Synology: About My IP Block List

Synology About My IP Block List

So many people have been asking me about my IP block list and how I make it. Today I’m going to tell you all about it. Up until this point I’ve been successful at blocking most, if not all of the attacks directed at my Synology NAS. But how did I create my list? Those of you who have been following my work/website for some time now may know I have two Synology NAS devices. A DS720+ on which I host this website, and a DS718+ which I use for various experiments and, at this very moment, for testing the DSM 7.1 version.



My DS718+ NAS is currently isolated: it has its own Internet connection and functions separately from my other devices. Its ports are open to the Internet to receive any and all kinds of attacks. And it has a 120 characters long password (if anyone was wondering), making it essentially foolproof to any outside attempts to access it. My DS718+ is bait for anyone looking to do sketchy things, and those arrogant enough to think they can actually get in are blocked and sent to a black hole of oblivion they can never escape. I then use this info to generate a list of malicious IPs you too can use to boost security on your NAS. My deny IP list is essentially an extra layer of protection that blocks attacks to your NAS before they even reach your device. My deny IP list is also updated regularly to provide the best security for you.

Below is my DS718+ Synology NAS dedicated to my deny IP list work – a genuine blackhole for malicious users.

Dedicated Synology NAS deny ip list

Here is a picture of my router: a TL-R600VPN SafeStream Gigabit Multi-WAN Desktop VPN Router. It has no Desktop LAN access and no Wireless connection, and functions on a separate Internet connection, all for my deny IP block list.

TL-R600VPN SafeStream Gigabit Multi-WAN Desktop VPN Router



Software that converts an IP address into a hostname and provides location and other information.


Collection of Internet-connected devices, which may include personal computers, servers, mobile devices and Internet of things (IoT) devices that are infected and controlled by a common type of malware.


A proxy server is basically another computer which serves as a hub through which Internet requests are processed. By connecting to the Internet through proxies, the home IP address of your machine will not be shown. Instead the IP of the proxy server will be shown. Proxies are often used to access your NAS and router.


Also known as Secure Shell or Secure Socket Shell, SSH is a network protocol that gives users, particularly system administrators, a secure way to access a computer over an unsecured network. Many bad people will attempt to log into your NAS by trying to SSH your IP.


IP addresses or domains that are known sources of spam.


A bad person that tries to connect to your open FTP ports.


A brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found. Alternatively, the attacker can attempt to guess the key which is typically created from the password using a key derivation function. This is known as an exhaustive key search.

StealthWorker BOTNET

The malware forms a botnet called Stealthworker or GoBrut. It can infect both Windows and Linux machines and perform brute force attacks on targets sent by the botmaster. What began as a simple brute forcer specifically targeting phpMyAdmin web app has updated its arsenal, turning it into a multi-service brute forcer.

Note: I personally inspect all the IPs in my IP deny list once a month and test them using several sources to check their status.
Note: The mariushosting deny IP list is successfully used by over 1500 users.

This post was updated on Thursday / August 10th, 2023 at 9:43 AM