Failed localhost login attempts

I have a TS-453A NAS running QTS 5.2.4.3079

For the last few days I’ve been getting failed login attempts with the following message:

Failed to log in via user account “admin”. Source IP address: 127.0.0.1

I read elsewhere online that running Security Counsellor refreshes a security token, but I don’t have Security Counsellor installed and when I checked available apps for my NAS it wasn’t in the list of available/supported apps.
I was able to install Security Center and I ran a scan, but the failed logins continue to happen a few times a day.

The NAS isn’t external facing and the login attempt is coming from the loopback IP address, so I guess it’s something on the NAS trying to login to perform some task or other, but I have no idea what’s causing it or how to fix it.

If anyone can suggest a fix I’d appreciate it.
Thanks

Did you disable the admin user ? (if so, enable it and see if these messages go away)

Hi @RodJSmith,

Thanks for your post. If your NAS isn’t exposed to the internet, the direct security risk is generally low.

To help us investigate what might be causing these log entries, could you please tell us:

  1. Installed QPKGs: Could you list the QPKGs you have installed? It would be especially helpful to know if you’ve recently installed or updated any.
  2. Recent Password Changes: Have you changed your admin or any user passwords recently?
  3. Timing: Do these failed login attempts happen at the same time each day, or are they random?

This information will be very useful in narrowing down the possibilities.

The admin account isn’t disabled. I’m only using the NAS as a media server and to act as a home directory for scanned documents etc. Also, it isn’t external facing and I’m the only user on my network, so I never bothered to disable the admin acct.

I have the following apps installed:
ClamAV, CodexPack, Container Station, File Station 5, HBS 3 Hybrid Backup Sync, Helpdesk 3.3.4, License Center 1.9.51, Malware Remover 6.6.5, Media Streaming add-on, Multimedia Console 2.8.0, myQNAPcloud 1.1.75, myQNAPclound Link 2.4.63, Network & Virtual Switch, Notification Center, Plex Media Server 1.30.0, Qboost 1.6.3, QNAP AI Core 3.5.0, Qsirch 5.6.2, QTS SSL Certificate, QuLog Center 1.8.1.898, Resource Monitor 1.2.0, Security Center 3.0.3.3481, SMB Service 4.15.003, SSD Profiling Tool 1.0.3047, Video Station 5.8.2

This problem started a few days ago. I’ve haven’t installed anything new for months and I hadn’t updated any of the apps for about the same amount of time (although I’ve updated them all now in case this fixed the issue I’m having - which it didn’t)

There have been no password changes recently.

The timing of the failed logins: It happens a few times per day. The last few were:
Two, last night at 22:47:08 and 22:47:11, then today there was one at 9:01am this morning and then another two at 13:20 and 13:21 this afternoon.

Maybe try uninstalling/disabling Security Center? It’s the most-likely cause of continued logged attempts.

You still need to find the original cause, though.

2023 i have the same problem with my TS-364 and the app QVR Pro

After 4 reboots the problem is gone and never came back.

I didn’t have Security Center installed when this problem first started, so I’m not sure it’s the problem. I only have it installed now because I read a post elsewhere saying the failed login was because Security Consultant needed a token refreshed (or something similar) and starting the app and then exiting would do the trick. Security “Consultant” isn’t available for the 453A, but Security Center was, so I installed it, ran scans etc but the problem still persists.

@RodJSmith
Thanks for the info. Let’s try to isolate the cause.

Could you please stop HBS 3 Hybrid Backup Sync, and check if the “Failed to log in. (admin), Source IP: 127.0.0.1” messages stop?

  • If they do stop, let us know. It’s likely HBS 3.
  • If they don’t stop, then, go to the Helpdesk app:
    1. Create a new support ticket with QNAP support, and attach the Diagnostic Logs to your support ticket.
    2. Enable Remote Support through the app, so the support team can assist you directly.

Please update us on the HBS 3 test, or if you’ve created a ticket. Thank you!

Will do. I’ll let it run a 24h cycle with HBS stopped and report back. Thanks

1 Like

Ok - I stopped HBS3, and the failed logins are still happening.
On the 28th:
1 at 13:35
7 between 16:30 and 16:34
On the 29th:
1 at 15:54
1 at 16:41
1 at 17:32

It’s also worth noting that when HBS3 was enabled, the various sync and backup jobs I have configured were all working just fine.

I’m not sure this is the same problem, but today my TS-130 sent 146 notifications of failed login attempts over an 8 minute period starting at 06:00:

[QuLog Center] Failed to log in. User: —. Source IP: ::1. Connection type: HTTP.

This looked like an inside job so I checked the crontab for that time and found:

0 6 * * 5 /usr/local/bin/python /share/CACHEDEV1_DATA/.qpkg/SecurityCounselor/bin/security_advisor --check_all;#SA_SecurityCounselor_SA_security_counselor_schedule_task_SA

I know I have seen Security Advisor and/or Security Counselor apps, but neither exists in the web UI now. Based on posts elsewhere I ran the uninstaller:

sudo /share/CACHEDEV1_DATA/.qpkg/SecurityCounselor/.uninstall.sh

That did remove the package and the cron job, so I’m expecting no more trouble. Nothing seems changed in the web UI.

Steve,
I’ve done as you asked and reported back with the results.

Hi @RodJSmith
If the troubleshooting steps we’ve discussed so far haven’t resolved your issue, we’ll need to conduct a more in-depth check.

To proceed, please open a support ticket through Helpdesk or Customer Service - QNAP.

Thank you!