Is automatic IP banlisting necessary for WebDAV?

ThePiratkapten
Sep 7, 2013, 12:10 PM
Hi!

I have a QNAP NAS. I plan to store my documents on it so that I can access them everywhere via WebDAV. The NAS has a feature called "Network Access Protection" which will block an IP address after five attempts to log in. This is however not available for WebDAV. What I am wondering is, am I safe without it?

My reasoning goes like this: The two main threats for unauthorized access are (1) Bots and (2) Hackers.
1. Bots would have to try more than billions of billions of passwords before they succeed; they should try another target before they get in?
2. Hackers usually don't hack home-users, but rather companies and authorities? Even if they try to hack me, they would probably find a way through NAP and the password?

I have already taken some security precautions.
- Maximum password length (only 16 characters, which is bad)
- Non standard port forwarded
- Only WebDAV with SSL is forwarded
- The account only has access to one folder, with a 1GB limit.

So, what do you think? Is NAP necessary for me?



960design
Sep 7, 2013, 04:49 PM
Automatic IP blocking is a common source of DoS attacks. It's easy to spoof an IP and attack your 'site' using a wardialing technique that will auto ban just about every IP available.

Tarpitting is a much better, although not perfect solution.

freejazz-man
Sep 12, 2013, 10:00 AM
It's a basic security precaution put in place by just about any company running publicly accessible services, unless they aren't already using stronger authentication methods than just username and password (three-factor, for example). I'd recommend putting it in place if you are concerned about your data being compromised by such a method.

The fear that someone will leverage this to a resource exhaustion, or denial of service attack is a bit high-minded as they can likely already achieve such disruption through the publicly available services on the QNAP. Also - the network activity required to spoof 'every single IP address' is a lot and just as likely to prevent network access as anything else.

gnasher729
Sep 13, 2013, 02:30 AM
> It's a basic security precaution put in place by just about any company running publicly accessible services, unless they aren't already using stronger authentication methods than just username and password (three-factor, for example). I'd recommend putting it in place if you are concerned about your data being compromised by such a method.
>
> The fear that someone will leverage this to a resource exhaustion, or denial of service attack is a bit high-minded as they can likely already achieve such disruption through the publicly available services on the QNAP. Also - the network activity required to spoof 'every single IP address' is a lot and just as likely to prevent network access as anything else.

The idea is not to try to block every possible IP address. The idea is to block IP addresses of legitimate users: Hacker watches company X for a week and gets IP addresses of anyone logging in. Hacker then imitates login attempts of all those legitimate users and gets them blocked.

freejazz-man
Sep 13, 2013, 09:39 AM
Yes, I worked as a security analyst at an MSSP and then a bank, what you are talking about is silly for a number of reasons.

It's basically a highly ineffective resource starvation attack that would only serve to frustrate the OP instead of actually compromising their network.

Also - how is an attacker going to know about the IP addresses used by the OP's clients, or whomever? What do you mean by watch?

It's not a realistic scenario and it's not an attack, it's an inconvenience at most.

Resource starvation attacks have their purpose in a multilayered approach to compromising a network, however that's not what we are talking about here. We aren't trying to halt an authentication server in order to gain access to deeper resources, or prevent an alarm from going off. We are talking about someone going out of their way to make life difficult for the OP. It's just not realistic.
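The two controls argued over in this thread, a hard ban after five failures and the tarpit that 960design suggests instead, side by side as an added illustration (not code from the thread, from QNAP, or from its WebDAV service). The thresholds, the decay window and the 203.0.113.7 address are constructed for the scenario; the point it shows is that a tarpit slows whoever keeps failing from an address without ever locking out a correct login from that same address.

```python
import time
from collections import defaultdict

BAN_THRESHOLD = 5      # failures before a hard block (the NAS's NAP-style rule)
MAX_DELAY = 30.0       # tarpit cap in seconds (assumed value)
DECAY_WINDOW = 600.0   # failures older than this no longer count (assumed value)


class LoginGuard:
    """Track failed logins per source IP and decide block / delay."""

    def __init__(self, mode, now=time.time):
        self.mode = mode                    # "banlist" or "tarpit"
        self.now = now                      # injectable clock for deterministic tests
        self.failures = defaultdict(list)   # ip -> timestamps of recent failures

    def _recent(self, ip):
        cutoff = self.now() - DECAY_WINDOW
        self.failures[ip] = [t for t in self.failures[ip] if t >= cutoff]
        return len(self.failures[ip])

    def check(self, ip):
        """Return (allowed, delay_seconds) to apply before processing an attempt."""
        n = self._recent(ip)
        if self.mode == "banlist":
            return (n < BAN_THRESHOLD, 0.0)      # hard refusal once the count is reached
        # tarpit: never refuse outright; each failure roughly doubles the wait, capped
        return (True, min(MAX_DELAY, float(2 ** n - 1)))

    def record(self, ip, success):
        if success:
            self.failures[ip] = []               # a correct login resets the counter
        else:
            self.failures[ip].append(self.now())


def simulate(mode, attacker_failures=5):
    """Constructed scenario: repeated wrong passwords arrive from 203.0.113.7,
    then the real owner submits the correct password from that same address."""
    clock = [1_000_000.0]
    guard = LoginGuard(mode, now=lambda: clock[0])
    ip = "203.0.113.7"
    attacker_wait = 0.0
    for _ in range(attacker_failures):
        allowed, delay = guard.check(ip)
        if not allowed:
            break
        attacker_wait += delay
        clock[0] += delay + 1.0                  # the sender sits through the tarpit delay
        guard.record(ip, success=False)
    legit_allowed, legit_delay = guard.check(ip)
    return {"legit_allowed": legit_allowed, "legit_delay": legit_delay,
            "attacker_wait": attacker_wait}
```

Under "banlist" the owner's correct login is refused after the fifth failure from the address; under "tarpit" it is still accepted, but only after the capped 30-second wait, while the failing sender has already absorbed 26 seconds of cumulative delay.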