Hello all,
Whenever I log into my Qnap it seems there is always an admin logged in even though I have the admin account disabled. I do have Plex and a few other things installed and am guessing it's a system thing, however there is always that feeling that ransomware is encrypting my drive as we speak. Does anyone else know what this is?? If you have seen this let me know! If you have never seen this also let me know!
Thanks in advance
Regards,
--Chris
Phantom Admin account logged in?? Security issue?
-
- New here
- Posts: 4
- Joined: Fri Jul 12, 2019 6:22 am
- dolbyman
- Guru
- Posts: 35275
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: Phantom Admin account logged in?? Security issue?
Is that IP 8.37.180.2 known to you?
In any case your web login seems to be reachable from the WAN, a very bad security issue.
-
- New here
- Posts: 4
- Joined: Fri Jul 12, 2019 6:22 am
Re: Phantom Admin account logged in?? Security issue?
Hi, Thanks for the reply! Yea, that's me logged in from work. I think disabling web login from WAN seems like a great idea. I did a quick search but couldn't find how to do this, could you point me in the right direction?
I disabled SSH, Telnet, etc. Disabled default admin account, IP banning and timeout.
Thanks again!
-
- Starting out
- Posts: 11
- Joined: Thu Jul 11, 2019 12:46 am
- Location: Bordeaux, FRANCE
Re: Phantom Admin account logged in?? Security issue?
You either activated some dyndns in your NAS to reach it through DNS resolution, or you activated port redirection in your WAN router to redirect incoming WAN connections on a specific port (I guess 80/443) to your NAS.
You'd better deactivate that and set up an SSL/IPsec VPN on your router/firewall, and from that VPN grant access to your desired host/whole LAN. This way, you're not exposing possible flaws in the web engine of your NAS to the internet.
Regarding the admin account: no IP shown, and connected since 15h57. What bugs me is that it's not from localhost (seeing 127.0.0.1 would have been reassuring, like "oh, that must be the local system"). Does that time correspond to the uptime?
Just a random Data & Network tech guy.
-
- New here
- Posts: 4
- Joined: Fri Jul 12, 2019 6:22 am
Re: Phantom Admin account logged in?? Security issue?
That extra admin account logs in the moment I power up the QNAP. Which makes me think it's not someone connecting, rather something being launched at startup. I do use myQNAPcloud as my dyndns, and port forwarding to the QNAP because some of my family uses QSync as backup. Thanks for the tip! So do you think just removing the port forwarding trigger for web access on 8080 via the router is the proper method to disable WAN access?
eguitton wrote: ↑Fri Jul 12, 2019 8:02 am
You either activated some dyndns in your NAS to reach it through DNS resolution, or you activated port redirection in your WAN router to redirect incoming WAN connections on a specific port (I guess 80/443) to your NAS.
You'd better deactivate that and set up an SSL/IPsec VPN on your router/firewall, and from that VPN grant access to your desired host/whole LAN. This way, you're not exposing possible flaws in the web engine of your NAS to the internet.
Regarding the admin account: no IP shown, and connected since 15h57. What bugs me is that it's not from localhost (seeing 127.0.0.1 would have been reassuring, like "oh, that must be the local system"). Does that time correspond to the uptime?
-
- Starting out
- Posts: 11
- Joined: Thu Jul 11, 2019 12:46 am
- Location: Bordeaux, FRANCE
Re: Phantom Admin account logged in?? Security issue?
Yep, you can either:
Disable port forwarding on your router, and manually re-enable it when needed (or leave the rule intact but just deactivate/re-activate it when needed), and this is enough to secure your NAS and LAN (no external packets allowed to be redirected to your LAN, except when you reactivate the rule). But that also might mean that you have to leave your admin page accessible from the internet in order to change that rule when not at home: be careful! (Or don't allow WAN access to the admin page, and use TeamViewer or equivalent to access your home computer directly when you need to change the rule from your LAN, where the admin page is always available.)
Or set up a VPN on your router/firewall instead of using port forwarding: credentials or a certificate are required to establish a connection to your router, and traffic to your LAN will be encrypted (more secure because tunneling + credentials (please use a strong password) for the VPN + different credentials for your NAS). But... you either need a static IP, or a domain name + dyndns or equivalent to be sure to reach your router. Which you apparently are already doing, minus the VPN.
And for the admin account, if it is effectively always connected as soon as you boot up the NAS, I wouldn't be bothered. Unless a more educated NAS expert says we should be.
Just a random Data & Network tech guy.
Phantom Admin account logged in?? Security issue?
With all the active threats in the news, why anyone still exposes NAS services to a WAN is beyond me.
https://brica.de/alerts/alert/public/12 ... s-devices/
Never, ever, do that! Even briefly. That includes myQNAPcloud, UPnP, forwarding.
Just because you can do something, doesn’t mean you should.
-
- First post
- Posts: 1
- Joined: Wed Jun 05, 2019 7:25 pm
Re: Phantom Admin account logged in?? Security issue?
I observed this once I enabled Q Center, or its agent. Do you have qcenter enabled?