Continuous "Failed to log via ..." messages
-
- Getting the hang of things
- Posts: 95
- Joined: Tue Feb 01, 2011 4:16 pm
Continuous "Failed to log via ..." messages
Hello
I'm experiencing HUGE and continuous alerts of:
[Users] Failed to log in via user account "admin". Source IP address: (different IP)
One alarm every 30-60 seconds
Clearly my ADMIN user is off
What is the reason why? The number is too huge to be random network scanning.
-
- First post
- Posts: 1
- Joined: Mon Sep 20, 2021 6:46 pm
Re: Continuous "Failed to log via ..." messages
Looks like it happens a bit everywhere!!! IPs are mainly from Asia!! WTF
- dolbyman
- Guru
- Posts: 35276
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: Continuous "Failed to log via ..." messages
Why are the NAS web exposed?
Remove all direct access asap!
-
- Getting the hang of things
- Posts: 95
- Joined: Tue Feb 01, 2011 4:16 pm
- dolbyman
- Guru
- Posts: 35276
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: Continuous "Failed to log via ..." messages
Qnapcloud exposes your NAS to WAN (in conjunction with the dangerous upnp).. no fault in the tool.. just the way this works
-
- Getting the hang of things
- Posts: 95
- Joined: Tue Feb 01, 2011 4:16 pm
- dolbyman
- Guru
- Posts: 35276
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: Continuous "Failed to log via ..." messages
Disabling MyQNAP cloud will also remove the port forwards (upnp) and attacks then don't get forwarded to your NAS anymore
your IP is probably in here
https://www.shodan.io/
a quick demo
https://www.shodan.io/search?query=qnap
-
- Experience counts
- Posts: 2415
- Joined: Wed Jan 08, 2014 10:34 pm
Re: Continuous "Failed to log via ..." messages
"Disabling MyQNAP cloud will also remove the port forwards (upnp) and attacks then don't get forwarded to your NAS anymore"
But your router also plays a part - UPnP will also be enabled on it.
This allows any UPnP-enabled device on your LAN to activate port forwarding - allowing the entire internet to have access to the devices on it.
There are many such UPnP-enabled devices, quite common are CCTV cameras and recorders.
Log on to the router admin interface and disable UPnP.
TS-431+ for storage and media and a bunch of IP cams under Surveillance Station. TVS-473 as files backup and QVR Pro.
-
- New here
- Posts: 3
- Joined: Thu Dec 19, 2019 8:57 am
Re: Continuous "Failed to log via ..." messages
I've also been getting notifications, but every 20 min. I blocked one IP address, which stopped it for about a day, but another showed up from a different IP address. FWIW, both IPs originated in Frankfurt, Germany.
UPnP is disabled on my router (always has been), although there are two entries in the UPnP table that point from port 8080 and 8081 to my NAS. I wouldn't think these can be used if UPnP is not enabled.
There are no external ports enabled on the router.
The admin account is disabled on the NAS.
The myQNAPCloud instance that was enabled was deregistered, which should release that IP address to the pool and should no longer be associated with my NAS. Still getting the messages a day later.
There is no external web server hosted on the NAS and never has been.
What can still exist in the QNAP environment that would be associated with my NAS that is exposed directly to the internet?
I can block this new IP address, but I'm sure another will pop up in a while.
Running TS-451 with QTS 4.5.4.1800 Build 20210923
- dolbyman
- Guru
- Posts: 35276
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: Continuous "Failed to log via ..." messages
probably faulty router config if 8080/8081 is forwarding ports to your NAS ...check if you can remove them by hand ..deregistering qnap DDNS is no help...attackers go direct via public IP
-
- New here
- Posts: 3
- Joined: Thu Dec 19, 2019 8:57 am
Re: Continuous "Failed to log via ..." messages
RE: "..deregistering qnap DDNS is no help...attackers go direct via public IP"
Irrespective of the actions below, if I have deregistered the myQNAPcloud instance, how would that IP address still be associated with the IP address of my WAN connection, which would seem to be required to connect to my network?
And if it is just the bot hitting the IP I previously used, why would messages still be forwarded to me if I am dissociated with that host name and IP address as the messages imply when deregistering?
I blocked the specific IP address in the Allow/Deny screen under Security. That stopped the login failure messages. To prevent having to block each IP address used by a bot, I have now changed the Deny/Allow table so it only allows connections from my local network as I don't access the NAS from the internet.
Once I have confirmed that the updated IP address Allow setting blocks the login attempts, I plan to delete the two entries under the UPnP service as a further precaution even though UPnP is disabled, to counter the possibility of "probably faulty router config if 8080/8081 is forwarding ports to your NAS".
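The pattern reported in this thread (the same "admin" failure message arriving from a rotating set of source addresses) can be measured from an exported log, which also shows why denying addresses one at a time does little while a LAN-only allow rule stops the traffic. This is an added example, not part of any post; the leading ISO timestamp, the `192.168.1.0/24` subnet and the `summarize` helper are assumptions, and the sample lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Message text as quoted in the thread; the leading ISO timestamp is an assumed export format.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) \[Users\] Failed to log in via user account "(?P<user>[^"]+)"\. '
    r'Source IP address: (?P<ip>\S+)$')
LAN = ip_network("192.168.1.0/24")  # assumed local subnet used for the allow rule

# Constructed sample lines (documentation address ranges), not real log data.
SAMPLE = """\
2021-09-20T18:00:05 [Users] Failed to log in via user account "admin". Source IP address: 203.0.113.7
2021-09-20T18:00:41 [Users] Failed to log in via user account "admin". Source IP address: 198.51.100.23
2021-09-20T18:01:20 [Users] Failed to log in via user account "admin". Source IP address: 203.0.113.99
2021-09-20T18:02:02 [Users] Failed to log in via user account "admin". Source IP address: 198.51.100.23
2021-09-20T18:02:50 [Users] Failed to log in via user account "admin". Source IP address: 192.0.2.140
2021-09-20T18:03:10 [Users] Failed to log in via user account "admin". Source IP address: 192.168.1.20
"""

def summarize(text, lan=LAN, blocked=()):
    """Summarize failed logins: sources, rate, and what each control would stop."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed line
        try:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], ip_address(m["ip"])))
        except ValueError:
            continue  # unparseable timestamp or address
    external = [e for e in events if e[2] not in lan]
    times = sorted(e[0] for e in external)
    gaps = len(times) - 1
    denied = {ip_address(b) for b in blocked}
    return {
        "external_attempts": len(external),
        "distinct_sources": len(Counter(e[2] for e in external)),
        "mean_interval_s": (times[-1] - times[0]).total_seconds() / gaps if gaps > 0 else None,
        "accounts": sorted({e[1] for e in external}),
        # External attempts that still arrive after denying individual addresses:
        "after_per_ip_block": sum(1 for e in external if e[2] not in denied),
        # Attempts that still reach the login page under a LAN-only allow rule:
        "reach_login_with_lan_only_allow": sum(1 for e in events if e[2] in lan),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE, blocked=["198.51.100.23"]))
```

Many distinct sources at a steady interval against a default account name points to distributed credential guessing against an exposed login page, so the fix is removing the exposure rather than growing a deny list.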
- dolbyman
- Guru
- Posts: 35276
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: Continuous "Failed to log via ..." messages
If you deregister the ddns but still have portforwards in there then you are as vulnerable as before...as said ..attacks are done via ip and lists thereof ...(fingerprints of devices behind the NAT)
lists like shodan.io have millions of public reachable devices for sale...if you have a semi static IP ..your device is probably in there and for sale
-
- Experience counts
- Posts: 2415
- Joined: Wed Jan 08, 2014 10:34 pm
Re: Continuous "Failed to log via ..." messages
"there are two entries in the UPnP table that point from port 8080 and 8081 to my NAS. I wouldn't think these can be used if UPnP is not enabled.
There are no external ports enabled on the router."
This does suggest that the NAS is, or was, accessible from the entire internet.
As a check, suggest using a service such as ShieldsUp! to check inbound access.
First use the 'All service ports' check.
Then check for a range covering 8080 and 8081
https://www.grc.com/x/ne.dll?bh0bkyd2
TS-431+ for storage and media and a bunch of IP cams under Surveillance Station. TVS-473 as files backup and QVR Pro.
-
- Easy as a breeze
- Posts: 488
- Joined: Fri Mar 31, 2017 7:09 am
Re: Continuous "Failed to log via ..." messages
There are many good ways to access a NAS remotely without forwarding any ports besides the VPN port.
VPN is a great option and it is faster now that we support WireGuard.
Qlink through myqnapcloud but not doing port forwarding is easy to set up for remote access and much safer than forwarding ports.
We now support TeamViewer as an app on the NAS for remote access without port forwarding needed.