Thousands of failed logins and blocked ip's -- What settings do I need?

QVR Pro, QVR Pro Client, QVR Center and Surveillance Station
taymag
Getting the hang of things
Posts: 59
Joined: Wed Dec 06, 2017 12:40 pm

Post by taymag »

I posted this here because I assume many solutions I get on other sub-forums might block my cameras (pretty much why I use the QNAP)

My work has 6 Amcrest cameras that I set up through a NAS address. It's been years since I set these up, but I keep my QNAP updated as much as I can.

I don't know where to start as far as stopping these; as far as I know they have happened forever -- From what it looks like there are thousands of "Failed to log in via user account "admin" and probably 15-20 blocked IPs every day

I guess there are 2 questions: 1, how do I know if anyone got it or how can I set up a login notification in the future? And second, what do I need to do? Are there new settings I need? Is there a "go-to" malware/antivirus app?

Most people say log in with a VPN, but I can't imagine that's the only way to stay secure

Thanks!
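
For the first question in the post above (how to tell whether any of the attempts succeeded), here is an added example that is not part of the original thread and is not QNAP tooling. It assumes the access log has been exported as text in a constructed `time | source IP | message` layout, that `Login OK` stands in for the NAS's real success message, and that the office LAN is 192.168.10.0/24.

```python
import ipaddress
from collections import Counter

# Constructed sample in an assumed "time | source IP | message" layout.
# The failure text is the one quoted in the post; "Login OK" is a
# placeholder for whatever the NAS writes on a successful login.
SAMPLE_LOG = """\
2021-04-26 09:02:11 | 192.168.10.23 | Login OK for user account "office"
2021-04-26 23:58:01 | 203.0.113.45 | Failed to log in via user account "admin"
2021-04-26 23:58:03 | 203.0.113.45 | Failed to log in via user account "admin"
2021-04-26 23:58:05 | 203.0.113.45 | Failed to log in via user account "admin"
2021-04-27 00:10:40 | 198.51.100.7 | Failed to log in via user account "admin"
2021-04-27 00:10:44 | 198.51.100.7 | Login OK for user account "admin"
2021-04-27 08:15:00 | 192.168.10.23 | Failed to log in via user account "office"
2021-04-27 08:15:09 | 192.168.10.23 | Login OK for user account "office"
"""

LAN = ipaddress.ip_network("192.168.10.0/24")  # assumed office LAN


def review_logins(log_text, lan=LAN):
    """Return (failed attempts per source IP, successful logins from outside the LAN)."""
    failures = Counter()
    suspicious = []
    for line in log_text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3:
            continue  # blank or malformed line
        when, src, message = parts
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            continue  # source field is not an IP address
        if message.startswith("Failed to log in"):
            failures[src] += 1
        elif message.startswith("Login OK") and ip not in lan:
            # A success from a non-LAN address answers "did anyone get in?";
            # keep the number of failures seen from that address before it.
            suspicious.append((when, src, message, failures[src]))
    return failures, suspicious


if __name__ == "__main__":
    failed, hits = review_logins(SAMPLE_LOG)
    print("failed attempts per source:", dict(failed))
    for hit in hits:
        print("review this login:", hit)
```

A LAN user who mistypes a password and then logs in is not flagged; only successes from addresses outside the LAN are returned for review.
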
dolbyman
Guru
Posts: 35243
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Post by dolbyman »

Remove all direct remote access from the NAS (manual port forwards and UPnP)

Maybe you are lucky and nobody has paid you a visit yet, see here for the current ransom thread
viewtopic.php?f=45&t=160849

As repeated over and over and over again. The only safe method is to remove your NAS from direct access and use VPN (no, does not cost anything) to access the NAS from WAN.

Post by taymag »

dolbyman wrote: Tue Apr 27, 2021 12:54 am
> Remove all direct remote access from the NAS (manual port forwards and UPnP)
>
> Maybe you are lucky and nobody has paid you a visit yet, see here for the current ransom thread
> viewtopic.php?f=45&t=160849
>
> As repeated over and over and over again. The only safe method is to remove your NAS from direct access and use VPN (no, does not cost anything) to access the NAS from WAN.

Ok thanks for the quick reply -- I'm not super savvy with NAS; all I know is that seems to be the only way from my Amcrest POE cameras to the QNAP. Is there another suggested way?

I'm familiar with VPN, I used to use them way back on campus at school, but would I still need to remove the NAS access?

Maybe I am thinking of the NAS link wrong. Are you saying I can use the NAS connection to the QNAP, but just need to remove what would give me the ability to connect to the QNAP to view video feed when away on phone?

(and sorry for the duplicate thread, I just figured some people look here and not the other sub-forums)

Post by dolbyman »

I don't know what your installation looks like

But if your QNAP and the cameras are in the same subnet, there is absolutely no need for any WAN access, so please elaborate.

VPN is to traverse the NAT of your router without directly forwarding any ports of your LAN devices. So you log in via VPN and you have access to your NAS after (not without)

Post by taymag »

dolbyman wrote: Tue Apr 27, 2021 1:03 am
> I don't know what your installation looks like
>
> But if your QNAP and the cameras are in the same subnet, there is absolutely no need for any WAN access, so please elaborate.
>
> VPN is to traverse the NAT of your router without directly forwarding any ports of your LAN devices. So you log in via VPN and you have access to your NAS after (not without)

Ok, I'll take a look at this after lunch and get back to you -- Also, is there a go-to virus scan or malware realtime scan people use? I assume there's a list of things for security that have to add a little protection

Post by dolbyman »

No .. All available programs are non-realtime, so the only way to protect yourself is to present no attack surfaces

Post by taymag »

dolbyman wrote: Tue Apr 27, 2021 1:03 am
> I don't know what your installation looks like
>
> But if your QNAP and the cameras are in the same subnet, there is absolutely no need for any WAN access, so please elaborate.
>
> VPN is to traverse the NAT of your router without directly forwarding any ports of your LAN devices. So you log in via VPN and you have access to your NAS after (not without)

Please let me know what information I would need to figure out -- My cameras use static IPs and use subnet mask 255.255.255.0

What would need to be done before setting up a VPN? Or are you saying my settings might be correct and I just need to use a VPN?

Post by dolbyman »

Subnet mask tells me it's a /24 subnet .. but I would still need to know if NAS and Cams are in the same

e.g.
192.168.10.10 NAS
192.168.10.15-20 CAMs

If so, there is absolutely no need to forward any ports from WAN to LAN for any sort of camera operation.
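
The same-subnet check described in the post above, as an added example that is not part of the original thread. It uses the addresses and the 255.255.255.0 mask from the posts; the function names and the extra camera address 192.168.1.108 are constructed for illustration.

```python
import ipaddress


def expand(spec):
    """Expand '192.168.10.15-20' (last-octet range as written in the post) to addresses."""
    if "-" not in spec:
        return [ipaddress.IPv4Address(spec)]
    first, last_octet = spec.split("-")
    start = ipaddress.IPv4Address(first)
    end = ipaddress.IPv4Address(first.rsplit(".", 1)[0] + "." + last_octet)
    return [ipaddress.IPv4Address(n) for n in range(int(start), int(end) + 1)]


def outside_nas_subnet(nas_ip, mask, device_specs):
    """Return (NAS network, devices that are not in it)."""
    # strict=False lets a host address plus mask stand for its network
    net = ipaddress.IPv4Network(f"{nas_ip}/{mask}", strict=False)
    outside = [str(a) for spec in device_specs for a in expand(spec) if a not in net]
    return net, outside


if __name__ == "__main__":
    # Addresses from the post, plus one constructed camera on another subnet.
    net, outside = outside_nas_subnet(
        "192.168.10.10", "255.255.255.0", ["192.168.10.15-20", "192.168.1.108"]
    )
    print("NAS network:", net)
    print("not on the NAS subnet:", outside)
```

An empty second result means every camera shares the NAS's /24, which is the case where recording needs no port forwarded from WAN to LAN.
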

Post by taymag »

dolbyman wrote: Tue Apr 27, 2021 3:46 am
> Subnet mask tells me it's a /24 subnet .. but I would still need to know if NAS and Cams are in the same
>
> e.g.
> 192.168.10.10 NAS
> 192.168.10.15-20 CAMs
>
> If so, there is absolutely no need to forward any ports from WAN to LAN for any sort of camera operation.

Ok, how would I go about finding that info? Through my router, camera interface, QNAP? Thanks

Post by dolbyman »

If fixed IPs you should know (as you assigned them)
If DHCP your router will know, but if it's DHCP, chances are they are in the same segment.

With all these questions, I cannot imagine that your network is anything other than a /24 with a central DHCP server (otherwise you or somebody else would ..well.. know what they were doing *wink*)

So with a /24 with DHCP.. there is absolutely no reason to forward external ports through your router for NVR function.

Post by taymag »

dolbyman wrote: Wed Apr 28, 2021 1:52 am
> If fixed IPs you should know (as you assigned them)
> If DHCP your router will know, but if it's DHCP, chances are they are in the same segment.
>
> With all these questions, I cannot imagine that your network is anything other than a /24 with a central DHCP server (otherwise you or somebody else would ..well.. know what they were doing *wink*)
>
> So with a /24 with DHCP.. there is absolutely no reason to forward external ports through your router for NVR function.

lol, I'm not sure about the /24 part, but I do know my cameras are static IPs because when they were DHCP I was having issues (at least when I had wireless cameras, now they are POE cameras but still static IP) -- I "assigned" the IPs but I really just switched from DHCP to Static and the static IP was the current IP it was using.

How does this affect the outcome?

Post by dolbyman »

The outcome is

Remove all port forwards from your router to your LAN (also disable UPnP), all these failed logins will stop.

If you need to access your NAS/cameras from outside your LAN, use a VPN (server on router). On most phones only a handful of swipes away to activate.

Post by taymag »

dolbyman wrote: Wed Apr 28, 2021 2:16 am
> The outcome is
>
> Remove all port forwards from your router to your LAN (also disable UPnP), all these failed logins will stop.
>
> If you need to access your NAS/cameras from outside your LAN, use a VPN (server on router). On most phones only a handful of swipes away to activate.

Ok, I guess the question is if I already set up my cameras and other stuff and I disable UPnP will all these stop working? Or can I enable it to set up devices then disable it and they still work?

To add to that, my router says "Enable port forwarding: No"

Post by dolbyman »

That was the reason for all the back and forth .. there is no port forwarding required for operation

Check your router for UPnP

Post by taymag »

dolbyman wrote: Wed Apr 28, 2021 2:42 am
> That was the reason for all the back and forth .. there is no port forwarding required for operation
>
> Check your router for UPnP

Ya it is enabled, my question is, I obviously have a bunch of crap hooked up (most cameras are POE, but 2 are wireless, phones, laptops, Bose sound system, etc), will these still work since they already connected to the router or when I turn UPnP off will everything stop and I have to configure it manually? Thanks for hanging in there with me lol, this is my office, so it's the last thing I need to be hacked (considering how this year has been going)