raising awareness of this. Criticisms range from not adequately explaining how to action the recommendations (such as how to disable the admin account, and how it is not simply a case of an on/off option immediately accessible to all via a separate account) to not detailing how these changes will impact system use afterwards. An official Terramaster support team member has responded:

First of all, it is very sad that this happened to all the victims. Terramaster has been working hard to strengthen the security of TNAS devices. Various security tools are integrated in TOS, and we also provide you with various possible countermeasures. However, once your device is exposed to the Internet, there is a risk of being attacked. Because you are dealing with very professional hackers, hackers will do anything to gain profits. Only one method is not enough to avoid attacks. In order to improve the security level, multiple security measures must be adopted. Even so, there is still no guarantee that your device is completely secure. A large number of devices are attacked by ransomware every day, including Terramaster, QNAP, Synology, and even the servers of some large enterprises or government agencies.
https://unit42.paloaltonetworks.com/ech … ware-soho/

If you expose your device to the internet but don’t want to do anything, you may be one of the victims. After studying the cases of individual victims, we found that the hackers continued to attack the victim’s device through the ftp service for more than dozens of hours. If you use the system default port, low security level account and password, you are very likely to become a victim. However, ftp is definitely not the only way to attack, please act immediately and follow our countermeasures one by one to reduce the risk of being attacked.

We will continue to study how the ransomware invaded TNAS devices and will release updates in a timely manner.
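Terramaster's reply above describes failed FTP logins that continued for dozens of hours, and countermeasure 11 blocks addresses with too many failed attempts. The added example below is not Terramaster's code; the log format, addresses and thresholds are constructed assumptions. It shows how a short lockout window alone can miss a slow campaign of that kind, while the same count applied over a longer window catches it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log format for this example (not the TOS log format):
#   <ISO timestamp> ftp <LOGIN_FAIL|LOGIN_OK> user=<name> src=<ip>
LINE_RE = re.compile(r"^(\S+) ftp (LOGIN_FAIL|LOGIN_OK) user=(\S+) src=(\S+)$")

# Assumed thresholds: a typical short lockout rule and a long-window rule.
SHORT_THRESHOLD, SHORT_WINDOW = 5, timedelta(minutes=10)
LONG_THRESHOLD, LONG_WINDOW = 20, timedelta(hours=24)


def build_sample_log():
    """Constructed sample: one slow source, one noisy source, one real user."""
    start = datetime(2022, 1, 9, 2, 0, 0)
    events = []
    # Slow guesser: one failure every 20 minutes for 30 hours.
    for i in range(91):
        events.append((start + timedelta(minutes=20 * i),
                       "LOGIN_FAIL", "admin", "203.0.113.7"))
    # Noisy guesser: eight failures within two minutes.
    for i in range(8):
        events.append((start + timedelta(hours=5, seconds=15 * i),
                       "LOGIN_FAIL", "admin", "198.51.100.23"))
    # Legitimate user who mistypes twice and then logs in.
    events.append((start + timedelta(hours=8), "LOGIN_FAIL", "alice", "192.168.1.20"))
    events.append((start + timedelta(hours=8, seconds=20), "LOGIN_FAIL", "alice", "192.168.1.20"))
    events.append((start + timedelta(hours=8, seconds=45), "LOGIN_OK", "alice", "192.168.1.20"))
    events.sort()
    return [f"{ts.isoformat()} ftp {kind} user={user} src={src}"
            for ts, kind, user, src in events]


def failures_by_source(lines):
    """Map each source address to its sorted list of failed-login times."""
    failures = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m.group(2) == "LOGIN_FAIL":
            failures[m.group(4)].append(datetime.fromisoformat(m.group(1)))
    for times in failures.values():
        times.sort()
    return dict(failures)


def flag_sources(failures, threshold, window):
    """Sources with at least `threshold` failures inside any span of `window`."""
    flagged = set()
    for src, times in failures.items():
        lo = 0
        for hi in range(len(times)):
            # Slide the left edge until the span fits inside the window.
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged.add(src)
                break
    return flagged


def campaign_hours(times):
    """Hours between a source's first and last failed login."""
    return (times[-1] - times[0]).total_seconds() / 3600


if __name__ == "__main__":
    failures = failures_by_source(build_sample_log())
    short = flag_sources(failures, SHORT_THRESHOLD, SHORT_WINDOW)
    long_ = flag_sources(failures, LONG_THRESHOLD, LONG_WINDOW)
    for src in sorted(short | long_):
        rule = "short window" if src in short else "long window only"
        print(f"{src}: {len(failures[src])} failures over "
              f"{campaign_hours(failures[src]):.1f} h ({rule})")
```

In the constructed data the 20-minute pacing never puts five failures inside ten minutes, so only the 24-hour window flags 203.0.113.7; running both rules side by side covers the noisy and the patient source.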

Now, one recommendation that has drawn particular scrutiny is disabling the default admin account. Many users highlight that disabling the default administrator account is easier said than done, as it is dependent on your installation and version of TOS. To disable the admin account (according to the service team on the official Terramaster forum), you need to be a new user with a new TOS installation of version 4.2.09 or later. For users whose TOS was installed before 4.2.09, or updated from such a version to a later one, it is not possible to disable the default admin account; you need to re-install a new TOS later than 4.2.09. If you are considering re-installing TOS fresh on your Terramaster (for security, or as a last alternative to get your system storage back without paying the ransom, regardless of lost data), a guide from Terramaster can be found here – https://forum.terra-master.com/en/viewtopic.php?f=76&t=423

Additionally, Terramaster is currently working on TOS 5.0, the latest version of their software (currently still in early alpha/beta testing), and some users on the official forum are highlighting that just waiting for this new full release is preferable.

If you have been hit by the Terramaster Ransomware Attack?

Currently, it seems (at least at the time of writing) that if your Terramaster NAS has been hit by this ransomware, there is little to no 3rd party tool/decryption solution available online. However, much as when QNAP was hit by eCh0raix and Qsnatch, solutions may appear over time (some came in executable form, such as QRescue with PhotoRec addons) and some reverse engineering methods might be possible. So if you have important data that you hope to recover, but balk at the prospect of paying the attackers, it might be worth moving this data off the NAS and onto another storage system (USB, Cloud, offline server, etc) in the meantime. Of course, if you still wish to use your Terramaster NAS system, it will require a system reset/format. Indeed, Terramaster themselves (rather bluntly, one might say) described in their official forum the process of the malware attack in this (and most) cases, and the result if no decryptor can be put together (as has been the case with a few of the 2020/early-2021 ransomware attacks on other platforms such as QNAP):

Since the ransomware creates a random sequence as the AES Key, and then encrypts the previously generated AES Key with the locally generated RSA public key, and uses the AES CFB algorithm to encrypt the files in the infected device, each encrypted device uses a different key. Likewise, once files are encrypted by ransomware, there is usually no way to decrypt them. If your data is so important that you need to get it back, paying the ransom might be the only way. It’s worth reminding that even paying the ransom is not a 100% guarantee that your data will be rescued. If you are not willing to pay the ransom, intend to give up the encrypted data. You can go to Control Panel > Storage, delete volumes and storage pools, and restore the system to factory settings.

If I was in the shoes of someone who had their data encrypted, without a backup in place, then (where possible) I would still hold out for recovery methods. It was rightly raised by Charlie Crocker on the Terramaster forum that decryption of previous NAS ransomware is still ongoing and so if you have the means to move this data elsewhere (along with the ransom .txt, as this is often incredibly useful for identifying the encryption campaign method later), I would recommend that – rather than wiping it all! But I can appreciate that this can be an expensive option.

Criticism of Terramaster in their Response to this Ransomware Attack

Currently, Terramaster is being heavily criticized on their own forums for their handling of this. Understandably, some users were already unhappy after reminders were raised of UPnP weaknesses in a previous version of TOS. An older vulnerability in the Terramaster NAS system was reported in April 2021. As it turns out though, their NAS systems are accessible across the entire internet via the UPnP protocol. Universal Plug and Play (UPnP) is used by a vast number of network devices, including NAS, routers, computers, gaming consoles, printers, mobile devices, IoT devices, and many more. A full breakdown of this vulnerability in TOS last year was covered over on StorageReview here – https://www.storagereview.com/news/terramaster-nas-vulnerability-found-over-upnp/

This is a developing matter and I will continue to update this article and compile it in a video over on YouTube shortly (when available, it will be published below).

 
