NETGEAR ReadyNAS

[AlanSmith]

I have a ReadyNAS Duo with PHP installed and I'm using it as a webserver.

A friend of mine also has a ReadyNAS Duo, without PHP installed, also used as a webserver.

He sent me an example of recent logs from his ReadyNAS which worried me slightly

e.g.

[08/Sep/2009:17:58:02 +0100] "GET http://www.freestuffto.net/prx1.php?hash=45A7FC08C60F38CA57C2D7E700500EC051533791A7FA HTTP/1.0" 404 206 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
[09/Sep/2009:01:00:47 +0100] "GET http://www.freestuffto.net/prx1.php?hash=45A7FC08C60F38CA57C2D7E700500EC051533791A7FA HTTP/1.0" 404 206 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
[09/Sep/2009:03:40:36 +0100] "GET http://www.freestuffto.net/prx1.php?hash=45A7FC08C60F38CA57C2D7E700500EC051533791A7FA HTTP/1.0" 404 206 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
[11/Sep/2009:04:39:10 +0100] "GET //phpmyadmin//scripts/setup.php HTTP/1.1" 404 227 "-" "ZmEu"
[12/Sep/2009:01:51:40 +0100] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 226 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2)"
[12/Sep/2009:01:51:40 +0100] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 223 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2)"
[12/Sep/2009:01:51:41 +0100] "GET /pma/scripts/setup.php HTTP/1.1" 404 219 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2)"
[12/Sep/2009:01:51:42 +0100] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 226 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2)"
[13/Sep/2009:22:15:56 +0100] "GET http://www.freestuffto.net/prx1.php?hash=45A7FC08C60F38CA57C2D7E700500EC051533791A7FA HTTP/1.0" 404 206 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
[14/Sep/2009:02:00:41 +0100] "GET http://www.h4x3d.com/feat/themes/red-apple.jpg HTTP/1.1" 404 223 "-" "webcollage/1.135a"
[14/Sep/2009:04:45:28 +0100] "GET http://www.freestuffto.net/prx1.php?hash=45A7FC08C60F38CA57C2D7E700500EC051533791A7FA HTTP/1.0" 404 206 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"

Looks like hacking attempts.

Is there any risk here especially as I do have PHP installed?

[mdgm]

PHP is a community add-on. As such you should ask the developer super-poussin for how secure the add-on is and how to tweak settings to make it more secure if you wish.

[diffz]

The more services you run on a system the higher the risk. All software contain bugs and there always is a risk that it poses a security risk. This applies for all systems not only a readynas.

My advise is to ONLY open up the ports you REALLY need outside of your home network. You can use port forwarding on your router to do this. I would prefer this instead using dmz where everything is forwarded to you readynas. Also update your services/system when an update becomes available.

What you see in your logging are possible hack attemps but thats normal. These are fully automated scans and attempts by botnets/virusses. They try common security flaws on know systems. Keeping an eye on the logging is a good thing but considering the amount of attemps by the million of infected zombie systems makes it almost undoable for humans. In my own server loggings I see multiple attemps a minute.

For most scriptkiddies/scammers hacking you readynas isnt that interesting considering the limited processing power. And the sparc readynas systems have the advantage that executing binary code wont work unless its for the sparc architecture. Its security by obscurity

EDIT: If you store important or sensitive data on your nas then my advise is not to connect it to the internet (or at least dont open up the services to the internet) and by a cheap nettop/netbook for your php/webserver needs. They arent that expensive and they dont consume a lot of power. And depending on your readynas it can also perform a lot faster

[captainhaddock]

diffz :If you store important or sensitive data on your nas then my advise is not to connect it to the internet (or at least dont open up the services to the internet)

But one of the benefits of the ReadyNAS which is advertised and recommended by Netgear is ReadyNAS Remote - designed to give you secure access to your personal and sensitive data from around the globe. The box is designed for internet use and is good at it.

I certainly agree about only port forwarding the required ports and not using a DMZ unless you have a very good firewall, but we still would like the reassurance that add-ons, which are effectively endorsed by association of them being hosted by netgear. (Yes I am aware that they say "NETGEAR does not provide support for community add-ons and in some cases may deny support if problems are the direct result of using a community add-on") however the association is still there.

This is the advantage of a forum like this (hopefully) that we can share our tips n tricks on security, gotchas et al. resulting is an all round good experience.

[claykin]

diffz :If you store important or sensitive data on your nas then my advise is not to connect it to the internet (or at least dont open up the services to the internet)

But one of the benefits of the ReadyNAS which is advertised and recommended by Netgear is ReadyNAS Remote - designed to give you secure access to your personal and sensitive data from around the globe. The box is designed for internet use and is good at it.

I certainly agree about only port forwarding the required ports and not using a DMZ unless you have a very good firewall, but we still would like the reassurance that add-ons, which are effectively endorsed by association of them being hosted by netgear. (Yes I am aware that they say "NETGEAR does not provide support for community add-ons and in some cases may deny support if problems are the direct result of using a community add-on") however the association is still there.

This is the advantage of a forum like this (hopefully) that we can share our tips n tricks on security, gotchas et al. resulting is an all round good experience.

