How to Fix QNAP Security and Performance Issues


QNAP is a very OK NAS (see https://www.qnap.com/en-us/product/series/home if you are not familiar with QNAP or with NAS devices in general). I can't call it excellent because of the many issues I have had with it, but I can't call it bad either, because once those issues are resolved it is pretty good. So here is my short list of QNAP's biggest problems and how I resolved them:

Security

One thing QNAP has massively failed its users on is security. To illustrate the problem, just google "QSnatch" and you will find how at one point over 60,000 QNAP devices were infected with malware, and for quite some time the only way to get rid of it was a complete device reset. Even worse, once the company found a way to remove the malware, it never shared details about what it was or how it infected users' devices, which is totally unacceptable.

Besides that, you might be interested in these reads: https://www.zdnet.com/article/hundreds-of-thousands-of-qnap-devices-vulnerable-to-remote-takeover-attacks/ and https://blog.securityevaluators.com/multiple-vulnerabilities-discovered-in-qnap-nass-303b720d487b

It's OK for a company working on such a complex device to make stupid mistakes like this from time to time. Most companies do, including Microsoft, Google and Apple. But it's totally not OK to keep hiding information that could help prevent such attacks in the future.

Anyway, what can you do about this? First of all, if you registered your QNAP with myQNAPcloud, unregister it. This service lets you access the device from anywhere in the world through QNAP's portal. Needless to say, if you can access it, then so can anyone else, especially when the device is protected by a company that completely disregards a culture of security in software development. You can do this by logging into myQNAPcloud here: https://www.myqnapcloud.com/. Once you're in, click "My Devices" -> "Device Details" -> "Unregister". QNAP keeps changing the interface, so google around for the details of the latest iteration of this website and how to work with it. I almost feel like they are hiding that "Unregister" option.

Once the device is unregistered from myQNAPcloud, uninstall the myQNAPcloud Link application from the device. Interestingly, if you uninstall the app first, you won't be able to unregister the device (at least I wasn't offered that option when I tried, so I had to reinstall the app, unregister, and then uninstall it again).

At this point you may also want to disable the DDNS service and any other cloud services you have turned on. They will stop working after the next step anyway and will keep generating errors.

Now you're ready to configure your firewall to completely block your QNAP from the internet. Most QNAPs have multiple network interfaces, so you will need to blacklist the MAC addresses of all of them, just in case.
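One way to do this on a Linux-based router is to put every MAC address of the NAS into an nftables set and drop its frames only when they would be forwarded out the WAN interface. This is an added example, not configuration from the post or from QNAP; the interface name `eth0`, the table name `nas_isolation` and the MAC addresses used in the usage comments are placeholders, and your router must have `nft` available. Because only the forward hook is filtered, LAN clients can still reach the NAS, and the NAS can still talk to the router itself (the router's DNS resolver included), which matters once you repoint the NAS's DNS at the router.

```shell
#!/bin/sh
# Added example (not from the post): build an nftables ruleset for a Linux-based
# router that keeps every NAS interface off the WAN while leaving LAN access and
# the router's own DNS resolver reachable. WAN_IF and the MAC addresses are
# placeholders; take the real ones from your router and from the NAS network
# settings page.

WAN_IF="${WAN_IF:-eth0}"   # assumed name of the router's upstream interface

# Validate one MAC address (six colon-separated hex pairs) and print it in
# lowercase; returns 1 for anything else so a typo never silently becomes
# a rule that matches nothing.
normalize_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$mac" in
        [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f])
            printf '%s\n' "$mac" ;;
        *)
            return 1 ;;
    esac
}

# Print a complete nftables ruleset for the given MAC addresses. Frames from any
# NAS MAC are dropped in the forward hook only when they would leave via WAN_IF.
# Packets addressed to the router itself pass through the input hook instead,
# so the NAS can still use the router as its DNS server, and LAN-to-NAS traffic
# is never forwarded through the WAN interface at all.
gen_ruleset() {
    elements=""
    for m in "$@"; do
        norm=$(normalize_mac "$m") || { echo "invalid MAC address: $m" >&2; return 1; }
        case ", $elements, " in
            *", $norm, "*) ;;                                   # already listed
            *) elements="${elements:+$elements, }$norm" ;;
        esac
    done
    [ -n "$elements" ] || { echo "usage: gen_ruleset MAC [MAC ...]" >&2; return 1; }
    cat <<EOF
table inet nas_isolation {
    set nas_macs {
        type ether_addr
        elements = { $elements }
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        ether saddr @nas_macs oifname "$WAN_IF" counter drop
    }
}
EOF
}

# Usage: sh nas_isolate.sh show  00:11:22:33:44:55 00:11:22:33:44:56   prints the ruleset
#        sh nas_isolate.sh apply 00:11:22:33:44:55 00:11:22:33:44:56   loads it (run as root)
# Check afterwards with: nft list table inet nas_isolation
case "${1:-}" in
    show)  shift; gen_ruleset "$@" ;;
    apply) shift; gen_ruleset "$@" | nft -f - ;;
esac
```

The `counter` on the drop rule is deliberate: `nft list table inet nas_isolation` then shows how often the NAS still tries to reach the internet, which is a quick way to confirm the block is matching the right MAC addresses and to see how chatty the box is even after the cloud services are disabled.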

And at this point your QNAP will become not just very slow, but ridiculously slow, if you can imagine that. Let's address this problem in the next section.

Performance

Performance is another huge problem with QNAPs. Even if you have no apps installed and the device is supposed to be completely idle, it keeps doing ... something. Nobody really knows what it is doing. Processes like "kworker" and "notify thread" keep the CPU at 50% or more. OK, kworker is a legitimate process, essential for executing Linux kernel functions, but there is no good explanation for why QNAP keeps it busy all the time. "notify thread", on the other hand, is QNAP's own invention, and why it consumes so much CPU is a mystery.

And the problem is not just the mediocre CPUs QNAPs are equipped with. You get what you pay for, so to keep the price relatively low they put crappy processors in (an ancient Intel Celeron, for instance). The other problem is how inefficiently QNAP uses that weak CPU. Even with all apps uninstalled there are still SEVERAL HUNDRED processes running on that little box, overloading the CPU. Why would they need 32 postgres workers, for instance? Even postgres seems to have no idea, as most of the time they just sit there, do nothing and consume RAM. OK, they have postgres, a great database for all their needs, right? But no, for some reason they are also running mongodb. And, just in case, MariaDB is there too. And, I guess in case apache fails, they also run nginx. Anyway, I could keep complaining about the complete lack of optimization on QNAP's part, so let's do something about it instead.
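Before uninstalling things it helps to know which programs actually account for the load, rather than reading a few hundred rows of `top`. The script below is an added example, not from the post: it aggregates `ps -eo pid,pcpu,rss,comm` output per command name (assuming a procps-style `ps`), folds the individually named kernel threads `kworker/<cpu>:<id>` into one "kworker" row, and keeps multi-word names such as "notify thread" intact. The sample process list embedded in it is constructed to resemble the idle QNAP described above; the numbers are made up.

```shell
#!/bin/sh
# Added example (not from the post): triage which programs are eating the CPU
# on a NAS by aggregating `ps -eo pid,pcpu,rss,comm` output per command name.
# Assumes a procps-style ps; the sample below is constructed, not captured.

# Sum %CPU and resident memory per command, one row per command name, sorted
# by total CPU. Kernel worker threads such as kworker/0:1 and kworker/1:2 are
# folded into a single "kworker" row; command names containing spaces
# ("notify thread") are kept whole instead of being split into two rows.
summarize_processes() {
    awk 'NR > 1 {
            cmd = $4
            for (i = 5; i <= NF; i++) cmd = cmd " " $i     # multi-word COMMAND
            sub(/\/[0-9]+:[0-9]+.*$/, "", cmd)             # kworker/<cpu>:<id>
            cpu[cmd] += $2; rss[cmd] += $3; n[cmd]++
        }
        END {
            for (c in cpu)
                printf "%6.1f %%CPU %3d procs %8d KiB  %s\n", cpu[c], n[c], rss[c], c
        }' | sort -k1,1 -rn
}

# Constructed sample in `ps -eo pid,pcpu,rss,comm` layout, header included.
SAMPLE_PS='  PID %CPU   RSS COMMAND
  212 31.0  1200 kworker/0:1
  215 22.5  1180 kworker/1:2
  990 18.0  9400 notify thread
 1301  0.1 12000 postgres
 1302  0.0 11900 postgres
 1303  0.0 11800 postgres
 2210  0.5 80000 mongod
 2400  0.2 30000 mysqld'

# Summary of the constructed sample. On a real box run
#   ps -eo pid,pcpu,rss,comm | summarize_processes
demo_summary() {
    printf '%s\n' "$SAMPLE_PS" | summarize_processes
}

# Heaviest row of the demo summary (CPU, process count, RSS, command name).
demo_top_row() {
    demo_summary | head -n 1
}

# Usage: sh nas_triage.sh demo    prints the summary for the constructed sample
if [ "${1:-}" = "demo" ]; then
    demo_summary
fi
```

Run the real `ps` pipeline a few times a minute apart: a command that stays at the top while the box is supposedly idle is the one worth investigating, and the process count column shows at a glance things like the 32 postgres workers mentioned above.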

First of all, uninstall all software you don't really need. Even when you're in doubt whether you will need something, uninstall it. Of course, QNAP won't like it and will do all it can to stop you from uninstalling such "useful" tools as "SSD Profiler", for instance. Even if you have no SSDs in your QNAP, you will be forced to keep that "essential" tool, and even if you manually remove it from the system it will come back after a reboot. Still, do your best and uninstall everything you can live without.

Unfortunately, the uninstallation process is also flawed. For instance, even if you uninstall Video Station and disable the Multimedia Console, the transcoding process will keep running. So the best approach is to avoid installing any software you can live without in the first place.

One more thing you can do is configure QuLog to keep as few log records (1 million, the minimum) for as short a time as QNAP allows (30 days). This will save you some disk space and the CPU time spent indexing all those logs.

You also need to max out what QNAP can give you, and in this case you are pretty much limited to maximizing the RAM. This doesn't mean you need to buy the most expensive model with the most RAM possible; QNAP made sure those carry an unreasonably high premium. Instead, buy the cheapest one, buy the maximum amount of RAM your specific QNAP model supports, and upgrade it yourself for a third of the price (even before selling the old memory module).

Networking

Most QNAPs come with multiple network interfaces. If yours has several and you think that just plugging all of them into the switch will give it superpowers, you're wrong. You actually need to enable trunking and make sure you have a managed switch configured accordingly. So, unless you know how to do that, don't bother; even one interface is totally fine for 99% of your needs. Unplug all interfaces but one, and this may actually improve your QNAP's connectivity.

Remember how blocking the QNAP's internet access made it so ridiculously slow? That's because for a ton of different operations it attempts DNS resolution, and most likely its DNS server is set to something like Google's DNS servers (8.8.8.8/8.8.4.4), which are no longer reachable. Update the DNS servers to your router's IP address and this will give your QNAP a good performance boost.

At this point you may start wondering how you are going to access your QNAP and all its contents after blocking it on your router. The best solution is to set up a VPN in your home network; just make sure you do not use the QNAP itself for this (that would defeat the purpose of blocking it on the router in the first place). There are tons of third-party devices that provide this functionality, so pick a good one (here is a decent starter list: https://www.amazon.com/s?k=gli.net+vpn), learn how to configure it, and use it.

Final words

At this point you may start to feel my frustration with QNAP. It's really bad: insecure, overpriced and slow. The problem is, you can't find anything better for this kind of money. You will need to either pay a lot more for a quality product, have enough time to build your own device of this kind (take a look at https://www.freenas.org/), or learn how to live with QNAP. If you don't have the time or money to build your own NAS from scratch, I hope this post helps you make your QNAP a bit more useful and secure.
