How Does Synology IP Block List Work?

Synology’s IP Block List is one of the best features of Synology NAS devices, made popular by its utility and ease of use. But is it really that easy to use? Does every Synology NAS user understand how the IP Block List works? In the past few months I have received countless e-mails from Synology NAS users complaining about how the IP Block List feature is bugged, isn’t working as it should (read: as they feel it should), doesn’t work past a certain number of entries, is missing some options they feel are pivotal and so on.

The truth of the matter is, right now, the Synology NAS IP Block List is one of its best, most successful features! Even users new to Synology NAS devices venture to use it and do so quite successfully, improving their device security tremendously with just a few clicks. Read on to find out how the Synology NAS IP Block List works and what you can and cannot do with it.

  • What is the IP Block List on Synology NAS? In simple terms, the IP Block List is a feature on Synology NAS devices that allows you to create a list of IPs that are denied access. These are malicious IPs that have tried at one point or another to access your NAS system for wrongful or mischievous purposes. This feature allows you to deny these malicious IPs access to your NAS.
  • Where can you find the IP Block List? Log into your DSM, double click on Security, then go to Account where, under Auto Block, you’ll see the Allow/Block List. If you click on Allow/Block List, a window will appear containing an Allow List and a Block List. The Block List is where you block malicious IPs.
  • What is the purpose of the Synology IP Block List? It says right above the Allow/Block List: “Create and manage an allow list to add IP addresses that you trust, or a block list to prevent certain IP addresses from logging in.” The Allow List should include IPs you know are safe and are allowed to access your device/system, such as the IPs you use to log into your DSM. The Block List should contain IPs that have unsuccessfully attempted to log into your DSM in order to cause damage, steal personal or sensitive information, or for other malicious purposes.

How does the Synology IP Block List work? When you click on Block List, you’ll see you have 3 options: Create, Remove and Export. (The options are the same for the Allow List.)

  • Create, with two more options:
    Add IP address (to add one IP address, i.e. one entry, that you want to block, either forever or for a certain number of days).
    Import IP address list (to add multiple IP addresses, i.e. multiple entries, that you want to block, either forever or for a certain number of days).

If you choose Add IP address, you will be adding one entry/one IP to the Block List.

If you choose Import IP address list, you will be adding multiple entries at once, so basically a list of IPs you want to block from accessing your Synology NAS. But here is where there may be some confusion: although it says Import IP address list, you are not actually importing a list, but multiple IPs at once (which are technically a list, but you’re still working with IPs).

After you click on Import IP address list, a window will appear where you have to choose the Expiration time for the block (either Forever or Unblock after (days)) and whether or not you want to Overwrite existing IP addresses on Block List and Allow List. The Overwrite option means you will be overwriting IPs that are already in your Block List so you don’t get duplicates. The Synology NAS Block List works with IPs.

Note: Many people get confused by the name IP Block List. Yes, it’s a list in the sense that the blocked IPs make up a list, since there is more than one of them. But you’re working with IPs. Here are some examples to help you better understand how it works:

Example 1:

If you are importing an IP Block List with 1 (new) entry and you already have 10 000 other entries (blocked malicious IPs), you will have 10 001 entries. Why? Because you are importing that one IP, not a list.
If you are importing an IP Block List with 11 (new) entries and you already have 10 000 other entries (blocked malicious IPs), you will have 10 011 entries. Why? Because you are importing 11 new IPs, not a list.
If you are importing an IP Block List with 1 entry and you already have 10 000 other entries (blocked malicious IPs), but that 1 entry is an IP that’s already in your Synology Block List, you will have 10 000 entries. Why? Because the IP you were trying to block was already blocked, so it will be overwritten in your Synology Block List (if you check the option that says Overwrite existing IP addresses on Block List and Allow List).

Example 2:

If you have never heard of mariushosting.com and have never come across a deny IP list, you’ll realize your DSM has already automatically blocked malicious IPs for you and they will be in the Block List. Say, for example, you already have 500 blocked IPs. When you download and import the deny-ip-list from mariushosting.com which has 10 000 entries, these 10 000 entries will be added to your 500 entries, resulting in a total of 10 500 entries. If you look at your IP Block List screen and see you have fewer than 10 500 entries, don’t worry, it means that there were some duplicate IPs that were overwritten automatically by the DSM system.

The Synology NAS Block List doesn’t work with lists per se; it works with individual IPs. This means you’re adding, removing and overwriting IPs, not lists of IPs. When you’re importing the deny-ip-list on mariushosting.com, you’re actually importing malicious IPs that I have collected from multiple sources.
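
The counting rule from Examples 1 and 2, written as a pre-import check. This is an added example, not part of the original post and not Synology code; the function names and sample data are illustrative, and it assumes the exported and imported files hold one IP address per line and that DSM keeps one entry per address, as described above. It also flags imported addresses that are on your Allow List, since the Overwrite option is labelled as applying to both lists.

```python
import ipaddress

def parse_ip_lines(text):
    """Return (set of normalized addresses, list of rejected lines)."""
    valid, rejected = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            # Normalizing makes "2001:DB8::1" and "2001:db8:0:0:0:0:0:1" compare equal.
            valid.add(str(ipaddress.ip_address(line)))
        except ValueError:
            rejected.append(line)
    return valid, rejected

def plan_import(block_text, import_text, allow_text=""):
    """Predict the result of importing import_text into the current Block List."""
    current, _ = parse_ip_lines(block_text)
    incoming, rejected = parse_ip_lines(import_text)
    allowed, _ = parse_ip_lines(allow_text)
    return {
        "new": sorted(incoming - current),
        "already_blocked": sorted(incoming & current),
        "allow_conflicts": sorted(incoming & allowed),
        "rejected": rejected,
        "total_after_import": len(current | incoming),
    }

# Constructed sample data (documentation address ranges), not real indicators.
SAMPLE_BLOCK = "203.0.113.5\n203.0.113.9\n198.51.100.7\n2001:db8::1\n"
SAMPLE_IMPORT = "203.0.113.9\n 198.51.100.20 \n192.0.2.10\n2001:DB8:0:0:0:0:0:1\nnot-an-ip\n"
SAMPLE_ALLOW = "192.0.2.10\n"

if __name__ == "__main__":
    for key, value in plan_import(SAMPLE_BLOCK, SAMPLE_IMPORT, SAMPLE_ALLOW).items():
        print(f"{key}: {value}")
```

Review any `allow_conflicts` and `rejected` lines before importing the file.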

  • Remove allows you to select one or more IPs and remove them from your Block List. For example, if you mistakenly block an IP that isn’t malicious, you can remove it from the Block List.
  • Export allows you to export your list of blocked IPs and save it to your computer. It will be saved under the name deny-ip-list.txt (this is the standard name, the same name as the IP list from mariushosting.com). If you want to share it with friends or co-workers to make their lives easier and help them get even better security on their Synology NAS, you can.

Important: A Synology NAS is a top of the range device, much more powerful than your ordinary computer, which means it’ll have no problem with blocking as many IPs as you need. Whether you have 10 IPs in your Block List or 10 000 or 100 000, your Synology NAS can take it.

This post was updated on Thursday / December 12th, 2019 at 10:57 PM