Register FAQ / Rules Forum Spy Search Today's Posts Mark Forums Read
Go Back   MacRumors Forums > Apple Systems and Services > OS X > Mac OS X Server, Xserve, and Networking

Reply
 
Thread Tools Search this Thread Display Modes
Old Sep 7, 2013, 12:10 PM   #1
ThePiratkapten
macrumors newbie
 
Join Date: Apr 2013
Is automatic IP banlisting necessary for WebDAV?

Hi!

I have a QNAP nas. I plan to store my documents on it so that I can access them everywhere via WebDAV. The nas has a feature called "Network Access Protection" which will block an IP address after five attempts to login. This is however not available for WebDAV. What I am wondering is, am I safe without it?

My reasoning goes like this: The two main threats for unauthorized access are (1) Bots and (2) Hackers.
1. Bots would have to try more than a billions of billions of passwords before they succeed, they should try another target before they get in?
2. Hackers usually don't hack home-users, but rather companies and authorities? Even if they try to hack me, they would probably find a way through NAP and the password?

I have already taken some security precautions.
- Maximum password length (only 16 characters, which is bad)
- Non standard port forwarded
- Only WebDAV with SSL is forwarded
- The account only has access to one folder, with a 1GB limit.

So, what do you think? Is NAP neccessary for me?
ThePiratkapten is offline   0 Reply With Quote
Old Sep 7, 2013, 04:49 PM   #2
960design
macrumors 6502a
 
Join Date: Apr 2012
Location: Destin, FL
Automatic IP blocking is a common source of DOS attacks. It's easy to spoof an IP and attack your 'site' using a wardialing technique that will auto ban just about every IP available.

Tarpitting is a much better, although not perfect solution.
__________________
TI-99/4A, tape cassette, 12" B&W Zenith
960design is offline   0 Reply With Quote
Old Sep 12, 2013, 10:00 AM   #3
freejazz-man
macrumors regular
 
Join Date: May 2010
It's a basic security precaution put in place by just about any company running publicly accessible services, unless they aren't already using stronger authentication methods than just username and password (three-factor, for example). I'd recommend putting it in place if you are concerned about your data being compromised by such a method.

The fear that someone will leverage this to a resource exhaustion, or denial of service attack is a bit high-minded as they can likely already achieve such disruption through the publicly available services on the QNAP. Also - the network activity required to spoof 'every single IP address' is a lot and just as likely to prevent network access as anything else.
freejazz-man is offline   0 Reply With Quote
Old Sep 13, 2013, 02:30 AM   #4
gnasher729
macrumors G5
 
gnasher729's Avatar
 
Join Date: Nov 2005
Quote:
Originally Posted by freejazz-man View Post
It's a basic security precaution put in place by just about any company running publicly accessible services, unless they aren't already using stronger authentication methods than just username and password (three-factor, for example). I'd recommend putting it in place if you are concerned about your data being compromised by such a method.

The fear that someone will leverage this to a resource exhaustion, or denial of service attack is a bit high-minded as they can likely already achieve such disruption through the publicly available services on the QNAP. Also - the network activity required to spoof 'every single IP address' is a lot and just as likely to prevent network access as anything else.
The idea is not to try to block every possible IP address. The idea is to block IP addresses of legitimate users: Hacker watches company X for a week and gets IP addresses of anyone logging in. Hacker then imitates login attempts of all those legitimate users and gets them blocked.
gnasher729 is offline   0 Reply With Quote
Old Sep 13, 2013, 09:39 AM   #5
freejazz-man
macrumors regular
 
Join Date: May 2010
Yes, I worked as a security analyst at an MSSP and then a bank, what you are talking about is silly for a number of reasons.

It's basically a highly ineffective resource starvation attack that would only serve to frustrate the OP instead of actually compromising their network.

Also - how is an attacker going to know about the IP addresses used by the OP's clients, or whomever? What do you mean by watch?

It's not a realistic scenario and it's not an attack, it's an inconvenience at most.

Resource starvation attacks have their purpose in a multilayered approach to compromising a network, however that's not what we are talking about here. We aren't trying to halt an authentication server in order to gain access to deeper resources, or prevent an alarm from going off. We are talking about someone going out of their way to make life difficult for the OP. It's just not realistic.
freejazz-man is offline   0 Reply With Quote

Reply
MacRumors Forums > Apple Systems and Services > OS X > Mac OS X Server, Xserve, and Networking

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Similar Threads
thread Thread Starter Forum Replies Last Post
Automatic and Jawbone Team Up to Integrate Automatic Data Into Jawbone UP App MacRumors iOS Blog Discussion 11 May 15, 2014 02:08 PM
Any apps that can connect via WebDAV on one server and copy to WebDAV on another? blueroom iPad Apps 2 Mar 21, 2014 11:29 PM
WebDAV & VPN unplugme71 Mac Basics and Help 2 Aug 26, 2013 10:09 PM
WebDAV 10.8.3 testowo Mac OS X Server, Xserve, and Networking 0 May 1, 2013 01:12 PM
WebDAV issue 10.7.5 and 10.8x rogerco OS X 1 Oct 5, 2012 10:17 AM

Forum Jump

All times are GMT -5. The time now is 10:47 PM.

Mac Rumors | Mac | iPhone | iPhone Game Reviews | iPhone Apps

Mobile Version | Fixed | Fluid | Fluid HD
Copyright 2002-2013, MacRumors.com, LLC