Constant Admin login failures from different IP addresses

[jon96789]

I logged into my QNAP NAS today and I noticed in the system logs that I am getting constant [warning] admin login fail http from different ip addresses by user admin... The attempts are happening about every ten seconds. What can I do to stop this?

Is there a way to prevent NAS access from the internet, i.e. only allow access within my home wi-fi network? Currently, the NAS is connected to a external router (which has Wi-Fi disabled) which my PC is hard-wired to. I have a Netgear Orbi system for my meshed Wi-Fi connected to my external router. The external router does have MAC access control enabled so nothing is allowed to connect if the MAC address is not registered. But I am not sure if this blocks anyone from accessing the NAS from the internet. Thanks in advance...

[dolbyman]

disable auto router config and upnp on your router

without portforwarding there will be no more login attempts

[Shanetower]

I had the same issue, but after a lot of back and forth I just restricted access to my NAS to certain IP addresses, this has stopped this in its tracks and I can access the system at my home WiFi with ease.

[dolbyman]

if access is supposed to be only in wifi (lan) ..why are ports forwarded to wan anyways ?

[jon96789]

disable auto router config and upnp on your router

without portforwarding there will be no more login attempts

I was able to disable UPNP on my router but could not disable auto router config in my router settings. I have a Netgear R7000...

I did find disable auto router config in the MyQNAPCloud app on the NAS but it shows grey (-) bars there... The Auto Router Config in the app shows UPNP as disabled. I do not have Cloudlink setup on the NAS so I think I do not have access to the NAS over the internet.

I am sorry but I am not too familiar with some of these things...

[dolbyman]

yes ...
upnp gets disabled on the router
autorouter config on the nas

with both disabled (even one should be enough) no more login attempts should happen

[jon96789]

Thanks for the info...

[Moogle Stiltzkin]

upnp should be disabled on your router.... here is steve gibson explaining why upnp is a bad idea.... especially for router
https://www.youtube.com/watch?v=wEa43qM4JjQ


because.... an app that will auto do upnp will make holes through your router without you knowing about it. and we all know what happened to the USS enterprise everytime the shields went down


How to Turn Off UPnP on Netgear NIghthawk Routers
https://www.podfeet.com/blog/tutorials- ... k-routers/
https://kb.netgear.com/24306/How-do-I-e ... awk-router


if ever you needed a port forwarded, do the port forward manually, it's not that hard. but mostly try and avoid it when not needed.

while at it, keep your QNAP, client devices, and router all updated


By the way your router was also affected by vpnfilter vulnerability. So if you haven't updated your router in ages, you probably should

https://kb.netgear.com/000058814/Securi ... AR-Devices
https://www.youtube.com/watch?v=2YfT1FHCslU
https://www.youtube.com/watch?v=H0OlA51NR_Y



and yes although the qnap has myqnapcloud, you are not required to use it. i suggest using vpn if you require a secure remote access. but even then, that would require a proper vpn setup (check the forum or google for how to do that, if you need it).



in your QTS security settings, there should be an option to limit auto logins. what this does is, if someone tries to login with an incorrect credentials, it won't just let them do it for infinity without consequence. Instead it will block them for a short period of time before they can try again. this prevents them from infinite times of entering credentials until they succeed (this is called a brute force attack). a good limit auto login mechanism would increase the block duration penalty for successive flags by the same ip.

it's better to just install the qnap security counselor app from app center. this will run you through a checklist of security items to get your NAS secure with the minimum level of hardening you should do for your NAS. This is useful for less technical (and even technical users) for quickly hardening their QNAP NAS security.


if your broadband isp subscription is dynamic meaning the ip address changes, maybe you can try power off your router and modem for 5-15minutes or so, boot up. and hopefully you get issued a new ip (you can check in your router UI, or here https://www.iplocation.net )

if you set your qnap to use a dyndns which is a fixed ip e.g. myqnapnas.com then changing your ip is not gonna do much since they can use that dyndns ip which will be updated to use the new one.

if you didn't secure your router and qnap, by disabling upnp and port forwarding, then you'll just get this issue all over again. do that first thing

[Moogle Stiltzkin]

this is an interesting post related to a similar issue. recommended read
https://www.reddit.com/r/qnap/comments/ ... good_qnap/

[joishere]

Hi,
I have exactly the same problem, noticed following the update of my NAS that I made today.
Is it a coincidence, a bug in the update? Or is there really a constant intrusion attempt on my NAS?

[dolbyman]

probably constant intrusion attempts..get the nas out of the open web

[jon96789]

Hmm... Intreresting reading... Here is my setup, maybe someone can chime in and give me some advice. Repeating from OP...

Currently, the NAS is connected to a Netgear R7000 external router (which has Wi-Fi disabled) which my PC is hard-wired to. I have a Netgear Orbi system for my meshed Wi-Fi connected to my R7000 external router. The external router does have MAC access control enabled so nothing is allowed to connect if the MAC address is not registered.

Am I correct to assume that if the NAS is connected directly to the Orbi iso the R7000 it would make it more secure because it would be within the network and not exposed to the internet? What would be the drawbacks of this?

[dolbyman]

not sure what wifi mac address control has to do with wan login attempts

[jon96789]

Sorry, let me clarify... If I connect the NAS to the Orbi iso the R7000, does that mean it is isolated from the internet?

[jon96789]

Also, on a side note, since disabling the UPNP and the auto router config, I have had no further attempts to log in to the NAS... I hope that fixes it... Thanks all...