|Sep 7, 2013, 12:10 PM||#1|
Is automatic IP banlisting necessary for WebDAV?
I have a QNAP nas. I plan to store my documents on it so that I can access them everywhere via WebDAV. The nas has a feature called "Network Access Protection" which will block an IP address after five attempts to login. This is however not available for WebDAV. What I am wondering is, am I safe without it?
My reasoning goes like this: The two main threats for unauthorized access are (1) Bots and (2) Hackers.
1. Bots would have to try more than a billions of billions of passwords before they succeed, they should try another target before they get in?
2. Hackers usually don't hack home-users, but rather companies and authorities? Even if they try to hack me, they would probably find a way through NAP and the password?
I have already taken some security precautions.
- Maximum password length (only 16 characters, which is bad)
- Non standard port forwarded
- Only WebDAV with SSL is forwarded
- The account only has access to one folder, with a 1GB limit.
So, what do you think? Is NAP neccessary for me?
|Sep 7, 2013, 04:49 PM||#2|
Automatic IP blocking is a common source of DOS attacks. It's easy to spoof an IP and attack your 'site' using a wardialing technique that will auto ban just about every IP available.
Tarpitting is a much better, although not perfect solution.
TI-99/4A, tape cassette, 12" B&W Zenith
|Sep 12, 2013, 10:00 AM||#3|
It's a basic security precaution put in place by just about any company running publicly accessible services, unless they aren't already using stronger authentication methods than just username and password (three-factor, for example). I'd recommend putting it in place if you are concerned about your data being compromised by such a method.
The fear that someone will leverage this to a resource exhaustion, or denial of service attack is a bit high-minded as they can likely already achieve such disruption through the publicly available services on the QNAP. Also - the network activity required to spoof 'every single IP address' is a lot and just as likely to prevent network access as anything else.
|Sep 13, 2013, 02:30 AM||#4|
|Sep 13, 2013, 09:39 AM||#5|
Yes, I worked as a security analyst at an MSSP and then a bank, what you are talking about is silly for a number of reasons.
It's basically a highly ineffective resource starvation attack that would only serve to frustrate the OP instead of actually compromising their network.
Also - how is an attacker going to know about the IP addresses used by the OP's clients, or whomever? What do you mean by watch?
It's not a realistic scenario and it's not an attack, it's an inconvenience at most.
Resource starvation attacks have their purpose in a multilayered approach to compromising a network, however that's not what we are talking about here. We aren't trying to halt an authentication server in order to gain access to deeper resources, or prevent an alarm from going off. We are talking about someone going out of their way to make life difficult for the OP. It's just not realistic.
|Thread Tools||Search this Thread|
|thread||Thread Starter||Forum||Replies||Last Post|
|Automatic and Jawbone Team Up to Integrate Automatic Data Into Jawbone UP App||MacRumors||iOS Blog Discussion||11||May 15, 2014 02:08 PM|
|Any apps that can connect via WebDAV on one server and copy to WebDAV on another?||blueroom||iPad Apps||2||Mar 21, 2014 11:29 PM|
|WebDAV & VPN||unplugme71||Mac Basics and Help||2||Aug 26, 2013 10:09 PM|
|WebDAV 10.8.3||testowo||Mac OS X Server, Xserve, and Networking||0||May 1, 2013 01:12 PM|
|WebDAV issue 10.7.5 and 10.8x||rogerco||OS X||1||Oct 5, 2012 10:17 AM|
All times are GMT -5. The time now is 01:23 PM.