Pseudo Hack attack !
-
- Starting out
- Posts: 32
- Joined: Sun Jul 05, 2020 4:57 pm
Pseudo Hack attack !
Looks like someone was trying to log in to my NAS tonight:
[Users] Failed to log in via user account "admin". Source IP address: 127.0.0.1
This happened .... about 200 times in 1 hour ... before I found out, disabled the manual port for OpenVPN, shut down the NAS and rushed into the forum.
This is my first NAS, working fine for 6 months.
Setting it up, I followed related posts and forum advice and did my best to secure it.
No Cloud service, no UPnP, strong password, updates etc.
I only use OpenVPN with a manual port forwarded for remote access (not running VPN on the router, it is a simple ISP router/modem)
Is the one open port address my vulnerability?
Am I using OpenVPN in a wrong way?
Can my simple router provide the needed security/functionality?
Last edited by vskal on Fri Mar 05, 2021 5:00 pm, edited 1 time in total.
- dolbyman
- Guru
- Posts: 22367
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: Hack attack ! How to react and defend?
Is it always user "admin"?
Where did you see it? In the system protocol, or did you install the firewall?
The IP is localhost/127.0.0.1, so it is not an external attack.
-
- Starting out
- Posts: 32
- Joined: Sun Jul 05, 2020 4:57 pm
Re: Hack attack ! How to react and defend?
Yes, it is always user admin !
I received a bunch of email messages with:
App Name: Users
Category: Login
Message: [Users] Failed to log in via user account "admin". Source IP address: 127.0.0.1.
and after logging in I also show it in the NAS notifications.
It was TV time, so I was not messing up with the network or anything, seemed like a good time to be caught unguarded
Since the new Qufirewall I have been getting some blocked packets notifications, I don't know how related to this it might be.
"Denied access to 186 packets in the last 24 hours."
I just rebooted the NAS and the messages started piling up again.
-
- Starting out
- Posts: 32
- Joined: Sun Jul 05, 2020 4:57 pm
Re: Hack attack ! How to react and defend?
Forgot to answer your question dolbyman, yes I have Qufirewall installed.
Update: I noticed the QVRpro and my USB camera are on (which are usually not) so I stopped them.
The notifications instantly stopped.
I need to check what in their configuration is causing the login attempts !
Update:
I re-enabled QVRpro and USBcam and still no notifications !
Thought I had something but now I am totally clueless
-
- Starting out
- Posts: 40
- Joined: Mon Nov 30, 2020 6:51 am
Re: Hack attack ! How to react and defend?
How can I avoid these dozens of messages?
NAS Name: ............
Severity: Error
Date/Time: 2021/03/23 08:56:33
App Name: Users
Category: Login
Message: [Users] Failed to log in via user account "admin". Source IP address: 73.118.210.135.
- Moogle Stiltzkin
- Ask me anything
- Posts: 9673
- Joined: Thu Dec 04, 2008 12:21 am
- Location: Around the world....
- Contact:
Re: Pseudo Hack attack !
vskal wrote: ↑Fri Mar 05, 2021 6:57 am
Looks like someone was trying to log in to my NAS tonight:
[Users] Failed to log in via user account "admin". Source IP address: 127.0.0.1
This happened .... about 200 times in 1 hour ... before I found out, disabled the manual port for OpenVPN, shut down the NAS and rushed into the forum.
This is my first NAS, working fine for 6 months.
Setting it up, I followed related posts and forum advice and did my best to secure it.
No Cloud service, no UPnP, strong password, updates etc.
I only use OpenVPN with a manual port forwarded for remote access (not running VPN on the router, it is a simple ISP router/modem)
Is the one open port address my vulnerability?
Am I using OpenVPN in a wrong way?
Can my simple router provide the needed security/functionality?

Running a VPN from the router is preferable to, say, QVPN running on the NAS itself. That is the first thing.

In this example they are using a pfSense router to set up a VPN for remote access
https://www.youtube.com/watch?v=PgielyUFGeQ
https://www.youtube.com/watch?v=ZY49EAMnniY
Explanation about VPN
https://www.youtube.com/watch?v=MJXVRwl3_yY
For VPN you usually use either OpenVPN or WireGuard, because some of the older VPN protocols might be less secure
https://www.youtube.com/watch?v=bnV-_BN9OkE
No idea what router you are using. I suggest, if possible, getting a pfSense router since they are solid in terms of software. I bought a Qotom and flashed pfSense onto it. Much happier than when I used an off-the-shelf Asus AC68U. For Wi-Fi I paired it with a Ubiquiti UniFi to complete my network setup.

Another option is something like QHora. You can use the QNAP QuWAN router software to create a site-to-site VPN.

https://www.youtube.com/watch?v=ZNZRLqjsU_8
NAS
[Main Server] QNAP TS-877 w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A w. 5x 2TB Samsung F3 (HD203WI) EXT4 Raid5
[Backup] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-659 Pro II
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D
[^] QNAP TS-228
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1
Network
Qotom Pfsense|100dl/50ul MBPS FTTH Internet | Win10, WC PC-Intel i7 920 Ivy bridge desktop (1x 512gb Samsung 850 Pro SSD + 1x 4tb HGST Ultrastar 7K4000)
Guides & articles
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin
-
- Starting out
- Posts: 40
- Joined: Mon Nov 30, 2020 6:51 am
Re: Hack attack ! How to react and defend?
It is always user admin. The messages are sent to my email as notifications from my device. I have not installed any firewall
[Error][Users] Notification from your device:xxxxxxx
NAS Name: nikost
Severity: Error
Date/Time: 2021/03/23 10:03:57
App Name: Users
Category: Login
Message: [Users] Failed to log in via user account "admin". Source IP address: 118.163.217.9.
-
- Experience counts
- Posts: 1031
- Joined: Mon Nov 21, 2016 12:55 am
- Location: Orlando, FL.
- Contact:
Re: Pseudo Hack attack !
Good morning -
what is different about this attack (which is happening all over the world now) - is that normally, you get 3 - 6 attempts and they move on. But this new attack, hits the systems hundreds of times (with hundreds of failed login attempts) - so if your password is "password" or "admin" - I bet you are in trouble this morning.
I have no answer other than to disable UPnP, disable CloudLink, and if you can - unplug your QNAP from the internet until further notice.
Bob Zelin
Bob Zelin / Rescue 1, Inc.
http://www.bobzelin.com
-
- Starting out
- Posts: 13
- Joined: Tue Mar 22, 2016 4:32 am
Re: Pseudo Hack attack !
I'm in the same situation. Attempted logins from random IP addresses for user 'admin'. I've seen this before, usually 2 or 3 attempts then nothing for weeks. Current attack has been every minute for last 12 hours, roughly.
I unregistered my nas in myQNAPcloud last night. The attack (and user error emails) continue.
What else can we do to stop login attempts from the internet?
I have 'admin' disabled with all share and folder access denied, so not too worried about a successful login, but I used the cloud too rarely to justify the risk.
NAS: TVS-471 | ReadyNas 312
-
- Starting out
- Posts: 13
- Joined: Tue Mar 22, 2016 4:32 am
Re: Pseudo Hack attack !
Also, reiterating the advice to disable UPnP. The current issue is also discussed here:
viewtopic.php?f=313&t=158834
Off to check UPnP settings on the NAS and router.
NAS: TVS-471 | ReadyNas 312
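
One way to triage the notifications discussed in this thread, as an added example that is not part of any post: it groups failed-login messages of the form quoted above by account and by whether the source address is loopback, LAN or external, and flags bursts. The function names, the 20-per-hour threshold and the sample events are assumptions made for the illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Notification text in the form quoted in the thread.
FAILED = re.compile(r'Failed to log in via user account "([^"]+)"\. '
                    r'Source IP address: ([0-9A-Fa-f:.]+?)\.?\s*$')
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def origin(ip_text):
    """loopback: raised on the NAS itself; lan: home network; else external."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "unparsed"
    if ip.is_loopback:
        return "loopback"
    return "lan" if any(ip in net for net in RFC1918) else "external"

def triage(events, window=timedelta(hours=1), burst=20):
    """events: (datetime, message) pairs; burst is an assumed threshold."""
    groups = defaultdict(list)
    for when, message in events:
        m = FAILED.search(message)
        if m:
            groups[(m.group(1), origin(m.group(2)))].append((when, m.group(2)))
    report = {}
    for key, hits in groups.items():
        hits.sort()
        peak = start = 0
        for end in range(len(hits)):  # sliding window over sorted timestamps
            while hits[end][0] - hits[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        report[key] = {"failures": len(hits), "peak": peak, "burst": peak >= burst,
                       "sources": len({ip for _, ip in hits})}
    return report

T0 = datetime(2021, 3, 5, 21, 0)
MSG = '[Users] Failed to log in via user account "admin". Source IP address: {}.'
SAMPLE = (  # constructed: documentation and private addresses, not from the thread
    [(T0 + timedelta(seconds=18 * i), MSG.format("127.0.0.1")) for i in range(200)]
    + [(T0 + timedelta(minutes=i), MSG.format(f"203.0.113.{i + 1}")) for i in range(30)]
    + [(T0 + timedelta(days=i), MSG.format("192.168.1.50")) for i in range(3)]
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A loopback burst points at something running on the NAS itself, while an external burst spread over many sources means the login service is reachable from the internet.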