Why is Security Advisor's Login Analysis show 'No Data'??

[Hydraulics]

Hi all,

I'm hoping someone can help me understand Synology's Security Advisor 'Login Analysis' section. For reference, I currently do not have my Synology login page available externally. I do have a reverse proxy set up for a several applications (i.e. Jellyfin, Bitwarden, Grocy, Firefly) but my main Synology page is not accessible.

I've had Security Advisor on for the last two months and there is 'no data' listed under the login analysis page. In the 'advanced' tag I do have a regular scan schedule setup with daily and monthly reports. In the reports, the login analysis is always 0 under 'high' and 0 for medium. Must I enable something in settings? Should I see a list there? I thought everyone who logs in should be listed there and country location? Pictures are below for reference

What does this mean? Does the fact that there is 'no data' for the login analysis mean that there are no external login attempts being made on my NAS? And that I am safe? Or is there some larger config issue that I should look into?

Greatly appreciate your help,

 

[Telos]

Did you enable?

 

[Hydraulics]

Under Security Advisor > Advanced I had the "Security Baseline" setting set to "for home and personal use" see pic below. And in the checklist of that default setting, I have both options for Login analysis checked.

I'm unsure if there's anything further I need to do?

 

[Telos]

Perhaps you never triggered the rules?

Login in as a user and mistype the password 4 times (your cut-off shows 3). Then check as admin if there is a record of multiple password attempts.

 

[Hydraulics]

thanks, so I went to my DSM page and logged in and tried logging in 4 failed attempts (I made up a fake username and passwordto to see whether it would work without a matching username). After 4 attempts I got an email that the IP was temporarily banned. So that's good news. However, I didnt see any mention of this in the 'Login Analysis' section. maybe it may be updated tonight when my security log is emailed to me?

I was just wondering because other people have said they had alerts from unknown people trying to access their DSM and they were able to check the logs to see which countries it was coming from. I thought I had configured something wrong because I didnt see any access attempts from anyone. Does this mean that those who are getting access attempts are somehow configuring their DSM to be accessible via the internet (e.g., using a reverse proxy or just having the port open wit hthe DSM service listening to it)?

 

[Telos]

It should work for internal and external attempts... so a reverse proxy should be covered.

In my example I used a valid username with invalid passwords (my cutoff is set at 2). I did not receive an email as that comes from the blocking feature.

 

[WST16]

With me, it gets triggered when I log in (remotely) from an unusual location (usually new, first time locations triggers it).