QNAP QuFile - Event Count showing specific accesses being denied

Don't miss a thing. Post your questions and discussion about other uncategorized NAS features here.
Post Reply
RobLatour
Starting out
Posts: 32
Joined: Sat Nov 26, 2016 12:49 am

QNAP QuFile - Event Count showing specific accesses being denied

Post by RobLatour »

MY QNAP QuFile - Event Count window is showing denied access to 10507 packets in the last 24 hours. It is also showing,

0 All IPV4 8005 TCP 185.198.57.185 Deny
0 All IPV4 Any Any 185.10.68.89 Deny
0 All IPV 48080,443 TCP 93.206.246.22 Deny
48 All IPV4 Any Any Any Deny
84 AllIPV6 Any Any Any Deny

Unless I did it wrong, I believe I have blocked all external accesses to the three addresses above via my hardware firewall (which sits between the NAS and the QNAP). However, the Denied access count of packets in the last 24 hours is still fluctuating, and at times still going up, in the QNAP QuFirewall QNAP app.

This is leading me to believe the access requests are coming from within my QNAP?? is that correct?

I have also found this post: https://www.qnap.com/ko-kr/how-to/faq/a ... 198-57-185
which does not really explain why these events are happening but implies they are malware.

Finally, I've also found a post on redit: https://www.reddit.com/r/qnap/comments/ ... ent_count/
where others are having the same problem - but with no real conclusion (other than one person thinks its a QNAP bug).

Can anyone shed some light on this?
User avatar
dolbyman
Guru
Posts: 35023
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: QNAP QuFile - Event Count showing specific accesses being denied

Post by dolbyman »

Do not expose your NAS to WAN, just today QNAP announced a new attack of of cryptominer infections
https://www.qnap.com/en/security-advisory/QSA-21-56
Remove all port forwards asap
RobLatour
Starting out
Posts: 32
Joined: Sat Nov 26, 2016 12:49 am

Re: QNAP QuFile - Event Count showing specific accesses being denied

Post by RobLatour »

I think there was some sort of QNAP cloud app on it (long since removed) when I first set it up, but it has not otherwise been not exposed to the WAN (externally) as far as I know.

Also, the IP addresses noted above, seem to have been denied via the QNAP firewall going as far back as my logs record such things (which is early November).
AlastairStevenson
Experience counts
Posts: 2415
Joined: Wed Jan 08, 2014 10:34 pm

Re: QNAP QuFile - Event Count showing specific accesses being denied

Post by AlastairStevenson »

I think there was some sort of QNAP cloud app on it (long since removed) when I first set it up, but it has not otherwise been not exposed to the WAN (externally) as far as I know.
Worth checking is if UPnP is enabled on your LAN router, and in the QNAP Cloud configuration.
If so - inbound access from the internet can be enabled without your knowledge.

As a check - try ShieldsUp! or similar inbound access check to confirm no open ports.
Use the 'All service ports' check.

https://www.grc.com/shieldsup
TS-431+ for storage and media and a bunch of IP cams under Surveillance Station. TVS-473 as files backup and QVR Pro.
RobLatour
Starting out
Posts: 32
Joined: Sat Nov 26, 2016 12:49 am

Re: QNAP QuFile - Event Count showing specific accesses being denied

Post by RobLatour »

enable uPnP Port Forwarding is unchecked in the QNAP Cloud configuration. However, under this same configuration, myddns was enabled and I just disabled it, myqnap cloud link was enabled and I just disabled it.

shield up says: THE EQUIPMENT AT THE TARGET IP ADDRESS DID NOT RESPOND TO OUR UPnP PROBES!
However, I note two of the ip addresses above are being reported in qnap firewall as using tcp
RobLatour
Starting out
Posts: 32
Joined: Sat Nov 26, 2016 12:49 am

Re: QNAP QuFile - Event Count showing specific accesses being denied

Post by RobLatour »

So further investigation reveals these three ip addresses appear to be being blocked all about the same time and all about once an hour. Blocking traffic from the Internet to the QNAP does not seem to matter. Also, if I am reading things right, the traffic appears to be being initiated from within the QNAP Server - but is being blocked by the QNAP firewall software. So perhaps a bug, perhaps a bot???
User avatar
dolbyman
Guru
Posts: 35023
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: QNAP QuFile - Event Count showing specific accesses being denied

Post by dolbyman »

I remember there was some mystery IPs blocked on QuFirewall one of the threads you actually link to up there
AlastairStevenson
Experience counts
Posts: 2415
Joined: Wed Jan 08, 2014 10:34 pm

Re: QNAP QuFile - Event Count showing specific accesses being denied

Post by AlastairStevenson »

shield up says: THE EQUIPMENT AT THE TARGET IP ADDRESS DID NOT RESPOND TO OUR UPnP PROBES!
That's not the 'All service ports' check, it's not relevant.
In addition - do the custom ports check covering 8080
TS-431+ for storage and media and a bunch of IP cams under Surveillance Station. TVS-473 as files backup and QVR Pro.
RobLatour
Starting out
Posts: 32
Joined: Sat Nov 26, 2016 12:49 am

Re: QNAP QuFile - Event Count showing specific accesses being denied

Post by RobLatour »

all service ports reported as stealth as did 8080.

However, as noted above, it appears to me that the traffic is being originated from within the QNAP box, not externally.

Just looking for more information on this, what is causing it, how can it be stopped?

QNAP Malware checker reported nothing.
AlastairStevenson
Experience counts
Posts: 2415
Joined: Wed Jan 08, 2014 10:34 pm

Re: QNAP QuFile - Event Count showing specific accesses being denied

Post by AlastairStevenson »

all service ports reported as stealth as did 8080.
Good, that's reassuring.
TS-431+ for storage and media and a bunch of IP cams under Surveillance Station. TVS-473 as files backup and QVR Pro.
Post Reply

Return to “Miscellaneous”