First time posting so please be gentle
I've just bought my first QNAP product, namely a TS-412 running FM 3.6.1. Whilst I'm finding the CPU a bit of a bottleneck, I love it.
I bought it primarily for home use as a private cloud. I have port forwarded the PPTP VPN and SSL (Apache on 443) ports to my QNAP. I have also installed AjaXplorer v4 for Web based accessed. I figured this is a better option than allowing the default WebFM in as this means the Admin GUI is exposed too as they run off the same web server. All is setup and working a-OK.
Because this is exposed to the Internet, I want to ensure its locked down as much as possible. Other than the obvious best practice of strong passwords, I'm using Network Access Protection functionality on all protocols. This seems to work fine except for HTTP(S) protection. I figured that as AjaXplorer uses its own user accounts and so its own authentication, failed auth attempts won't be caught using Network Access Protection (would love to be proved wrong).
Thinking I could make use of the IP banning functionality at the Apache level itself, I thought by setting up .htaccess authentication, failed auth attempts would be caught as Apache is the authenticator. Sadly, they are not being caught making the Web Server a target for dictionary or other brute force attacks.
Is this right or does Network Access Protection only work with the Admin/WebFM web server? If not, how can one make it work with Apache auth?