MY QNAP QuFile - Event Count window is showing denied access to 10507 packets in the last 24 hours. It is also showing,
0 All IPV4 8005 TCP 185.198.57.185 Deny
0 All IPV4 Any Any 185.10.68.89 Deny
0 All IPV 48080,443 TCP 93.206.246.22 Deny
48 All IPV4 Any Any Any Deny
84 AllIPV6 Any Any Any Deny
Unless I did it wrong, I believe I have blocked all external accesses to the three addresses above via my hardware firewall (which sits between the NAS and the QNAP). However, the Denied access count of packets in the last 24 hours is still fluctuating, and at times still going up, in the QNAP QuFirewall QNAP app.
This is leading me to believe the access requests are coming from within my QNAP?? is that correct?
I have also found this post: https://www.qnap.com/ko-kr/how-to/faq/a ... 198-57-185
which does not really explain why these events are happening but implies they are malware.
Finally, I've also found a post on redit: https://www.reddit.com/r/qnap/comments/ ... ent_count/
where others are having the same problem - but with no real conclusion (other than one person thinks its a QNAP bug).
Can anyone shed some light on this?
QNAP QuFile - Event Count showing specific accesses being denied
-
- Starting out
- Posts: 32
- Joined: Sat Nov 26, 2016 12:49 am
- dolbyman
- Guru
- Posts: 35023
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: QNAP QuFile - Event Count showing specific accesses being denied
Do not expose your NAS to WAN, just today QNAP announced a new attack of of cryptominer infections
https://www.qnap.com/en/security-advisory/QSA-21-56
Remove all port forwards asap
https://www.qnap.com/en/security-advisory/QSA-21-56
Remove all port forwards asap
-
- Starting out
- Posts: 32
- Joined: Sat Nov 26, 2016 12:49 am
Re: QNAP QuFile - Event Count showing specific accesses being denied
I think there was some sort of QNAP cloud app on it (long since removed) when I first set it up, but it has not otherwise been not exposed to the WAN (externally) as far as I know.
Also, the IP addresses noted above, seem to have been denied via the QNAP firewall going as far back as my logs record such things (which is early November).
Also, the IP addresses noted above, seem to have been denied via the QNAP firewall going as far back as my logs record such things (which is early November).
-
- Experience counts
- Posts: 2415
- Joined: Wed Jan 08, 2014 10:34 pm
Re: QNAP QuFile - Event Count showing specific accesses being denied
Worth checking is if UPnP is enabled on your LAN router, and in the QNAP Cloud configuration.I think there was some sort of QNAP cloud app on it (long since removed) when I first set it up, but it has not otherwise been not exposed to the WAN (externally) as far as I know.
If so - inbound access from the internet can be enabled without your knowledge.
As a check - try ShieldsUp! or similar inbound access check to confirm no open ports.
Use the 'All service ports' check.
https://www.grc.com/shieldsup
TS-431+ for storage and media and a bunch of IP cams under Surveillance Station. TVS-473 as files backup and QVR Pro.
-
- Starting out
- Posts: 32
- Joined: Sat Nov 26, 2016 12:49 am
Re: QNAP QuFile - Event Count showing specific accesses being denied
enable uPnP Port Forwarding is unchecked in the QNAP Cloud configuration. However, under this same configuration, myddns was enabled and I just disabled it, myqnap cloud link was enabled and I just disabled it.
shield up says: THE EQUIPMENT AT THE TARGET IP ADDRESS DID NOT RESPOND TO OUR UPnP PROBES!
However, I note two of the ip addresses above are being reported in qnap firewall as using tcp
shield up says: THE EQUIPMENT AT THE TARGET IP ADDRESS DID NOT RESPOND TO OUR UPnP PROBES!
However, I note two of the ip addresses above are being reported in qnap firewall as using tcp
-
- Starting out
- Posts: 32
- Joined: Sat Nov 26, 2016 12:49 am
Re: QNAP QuFile - Event Count showing specific accesses being denied
So further investigation reveals these three ip addresses appear to be being blocked all about the same time and all about once an hour. Blocking traffic from the Internet to the QNAP does not seem to matter. Also, if I am reading things right, the traffic appears to be being initiated from within the QNAP Server - but is being blocked by the QNAP firewall software. So perhaps a bug, perhaps a bot???
- dolbyman
- Guru
- Posts: 35023
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: QNAP QuFile - Event Count showing specific accesses being denied
I remember there was some mystery IPs blocked on QuFirewall one of the threads you actually link to up there
-
- Experience counts
- Posts: 2415
- Joined: Wed Jan 08, 2014 10:34 pm
Re: QNAP QuFile - Event Count showing specific accesses being denied
That's not the 'All service ports' check, it's not relevant.shield up says: THE EQUIPMENT AT THE TARGET IP ADDRESS DID NOT RESPOND TO OUR UPnP PROBES!
In addition - do the custom ports check covering 8080
TS-431+ for storage and media and a bunch of IP cams under Surveillance Station. TVS-473 as files backup and QVR Pro.
-
- Starting out
- Posts: 32
- Joined: Sat Nov 26, 2016 12:49 am
Re: QNAP QuFile - Event Count showing specific accesses being denied
all service ports reported as stealth as did 8080.
However, as noted above, it appears to me that the traffic is being originated from within the QNAP box, not externally.
Just looking for more information on this, what is causing it, how can it be stopped?
QNAP Malware checker reported nothing.
However, as noted above, it appears to me that the traffic is being originated from within the QNAP box, not externally.
Just looking for more information on this, what is causing it, how can it be stopped?
QNAP Malware checker reported nothing.
-
- Experience counts
- Posts: 2415
- Joined: Wed Jan 08, 2014 10:34 pm
Re: QNAP QuFile - Event Count showing specific accesses being denied
Good, that's reassuring.all service ports reported as stealth as did 8080.
TS-431+ for storage and media and a bunch of IP cams under Surveillance Station. TVS-473 as files backup and QVR Pro.