IP Access Protection don't work

Discussion on setting up QNAP NAS products.
venique
New here
Posts: 7
Joined: Sun May 09, 2021 6:53 am

IP Access Protection don't work

Post by venique »

Hello.

Due to business reasons and some user limitations, I was forced to expose my TS-231P with QTS 4.5.3.1652 to the Internet via port forwarding of the standard Samba ports on my firewall. I know the rules about 'no Internet to NAS', but I mitigate this in all available ways.

Of course, sometimes cool hackers scan the WAN and, once they discover the open Samba ports, try to brute-force passwords for some 'default' accounts that don't exist:
a4csf.png

Why doesn't QTS react to this even with correct IP / Account access protection?
Screenshot 2021-05-10 в 17.36.21.png
Screenshot 2021-05-10 в 17.36.31.png

I suppose that Account protection doesn't work because these are attempts to log on to a non-existing account, but why doesn't QTS ban those IPs due to more than 5 failed login attempts in 30 mins?
venique
New here
Posts: 7
Joined: Sun May 09, 2021 6:53 am

Re: IP Access Protection don't work

Post by venique »

Also I've noticed that there are some successful logon events of 'guest' via SMB:
a087ha.png

But:
- there is no 'guest' account in the system
- guest access is denied to every share I have on QNAP
- every share has ABE / ABSE enabled
- consequently anonymous users are restricted from accessing SMB shared folders at all
- advanced folder permission is enabled too

So if there is some way to log on with 'guest' it won't give access to any share or file. By the way, I tried to simulate this situation by trying to log on from Windows / macOS via SMB with guest / guest or just with 'guest' and no password or without specifying any credentials at all, using different SMB versions, with GUI or CLI, but I didn't get even close to such an event on my QNAP (successful guest login). So I don't understand how it can be possible and I suppose that there is some incorrect logging process that tells me about a successful guest login while it did not happen. Am I right or just missing something?
jaysona
Been there, done that
Posts: 846
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: IP Access Protection don't work

Post by jaysona »

You will have to ask QNAP why the settings are not working. Also, there is no reason to blank out the IP addresses of the source IP addresses, in fact those IP addresses may help some that keep track of bot-net IP addresses.

Also, 30 minutes is too generous for Internet exposed systems, you should set it to the lowest possible. I have asked QNAP to add 1-minute as the minimum, no such luck - yet.
RAID is not a Back-up!

H/W: QNAP TVS-871 (i7-4790. 16GB) (Plex server) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6604T (8GB) / Asustor AS7010T (16GB) (media storage)
H/W: TS-219 Pro / TS-509 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 386.7_2
Router2: Asus RT-AC68U - Asuswrt-Merlin - 386.7_2
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15

Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB)
jaysona
Been there, done that
Posts: 846
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: IP Access Protection don't work

Post by jaysona »

venique wrote: Mon May 10, 2021 11:51 pm ....

So I don't understand how it can be possible and I suppose that there is some incorrect logging process that tells me about a successful guest login while it did not happen. Am I right or just missing something?

Welcome to the world of QNAP and its insecure QTS operating environment. Maybe someone found yet another QTS vulnerability that can be exploited, maybe it is a false positive log entry - only QNAP will be able to tell you for certain.
venique
New here
Posts: 7
Joined: Sun May 09, 2021 6:53 am

Re: IP Access Protection don't work

Post by venique »

jaysona wrote: there is no reason to blank out the IP addresses of the source IP addresses, in fact those IP addresses may help some that keep track of bot-net IP addresses

I already have a huge number of subnets where infected machines (or real hackers) are constantly scanning the network (and my QNAP), but what next? I can't provide this info to anyone (I guess that even their ISPs won't block them or something else) and I'm not interested in further investigation, so for now I just ban whole subnets like XX.XXX.XXX.0/24 via QuFirewall until I deal with automatic IP Access Protection.

jaysona wrote: 30 minutes is too generous for Internet exposed systems, you should set it to the lowest possible

Why? Some 'scanners' are not so stupid, so they take some pause between retries. In this case a 30 min monitoring period will discover and ban them more efficiently than a short period like 1 min.

jaysona wrote: You will have to ask QNAP why the settings are not working
jaysona wrote: only QNAP will be able to tell you for certain

Okay, will try my luck with official support.
QNAPDanielFL
Easy as a breeze
Posts: 488
Joined: Fri Mar 31, 2017 7:09 am

Re: IP Access Protection don't work

Post by QNAPDanielFL »

venique wrote: Mon May 10, 2021 11:36 pm Hello.

Due to business reasons and some user limitations, I was forced to expose my TS-231P with QTS 4.5.3.1652 to the Internet via port forwarding of the standard Samba ports on my firewall. I know the rules about 'no Internet to NAS', but I mitigate this in all available ways.

Of course, sometimes cool hackers scan the WAN and, once they discover the open Samba ports, try to brute-force passwords for some 'default' accounts that don't exist:
a4csf.png

Why doesn't QTS react to this even with correct IP / Account access protection?
Screenshot 2021-05-10 в 17.36.21.png
Screenshot 2021-05-10 в 17.36.31.png

I suppose that Account protection doesn't work because these are attempts to log on to a non-existing account, but why doesn't QTS ban those IPs due to more than 5 failed login attempts in 30 mins?


You ask a good question. I was just told we will add a new feature to ban IPs due to more than 5 failed login attempts in 30 min even if it is for a non-existing account.
Last edited by QNAPDanielFL on Wed May 12, 2021 9:48 am, edited 1 time in total.
QNAPDanielFL
Easy as a breeze
Posts: 488
Joined: Fri Mar 31, 2017 7:09 am

Re: IP Access Protection don't work

Post by QNAPDanielFL »

venique wrote: Mon May 10, 2021 11:51 pm Also I've noticed that there are some successful logon events of 'guest' via SMB:
a087ha.png

But:
- there is no 'guest' account in the system
- guest access is denied to every share I have on QNAP
- every share has ABE / ABSE enabled
- consequently anonymous users are restricted from accessing SMB shared folders at all
- advanced folder permission is enabled too

So if there is some way to log on with 'guest' it won't give access to any share or file. By the way, I tried to simulate this situation by trying to log on from Windows / macOS via SMB with guest / guest or just with 'guest' and no password or without specifying any credentials at all, using different SMB versions, with GUI or CLI, but I didn't get even close to such an event on my QNAP (successful guest login). So I don't understand how it can be possible and I suppose that there is some incorrect logging process that tells me about a successful guest login while it did not happen. Am I right or just missing something?

Would it be possible to make a support ticket so we can investigate what you are experiencing? And if I know the ticket number, I can pass it on to our PSIRT team.
venique
New here
Posts: 7
Joined: Sun May 09, 2021 6:53 am

Re: IP Access Protection don't work

Post by venique »

QNAPDanielFL wrote: Wed May 12, 2021 9:43 am You ask a good question. I was just told we will add a new feature to ban IPs due to more than 5 failed login attempts in 30 min even if it is for a non-existing account.
So for now IP Access Protection works only for valid accounts, that's the reason, right? If somebody is trying to brute-force some non-existing account, their IP won't be banned? How quickly will the new function be released?
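
Added example (not part of any post in this thread, and not QNAP's code): a sliding-window failed-login counter keyed on source IP, run over constructed events. It shows why a counter that only sees failures against existing accounts never bans a scanner guessing 'default' names, and how the monitoring window discussed above treats a scanner that pauses between retries. The event tuple layout, account names and documentation-range IP addresses are assumptions made for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def ips_to_ban(events, existing_accounts, threshold=5,
               window=timedelta(minutes=30), count_unknown=True):
    """Return the sorted source IPs with more than `threshold` failed logins
    inside any sliding `window`.

    events: time-ordered (timestamp, source_ip, account, succeeded) tuples.
    count_unknown=False models a counter that only sees failures against
    accounts that exist; True keys purely on the source IP.
    """
    recent = defaultdict(deque)   # source_ip -> timestamps of recent failures
    banned = set()
    for ts, ip, account, succeeded in events:
        if succeeded or ip in banned:
            continue
        if not count_unknown and account not in existing_accounts:
            continue              # failure is invisible to this counter
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) > threshold:
            banned.add(ip)
    return sorted(banned)

def build_sample_events():
    """Constructed sample data, not taken from the thread's screenshots."""
    t0 = datetime(2021, 5, 10, 17, 0, 0)
    events = []
    # Fast scanner: 8 guesses at nonexistent 'default' accounts, 5 s apart.
    for i, name in enumerate(["admin1", "test", "user", "backup",
                              "scanner", "support", "ftp", "oracle"]):
        events.append((t0 + timedelta(seconds=5 * i), "203.0.113.10", name, False))
    # Slow scanner: 7 guesses at a nonexistent account, 4 minutes apart.
    for i in range(7):
        events.append((t0 + timedelta(minutes=4 * i), "198.51.100.7",
                       "administrator", False))
    # Legitimate user: one mistyped password, then a successful login.
    events.append((t0 + timedelta(minutes=1), "192.0.2.25", "alice", False))
    events.append((t0 + timedelta(minutes=2), "192.0.2.25", "alice", True))
    return sorted(events, key=lambda e: e[0])

ACCOUNTS = {"alice", "bob"}       # hypothetical accounts that exist on the NAS
EVENTS = build_sample_events()
```

With `count_unknown=False` nothing is banned; with the default settings both scanners are banned; with `window=timedelta(minutes=1)` only the fast scanner is.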
venique
New here
Posts: 7
Joined: Sun May 09, 2021 6:53 am

Re: IP Access Protection don't work

Post by venique »

QNAPDanielFL wrote: Wed May 12, 2021 9:47 am Would it be possible to make a support ticket so we can investigate what you are experiencing? And if I know the ticket number, I can pass it on to our PSIRT team.

I'm glad to hear such feedback, but there are some difficulties.

Actually, I have a QNAP D2, which is a copy of the TS-231P (identical HW/FW, just another model name) and is supplied to the RU region. So Global Support is not eager to deal with my tickets and asks me to seek help from the Russian Helpdesk. They, in turn, can't know everything, so they just create tickets to HQ as their own instead of me. A similar situation happened this time. And now HQ is asking me to provide them Remote Support to figure out what is going on.

Before that, of course, I decided to encrypt my data but realised that there is no such option. Our helpdesk answers that any encryption is disabled at the hardware level due to Customs Union regulations. If I wish, I can use any 3rd-party software for encryption purposes (which one?) without any warranty of data loss. If I don't, I can provide Remote Support with access to all my personal and security-sensitive data 'as is'.

So I don't know how to deal with that bureaucracy. Maybe HQ can connect via TeamViewer so I can monitor their activity?
QNAPDanielFL
Easy as a breeze
Posts: 488
Joined: Fri Mar 31, 2017 7:09 am

Re: IP Access Protection don't work

Post by QNAPDanielFL »

venique wrote: Wed May 12, 2021 7:46 pm
QNAPDanielFL wrote: Wed May 12, 2021 9:47 am Would it be possible to make a support ticket so we can investigate what you are experiencing? And if I know the ticket number, I can pass it on to our PSIRT team.
I'm glad to hear such feedback, but there are some difficulties.

Actually, I have a QNAP D2, which is a copy of the TS-231P (identical HW/FW, just another model name) and is supplied to the RU region. So Global Support is not eager to deal with my tickets and asks me to seek help from the Russian Helpdesk. They, in turn, can't know everything, so they just create tickets to HQ as their own instead of me. A similar situation happened this time. And now HQ is asking me to provide them Remote Support to figure out what is going on.

Before that, of course, I decided to encrypt my data but realised that there is no such option. Our helpdesk answers that any encryption is disabled at the hardware level due to Customs Union regulations. If I wish, I can use any 3rd-party software for encryption purposes (which one?) without any warranty of data loss. If I don't, I can provide Remote Support with access to all my personal and security-sensitive data 'as is'.

So I don't know how to deal with that bureaucracy. Maybe HQ can connect via TeamViewer so I can monitor their activity?

If I have the ticket number I can ask what we can do.
venique
New here
Posts: 7
Joined: Sun May 09, 2021 6:53 am

Re: IP Access Protection don't work

Post by venique »

QNAPDanielFL wrote: Thu May 13, 2021 1:51 am If I have the ticket number I can ask what we can do.
Unfortunately, I'm not able to use PM to send you ticket number in private, maybe you have any other method I can reach you by?
QNAPDanielFL
Easy as a breeze
Posts: 488
Joined: Fri Mar 31, 2017 7:09 am

Re: IP Access Protection don't work

Post by QNAPDanielFL »

venique wrote: Thu May 13, 2021 4:52 am
QNAPDanielFL wrote: Thu May 13, 2021 1:51 am If I have the ticket number I can ask what we can do.
Unfortunately, I'm not able to use PM to send you ticket number in private, maybe you have any other method I can reach you by?
danielfrancislyon@qnap.com
venique
New here
Posts: 7
Joined: Sun May 09, 2021 6:53 am

Re: IP Access Protection don't work

Post by venique »

QNAPDanielFL wrote: Thu May 13, 2021 5:47 am danielfrancislyon@qnap.com
Sent. Thank you in advance!