Failed log in attempts over and over via FTP

TS-453 Pro, firmware QTS 5.2.8.3359 Digital Signature

Team, I am getting continued hits from router IP (192.168.1.1) with many different usernames all of which do not exist and admin is disabled. I do run Plex and share with a few friends (3) outside network and restricted to their account info. Attached screenshot but qulog is getting max message so it is continual at this point.

I have QuFTP installed and just de-selected the Enable the FTP server to see if that stops it.

Bots automatically scan every IP address and attempt basic attempts to access your system. This is why you should never directly expose your NAS to such threats. You should disable UPnP on your router and remove any ports that are manually forwarded to your NAS. You should also disable UPnP on your NAS.

You would be shocked if you knew what was being thrown at your NAS right now if you have it published to the internet. You really should not do that. If you want to safely share videos with friends via Plex, then you should all get a Plex Pass or set up a VPN on your router and let them access your server via the VPN.

If it’s your router that sends these out, it’s probably a security suite on your router that tries to identify weak devices on your LAN.

Unless your router has been compromised and malware is now probing your LAN devices, without more info, impossible to say.

The IP address being the local router, doesn’t that suggest that the target is the external published IP address of your ISP connection, and those attacks are being routed by Port Forwarding on your router? You need to switch that OFF.

Both are valid reasons as to why it is happening and both should be investigated and corrected.

But it would show the WAN IP of the probing bot/attacker in the logs, not the router, if it was from port forwarding.

As discussed above, please pay special attention to your router’s security configuration and ensure that you have performed regular backups.

Additionally, could you please share the brand and model of your router? Thanks!

The router is a Netgear RS500. Also it seems that once I disabled QuFTP the issues have stopped.

The symptoms may have “disappeared” i.e. it isn’t being logged any more, but unless you have actually taken the steps to disable the access that was in place, you are still at risk. You need to disable UPnP or remove the manually forwarded ports to properly protect your system and your entire network.

Disabling UPnP on the router might prevent other functions from working, outside of the NAS.

If QuFTP is disabled, then it won’t be making a forwarding request to the router, via UPnP for that port. I’d restart the router, just to make sure any previously requested port forwarding isn’t still active.
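One way to confirm that no UPnP mapping requested earlier is still forwarding to the NAS, as an added example that is not part of the original thread: the script parses the listing printed by miniupnpc's `upnpc -l` and reports every mapping that targets the NAS. The NAS address `192.168.1.50`, the sample listing and the `RISKY_PORTS` selection are assumptions made for the example.

```python
import re

# Constructed sample in the format printed by miniupnpc's `upnpc -l`.
# Hosts, ports and descriptions are made up for this example.
SAMPLE_UPNPC_OUTPUT = """\
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP    21->192.168.1.50:21    'QuFTP' '' 0
 1 TCP 32400->192.168.1.50:32400 'Plex Media Server' '' 0
 2 UDP  3074->192.168.1.77:3074  'Console' '' 86400
"""

# One mapping line: index, protocol, external port, internal host:port, description.
MAPPING_RE = re.compile(
    r"^\s*\d+\s+(?P<proto>TCP|UDP)\s+(?P<ext>\d+)->"
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}):(?P<int>\d+)\s+'(?P<desc>[^']*)'"
)

# Assumption: services treated here as unsafe to expose from a NAS.
RISKY_PORTS = {21: "FTP", 22: "SSH", 23: "Telnet", 445: "SMB"}


def parse_mappings(text):
    """Return one dict per port-mapping line; the header and other lines are skipped."""
    mappings = []
    for line in text.splitlines():
        m = MAPPING_RE.match(line)
        if m:
            mappings.append({
                "proto": m["proto"], "ext_port": int(m["ext"]),
                "host": m["host"], "int_port": int(m["int"]), "desc": m["desc"],
            })
    return mappings


def audit(text, nas_ip):
    """Mappings that still forward to nas_ip, with risky internal ports listed first."""
    hits = [m for m in parse_mappings(text) if m["host"] == nas_ip]
    for m in hits:
        m["risky"] = RISKY_PORTS.get(m["int_port"])  # None when not in the list
    return sorted(hits, key=lambda m: m["risky"] is None)


if __name__ == "__main__":
    for m in audit(SAMPLE_UPNPC_OUTPUT, "192.168.1.50"):
        flag = f"RISKY ({m['risky']})" if m["risky"] else "review"
        print(f"{flag}: {m['proto']} {m['ext_port']} -> "
              f"{m['host']}:{m['int_port']} '{m['desc']}'")
```

To check a real router, capture the output of `upnpc -l` from a machine on the LAN and pass it to `audit()` in place of the sample; an empty result after the router restart means no UPnP mapping to the NAS remains.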

Like what? Many new router firmwares have no UPnP at all... yet everything works.

It depends what “everything” you’re doing.

My ISP tried to “upgrade” me to a router without UPnP and I had to reject it, as I run some services with manual port forwarding (which that router also didn’t support) and a couple with UPnP.

Their 3rd-level support got involved and it was “no problem, we’ll send you a proper router”

ISP routers are set to bridge mode, as no ISPs will send you a ‘proper’ router.

Port forwards I can see, the need for UPnP remains mysterious.

Actually, that’s not correct. I ended up buying my own cable modem a few years ago because the one Comcast gave me would not stay in bridge mode after a firmware update. They absolutely want to give you a router (whether it is good or not is another question) and provide your WiFi, etc.

I guess I should have written “ISP routers are to be set to bridge mode […]”.

So far the ones I have gotten here (these days it’s basically Xfinity clones, as my ISP was bought in a cooperation with them) stay rock solid in bridge mode. I offered years ago to buy my own but they said they can only guarantee DOCSIS compliance with their own, so getting my own was not allowed. Plus they change DOCSIS standards every few years, so them swapping it is easier than to re-buy and turf your own all the time.

Yeah, I had theirs for years, but had all kinds of trouble after a firmware update. Comcast Tech support is oh so helpful. They kept asking me about my WiFi and I would tell them I am not using their WiFi and they would be like, “What do you mean?”

A guy at my local Xfinity (Comcast) store told me to go buy my own modem, which I did. It worked great for several years but after my area got upgraded to faster upload speeds, it turns out that particular Arris model was only limited to 40 Mb/s upload even though it was fully compliant to the DOCSIS specs (3.0 or whatever they are on now). So I bought a different modem and things have been great since.

I think you live in BC. Here in the states at least the modems all get certified by the CATV providers. So they already have approved the ones I have used.

I now have to pay for unlimited data when before I didn’t, but then I’m not paying to rent the modem so it’s a wash actually…