Constant login hacking attempts

Post your questions about myQNAPcloud service here.
LinkAylomen
New here
Posts: 8
Joined: Thu Dec 29, 2016 6:56 pm

Constant login hacking attempts

Post by LinkAylomen »

Hiya!

So having your NAS available over the internet has its advantages, but it comes with some pitfalls... one I keep experiencing is people trying to brute-force the admin and various other logins. Over the last few months, attempts on the login page have gotten worse, and as a minimum level of security I've enabled the built-in IPS to block an IP after X attempts in X minutes.

Problem is that all of this traffic is from the TOR network, so blocking TOR traffic would (at the moment) solve the issue. I've no worries about anyone actually cracking the password, as it's a very long string with a large mix of characters, so long I don't even know what it is.

I can get a list of IPs which act as exit nodes on the TOR network (as can anyone), but unfortunately there's no "bulk" add option to blacklist IPs.

Now most people would suggest using a whitelist instead, but as most of my access outside the home is via a mobile network operator, the IPs change a lot... so whitelisting them all would be just as difficult.

Does anyone know a way around this, or an application that would assist with this issue?

I've done a search on the forums and Google and most people just keep repeating the whitelist thing... but as stated, that would be just as time-consuming... whitelist or blacklist, I need a way of bulk adding IPs.

P.S. The NAS is available via QNAP cloud, so I don't think changing the ports would work around this, as they seem to be hitting my NAS from the cloud.

- Andy
Toxic17
Ask me anything
Posts: 6469
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth

Re: Constant login hacking attempts

Post by Toxic17 »

So you have port 8080 open to the internet?
Regards, Simon

Qnap Downloads
MyQNap.Org Repository
Submit a ticket • QNAP Helpdesk
QNAP Tutorials, User Manuals, FAQs, Downloads, Wiki
When you ask a question, please include the following


NAS: TS-673A QuTS hero h5.1.2.2534 • TS-121 4.3.3.2420 • APC Back-UPS ES 700G
Network: VM Hub3: 500/50 • UniFi UDM Pro: 3.2.9 • UniFi Network Controller: 8.0.28
USW-Aggregation: 6.6.61 • US-16-150W: 6.6.61 • 2x USW Mini Flex 2.0.0 • UniFi AC Pro 6.6.62 • UniFi U6-LR 6.6.62
UniFi Protect: 2.11.21/8TB Skyhawk AI • 3x G3 Instants: 4.69.55 • UniFi G3 Flex: 4.69.55 • UniFi G5 Flex: 4.69.55
LinkAylomen
New here
Posts: 8
Joined: Thu Dec 29, 2016 6:56 pm

Re: Constant login hacking attempts

Post by LinkAylomen »

Toxic17 wrote:So you have port 8080 open to the internet?
Assuming that's the default port used by the cloud service, yes.
OneCD
Guru
Posts: 12037
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: Constant login hacking attempts

Post by OneCD »

LinkAylomen wrote:I can get a list of IPs which act as exit nodes on the TOR network (as can anyone), but unfortunately there's no "bulk" add option to blacklist IPs.

Now most people would suggest using a whitelist instead, but as most of my access outside the home is via a mobile network operator, the IPs change a lot... so whitelisting them all would be just as difficult.

Does anyone know a way around this, or an application that would assist in this issue?
Personally, I built my own IDS/IPS that runs on my webserver and automatically uploads a banned IP list into my DD-WRT router.

But to answer your question, maybe you could add them into the /etc/config/ipsec_deny.conf file instead?

Here's what it looks like after I've added 3 single addresses and an address range via the QTS Control Panel:


[/etc/config] # cat ipsec_deny.conf 
0:100.0.0.101::0:1484073744
0:100.0.0.102::0:1484073785
0:100.0.0.103::0:1484073822
1:101.0.0.0:255.255.255.0:0:1484073927
I then edited this file and added a line manually.

Switched back to QTS, closed Control Panel, relaunched it, and my new IP address appeared in the list. :geek:

If you can convert your blocklist into a file with this structure, then this may be a solution.
  • Fields are delimited by colons (:)
    1st field = don't know - maybe entry type?
    2nd field = IP address to block
    3rd field = subnet mask
    4th field = don't know
    5th field = appears to be seconds since epoch when this address was added (date +%s)
Good luck!

Don
Guru
Posts: 12289
Joined: Thu Jan 03, 2008 4:56 am
Location: Long Island, New York

Re: Constant login hacking attempts

Post by Don »

Use VPN instead of opening ports.
Use the forum search feature before posting.

Use RAID and external backups. RAID will protect you from disk failure, keep your system running, and data accessible while the disk is replaced, and the RAID rebuilt. Backups will allow you to recover data that is lost or corrupted, or from system failure. One does not replace the other.

NAS: TVS-882BR | F/W: 5.0.1.2346 | 40GB | 2 x 1TB M.2 SATA RAID 1 (System/VMs) | 3 x 1TB M.2 NMVe QM2-4P-384A RAID 5 (cache) | 5 x 14TB Exos HDD RAID 6 (Data) | 1 x Blu-ray
NAS: TVS-h674 | F/W: 5.0.1.2376 | 16GB | 3 x 18TB RAID 5
Apps: DNSMasq, PLEX, iDrive, QVPN, QLMS, MP3fs, HBS3, Entware, DLstation, VS, +
LinkAylomen
New here
Posts: 8
Joined: Thu Dec 29, 2016 6:56 pm

Re: Constant login hacking attempts

Post by LinkAylomen »

OneCD wrote:
LinkAylomen wrote:I can get a list of IPs which act as exit nodes on the TOR network (as can anyone), but unfortunately there's no "bulk" add option to blacklist IPs.

Now most people would suggest using a whitelist instead, but as most of my access outside the home is via a mobile network operator, the IPs change a lot... so whitelisting them all would be just as difficult.

Does anyone know a way around this, or an application that would assist in this issue?
Personally, I built my own IDS/IPS that runs on my webserver and automatically uploads a banned IP list into my DD-WRT router.

But to answer your question, maybe you could add them into the /etc/config/ipsec_deny.conf file instead?

Here's what it looks like after I've added 3 single addresses and an address range via the QTS Control Panel:


[/etc/config] # cat ipsec_deny.conf 
0:100.0.0.101::0:1484073744
0:100.0.0.102::0:1484073785
0:100.0.0.103::0:1484073822
1:101.0.0.0:255.255.255.0:0:1484073927
I then edited this file and added a line manually.

Switched back to QTS, closed Control Panel, relaunched it, and my new IP address appeared in the list. :geek:

If you can convert your blocklist into a file with this structure, then this may be a solution.
  • Fields are delimited by colons (:)
    1st field = don't know - maybe entry type?
    2nd field = IP address to block
    3rd field = subnet mask
    4th field = don't know
    5th field = appears to be seconds since epoch when this address was added (date +%s)
Good luck!

Woah, Thanks for the detailed info! I'm confident I can use this to add the list of IP's I have in minutes rather than hours via the web UI!

Thank you so much!
LinkAylomen
New here
Posts: 8
Joined: Thu Dec 29, 2016 6:56 pm

Re: Constant login hacking attempts

Post by LinkAylomen »

Don wrote:Use VPN instead of opening ports.
I've not opened any ports manually, I've just enabled the "cloud" feature... If I knew where to start with setting up a VPN to my LAN and making sure it's secure, I'd do it for all the benefits it brings... but seeing as I'm only 1/3 of the way through a CCNA course, with limited networking knowledge at the moment, I'm not confident I could do it and ensure my VPN was secure.

Thanks for the idea though.
LinkAylomen
New here
Posts: 8
Joined: Thu Dec 29, 2016 6:56 pm

Re: Constant login hacking attempts

Post by LinkAylomen »

Just a quick update in case anyone was reading this in the hope for the same fix I needed.

The solution OneCD described works flawlessly. Seeing as my issue was with the Tor network and not paid VPN services, I was able to grab a list of Tor IP addresses easily.

I downloaded my ipsec_deny.conf file using WinSCP, opened it up in Notepad++ and pasted in the list of IPs I had. Then I used find/replace (CTRL+H) to prefix 0: to the start of every line (find ^ and replace with 0:) and again to append ::0:1483008022 to the end of every line (find $ and replace with ::0:1483008022), saved the file and re-uploaded it to the NAS, and all the addresses are now in the block list.

From start to finish this list took under 10 minutes to implement and saved me potentially hours... I now have over 1200 entries on the block list. I understand it's a sticking plaster on the real problem for now but while it works I don't mind.

It has been about a week now since I got around to doing it and I've not had a single log in attempt from an unknown source :)
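The conversion OneCD describes (turning a plain list of addresses into ipsec_deny.conf lines) and the one LinkAylomen did by hand with Notepad++ find/replace, as an added Python example that is not from this thread or from QNAP. The field layout is inferred from the four sample lines OneCD posted: type 0 for a single address with an empty netmask, type 1 for a range with its netmask, a fourth field that is always 0, then epoch seconds. The meaning of the first and fourth fields is an assumption, and so is the handling of CIDR ranges. The sample input list is constructed from documentation address ranges, not a real Tor exit-node list. It goes slightly beyond what the thread does by skipping entries already in the file (so re-running it on a refreshed list creates no duplicates) and by rejecting lines that are not valid IPv4.

```python
"""Convert a plain list of IPv4 addresses / CIDR ranges into the
/etc/config/ipsec_deny.conf line format seen in this thread and merge it
into an existing file without creating duplicate entries."""
import ipaddress
import time

# Field layout inferred from the sample in OneCD's post (assumption, not
# documented by QNAP):  type:address:netmask:flag:epoch_seconds
#   type    0 = single address, 1 = address range (the two shapes in the sample)
#   netmask empty for a single address, dotted-quad mask for a range
#   flag    always 0 in the sample; its meaning is unknown
TYPE_SINGLE = "0"
TYPE_RANGE = "1"
UNKNOWN_FLAG = "0"


def to_deny_line(entry, added_at):
    """Return one ipsec_deny.conf line for an IPv4 address or CIDR range.
    Raises ValueError for anything that is not valid IPv4."""
    net = ipaddress.ip_network(entry.strip(), strict=False)
    if net.version != 4:
        raise ValueError(f"only IPv4 entries are handled: {entry!r}")
    if net.prefixlen == 32:
        return f"{TYPE_SINGLE}:{net.network_address}::{UNKNOWN_FLAG}:{added_at}"
    return f"{TYPE_RANGE}:{net.network_address}:{net.netmask}:{UNKNOWN_FLAG}:{added_at}"


def existing_keys(conf_text):
    """Set of (address, netmask) pairs already present in the file."""
    keys = set()
    for line in conf_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 5:
            keys.add((parts[1], parts[2]))
    return keys


def merge_blocklist(conf_text, entries, added_at=None):
    """Append new entries to conf_text.
    Returns (new_text, added_lines, rejected_entries)."""
    if added_at is None:
        added_at = int(time.time())  # same value as `date +%s` on the NAS
    seen = existing_keys(conf_text)
    out_lines = [line for line in conf_text.splitlines() if line.strip()]
    added, rejected = [], []
    for raw in entries:
        raw = raw.split("#", 1)[0].strip()  # allow comments and blank lines
        if not raw:
            continue
        try:
            line = to_deny_line(raw, added_at)
        except ValueError:
            rejected.append(raw)
            continue
        key = tuple(line.split(":")[1:3])  # (address, netmask)
        if key in seen:
            continue  # already blocked; do not duplicate
        seen.add(key)
        out_lines.append(line)
        added.append(line)
    return "\n".join(out_lines) + "\n", added, rejected


# The four lines OneCD posted, used as the "existing file" for the demo.
EXISTING_CONF = """0:100.0.0.101::0:1484073744
0:100.0.0.102::0:1484073785
0:100.0.0.103::0:1484073822
1:101.0.0.0:255.255.255.0:0:1484073927
"""

# Constructed sample input: documentation ranges standing in for an exit-node list.
SAMPLE_LIST = """192.0.2.10
192.0.2.11          # trailing comment is ignored
198.51.100.0/24     # a whole range becomes a type-1 entry
100.0.0.101         # already present, must not be duplicated
not-an-address      # rejected
2001:db8::1         # IPv6, not handled here, rejected
"""

if __name__ == "__main__":
    text, added, rejected = merge_blocklist(EXISTING_CONF, SAMPLE_LIST.splitlines(), 1483008022)
    print(text)
    print(f"added {len(added)} entries, rejected: {rejected}")
```

Copy the existing file off the NAS first (as LinkAylomen did with WinSCP) and keep that copy as a backup, since the format is undocumented; run the script on it, upload the result, then close and relaunch Control Panel as OneCD described to confirm the entries show up. The timestamp defaults to the current time; pass a fixed value, as the `__main__` block does, if you want reproducible output.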
P3R
Guru
Posts: 13190
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: Constant login hacking attempts

Post by P3R »

LinkAylomen wrote:...as I'm only 1/3 of the way through a CCNA course with limited networking knowledge at the moment... I'm not confident I could do it and ensure my VPN was secure...
Many with less knowledge than half a CCNA have set up VPN. I'm sure the experience gained would be useful in your future studies.
RAID has never been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on separate media protects your data far better than any RAID volume without a backup.

All data storage consists of both the primary storage and the backups. It's your money and your data: spend the storage budget wisely or pay with your data!
LinkAylomen
New here
Posts: 8
Joined: Thu Dec 29, 2016 6:56 pm

Re: Constant login hacking attempts

Post by LinkAylomen »

P3R wrote:
LinkAylomen wrote:...as I'm only 1/3 of the way through a CCNA course with limited networking knowledge at the moment... I'm not confident I could do it and ensure my VPN was secure...
Many with less knowledge than half a CCNA have set up VPN. I'm sure the experience gained would be useful in your future studies.
Care to share a good source of information for setting up a home VPN securely?
P3R
Guru
Posts: 13190
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: Constant login hacking attempts

Post by P3R »

LinkAylomen wrote:Care to share a good source of information for setting up a home VPN securely?
I'm sorry but I don't have any available.

Of course I could google one up for you but the problem is that I don't know:
  • What router/firewall you have (that's the best place to implement VPN).
  • What kind of clients you have in mind.
  • What additional requirements you have.
Therefore I think it would be better if you googled it yourself.

Personally I use a site-to-site IPSec VPN on pfSense firewalls. It's not for everyone but offers professional features at the cost of a second hand PC.
OneCD
Guru
Posts: 12037
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: Constant login hacking attempts

Post by OneCD »

LinkAylomen wrote:It has been about a week now since I got around to doing it and I've not had a single log in attempt from an unknown source :)
:D

delta2109
New here
Posts: 2
Joined: Mon Feb 11, 2019 2:11 am

Re: Constant login hacking attempts

Post by delta2109 »

LinkAylomen-
I have been having the exact same issue since day one of getting my TVS-882. Within the first month I had 3 successful hacks on my server last year, and in one instance they enabled my Container Station and installed a bit-mining app. I only noticed because the server was acting so slow when trying to transfer files and watch a movie; I looked into the CPU usage and it was at 100% and was like WTF. So I copied all of my logs and connection logs, including my router's logs, and sent them to both QNAP and ASUS support, then factory reset it. I said hey! Check these logs and see who the hell hacked my server. The best part: QNAP said there was no evidence of hacking and had the audacity to tell me they could not understand half the logs, and had to point out external IP connections of where the hack originated from. In the 4 years of owning my NETGEAR server before getting my QNAP I only ever had 1 login/hack attempt. IDK what the hell it is about QNAP and why it is targeted more than anything else. But still, a year later, it never fails: if the server is on for more than an hour I get several login attempts from IP addresses originating in the EU and Middle East. I can never get a fix on them using tracert or IP lookups because most of these A-Holes are using proxies, VPNs or making so many hops I can't trace them. I'm pretty good with IT stuff but not that good lol.

RECOMMENDATIONS
But at the end of the day what I ended up doing is:
-1- Turn on IP and address blocking for failed login attempts to the smallest number possible and have it block them for a length of time or indefinitely. Only problem with that is the block list could get very long lol.
-2- Keep it off unless you are using it or heading out of the house and need to use it later, unless you can install an external wake-up cmd in your router's LAN. I never did because it's a pain in the ** and introduces even more security risks by opening up another port on your network router.
-3- Turn everything off as far as network protocols go that you do not utilize or need. That shuts down any open ports you do not need.
-4- If I am home I keep it off the router or block the internet connection, since I do not need the internet connection if everything is up to date.
-5- Just keep an eye on your connection logs and have notifications set up to text or email you, so you can lock it down immediately or trace them actively while that individual is online with an active connection.
-6- Change your passwords monthly and use enterprise passkey policies, or use 2-way login verification through text or email.

All in all these are all the BS steps I have had to take to prevent another breach because QNAP cannot pull their heads out of their ** and figure out all of the security flaws they have in network protocols, but in the grand scheme of things anything can be hacked.
I have nothing to hide on my server, but I still sure as hell do not want anyone snooping around personal information to try and blackmail me, or to lose 20 years' worth of pictures and personal stuff, hence why I still back everything up on external HDDs just in case.
Lastly, from what I have seen and researched, the servers are used for large-scale botnet attacks on a particular network due to the computing power of the servers, and in mine I upgraded to an Intel i7 with 64GB of RAM and a 2.5" solid state drive for all of my apps and running the server. It's a beast lol.

But good luck and hope this helps.
dolbyman
Guru
Posts: 35013
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Constant login hacking attempts

Post by dolbyman »

Not sure why you dig out a thread from 2017 .. there are plenty of current threads about infected NAS.

Verdict .. get your NAS out of the NET .. use a VPN if you need external connections.
bokr71
Been there, done that
Posts: 605
Joined: Sun Jan 24, 2016 8:13 pm

Re: Constant login hacking attempts

Post by bokr71 »

I was experiencing the same issues, and eventually switched from myQNAPcloud to VPN. It wasn't as difficult as you might fear:

1) I enabled the L2TP/IPsec Server in the VPN app on the QNAP,
2) I also made a read-only ID,
3) On my ISP-provided router, I forwarded UDP ports 500, 1701, and 4500 to the IP of the NAS,
4) On my iPhone I set up the L2TP VPN profile, using the ISP router IP, the user ID specifically made for this, and the Secret from QNAP.

That's it...
Apple: MS M1 Max 10c/32c/16c/64GB/2TB - MP 3.2GHz 16c/192GB/2TB/2xRadeon Pro - nMP 3.5GHz 6C/64GB/1TB/D700 - Echo Express 1TB Accelsior/4x500GB NVMe Sonnet/Sonnet Solo10G PCIe - MBP 13" 4c i7/16GB/512GB - MBP 14" M1 Pro/16GB/512GB - MB 12" 4c i7/16GB/512GB - MMI 6c i5/8GB/500GB - 2 x TC 3TB - HomePods - iPhones, iPads and Apple Watches...

Primary NAS: QNAP TVS-872XT 7x10TB + 2x512GB NVMe SSD. BackUp: Cloud iDrive - Locally QNAP TR-004 4x12TB

Network: ISP Gateway - TP-Link Deco - QNAP QSW-M408-4C