QNAP QSW-L3208-2C6T switch console login user name

I have a QSW-L3208-2C6T switch running the latest firmware version 2.1.0. It is classified by QNAP as a “managed lite” switch. It does have a web interface. Nowhere in the web interface are any settings to enable console or set console credentials. Nowhere in the web interface are any settings to enable SSH or set SSH credentials. SSH to port 22 fails with “Connection refused”.

I need to get to the command line.

I have connected a USB-to-serial cable to the console port on the switch. I have set it to 115200 baud and when I log in it prompts me for a Username:. I enter “admin” which is the login name that I use for the Web GUI. The console immediately outputs “Incorrect User Name!!”. I have tried using “enable”, I have tried using my QNAP Cloud Key (as username). It never prompts me for password.

I have done a backup of my switch config, will paste it below. No clues there either.

Ultimately, I want to log into the switch to disable weak SSL ciphers.

What is the console login user name? Any alternative way that I can disable weak SSL ciphers?

Switch config:

SYSTEM CONFIG FILE ::= BEGIN
! System Description: QNAP GSW-L3208-2C6T Switch
! System Version: v2.1.0
! System Name: QSW-L3208-2C6T
! System Up Time: 0 days, 0 hours, 0 mins, 1 secs
! System Model Name: QSW-L3208-2C6T
lag load-balance src-dst-mac-ip
lacp system-priority 32768
jumbo-frame
jumbo-frame-size
system name "QSW-L3208-2C6T"
burnin "28800"
ip address 192.168.1.207 mask 255.255.255.0
ip default-gateway 192.168.1.xxx
no ip dhcp
ip dns lookup
ip dns 192.168.1.xxx
clock source sntp
sntp host pool.ntp.org port 123
clock timezone "" -6 minutes 0
clock web tzindex 9
username "admin" secret encrypted <snip_x>
enable secret "<snip_y>"
vlan default-vlan 1
vlan 2
!
!
loop-prevention
no ip igmp snooping
no ip igmp snooping report-suppression
ip igmp snooping forward-method dip
ip igmp snooping unknown-multicast action flood
ip igmp snooping version 2
ip igmp snooping vlan 1 robustness-variable 2
ip igmp snooping vlan 1 response-time 10
ip igmp snooping vlan 1 query-interval 125
ip igmp snooping vlan 1 last-member-query-interval 1
ip igmp snooping vlan 1 last-member-query-count 2
ip igmp snooping vlan 1
no ip igmp snooping vlan 1 immediate-leave
ip igmp snooping vlan 1 router learn pim-dvmrp
ip igmp snooping vlan 1 static-router-port 10gi1,10gi3-8
no ip http
ip https tls 2
ip https
ip http session-timeout 15
ip https session-timeout 15
!
qos
qos queue strict-priority-num 0
qos map cos-queue 0 to 1
qos map cos-queue 1 to 2
logging
!
no custom
custom fan mode "normal"
custom active devive 1
interface lag1
switchport mode hybrid
switchport hybrid pvid 2
switchport hybrid ingress-filtering
switchport hybrid acceptable-frame-type all
switchport hybrid allowed vlan add 2 untagged
switchport hybrid allowed vlan remove 1
shutdown
flowcontrol off
back-pressure
no protected
qos cos 0
no qos trust
no qos remark cos
no qos remark dscp
no qos remark precedence
no custom
!
interface lag2
switchport mode hybrid
switchport hybrid pvid 2
switchport hybrid ingress-filtering
switchport hybrid acceptable-frame-type all
switchport hybrid allowed vlan add 2 untagged
switchport hybrid allowed vlan remove 1
shutdown
flowcontrol off
back-pressure
no protected
qos cos 0
no qos trust
no qos remark cos
no qos remark dscp
no qos remark precedence
no custom
!
interface lag3
switchport mode hybrid
switchport hybrid pvid 1
switchport hybrid ingress-filtering
switchport hybrid acceptable-frame-type all
shutdown
flowcontrol off
back-pressure
no protected
qos cos 0
no qos trust
no qos remark cos
no qos remark dscp
no qos remark precedence
no custom
!
interface lag4
switchport mode hybrid
switchport hybrid pvid 1
switchport hybrid ingress-filtering
switchport hybrid acceptable-frame-type all
shutdown
flowcontrol off
back-pressure
no protected
qos cos 0
no qos trust
no qos remark cos
no qos remark dscp
no qos remark precedence
no custom
!
interface 10gi1
lacp port-priority 1
lacp timeout long
no eee
switchport mode hybrid
switchport hybrid pvid 1
switchport hybrid ingress-filtering
switchport hybrid acceptable-frame-type all
switchport hybrid allowed vlan add 2 tagged
no shutdown
flowcontrol on
back-pressure
no protected
qos cos 0
no qos trust
no qos remark cos
no qos remark dscp
no qos remark precedence
no custom
!
interface 10gi2
lacp port-priority 1
lacp timeout long
no eee
switchport mode hybrid
switchport hybrid pvid 1
switchport hybrid ingress-filtering
switchport hybrid acceptable-frame-type all
no shutdown
flowcontrol on
back-pressure
no protected
qos cos 0
no qos trust
no qos remark cos
no qos remark dscp
no qos remark precedence
no custom
!
interface 10gi3
lacp port-priority 1
lacp timeout long
no eee
switchport mode hybrid
switchport hybrid pvid 2
switchport hybrid ingress-filtering
switchport hybrid acceptable-frame-type all
switchport hybrid allowed vlan add 2 untagged
switchport hybrid allowed vlan remove 1
no shutdown
flowcontrol on
back-pressure
no protected
qos cos 0
no qos trust
no qos remark cos
no qos remark dscp
no qos remark precedence
no custom
!
interface 10gi4
lacp port-priority 1
lacp timeout long
no eee
switchport mode hybrid
switchport hybrid pvid 2
switchport hybrid ingress-filtering
switchport hybrid acceptable-frame-type all
switchport hybrid allowed vlan add 2 untagged
switchport hybrid allowed vlan remove 1
no shutdown
flowcontrol on
back-pressure
no protected
qos cos 0
no qos trust
no qos remark cos
no qos remark dscp
no qos remark precedence
no custom
!
interface 10gi5
lacp port-priority 1
lacp timeout long
no eee
switchport mode hybrid
switchport hybrid pvid 2
switchport hybrid ingress-filtering
switchport hybrid acceptable-frame-type all
switchport hybrid allowed vlan add 2 untagged
switchport hybrid allowed vlan remove 1
no shutdown
flowcontrol on
back-pressure
no protected
qos cos 0
no qos trust
no qos remark cos
no qos remark dscp
no qos remark precedence
no custom
!
interface 10gi6
lacp port-priority 1
lacp timeout long
no eee
switchport mode hybrid
switchport hybrid pvid 2
switchport hybrid ingress-filtering
switchport hybrid acceptable-frame-type all
switchport hybrid allowed vlan add 2 untagged
switchport hybrid allowed vlan remove 1
no shutdown
flowcontrol on
back-pressure
no protected
qos cos 0
no qos trust
no qos remark cos
no qos remark dscp
no qos remark precedence
no custom
!
interface 10gi7
lacp port-priority 1
lacp timeout long
no eee
switchport mode hybrid
switchport hybrid pvid 1
switchport hybrid ingress-filtering
switchport hybrid acceptable-frame-type all
no shutdown
flowcontrol off
back-pressure
no protected
qos cos 0
no qos trust
no qos remark cos
no qos remark dscp
no qos remark precedence
no custom
!
interface 10gi8
lacp port-priority 1
lacp timeout long
no eee
switchport mode hybrid
switchport hybrid pvid 1
switchport hybrid ingress-filtering
switchport hybrid acceptable-frame-type all
no shutdown
flowcontrol off
back-pressure
no protected
qos cos 0
no qos trust
no qos remark cos
no qos remark dscp
no qos remark precedence
no custom
!
line console
history 128
password-thresh 0
line telnet
history 128
password-thresh 0
!
mac address-table aging-time 300

!

I never used the console port on my QNAP switches so I am not able to help you there. I would suggest you try the QNAP helpdesk to see if they can give you some more info. You can also try using the device MAC address as password without : or -

Sometimes they use that MAC ID as password. You can also try root as user ID in case the admin ID is only used for the GUI.

Good luck, hopefully support can help you out.

In my experience, “Lite” managed switches only have a web interface. There may be backdoors into a CLI, so definitely open a ticket and see if it is available.

Yeah QNAP already came back and said Managed Lite means web interface only. I sent them my vulnerability scan results and they said they would report it to the security team. So, it goes into a black hole I guess.

Honestly, if you are that worried about security, I would spend the $$ and get a fully managed switch.

Yeah I know that is always an option. I don't want the noise or the price of a fully managed 10GbE switch, that's why I bought this one. I mistakenly assumed they would have resolved a 10 year old vulnerability with a simple update of the SSL ciphers to not use DES and 3DES like every other product QNAP has. I have 2 QNAP NAS and neither is vulnerable to SWEET32. Out of all the old IoT gear I have at my house, none of that is vulnerable to SWEET32 either. It's rookie stuff.

Tried MAC address (without the special chars), tried QNAP Cloud ID, root, admin, enable, user, RTK (it's based on a Realtek 9300 switch board). I rebooted with the serial cable connected and watched all the boot messages scroll; it's definitely Realtek 9300 based. Some switches have a "press N in the next 3 seconds…" thing at boot to configure some low level stuff but this one doesn't. I've managed many layer 3 switches in an enterprise environment so I know what I'm doing. Anyways, QNAP said it is not possible, even their support agents don't know how to do it, it is only for developer level debug. They submitted my concern to their security team, and I asked for a workaround to disable weak SSL ciphers some way, possibly by backing up the config file, editing it (it's cleartext, similar to old Cisco), and "restoring".

Just to add some more info on why I want to disable weak SSL ciphers: this switch is exposed to SWEET32.

I have run a security scan against it and found it is using weak TLS/SSL cipher suites with HTTPS. This is the SWEET32 issue, classified as "High" (CVSS 7.5).

‘Vulnerable’ cipher suites detected by this service via the TLSv1.2 protocol:

TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)

TLS_RSA_WITH_DES_CBC_SHA (SWEET32)

Hence, I would like to disable these weak cipher suites to protect against this vulnerability. There is no screen in the Web UI to do that, and no way to log into the console.
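To re-check the finding above on your own switch without a full OpenVAS run, here is an added example (not from the thread or from QNAP) that classifies scanner-reported suite names as SWEET32-affected and then offers a single suite to the HTTPS port to see whether the switch accepts it. The host, port and the helper names are assumed; the probe reports "inconclusive" when the local OpenSSL build cannot offer the suite at all (single DES was removed in OpenSSL 1.1.0, and 3DES may be disabled at compile time), which is the usual trap when reproducing this class of finding.

```python
import socket
import ssl

# SWEET32 applies to suites whose block cipher has a 64-bit block (DES, 3DES, IDEA).
# Tokens are matched against IANA suite names as reported by OpenVAS and similar tools.
SWEET32_TOKENS = ("_3DES_", "_DES_", "_IDEA_")

# IANA names from the scan mapped to the OpenSSL cipher-string names Python's ssl uses.
OPENSSL_NAMES = {
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": "DES-CBC3-SHA",
    "TLS_RSA_WITH_DES_CBC_SHA": "DES-CBC-SHA",
}


def is_sweet32_suite(iana_name: str) -> bool:
    """True if the IANA suite name uses a 64-bit block cipher."""
    return any(tok in iana_name for tok in SWEET32_TOKENS)


def sweet32_suites(suites):
    """Filter a scanner's suite list down to the SWEET32-affected ones."""
    return [s for s in suites if is_sweet32_suite(s)]


def probe_weak_cipher(host: str, port: int, iana_name: str, timeout: float = 5.0) -> str:
    """Offer only `iana_name` to host:port over TLS 1.2 (these suites do not exist in
    TLS 1.3). Returns "accepted", "rejected", "unreachable" or "inconclusive"; the
    last means the local OpenSSL cannot offer the suite, so nothing was tested."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # switch uses a self-signed cert; we only test ciphers
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers(OPENSSL_NAMES[iana_name])  # raises SSLError if the build lacks it
    except (ssl.SSLError, KeyError):
        return "inconclusive"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                negotiated = tls.cipher()[0]
                return "accepted" if negotiated == OPENSSL_NAMES[iana_name] else "rejected"
    except ssl.SSLError:
        return "rejected"  # server refused a handshake restricted to this suite
    except OSError:
        return "unreachable"


if __name__ == "__main__":
    # Constructed sample: the two suites from the scan plus one modern suite.
    scan = ["TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_DES_CBC_SHA",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
    for suite in sweet32_suites(scan):
        print(suite, probe_weak_cipher("192.168.1.207", 443, suite))  # address from the config above
```

A result of "accepted" for either suite confirms the scanner's finding; "inconclusive" means run the probe from a host whose OpenSSL still supports the suite, not that the switch is clean.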

So is this switch on your LAN? Wouldn’t your router be hardened to protect against such things? Do you have a particularly dangerous environment on your LAN?

This is a hobby. Same as for many people. I am not so dense as to not understand what is going on in my network. And yes, I have an OPNsense based router that I made myself from a mini PC. It has a firewall on it that I have custom tailored. Just like my Pi-hole on a Raspberry Pi and OpenVAS security scanning on another rPi. I know what I'm doing. Thanks.

Do I consider my environment hazardous? Well, I have a lot of IoT gear, cameras, lights, switches, etc., which is foreign made, and shows up with security vulnerabilities. There could be all sorts of reverse SSH on a high numbered ephemeral port or who knows what other elaborate cybersecurity vulnerabilities on these little things. I have fun doing it and I prefer to be cautious. I scan all my new gear and if it shows vulnerabilities, and the vendor can't resolve them, I return it. Simple as that. I just bought this switch.

I am interested in suggestions to accomplish what I described, not in questioning myself. I am well educated, well informed, and resolute. Thank you.

Wow. Wasn't trying to offend you, but I understand what you are trying to do. No need to be sensitive about it. You do you.

QNAP brand products are not designed for security calmless people :innocent:

I’m not convinced you have the requisite knowledge or skillset to make an informed comment on this topic.

I have 2 QNAP NAS which are not vulnerable to SWEET32. In fact, they only have vulnerabilities with a CVSS score of 2.5 (Low) and lower. QNAP does indeed put out updates to address security issues. QNAP does indeed have built-in features on the NAS for security like QuFirewall, QVPN, service port binding, and more.

I would expect that their switches are less feature rich, but still do not have 10 year old vulnerabilities that no other devices have.

Your comment is completely useless and uninspired. I am not sure why you even left it.

Hi @k00s02
Thank you very much for your valuable feedback and for taking the time to share the security scan results with us.

We appreciate your detailed explanation regarding the SWEET32 vulnerability and the weak cipher suites currently enabled. Based on your input, we will remove these “vulnerable” TLS/SSL cipher suites in a future firmware release to enhance overall security.

Thank you again for your helpful suggestions. Your feedback is truly appreciated.

Great, thank you!