Readynas Remote does not require you to leave an open port to the Net. it uses NAT traversal. Also connections are SSL. Assuming the developers properly wrote the app, NAS addon and the web service to authenticate accounts, Remote should be relatively safe. That said, I'm still not liking the way they chose to add users to the NAS addon. They acknowledge its not a great solution and advised they are working on a new method that will likely send a validation email that the user has to respond to in order to be added to the requesting NAS. Not sure when thats coming.

I think one of the reasons why Netgear shy's away from direct support of most services that open up the box to the Internet is because of security issues (and probably support as well). Synology went through a rough time about 1 year ago where one of their security savvy users called them out on some major holes in their OS and Web service addons. Over this past year they have been playing catchup to upgrade components of their OS, the web service and they now even provide a firewall at the NAS level to allow end users to control who and what can connect to the Synology boxes. IMO, this is a step in the right direction.

Anyone running PHP on their NAS should pay attention to security exploits and patch as necessary. You'll need to have SSH access to your box to run the apt get update command. I'm not a Linux expert so I'm probably not the correct person to ask about upgrading Debian components.

Personally I wish it wasn't so complicated to add/run many of these community addons, including the need to open SSH access to the box. Keep in mind that once you open SSH access to the box its advisable to later go in and change it so SSH access is set to one or more of your NAS users as opposed to the rootadmin.

[diffz]

Anyone running PHP on their NAS should pay attention to security exploits and patch as necessary. You'll need to have SSH access to your box to run the apt get update command. I'm not a Linux expert so I'm probably not the correct person to ask about upgrading Debian components.

Patching is good but for most users I would stick with addon updates and the official radiator updates from netgear. Just running apt-get update might upgrade essential system packages/libs/configs. This could break some important functionality. My advise is to stay away from the (random) upgrading packages unless you know what the impact will be and how to fix it. Or at the very least never do a complete upgrade like "apt-get upgrade".

Personally I wish it wasn't so complicated to add/run many of these community addons, including the need to open SSH access to the box.

The couple of addons I tried did not require any SSH access to the box. Keep in mind the ReadyNas is a nas with extra functionality. Netgear and community developers are nice to give you the option to expand that functionality even further. Thats a bonus not the primary goal of the device. If you really want to have have a powerful multifunction device you better buy a dedicated computer and install a OS yourself then you have more control and easier the fix stuff.

[InTheShires]

EDIT: If you store important or sensitive data on your nas then my advise is not to connect it to the internet (or at least dont open up the services to the internet)

How would I achieve this? If only as a temporary measure.

[kathleenp980]

diffz :If you store important or sensitive data on your nas then my advise is not to connect it to the internet (or at least dont open up the services to the internet)

But one of the benefits of the ReadyNAS which is advertised and recommended by Netgear is ReadyNAS Remote - designed to give you secure access to your personal and sensitive data from around the globe. The box is designed for internet use and is good at it.

I certainly agree about only port forwarding the required ports and not using a DMZ unless you have a very good firewall, but we still would like the reassurance that add-ons, which are effectively endorsed by association of them being hosted by netgear. (Yes I am aware that they say "NETGEAR does not provide support for community add-ons and in some cases may deny support if problems are the direct result of using a community add-on") however the association is still there.

This is the advantage of a forum like this (hopefully) that we can share our tips n tricks on security, gotchas et al. resulting is an all round good experience.

Readynas Remote does not require you to leave an open port to the Net. it uses NAT traversal. Also connections are SSL. Assuming the developers properly wrote the app, NAS addon and the web service to authenticate accounts, Remote should be relatively safe. That said, I'm still not liking the way they chose to add users to the NAS addon. They acknowledge its not a great solution and advised they are working on a new method that will likely send a validation email that the user has to respond to in order to be added to the requesting NAS. Not sure when thats coming.

I think one of the reasons why Netgear shy's away from direct support of most services that open up the box to the Internet is because of security issues (and probably support as well). Synology went through a rough time about 1 year ago where one of their security savvy users called them out on some major holes in their OS and Web service addons. Over this past year they have been playing catchup to upgrade components of their OS, the web service and they now even provide a firewall at the NAS level to allow end users to control who and what can connect to the Synology boxes. IMO, this is a step in the right direction.

Anyone running PHP on their NAS should pay attention to security exploits and patch as necessary. You'll need to have SSH access to your box to run the apt get update command. I'm not a Linux expert so I'm probably not the correct person to ask about upgrading Debian components.

Personally I wish it wasn't so complicated to add/run many of these community addons, including the need to open SSH access to the box. Keep in mind that once you open SSH access to the box its advisable to later go in and change it so SSH access is set to one or more of your NAS users as opposed to the rootadmin.

Good post. I appreciate it!



__________________
http://moviesonlineworld.com

[mdgm]

It's a good post, but I think things have changed since then. With ReadyNAS Remote when you add a user now you enter the email address and can then select all ReadyNAS Remote user accounts for that account.

By default ReadyNAS Remote only does CIFS and AFP.

If you want to use more services over ReadyNAS Remote you can disable the ReadyNAS Remote Firewall e.g. using the Toggle ReadyNAS Remote Firewall add-on referred to at the bottom of my sig. to disable the ReadyNAS Remote firewall on the NAS. Instructions are at the top of that thread for how to disable the firewall in the PC Client. The connection is still secure and you can connect to the ReadyNAS without needing to open ports and create a hole in your firewall.