Ever since February 27 the access log on my TVS-671 has been filling up (20 thousand lines) with “Failed to login” error messages for connection type SMB. The user account for these failed connections is admin, which I disabled when I bought the machine years ago (and it’s still disabled). The spooky thing about it is that the IP address being reported as the source of the failed connection is the NAS itself! Why on Earth would the NAS have started trying to establish an SMB connection to itself? I have a Windows machine that maps a a drive letter to a private share on the server with a personal username and that has continued to work.
I was looking at something else and saw a suggestion to set a static IP address. I tried that and broke access to the NAS, so I switched the Ethernet cable to another port in the hope that it would get a new IP address. Not only did the NAS get assigned a new IP and I was able to log in again, but the SMB error messages stopped. Mapping a drive letter from my Windows box no longer worked however, so I switched the Ethernet cable cable back to the original port. My router has reassigned the previous IP address and now the SMB error messages are back! In what world does this make sense?
BTW after a reboot of the NAS I noticed that Virtualization Station was hung during startup so I uninstalled it, but that didn’t help. I’ve also turned off the AI image scanning/indexing but that didn’t help either.
Make sure apps like security counsellor are disabled, they often use the admin account for ‘security probing’ (and admin is still active anyways as it’s used for internal processes and can be vital for certain NAS rescue/troubleshooting operations, so you should re-enable it for sure)
Like I said I’ve had the admin account disabled (per the vast majority of recommendations out there) and never had a problem until February 27th. That being said I did go ahead and disabled Security Checkup, Antivirus and Malware Remover to see what would happen and the errors continued. It still makes no sense to me that the NAS would be trying to log into itself with SMB so I’m re-enabling the security apps. I see that the new firmware mentioned both the authentication mechanism and an issue with the SMB so I’ll see what happens when that’s applied. The SMB item is especially interesting because it mentions making the NAS unresponsive, and it just so happens that when I was trying to figure things out yesterday the system was running really slow, and I got an alert about the swap memory being full (which has also never happened before). That makes me wonder if the SMB login attempts are causing a memory leak or something. We’ll see!
I re-enabled the admin account and the login failure severity=warning messages stopped. Now the severity=information logs show that the NAS is logging into itself successfully every minute with an SMB connection type and I still have no idea why. I would appreciate any advice on how to figure that out and make it stop, because a) I want to stop whatever it is from wasting resources and spamming my logs with tens of thousands of SMB login messages, and b) I’ll be able to re-disable the admin account as QNAP itself strongly recommends (and as it was for many years before this started). One weirdness about this is that the IP address being reported is the NAS’s 192.168.x.x address rather than 127.0.0.1.
Is that (unnecessarily) censored internal IP, the IP of your NAS?
There was an issue years ago that some part of QTS would trigger constant logs unless you logged into it once after an update (security counselor or MalwareRemover, or something like that) I cannot find the news bulletin about it anymore
Yes, 192.168.1.21 is the DHCP-assigned address of the NAS (that wasn’t obfuscation so much as illustration). There are only two computers in the house that map drives to shares on the NAS: one of them is the computer I’m typing on now (192.168.1.15), and I turned the other one off two days ago to remove it from the equation. I found the firmware installation entries in QuLog Center and the last one was January 16th, so that’s eliminated as a possible culprit.
I disabled all the scans in Security Center, Malware Remover and ClamAV, as well as multimedia indexing and AI features. I didn’t expect those to make a difference because I couldn’t imagine why they would be using the SMB service, and sure enough they didn’t stop it so they’re all back on now.
Maybe just open a ticket with QNAP. There has been the same issue 2 or so years ago and the “fix” was simple (opening the “probing” app once with ‘admin’ as the logged in user) I think. But I just can’t find or remember what it was.
QNAP support should fix this via firmware or program update before it becomes a larger issue again…any of the other mods remembers?