Install the app
How to install the app on iOS

Follow along with the video below to see how to install our site as a web app on your home screen.

Note: This feature may not be available in some browsers.

As I just learned…..

2,757
519
NAS
DS 718+, 2x-DS 720+
Router
  1. RT2600ac
Operating system
  1. Windows
Mobile operating system
  1. iOS
Last edited:
Just had support fail to login and get blocked….. !!!

Even with remote access turned on…
Even with SSH Enabled….
Even though I disabled the “Country Block” in firewal….
Even though I added that IP in firewall as an Allow TCP/UDP….
Even though I Gave them a correct admin login….
Even though I Gave them a correct password….

They got blocked, and subsequent attempts from that IP will automatically be blocked in future! The way they got blocked seems to follow a typo in login or password.

How did that happen?

BECAUSE: I changed the “3 Strikes” auto block rule: to: “1 Strike & you’re OUT!” And: made that rule a Perpetual Block!

Also, I knew they had tried & failed because I have every login attempt: Successful or un-Successful… Router or NAS, emailed to me! That’s how I knew this was occurring at all!!

Removed block: added IP to auto block ‘allow’ list: And Told them to: “TRY AGAIN, being careful while typing!” (I can always remove it all later!😉)!

Just shows how this could be something worthwhile for increased Security!!!
Remember this: For: “The Future”, if that hardware is abandoned!
 
As I just learned……
Software Support was using logins, passwords from The last time they accessed the system remotely!
They must have have new remote access info, but ignored new login/password, tripping the “1 Strike & You’re OUT” rule.
Correct login/Password for this access: has been resent to Software Support for correct access!
One step forward……
 
Last edited:
But if the logins you want ARE SUCESSFULLY CREATED….
Then it’s a tool you can use to BLOCK bad guys!!!
 
Last edited:
That’s why you have a second login!
So in case you block yourself you can fix it!!
Once fixed it becomes a tool to block others!
 
Last edited:
Forces you to be: “Damn Careful” when adding logins!!!’😉
I’m quite comfortable using: “Forever”!!
And therefore: more successful at blocking others!!

What you are suggesting: is less secure!
 
Last edited:
Because my way of thinking blocks on first failure, and yours doest’t - if it allows more chances!
 
How much additional work does a 'one-strike' policy impose on a malicious attacker? If they’re blocked after one failed login, couldn’t they simply continue making attempts from other IP addresses?
 
Last edited:
Yes. But he doesn’t know he’s been blocked yet. He has to infer it! Then on that first next attempt that fails, that too is blocked! One at a time!
VS: 3 try’s (the stock setting, or more if you allow for a lockout-timeout - over time!)
 
The successful attacker will exploit a vulnerability that bypasses all this IP blocking nonsense. Failed logins are only a threat where poor password practices exist.
 
Last edited:
That seems to be just an excuse not to use it! Any port in a Storm! If what you say was the only fix: that is the case… my existing ‘1 strike & You’e Out’ rule does no damage… it’s just something else that ‘sits there’ that could help - does no harm sitting there. Should someone try that approach! If it’s not there— it can’t help!
 
Last edited:
The successful attacker will exploit a vulnerability that bypasses all this IP blocking nonsense. Failed logins are only a threat where poor password practices exist.
For context in a more generalized setting... Is it fair to summarize that 'one-strike' IP blocking may deter unsophisticated password-guessing attacks, but determined attackers will most likely pursue other options?
 
Not disputing that!
But if it’s not there - it can’t help!
And it must have been considered useful by Synology, as they added it! I just “Tightened” it up!😁
 
Doubt that will deter an attacker unless you send them a notification that their IP has been blocked. But why would you do that? Besides, they rotate IPs from the compromised botnets. IP blocking is Kabuki theater.

And then there are the scammers that sell useless block lists... Maybe you could do that with the one-strike blocked IPs you log. Might even buy a fancy-schmancy Synology drive with the proceeds 🤣
 
The thing that comes to mind is the potential cost of false positives. If a legitimate user is blocked because of a simple mistake, there is some operational overhead in restoring access. That may be an acceptable tradeoff in your environment, but it suggests there is at least some cost to a one-strike policy. It will be interesting to see how this plays out.
 
Last edited:
Actually. 1 Strike - isn’t a new idea.., it’s been in place for well over a year. It’s the push of logins to email, successful or not that is relatively new. (5-7 months) They both work good together!
Yes, did have issue when a neighbor tried to install DS CAM and didn’t do caps on login but I was alerted quickly via email that it had happened. I un-blocked & fixed him — and Once successful, app remembered.

All devices needing a login—presently have a login. No new ones are expected.

Simple answer: For new logins: Be careful! No errors are allowed. Use it as a tool!
 

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Popular tags from this forum

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Trending content in this forum

Back
Top