
Rejected logon delay

Digital999
Luminary

Rejected logon delay

In theory version 6.10.0 offers a 5 minute delay after multiple logon failures.

Is this a configuration option that is selected or is it part of the base ReadyNAS firmware?

Probably should include in documentation.

Assume that the default 'admin' account has been disabled. Is it really non-functional in favor of other admin accounts? It seems to offer a way to use it but I have not tested. What are the specific rules/guidelines?

Model: RN626X|ReadyNAS 626X – 6 Bays with Intel® Xeon® Quad-Core Server Processor
Message 1 of 3

All Replies
Marc_V
NETGEAR Employee Retired

Re: Rejected logon delay

@Digital999

The security feature is currently not configurable. You may want to post this idea on the Ideas Exchange Board. There might be a way to do it through SSH but it is not supported.

Once a lockout has been initiated, any other login attempts will be disregarded until the lockout has lapsed.

HTH

Message 2 of 3
Digital999
Luminary

Re: Rejected logon delay

Thank you for your reply.

Part of the reason for the question was to poke somebody to put this product feature in the OS documentation.

Subsequent to my question I did some testing.

You are correct – once the lockout period has started you need to wait the five minute elapsed timeframe.

I have made this configuration suggestion at least four times over the past five years and it has been endorsed by other senior contributors but there has been no progress on actually providing a configurable option.

The root concern deals with brute force logon attempts.

“admin” is a well known logon credential for any Netgear device. A brute force hack will then only need to guess the password, not two elements such as username and password. Connected on the same subnet, an attack would normally only take milliseconds per attempt.

The five minute timeout substantially increases the time between attempts and reduces the number of allowable attempts to 36 per hour. Assuming a reasonably complex and random character password, this approach would make the system practically immune from cracking because of the 36 tries per hour.

One of my feature requests was the ability to actually disable the “admin” username once other admin accounts have been established. That would provide additional protection.

As an editorial comment, posting to the Ideas Exchange Board is a non-starter. Currently there is no feedback or response -- just post and assume it went into the circular file.

Thanks again for taking the time to respond.

Message 3 of 3
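The lockout behaviour discussed in this thread (a fixed five-minute lockout after repeated failures, attempts during the lockout disregarded, which caps guessing at 36 evaluated attempts per hour), as an added Python model that is not code from the thread or from NETGEAR's ReadyNAS firmware. The threshold of three failures is inferred from the poster's figure of 36 per hour and is an assumption; the password strings, timings and the `LoginGuard`, `evaluated_guesses` and `years_to_exhaust` names are constructed for the example.

```python
from dataclasses import dataclass

# Assumptions (not stated in the thread): a threshold of 3 failures,
# inferred from "36 tries per hour" with a five-minute lockout.
LOCKOUT_MS = 5 * 60 * 1000
MAX_FAILURES = 3


@dataclass
class LoginGuard:
    """Per-account failure counter with a fixed lockout window.

    While locked, every attempt is disregarded: it is not compared against
    the password and it does not extend the window, matching the behaviour
    described in the thread (wait out the five minutes, then try again).
    """
    password: str            # constructed sample secret
    failures: int = 0
    locked_until_ms: int = 0

    def attempt(self, candidate: str, now_ms: int) -> str:
        if now_ms < self.locked_until_ms:
            return "locked"          # disregarded, even if the guess is right
        if candidate == self.password:
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.failures = 0
            self.locked_until_ms = now_ms + LOCKOUT_MS
            return "lockout"
        return "fail"


def evaluated_guesses(guard: LoginGuard, interval_ms: int, horizon_ms: int) -> int:
    """How many wrong guesses the guard actually evaluates within horizon_ms
    when one attempt arrives every interval_ms (1 ms models a same-subnet
    client; 1000 ms a slow one). Attempts inside a lockout are skipped
    wholesale because the guard ignores them anyway."""
    now, count = 0, 0
    while now < horizon_ms:
        result = guard.attempt("wrong-guess-constructed", now)
        if result == "locked":
            now = guard.locked_until_ms   # nothing is evaluated before this
            continue
        count += 1
        now += interval_ms
    return count


def years_to_exhaust(keyspace: int, guesses_per_hour: int) -> float:
    """Worst-case years needed to try every password at the capped rate."""
    return keyspace / guesses_per_hour / (24 * 365)


if __name__ == "__main__":
    hour_ms = 60 * 60 * 1000
    fast = evaluated_guesses(LoginGuard("s3cret-constructed"), 1, hour_ms)
    slow = evaluated_guesses(LoginGuard("s3cret-constructed"), 1000, hour_ms)
    print(f"evaluated guesses per hour: fast client {fast}, slow client {slow}")
    # A 10-character random password over 62 characters at 36 guesses/hour:
    print(f"years to exhaust 62^10: {years_to_exhaust(62 ** 10, 36):.2e}")
```

The point the simulation makes is the one the poster relies on: once the lockout is fixed and attempts inside it are ignored rather than used to reset the timer, the attacker's speed no longer matters, so a millisecond-per-attempt client on the same subnet and a one-attempt-per-second client both get the same 36 evaluations per hour. The remaining exposure is therefore entirely the password's entropy, which is why the well-known "admin" username is a concern and why disabling it would help.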
Discussion stats
  • 2 replies
  • 646 views
  • 0 kudos
  • 2 in conversation