MyCloud.Zyxel can't detect my NSA325-v2


All Replies

  • Tomalamix
    Tomalamix Posts: 34  Freshman Member
    I've never done Linux scripting so I'm not familiar with the 15 * * commands, curl, sh and so on, but as far as I understood I need to create a script like getip.sh and put it in the /admin/ folder.

    The content of that file will be:

    ---BEGIN----
    #!/bin/sh
    @reboot cp /i-data/md0/admin/yourscript.sh /tmp/yourscript.sh
    15 * * * * sh /tmp/yourscript.sh
    ---END----

     I'm not using 15 * * * * sh /i-data/md0/admin/yourscript.sh because of the HDD spinup issue.

    After this procedure I'll be able to access the box directly through my personal DuckDNS address.

    Maybe the script is not correct but as I've told you I don't know any scripting commands.
  • Mijzelf
    Mijzelf Posts: 2,002  Guru Member
    Incorrect. The script is
    (where you of course have to exchange {YOURDOMAIN} and {YOURTOKEN})

    The lines
    ---BEGIN---
    @reboot cp /i-data/md0/admin/yourscript.sh /tmp/yourscript.sh
    15 * * * * sh /tmp/yourscript.sh
    ---END---
    have to be added to crontab, which can be done by adding them in the cron section of the Tweaks web interface.


  • Tomalamix
    Tomalamix Posts: 34  Freshman Member
    OK then,

    I've added the lines in the crontab and I've enabled it.

    About the file script, I have my domain, let's say it's XYZ.duckdns.org and my token is ABC123. Should I use {XYZ.duckdns.org} or just XYZ.duckdns.org without brackets? The same for the token.

    Meanwhile I've noticed that there is a file in the /admin/ folder that I don't remember being there. It's Photo.scr (5 MB size), does it ring a bell with you?
  • Mijzelf
    Mijzelf Posts: 2,002  Guru Member
    Without brackets. You can run that script manually (in a shell, 'sh yourscript.sh') to test, and it should say OK if OK, and KO if something is wrong.

    Meanwhile I've noticed that there is a file in the /admin/ folder that I don't remember being there. It's Photo.scr (5 MB size), does it ring a bell with you?
    Yes. Do not open it. Does it have a timestamp? Maybe while your box was in DMZ? Do you have the FTP server enabled?
  • Tomalamix
    Tomalamix Posts: 34  Freshman Member
    I've tested manually but it seems that I'm missing something:

    /i-data/910115eb/admin $ sh ddns.sh
    curl: (77) error setting certificate verify locations:
    CAfile: /etc/ssl/certs/ca-certificates.crt 
    CApath: none   

    About the Photo.scr, I did not open it, just moved it to a temporary folder on my desktop. The creation date is from a few days ago, when the router was already in the DMZ and while I was trying to put it in working order. Yes, I have the FTP server on.

    So this file is here because someone is harvesting FTP servers to put this file running there?
  • Mijzelf
    Mijzelf Posts: 2,002  Guru Member
    Ah, ZyXEL didn't install the certificates. You can try to change the script:

    curl --insecure https://

    This way the certificate isn't checked.

    So this file is here because someone is harvesting FTP servers to put this file running there?

    I hope so. The other option is that a PC in your network is infected, and tries to spread through network shares.

    The file is not dangerous for your NAS, BTW. Wrong OS, wrong CPU. It only targets Windows PCs. (Based on just its name.)
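An alternative to `--insecure`, as an added example that is not part of the thread, of the Tweaks package or of Zyxel's firmware: a POSIX sh update script that keeps certificate verification on by giving curl an explicit CA bundle, and that turns the OK/KO body DuckDNS returns into an exit status cron can act on. The bundle path, domain and token are placeholders (the NSA325 has no bundle at the default path, as the curl error above shows); the URL follows DuckDNS's public update endpoint.

```shell
#!/bin/sh
# Added example (not from the forum thread): a DuckDNS update script that
# keeps TLS verification on by pointing curl at an explicit CA bundle
# instead of passing --insecure. The bundle path, domain and token below
# are placeholders; the endpoint form is DuckDNS's public update URL.

# Build the update URL. Leaving ip= empty lets DuckDNS use the caller's
# public address, which is what a NAS behind NAT wants.
duckdns_update_url() {
    printf 'https://www.duckdns.org/update?domains=%s&token=%s&ip=\n' "$1" "$2"
}

# Map the body DuckDNS returns to an exit status: 0 for "OK", 1 for "KO",
# 2 for anything else (empty body, HTML error page, truncated transfer).
duckdns_status() {
    case "$1" in
        OK) return 0 ;;
        KO) return 1 ;;
        *)  return 2 ;;
    esac
}

# Run the update. $3 is the CA bundle to verify against (placeholder
# default). A missing bundle is a hard error rather than a silent fallback
# to --insecure, which would send the token to whoever answers the request.
duckdns_update() {
    domain=$1
    token=$2
    cafile=${3:-/etc/ssl/certs/ca-certificates.crt}
    if [ ! -r "$cafile" ]; then
        echo "CA bundle $cafile not readable; install one before updating" >&2
        return 2
    fi
    body=$(curl -sS --max-time 20 --cacert "$cafile" \
        "$(duckdns_update_url "$domain" "$token")") || return 2
    duckdns_status "$body"
}

# Usage with placeholder values (uncomment to run from cron):
# duckdns_update XYZ.duckdns.org ABC123 /path/to/ca-bundle.crt
```

Because the script embeds the token, keep it and the copy cron places in /tmp readable only by the account that runs it (mode 0600); the return code lets a cron wrapper log a failed update instead of assuming the record changed.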

  • Tomalamix
    Tomalamix Posts: 34  Freshman Member
    As soon as I pasted it into a temporary folder on my desktop the AV detected something wrong about it and blocked it. I'm going to delete it and that's it. The rest of my computers have been turned off for a few weeks now; I'm only using one for the last few weeks and this one seemed to detect the threat and dealt with it.

    About the script, I ran it and I got the "OK" message, so now it's time to take the NAS out of the DMZ and all done I guess. Just a few more hints:

    - Can I install the certificate (since Zyxel didn't do it)? It isn't a bad thing to be more secure.

    - Which ports should I open and forward to my box? I have the following for now:
    FTP - TCP any-> 21
    HTTP - TCP any-> 80
    HTTPS - TCP any-> 443
    HTTP Secondary - TCP any-> 8080

    - The known vulnerability can be solved in the Tweaks package using "Patch vulnerability"? There is just one patch, the CVE-2020-9054. I just tick the box and click apply. Is it that simple? If it's a known issue by Zyxel why doesn't Zyxel improve the FW to solve this? It shouldn't be a huge investment to develop an update for this? I get that this is not the newest model but hell, it's just one patch, and doesn't add new features to the box (taking market from the newest units).

  • Mijzelf
    Mijzelf Posts: 2,002  Guru Member
    - Can I install the certificate (since Zyxel didn't do it)? It isn't a bad thing to be more secure.

    As far as I remember the package 'Random Tools' installs the certificates. But I don't know if they still work, as they are aging.

    - Which ports should I open and forward to my box?

    Depends on what you want to do. I wouldn't open port 80, as 443 gives the same interface, unless you either are using something like Let's Encrypt (which needs port 80 to update the certificate) or you regularly up- or download large chunks of data. As HTTPS is encrypted, this takes a lot of CPU, limiting the stream to around 1MB/sec. Further, you should think about whether you want to open the admin interface to the internet at all. Which functionality do you want to use?

    Why would you open port 8080? Are you running something on that port?

    For FTP port 21 is not enough. You also need to forward a pool of data ports. In the FTP server you can assign a block of ports (20 is enough) which you have to forward. Make sure you configured FTP correctly, with good passwords, and anonymous shouldn't have write access.

    If your router supports port translation, you could also use that. Forward for instance port WAN:8443 to NAS:443, and use https://yourdomain.dyndns.org:8443/ to access your NAS. Then the webinterface won't be found by ordinary port scans. The same is true for port 21.

    - The known vulnerability can be solved in the Tweaks package using "Patch vulnerability"? There is just one patch, the CVE-2020-9054. I just tick the box and click apply. Is it that simple?

    Yes. But make sure your password doesn't contain any forbidden characters before applying the patch. Else you won't be able to login anymore.

    You can enter your password here, (or only the special characters you want to test), anything which translates to %XX is forbidden.

    If it's a known issue by Zyxel why doesn't Zyxel improve the FW to solve this? It shouldn't be a huge investment to develop an update for this? I get that this is not the newest model but hell, it's just one patch, and doesn't add new features to the box (taking market from the newest units).

    The box was EOS when the vulnerability appeared.
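A local version of the password check described in the reply above, as an added example that is not from the thread or from the Tweaks package. It treats every character outside the RFC 3986 unreserved set (letters, digits, `-`, `.`, `_`, `~`) as one a URL encoder turns into %XX, which is the conservative reading of "anything which translates to %XX is forbidden"; the exact filter the patch applies is not documented on this page, so that equivalence is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread or the Tweaks package): report which
# characters of a candidate password a URL encoder would turn into %XX.
# Assumption: anything outside the RFC 3986 unreserved set
# (A-Z a-z 0-9 - . _ ~) is percent-encoded, so it is treated as forbidden.

# Print the characters of $1 that would be percent-encoded, in order,
# duplicates included; prints nothing when the password is clean.
# LC_ALL=C keeps the ranges byte-based, so non-ASCII bytes are reported too.
forbidden_chars() {
    printf '%s\n' "$1" | LC_ALL=C sed 's/[A-Za-z0-9._~-]//g'
}

# Exit 0 when $1 contains only unreserved characters, 1 otherwise.
password_is_safe() {
    [ -z "$(forbidden_chars "$1")" ]
}

# Interactive use: read the candidate without echoing it, so it lands
# neither in the shell history nor in the terminal scrollback.
check_password_prompt() {
    printf 'Password to test: '
    stty -echo 2>/dev/null
    read -r pw
    stty echo 2>/dev/null
    echo
    bad=$(forbidden_chars "$pw")
    if [ -z "$bad" ]; then
        echo "OK: no characters would be percent-encoded"
    else
        echo "Forbidden characters: $bad"
        return 1
    fi
}

# Usage: check_password_prompt
```

Run it on the NAS or any machine with sed before ticking "Patch vulnerability": if it reports forbidden characters, change the password first, since the reply above warns that a password failing this rule locks you out of the web interface once the patch is applied.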


  • Tomalamix
    Tomalamix Posts: 34  Freshman Member
    edited October 2021
    Hello Mijzelf,

    Back from vacations and some hard work, I have some spare time to finish this chapter :)

    I've applied the patch, the password I use is OK in the test but basically the users can't use almost anything with symbols, which is contradictory to what we should use nowadays.

    About the certificates I think I'm OK like this, it's not a deal breaker, so I don't care.

    Now the most important: why do I need the NAS from the exterior? It's really simple in fact, I need to access some documents and images that I store in my NSA from wherever I am; it's not an everyday need but sometimes it's very handy to have those files available. A plus, besides the basic need, is to access some movies I have stored there and watch them if the Internet speed allows it. For that purpose I've deleted all ports from the forwarding table and I've done the following:

    For FTP:
    TCP 821 -> 21-41

    The 21-41 range that I've set in the router, is this the 20 available ports you spoke about? Or were you meaning those available in the "FTP Server Application" inside the NSA325? There is an option to "Customize the port range for data transfer" where I must use ports starting at 1024 and ending in 60555 or something like that, where I can put 1024 to 1050 for example, but I don't know the difference between the two settings.

    For HTTP:
    TCP 8443 -> 443 - It seems to be not working properly, it's directing to the login page of my router instead of the NAS, despite that I've forwarded the port to the NAS. Besides, I've acknowledged what you've said, there is a speed limitation here. If I want to get rid of that speed limit I should switch to port 80, losing the encryption.

    The telnet I think I will not turn on for external access; everything I need to do using telnet I think I should do in my internal network.

    Please make your annotations/hints about what to do here.

    Thank you!
  • Mijzelf
    Mijzelf Posts: 2,002  Guru Member
    The 20 ports are indeed the data ports. You can't assign them <1024, as <1024 are considered 'service ports', and have a special status in Linux. (Only root may open one.)
    So in your case you need 2 forwards, one to 21, and the data port range.
    TCP 8443 -> 443 - It seems to be not working properly, it's directing to the login page of my router instead of the NAS, despite that I've forwarded the port to the NAS. Besides, I've acknowledged what you've said, there is a speed limitation here.
    Assuming you did the forward right, this is a router problem. Maybe you can ask about it in a forum about that router. A work-around could be to use Tweaks to change the https port on the NAS. Make sure you didn't enable the automatically redirect to https option.
    About the speed limitation, could it be that that is the encryption? Encryption is expensive, and I know for ssh encryption that it is limited to around 1.5MB/sec on a 325. Https encryption might be in the same range.
