Samba Login Failures

[nwilson777]

Every week I receive INFO messages about login failures and some abnormal logins added to the blocklist. Sometimes I get multiple messages about the same IP. In some instances I've had 65 hits. My ADM is fine and I cant detect any issues but Avast doesnt run. I get an error message 4028. Is there anything I can do to prevent these 'attempts' and improve security and anti-virus protection?

Event Level: INFO
Date: 01-04-2015 15:31
User: SYSTEM
Event: [System] "samba" login failure from IP "95.17.235.195" detected.

Event Level: INFO
Date: 21-03-2015 00:28
User: SYSTEM
Event: [Network Defender] Abnormal login attempt detected, Add IP "80.191.36.173" to BlockList.

[Kapitein Haak]

Hello nwilson777,

It looks like you have connected your Windows shares directly to the internet. Unless you have a VERY good reason to do this you should not expose your Windows shares to the internet. You should check your config and NOT forward port 139.
If you must connect Windows shares to the internet, then upgrade to firmware 2.4 and configure ADM defender and use white lists to block most of the world from accessing your NAS.

Best regards,
Kapitein Haak.

[nwilson777]

Hello nwilson777,

It looks like you have connected your Windows shares directly to the internet. Unless you have a VERY good reason to do this you should not expose your Windows shares to the internet. You should check your config and NOT forward port 139.
If you must connect Windows shares to the internet, then upgrade to firmware 2.4 and configure ADM defender and use white lists to block most of the world from accessing your NAS.

Best regards,
Kapitein Haak.

Where in the config do I check for this? I cant see anything on the ADM port forwarding to 139. I have enable windows file service enabled but there is nothing about a port number. If I de-enable this how will I see NFS shares across my local network.

[Kapitein Haak]

Hello NWilson777,

As you have not forwarded stuff yourself it was probably done bij EZ-router.
Check settings, Ease of access, EZ-Router if Samba shares are port forwarded.
If this is empty, you would need to check your router.

NFS shares (and Windows shares) will continue to work on the LAN even if port forwarding is disabled,

Best regards,
Kapitein Haak.

[nwilson777]

Hello NWilson777,

As you have not forwarded stuff yourself it was probably done bij EZ-router.
Check settings, Ease of access, EZ-Router if Samba shares are port forwarded.
If this is empty, you would need to check your router.

NFS shares (and Windows shares) will continue to work on the LAN even if port forwarding is disabled,

Best regards,
Kapitein Haak.

EZ-Router is empty. I have a billion router so what and where am I checking on the router?

[aj2]

In your billion router, ports are forwarded to your NAS. If not, maybe DMZ is open to your NAS (worst case scenario). Meaning, everybody is knocking on your door.

Please check your port status at http://www.ipfingerprints.com/portscan.php with your NAS powered on.

I do not know if you use a VPN service, but connected to VPN provider, ADM-defender also add login attempts to black list.

[nwilson777]

In your billion router, ports are forwarded to your NAS. If not, maybe DMZ is open to your NAS (worst case scenario). Meaning, everybody is knocking on your door.

Please check your port status at http://www.ipfingerprints.com/portscan.php with your NAS powered on.

I do not know if you use a VPN service, but connected to VPN provider, ADM-defender also add login attempts to black list.

Ok I don't use a vpn service. On the router I have port 80 forwarded to allow me to access the NAS remotely. On my Mac with the NAS on I ran the port status check and this is what I found... What should I do?



PORT STATE SERVICE

80/tcp open http

111/tcp filtered rpcbind

135/tcp filtered msrpc

139/tcp filtered netbios-ssn

443/tcp open https

445/tcp filtered microsoft-ds

513/tcp filtered login

548/tcp open afp

631/tcp open ipp

1234/tcp filtered hotline

1433/tcp filtered ms-sql-s

1434/tcp filtered ms-sql-m

1524/tcp filtered ingreslock

2049/tcp open nfs

3260/tcp open iscsi

3689/tcp open rendezvous

4662/tcp filtered edonkey

5001/tcp open commplex-link

5050/tcp open mmcc

6000/tcp open X11

6346/tcp filtered gnutella

6699/tcp filtered napster

6881/tcp filtered bittorrent-tracker

7778/tcp filtered interwise

8000/tcp open http-alt

8088/tcp open radan-http

9090/tcp open zeus-admin

9999/tcp open abyss

55555/tcp open unknown

[aj2]

Every device, connected to the internet will be exposed to unwanted guests. Most routers have a decent firewall to block most threats.
Looking the results, you have open ports to your NAS to reach and use services running on your NAS while you are outside of your own network.
Opening ports on your router, will give possibilities to reach your NAS. Not just for you, basically everybody who is connected to the WWW.
If you decide to leave these ports open, so you can continue using services running on the NAS outside your network, accept people are trying to break in. You can protect yourself by using strong passwords (welcome01 and 123456 will not give much protection), and arrange good access rights to your shares and services.

Looking to my web-servers logs, hacking attempts happens about thousand times a day. And to my web-servers, only the basic ports are open to gain access to the websites and the mail servers.

If you do not use a feature on regular base, close the port in your Billion Router. You can use all services and features of the NAS inside your network with all ports closed.

If you decide to keep ports open, accept these hacking attempts continue and have faith ADM-defender will block threats.

[Kapitein Haak]

Hello nwilson777,

Do not worry to much about the open ports you found from your MAC. As you probably have a direct LAN connection between the MAC and your NAS you should find a lot of ports open.
You could first try to create a white list on your NAS (Settings -> ADM defender -> Network Defender -> Black and White list -> Select White list), add the countries from which you would like access to the NAS. For remote support from Asustor you would need to add Taiwan as well . You could try this and see if this helps in the remote access attempts.

Otherwise you could ask someone skilled with routers to check your router for port forwarding.

Best regards,
Kapitein Haak.