Continuous "Failed to log via ..." messages

Introduce yourself to us and other members here, or share your own product reviews, suggestions, and tips and tricks of using QNAP products.
Post Reply
gatto_mannaro
Getting the hang of things
Posts: 95
Joined: Tue Feb 01, 2011 4:16 pm

Continuous "Failed to log via ..." messages

Post by gatto_mannaro »

Hello
Im experiencing a HUGE and continuous alerts of:
[Users] Failed to log in via user account "admin". Source IP address: (different IP)

One alarm every 30-60 seconds

Clearly my ADMIN user is off

What is the reason why? number is too huge than a random network scanning.
eurekkadev
First post
Posts: 1
Joined: Mon Sep 20, 2021 6:46 pm

Re: Continuous "Failed to log via ..." messages

Post by eurekkadev »

Looks like it happen a bit everywhere !!! IPs are Mainly from Asia !! WTF
User avatar
dolbyman
Guru
Posts: 34903
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Continuous "Failed to log via ..." messages

Post by dolbyman »

Why are the NAS web exposed?

Remove all direct access asap!
gatto_mannaro
Getting the hang of things
Posts: 95
Joined: Tue Feb 01, 2011 4:16 pm

Re: Continuous "Failed to log via ..." messages

Post by gatto_mannaro »

dolbyman wrote: Mon Sep 20, 2021 9:35 pm Why are the NAS web exposed?

Remove all direct access asap!
actually I disabled the myQNAPcloud and all that attempts stopped.
I suppose there is a bug in this tool
User avatar
dolbyman
Guru
Posts: 34903
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Continuous "Failed to log via ..." messages

Post by dolbyman »

Qnapcloud exposes your NAS to WAN (in conjunction with the dangerous upnp).. no fault in the tool.. just the way this works
gatto_mannaro
Getting the hang of things
Posts: 95
Joined: Tue Feb 01, 2011 4:16 pm

Re: Continuous "Failed to log via ..." messages

Post by gatto_mannaro »

dolbyman wrote: Tue Sep 21, 2021 3:04 am Qnapcloud exposes your NAS to WAN (in conjunction with the dangerous upnp).. no fault in the tool.. just the way this works
mmm ok but how come that with this app on I have all that "attacks"? I mean, why my IP is "known"?
User avatar
dolbyman
Guru
Posts: 34903
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Continuous "Failed to log via ..." messages

Post by dolbyman »

Disabling MyQNAP cloud will also remove the port forwards (upnp) and attacks then don't get forwarded to your NAS anymore

your IP is probably in here
https://www.shodan.io/

a quick demo
https://www.shodan.io/search?query=qnap
AlastairStevenson
Experience counts
Posts: 2415
Joined: Wed Jan 08, 2014 10:34 pm

Re: Continuous "Failed to log via ..." messages

Post by AlastairStevenson »

Disabling MyQNAP cloud will also remove the port forwards (upnp) and attacks then don't get forwarded to your NAS anymore
But your router also plays a part - UPnP will also be enabled on it.
This allows any UPnP-enabled device on your LAN to activate port forwarding - allowing the entire internet to have access to the devices on it.
There are many such UPnP-enabled devices, quite common are CCTV cameras and recorders.

Log on to the router admin interface and disable UPnP.
TS-431+ for storage and media and a bunch of IP cams under Surveillance Station. TVS-473 as files backup and QVR Pro.
jcfergus
New here
Posts: 3
Joined: Thu Dec 19, 2019 8:57 am

Re: Continuous "Failed to log via ..." messages

Post by jcfergus »

I've also been getting notifications, but every 20 min. I blocked one IP address which stopped it for about a day, but another showed up from different IP address. FWIW, both IPs originated in Frankfurt, Germany.

UPnP is disabled on my router (always has been), although there are two entries in the UPnP table that point from port 8080 and 8081 to my NAS. I wouldn't think these can be used if UPnP is not enabled.
There are no external ports enabled on the router.
The admin account is disabled on the NAS.
The myQNAPCloud instance that was enabled was deregistered, which should release that IP address to the pool and should no longer be associated with my NAS. Still getting the messages a day later.
There is no external web server hosted on the NAS and never has been.

What can still exist in the QNAP environment that would be associated with my NAS that is exposed directly to the internet?
I can block this new IP address, but I'm sure another will pop up in a while.

Running TS-451 with QTS 4.5.4.1800 Build 20210923
User avatar
dolbyman
Guru
Posts: 34903
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Continuous "Failed to log via ..." messages

Post by dolbyman »

probably faulty router config if 8080/8081 is forwarding ports to your NAS ...check if you can remove them by hand ..deregistering qnap DDNS is no help...attackers go direct via public iP
jcfergus
New here
Posts: 3
Joined: Thu Dec 19, 2019 8:57 am

Re: Continuous "Failed to log via ..." messages

Post by jcfergus »

RE: "..deregistering qnap DDNS is no help...attackers go direct via public iP"

Irrespective of the actions below, if I have deregistered the myQNAPcloud instance, how would that IP address still be associated with the IP address of my WAN connection, which would seem to be required to connect to my network?

And if it is just the bot hitting the IP I previously used, why would messages still be forwarded to me if I am dissociated with that host name and IP address as the messages imply when deregistering?

I blocked the specific IP address in the Allow/Deny screen under Security. That stopped the login failure messages. To prevent having to block each IP address used by a bot, I have now changed the Deny/Allow table so it only allows connections from my local network as I don't access the NAS from the internet.

Once I have confirmed that the updated IP address Allow setting blocks the login attempts, I plan to delete the two entries under the UPnP service as a further precaution even though UPnP is disabled, to counter the possibility of "probably faulty router config if 8080/8081 is forwarding ports to your NAS".
User avatar
dolbyman
Guru
Posts: 34903
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Continuous "Failed to log via ..." messages

Post by dolbyman »

If you deregister the ddns but still have portforwards in there then you are as vulnerable as before...as said ..attacks are done via ip and listst thereoff ...(fingerprints of devices behind the NAT)

lists like shodan.io have millions of public reachable devices for sale...of you have a semi static IP ..your device is probably in there and for sale
AlastairStevenson
Experience counts
Posts: 2415
Joined: Wed Jan 08, 2014 10:34 pm

Re: Continuous "Failed to log via ..." messages

Post by AlastairStevenson »

there are two entries in the UPnP table that point from port 8080 and 8081 to my NAS. I wouldn't think these can be used if UPnP is not enabled.
There are no external ports enabled on the router.
This does suggest that the NAS is, or was, accessible from the entire internet.

As a check, suggest using a service such as ShieldsUp! to check inbound access.
First use the 'All service ports' check.
Then check for a range covering 8080 and 8081
https://www.grc.com/x/ne.dll?bh0bkyd2
TS-431+ for storage and media and a bunch of IP cams under Surveillance Station. TVS-473 as files backup and QVR Pro.
QNAPDanielFL
Easy as a breeze
Posts: 488
Joined: Fri Mar 31, 2017 7:09 am

Re: Continuous "Failed to log via ..." messages

Post by QNAPDanielFL »

There are many good ways to access a NAS remotely without forwarding any ports besides the VPN port.
VPN is a great option and it is faster now that we support Wireguard.
Qlink through myqnapcloud but not doing port forwarding is easy to set up for remote access and much safer than forwarding ports.
We now support Teamviewer as an app on the NAS for remote access without port forwarding needed.
Post Reply

Return to “Users' Corner”