Restrict NAS access to local IPs only

MrGuvernment

Patron
Joined
Jun 15, 2017
Messages
268
@Vortigern As noted above, a little bit of background info:

The 12-year-old UPnP protocol simplifies the task of connecting devices by allowing them to automatically find each other over a network. It does this by using the HTTP, SOAP, and XML protocols to advertise themselves and discover other devices over networks that use the Internet Protocol.

While the automation can remove the hassle of manually opening specific network ports that different devices use to communicate, UPnP over the years has opened users to a variety of attacks. In 2013, an Internet-wide scan found that UPnP was making more than 81 million devices visible to people outside the local networks. The finding was a surprise because the protocol isn't supposed to communicate with outside devices. The exposure was largely the result of several common code libraries that monitored all interfaces for User Datagram Protocol packets even if configured to listen only on internal ones.

In November 2018, researchers detected two in-the-wild attacks that targeted devices using UPnP. One used a buggy UPnP implementation in Broadcom chips to wrangle 100,000 routers into a botnet. The other, used against 45,000 routers, exploited flaws in a different UPnP implementation to open ports that were instrumental in spreading EternalRed and EternalBlue, the potent Windows attack that was developed by and later stolen from the NSA.

ISP devices are normally shipped in a way that makes it the least painful (which often means least secure) method to allow a quick plug-in and off they go, so they have to provide as little support as possible to the end user trying to get things working. Over the years, some are getting better by disabling insecure things out of the box, but there are still plenty out there (like ones still shipping with WEP enabled on their Wi-Fi enabled routers).
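The quoted article attributes the 2013 exposure to UPnP libraries that listened for UDP discovery packets on every interface even when configured for internal ones only. The following is an added example (written by the editor, not code from the thread or from any UPnP project) that audits constructed `ss -ulnp` output and flags SSDP (UDP/1900) sockets bound to the wildcard address or to an address outside the LAN ranges you pass in; the process names and pids in the sample are made up.

```python
"""Flag UDP/1900 (SSDP) listeners that are not confined to a LAN address.

Editor-added example. Input is constructed `ss -ulnp` output, so nothing on
the network is contacted; run it against real output from your NAS.
"""
import ipaddress
import re

SSDP_PORT = 1900

# Constructed sample of `ss -ulnp` output (hypothetical process names/pids).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
UNCONN 0      0      0.0.0.0:1900        0.0.0.0:*         users:(("miniupnpd",pid=812,fd=5))
UNCONN 0      0      192.168.1.10:1900   0.0.0.0:*         users:(("minissdpd",pid=900,fd=4))
UNCONN 0      0      [::]:1900           [::]:*            users:(("upnp-svc",pid=950,fd=3))
UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*         users:(("resolved",pid=300,fd=12))
"""

def split_local(field):
    """Split an ss 'Local Address:Port' field into (ip, port, iface).

    Handles bracketed IPv6 ('[::]:1900') and scoped addresses ('127.0.0.53%lo:53').
    """
    m = re.match(r"^\[?([^\]%]+)(?:%(\w+))?\]?:(\d+|\*)$", field)
    if not m:
        raise ValueError(f"unrecognised ss address field: {field!r}")
    ip, iface, port = m.groups()
    return ip, (int(port) if port != "*" else None), iface or ""

def audit_ssdp_listeners(ss_output, lan_nets):
    """Return (ip, iface, process) for UDP/1900 sockets not bound to a LAN address.

    A socket is acceptable only if its bind address is a specific address
    (not 0.0.0.0 or ::) that lies inside one of lan_nets.
    """
    nets = [ipaddress.ip_network(n) for n in lan_nets]
    findings = []
    for line in ss_output.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) < 5 or cols[0] != "UNCONN":      # only unconnected UDP sockets
            continue
        ip, port, iface = split_local(cols[3])
        if port != SSDP_PORT:
            continue
        proc = cols[5] if len(cols) > 5 else ""
        addr = ipaddress.ip_address(ip)
        confined = not addr.is_unspecified and any(addr in n for n in nets)
        if not confined:
            findings.append((ip, iface, proc))
    return findings

if __name__ == "__main__":
    for ip, iface, proc in audit_ssdp_listeners(SAMPLE_SS_OUTPUT, ["192.168.1.0/24"]):
        print(f"SSDP listener on all/non-LAN address {ip}{'%' + iface if iface else ''} {proc}")
```

Only the two wildcard-bound sockets are reported; the one bound to 192.168.1.10 and the unrelated port-53 socket are not.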
 

Whattteva

Wizard
Joined
Mar 5, 2013
Messages
1,824
I actually have the UPnP enabled! Is it that bad?
Usually, anything that allows connections in a semi-automatic way is insecure. This is even true of how most firewalls work by default, where they allow any return connections initiated from behind the firewall. This is basically what is exploited by things like Tailscale, ZeroTier, or malicious botnet/phone-in, telemetry, etc., and allows them to work even through firewalls that aren't locked down (most of them).
 