Digital999
Jan 20, 2020 Luminary
Rejected logon delay
In theory version 6.10.0 offers a 5 minute delay after multiple logon failures. Is this a configuration option that is selected or is it part of the base ReadyNAS firmware? Probably should in...
Marc_V
Jan 22, 2020 NETGEAR Employee Retired
The Security feature is currently not configurable. You may want to post this Idea on the Ideas Exchange Board. There might be a way to do it through SSH, but it is not supported.
Once a lockout has been initiated, any other login attempts will be disregarded until the lockout has lapsed.
HTH
Digital999
Jan 22, 2020 Luminary
Thank you for your reply.
Part of the reason for the question was to poke somebody to put this product feature in the OS documentation.
Subsequent to my question I did some testing.
You are correct – once the lockout period has started you need to wait the five minute elapsed timeframe.
I have made this configuration suggestion at least four times over the past five years and it has been endorsed by other senior contributors but there has been no progress on actually providing a configurable option.
The root concern deals with brute force logon attempts.
“admin” is a well known logon credential for any Netgear device. A brute force hack will then only need to guess the password, not two elements such as username and password. Connected on the same subnet, an attack would normally only take milliseconds per attempt.
The five minute timeout substantially increases the time between attempts and reduces the number of allowable attempts to 36 per hour. Assuming a reasonably complex and random character password, this approach would make the system practically immune from cracking because of the 36 tries per hour.
One of my feature requests was the ability to actually disable the “admin” username once other admin accounts have been established. That would provide additional protection.
As an editorial comment, posting to the Ideas Exchange Board is a non-starter. Currently there is no feedback or response -- just post and assume it went into the circular file.
Thanks again for taking the time to respond.
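Added example, not part of the original thread and not ReadyNAS code: a small Python model of the lockout behaviour discussed above, showing how a five-minute lockout in which attempts are disregarded caps the guesses that are actually checked at 36 per hour, however fast a client retries. The threshold of 3 failures per lockout, the 10 ms retry interval, and the 62-symbol, 10-character password are assumptions chosen for illustration; the thread only says "multiple" failures.

```python
from dataclasses import dataclass

LOCKOUT_MS = 5 * 60 * 1000  # five-minute lockout, as stated in the thread


@dataclass
class LockoutGate:
    """Lockout after `threshold` consecutive failures (model, not ReadyNAS code)."""
    threshold: int = 3           # ASSUMPTION: 36/hour over 12 windows implies 3
    lockout_ms: int = LOCKOUT_MS
    failures: int = 0
    locked_until_ms: int = 0

    def attempt(self, now_ms: int, password_ok: bool) -> str:
        if now_ms < self.locked_until_ms:
            return "ignored"     # disregarded: the password is never checked
        if password_ok:
            self.failures = 0
            return "accepted"
        self.failures += 1
        if self.failures >= self.threshold:
            self.failures = 0
            self.locked_until_ms = now_ms + self.lockout_ms
        return "rejected"


def checked_guesses(gate: LockoutGate, duration_ms: int, interval_ms: int) -> int:
    """Count wrong guesses the gate evaluates for a client retrying every interval_ms."""
    return sum(
        gate.attempt(t, password_ok=False) == "rejected"
        for t in range(0, duration_ms, interval_ms)
    )


def years_to_search_half(alphabet: int, length: int, guesses_per_hour: float) -> float:
    """Expected years to cover half the keyspace of a uniformly random password."""
    return (alphabet ** length / 2) / guesses_per_hour / (24 * 365.25)


if __name__ == "__main__":
    hour_ms = 60 * 60 * 1000
    limited = checked_guesses(LockoutGate(), hour_ms, interval_ms=10)
    unlimited = checked_guesses(LockoutGate(threshold=10**9), hour_ms, interval_ms=10)
    print(f"checked per hour with lockout:    {limited}")
    print(f"checked per hour without lockout: {unlimited}")
    # Constructed sample: 10 random characters from a 62-symbol alphabet.
    print(f"years to half-search: {years_to_search_half(62, 10, limited):.2e}")
```

Because ignored attempts do not extend the lockout in this model, the cap depends only on the threshold and the lockout length, which is why a configurable value for either would directly change the guess budget.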