Hi all,
I am looking for a way to properly secure the RB2011uas-2hnd-in with a Synology NAS behind it.
The Synology runs some ftp and web services (all SSL - ftp, file station, audio station) on different ports, which I want to be accessible from the WAN.
So, there is dstnat forwarding the right ports from outside to the NAS.
Please, is there any way to prevent a brute-force attack on the forwarded ports at the router level?
Unfortunately, usually a web browser opens many connections to the one port in order to access NAS web services. So I do not know how to recognize between granted accesses through SSL and brute force attack testing the access to the NAS.
Thank you for your help in advance
Ideally you wouldn’t want to expose a service that is not already secure. Trying to add security back in, at the network layer, isn’t really the best solution. Do you have reason to believe that the NAS does not offer an acceptable level of security?
If someone were trying to brute force a password (which is the attack you mention) you would want your NAS to simply lock out an account after a certain number of failed logins. This wouldn’t be done at the router.
So I do not know how to recognize between granted accesses through SSL and brute force attack testing the access to the NAS.
Exactly.
If you’re worried about people probing for open ports you can make a firewall rule using the PSD (Port Scan Detection) option, and add the offending addresses to a blacklist. This would help you prevent people from finding out which ports are open.
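The PSD rule and blacklist described in the reply above, written out as RouterOS commands. This is an added example, not part of the original posts; the WAN interface name `ether1`, the list name `port_scanners` and the one-day timeout are assumptions to adapt.

```routeros
# Added example. Assumptions: ether1 is the WAN interface; the address-list
# name "port_scanners" and the 1d timeout are illustrative choices.

/ip firewall filter

# 1) Drop traffic from addresses already on the blacklist.
#    input   = packets addressed to the router itself
#    forward = packets that dstnat has redirected to the NAS
add chain=input in-interface=ether1 src-address-list=port_scanners \
    action=drop comment="drop blacklisted scanners (to router)"
add chain=forward in-interface=ether1 src-address-list=port_scanners \
    action=drop comment="drop blacklisted scanners (to NAS)"

# 2) Detect a TCP port scan and blacklist its source.
#    psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight
#    21,3s,3,1: probes to different ports arriving within 3s of each other
#    are summed (3 per port below 1024, 1 per higher port) and the rule
#    matches once the sum reaches 21. Repeated connections to one and the
#    same port, as a browser makes to the NAS web service, are not a scan.
#    Probes to ports that are not forwarded arrive in the input chain,
#    so detection is placed there.
add chain=input in-interface=ether1 protocol=tcp psd=21,3s,3,1 \
    action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=1d comment="detect TCP port scan"
```

New rules are appended to the end of the filter table, so move them above any existing accept rules for the same traffic. This only hides open ports from scanners; failed-login lockout still has to happen on the NAS.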
Synology NAS has IP block functionality driven by unsuccessful logins. So, I will use it.
Regarding port scanning detection and blacklisted IP – I will do that…
Thank you for the hints