Dang! Seems our old home NAS is bare-ass on the internet (thanks uPNP), with a hardcoded credential that is remotely exploitable (CVE-2024-3274). The suggested workaround is to turn off uPNP on the router, which I’d rather not do as I assume it’d affect family gaming consoles.
I’d also prefer not to fork out to replace the NAS if not needed. So I figure:
- Add port forwardings to the router to pre-claim 80/443 and direct them to a never existent IP and port (say in a neighbouring C block)
- or, setup a VM to act as a proxy between the NAS and the internet, and drop 80/443 packets
I’d prefer option 2 but I’m not sure I can be bothered refreshing my iptables etc knowledge.