Pseudo Hack attack !

vskal
Starting out
Posts: 32
Joined: Sun Jul 05, 2020 4:57 pm

Pseudo Hack attack !

Post by vskal » Fri Mar 05, 2021 6:57 am

Looks like someone was trying to log in to my NAS tonight:

[Users] Failed to log in via user account "admin". Source IP address: 127.0.0.1

This happened .... about 200 times in 1 hour ... before I found out, disabled the manual port for open VPN, shut down the NAS and rushed into the forum.

This is my first NAS, working fine for 6 months.
Setting it up, I followed related posts and forum advice and did my best to secure it.
No Cloud service, no UPnP, strong password, updates etc.
I only use open VPN with a manual port forwarded for remote access (not running VPN on the router, it is a simple ISP router/modem)

Is the one open port address my vulnerability ?
Am I using open VPN in a wrong way ?
Can my simple router provide the needed security/functionality ?
Last edited by vskal on Fri Mar 05, 2021 5:00 pm, edited 1 time in total.

dolbyman
Guru
Posts: 22367
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Hack attack ! How to react and defend?

Post by dolbyman » Fri Mar 05, 2021 7:03 am

is it always user "admin" ?
where did you see it ? in the system protocol or did you install the firewall ?
The IP is localhost/127.0.0.1 so it is not an external attack

vskal
Starting out
Posts: 32
Joined: Sun Jul 05, 2020 4:57 pm

Re: Hack attack ! How to react and defend?

Post by vskal » Fri Mar 05, 2021 7:17 am

Yes, it is always user admin !

I received a bunch of email messages with:
App Name: Users
Category: Login
Message: [Users] Failed to log in via user account "admin". Source IP address: 127.0.0.1.

and after logging in I also show it in the NAS notifications.
It was TV time, so I was not messing up with the network or anything, seemed like a good time to be caught unguarded :)

Since the new Qufirewall I have been getting some blocked packets notifications, I don't know how related to this it might be.
"Denied access to 186 packets in the last 24 hours."

I just rebooted the NAS and the messages started piling up again.

vskal
Starting out
Posts: 32
Joined: Sun Jul 05, 2020 4:57 pm

Re: Hack attack ! How to react and defend?

Post by vskal » Fri Mar 05, 2021 7:28 am

Forgot to answer your question dolbyman, yes I have Qufirewall installed.

Update: I noticed the QVRpro and my USB camera are on (which are usually not) so I stopped them.
The notifications instantly stopped.

I need to check what in their configuration is causing the login attempts !

Update:
I re-enabled QVRpro and USBcam and still no notifications !

Thought I had something but now I am totally clueless

nikost
Starting out
Posts: 40
Joined: Mon Nov 30, 2020 6:51 am

Re: Hack attack ! How to react and defend?

Post by nikost » Tue Mar 23, 2021 5:02 pm

dolbyman wrote:
Fri Mar 05, 2021 7:03 am
is it always user "admin" ?
where did you see it ? in the system protocol or did you install the firewall ?
The IP is localhost/127.0.0.1 so it is not an external attack

How can I avoid these dozens of messages?

NAS Name: ............
Severity: Error
Date/Time: 2021/03/23 08:56:33

App Name: Users
Category: Login
Message: [Users] Failed to log in via user account "admin". Source IP address: 73.118.210.135.

Moogle Stiltzkin
Ask me anything
Posts: 9673
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....
Contact:

Re: Pseudo Hack attack !

Post by Moogle Stiltzkin » Tue Mar 23, 2021 5:29 pm

vskal wrote:
Fri Mar 05, 2021 6:57 am
Looks like someone was trying to log in to my NAS tonight:

[Users] Failed to log in via user account "admin". Source IP address: 127.0.0.1

This happened .... about 200 times in 1 hour ... before I found out, disabled the manual port for open VPN, shut down the NAS and rushed into the forum.

This is my first NAS, working fine for 6 months.
Setting it up, I followed related posts and forum advice and did my best to secure it.
No Cloud service, no UPnP, strong password, updates etc.
I only use open VPN with a manual port forwarded for remote access (not running VPN on the router, it is a simple ISP router/modem)

Is the one open port address my vulnerability ?
Am I using open VPN in a wrong way ?
Can my simple router provide the needed security/functionality ?

running vpn from the router is more preferable to say QVPN running on the nas itself. That is the first thing :'

In this example they are using pfsense router to setup a vpn for remote access
https://www.youtube.com/watch?v=PgielyUFGeQ
https://www.youtube.com/watch?v=ZY49EAMnniY

explanation about vpn
https://www.youtube.com/watch?v=MJXVRwl3_yY


vpn u usually either use openvpn or wireguard. Because some of the older vpn protocols might be less secure
https://www.youtube.com/watch?v=bnV-_BN9OkE


no idea what router you are using. i suggest if possible get a pfsense router since they are solid in terms of software. i bought a qotom and flash pfsense onto it. Much happier than when i used an off the shelf asus ac68u. For wifi i paired it with a ubiquiti unifi to complete my network setup :D


another option is something qhora. You can use the qnap quwan router software to create site to site vpn :D
https://www.youtube.com/watch?v=ZNZRLqjsU_8
NAS
[Main Server] QNAP TS-877 w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A w. 5x 2TB Samsung F3 (HD203WI) EXT4 Raid5
[Backup] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-659 Pro II
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D
[^] QNAP TS-228
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Qotom Pfsense|100dl/50ul MBPS FTTH Internet | Win10, WC PC-Intel i7 920 Ivy bridge desktop (1x 512gb Samsung 850 Pro SSD + 1x 4tb HGST Ultrastar 7K4000)


Guides & articles
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin

nikost
Starting out
Posts: 40
Joined: Mon Nov 30, 2020 6:51 am

Re: Hack attack ! How to react and defend?

Post by nikost » Tue Mar 23, 2021 6:08 pm

nikost wrote:
Tue Mar 23, 2021 5:02 pm
dolbyman wrote:
Fri Mar 05, 2021 7:03 am
is it always user "admin" ?
where did you see it ? in the system protocol or did you install the firewall ?
The IP is localhost/127.0.0.1 so it is not an external attack
How can I avoid these dozens of messages?

NAS Name: ............
Severity: Error
Date/Time: 2021/03/23 08:56:33

App Name: Users
Category: Login
Message: [Users] Failed to log in via user account "admin". Source IP address: 73.118.210.135.

It is always user admin. The messages are sent to my email as notifications from my device. I have not installed any firewall

[Error][Users] Notification from your device:xxxxxxx
Inbox
xxxxxx@gmail.com

12:04 PM (1 minute ago)

to me
[Error][Users] Notification from your device:xxxxxxx

NAS Name: nikost
Severity: Error
Date/Time: 2021/03/23 10:03:57

App Name: Users
Category: Login
Message: [Users] Failed to log in via user account "admin". Source IP address: 118.163.217.9.

Bob Zelin
Experience counts
Posts: 1031
Joined: Mon Nov 21, 2016 12:55 am
Location: Orlando, FL.
Contact:

Re: Pseudo Hack attack !

Post by Bob Zelin » Tue Mar 23, 2021 10:54 pm

Good morning -
what is different about this attack (which is happening all over the world now) - is that normally, you get 3 - 6 attempts and they move on. But this new attack, hits the systems hundreds of times (with hundreds of failed login attempts) - so if your password is "password" or "admin" - I bet you are in trouble this morning.

I have no answer other than to disable UPnP, disable CloudLink, and if you can - unplug your QNAP from the internet until further notice.
Bob Zelin
Bob Zelin / Rescue 1, Inc.
http://www.bobzelin.com

mcmnky
Starting out
Posts: 13
Joined: Tue Mar 22, 2016 4:32 am

Re: Pseudo Hack attack !

Post by mcmnky » Wed Mar 24, 2021 9:08 pm

I'm in the same situation. Attempted logins from random IP addresses for user 'admin'. I've seen this before, usually 2 or 3 attempts then nothing for weeks. Current attack has been every minute for last 12 hours, roughly.

I unregistered my nas in myQNAPcloud last night. The attack (and user error emails) continue.

What else can we do to stop login attempts from the internet?

I have 'admin' disabled with all share and folder access denied, so not too worried about a successful login, but I used the cloud too rarely to justify the risk.
NAS: TVS-471 | ReadyNas 312
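
Added example (not part of any post in this thread, and not QNAP code): a triage script for the failed-login notification e-mails quoted above. It separates loopback-sourced failures (the 127.0.0.1 case, which points at something on the NAS itself) from remote ones, and flags the pattern described here of many random source addresses at a sustained rate. The NAS name, the thresholds and the 203.0.113.x documentation addresses are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta

TS = re.compile(r"Date/Time:\s*(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)")
FAIL = re.compile(r'Failed to log in via user account "([^"]*)"\. '
                  r"Source IP address: (\d{1,3}(?:\.\d{1,3}){3})")

def parse(text):
    """Return (time, user, ip) for each failed-login notification in text."""
    events, ts = [], None
    for line in text.splitlines():
        if m := TS.search(line):
            ts = datetime.strptime(m[1], "%Y/%m/%d %H:%M:%S")
        elif (m := FAIL.search(line)) and ts:
            try:
                events.append((ts, m[1], ipaddress.ip_address(m[2])))
            except ValueError:
                pass  # not a valid address, skip this notice
            ts = None  # each timestamp belongs to one notice only
    return events

def triage(events, window=timedelta(hours=1), threshold=20):
    """Split loopback from remote failures and rate the remote ones."""
    remote = sorted((e for e in events if not e[2].is_loopback), key=lambda e: e[0])
    per_source = Counter(str(e[2]) for e in remote)
    peak = lo = 0
    for hi, (t, _, _) in enumerate(remote):  # sliding window over sorted times
        while t - remote[lo][0] > window:
            lo += 1
        peak = max(peak, hi - lo + 1)
    busiest = max(per_source.values(), default=0)
    return {
        "loopback": len(events) - len(remote),  # local service, not the internet
        "remote": len(remote),
        "sources": len(per_source),
        "peak_per_window": peak,
        "sustained": peak >= threshold,
        # many sources, none of which alone would reach a per-IP threshold
        "distributed": peak >= threshold and busiest < threshold,
    }

def sample_notifications():
    """Constructed input: 3 loopback failures, then 30 remote ones a minute apart."""
    block = ('NAS Name: example-nas\nSeverity: Error\nDate/Time: 2021/03/24 {}\n\n'
             'App Name: Users\nCategory: Login\nMessage: [Users] Failed to log in '
             'via user account "admin". Source IP address: {}.\n\n')
    local = [block.format(f"08:0{i}:00", "127.0.0.1") for i in range(3)]
    remote = [block.format(f"09:{i:02d}:00", f"203.0.113.{10 + i // 2}") for i in range(30)]
    return "".join(local + remote)

if __name__ == "__main__":
    print(triage(parse(sample_notifications())))
```

A result with `distributed` set means a rule that counts failures per source address would not fire on its own, which is why the advice in this thread is about removing the internet exposure rather than blocking single addresses.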

mcmnky
Starting out
Posts: 13
Joined: Tue Mar 22, 2016 4:32 am

Re: Pseudo Hack attack !

Post by mcmnky » Wed Mar 24, 2021 9:18 pm

Also, reiterating the advice to disable uPNP. The current issue is also discussed here:
viewtopic.php?f=313&t=158834

Off to check uPNP settings on the nas and router.
NAS: TVS-471 | ReadyNas 312
