Qnap [QPKG] Qwhitelist app -> Super whitelisting (Qnap Firewall) version 1.6 [14-09-2015]

sebastienbo

Apprenti
Everybody,

I've created an app that allows users to protect their NAS by only allowing hosts that they allow.

Right now security is a really big threat for our data, because all these apps and services that we open to the internet can have vulerabilities at some point...and we cannot close all the vulnerabilities.
And even when there are no vulnerabilities, hackers will try to bruteforce our usernames and passwords for all those services and applications...

That's why whitelisting is the best solution, you block everyone out except the servers(like backup servers) or friends that you trust.

I've created this app because the default app lacks some features.

This app extends the whitelist functionality of QNAP by adding:
- A remote available interface for managing your whitelist
- Supporting DNS entries (for allowing access to your clients on the road by identifing them based on their dyndns host or your backup server hostname or even your uptimerobot hostnames,etc...)
- Enforce the idea of not forgetting to include your private networks so that you don't lock out yourself(but if you do, whitelisting can be disabled by pressing your reset button for 1,5 seconds (soft reset))
- Ability to add hosts in an automated way for temporary access untill the pre-defined time has expired (tickets)
- optional two-factor authentication (trust a server on the internet, that server can grant permissions to your home nas-> so in order to attack your nas , first they need to authenticate themselfs on your trusted server)

Although enabling country blocks seems the best thing to do, we discourage the usage of so many IP's althoug it is much better then having the whole internet accessing your nas :)
We recommend to use the two-factor authentication script, that way you keep the scope of computers conencting to your nas very small.

See screenshot
Qwhitelist_app.png

Version 1.6:
http://www.positiv-it.fr/QNAP/APP/Qwhitelist_1.150914.qpkg.zip

1) unzip
2) Install
3) Execute
 

QoolBox

Représentant QNAP
Good Job ;)

you have to install QDKTOOL on your NAS as prior

in SSH,

where you want to install you environment :

ex : /share/Public

and launch

qbuild --create-env QWhiteList

after not sure what is embedded in your app

if binaries put them in the right directory

other in shared directory, the script start and stop is here also


qpkg.conf is the qpkg index file for your app

finish go inside /share/Public/QWhiteList

and launch qbuild command to create qpkg

you will find more info in the qpkg SDK pdf
 

QoolBox

Représentant QNAP
i am not sure to have some free time in the next days...

forward me your script i will quickly package it
 

sebastienbo

Apprenti
Thanks, I've sent you a link via PM to the script (it's just one file without dependencies)

In the file you'll see in the source how to install it (very easy 3 steps without db stuff etc..)

The app is open source for everybody to use but not to sell (it must stay free also if you change something to the code it must stay free)

Theoreticly (and with some minor adaptations) this script can be used for all brands of NAS'ses (even thecus) , I'm even writing a DD-WRT version now (that would block the connections even before entering the network)
 

QoolBox

Représentant QNAP
sebastienbo a dit:
Thanks, I've sent you a link via PM to the script (it's just one file without dependencies)

In the file you'll see in the source how to install it (very easy 3 steps without db stuff etc..)

The app is open source for everybody to use but not to sell (it must stay free also if you change something to the code it must stay free)

Theoreticly (and with some minor adaptations) this script can be used for all brands of NAS'ses (even thecus) , I'm even writing a DD-WRT version now (that would block the connections even before entering the network)

not received :(
 

giopas

Grand Maître Jedi
Wow, this seems a pretty nice work!

And on wrt/tomato capable routers, it would make a good difference in securing access to the LAN.
 

QoolBox

Représentant QNAP
a bit overloaded, i check this as soon as possible

if possible, do you have preference for an icon 80 x 80 for QTS display ?
 

sebastienbo

Apprenti
Good point , I really didn't think about an ICON :)

What fits a firewall Icon ? I suppose some white must be in the colors (to accentuate the whitelisting part) , maybe something Black and white?

Ying and yang sign ? :) (black and white lists)


https://www.google.com/search?q=yin+and+yang&num=40&espv=2&tbm=isch&tbo=u&source=univ&sa=X&ved=0CDcQsARqFQoTCKn7j6WYuMcCFUXWGgodoskH3w&biw=1536&bih=815

What do you think?
 

QoolBox

Représentant QNAP
look nice, i will check for this

i am makin an update of QGit and Gogs, and i am making your QPKG
 

sebastienbo

Apprenti
Thank a lot Stephane

I hope it didn't take too much of your time.

I just tried the 4.2 package, but that one stays stuck at 45% for 10 minutes now.

Is there some log that I could collect to help the troubleshooting?
 

QoolBox

Représentant QNAP
damn, second time one of my apps has this behavior on the QTS 4.2 (got a ticket for QPydio )
I tested here on ts-253 in 4.2 i have not this issue

please send a feedback report to the QTS 4.2 team, over the ui in top right corner menu, only them can know about this behavior
 

QoolBox

Représentant QNAP
May be the new Beta available today fix the issue ? did you try ?

look 45% is the moment where the application is installing after been copied (probably the unpack i would say)
check also if your volume is sane ( Volume > Check Filesystem )
 

sebastienbo

Apprenti
Thanks for your help

I've isntalled the new 4.2 beta and rebooted.
I then tried to install the package again but it immediatly (without thinking) gave me this error "The following items could not be installed. Please see the system logs for more information qwhitelist_1.1"
I think the previous HALF install might have left something behind...

I'm now running the sane check ;-)

How long does a sane check actually take?

Because my raid building took 3 days for only 6TB
 

sebastienbo

Apprenti
Stéphane, it finally works

I made a ticket with qnap and (i feel stupid) , the problem was that I didn't unzip before uploading (i thought it unzipped automaticly on the nas)

It now is installed correctly, I love the icon :)

I"m gonna make a second version of this app so that it automaticly fills in the current local subnet (to protect the users)
In this second version I will also put a password phrase to protect it a litle bit against non admin users, because now it is just too open... (ok well it an only be accessed by whitelisted IP's, but sometimes simple users are also located on a whitelisted IP ...)
 

QoolBox

Représentant QNAP
ahahahah, didnt think about that..

yes, i always zipping (or raring) qpkg to avoid CRC error during file transfert from my hosting

:geek:
 
Haut Bas