Allow blocking of countries on QTS
Posted: Fri Nov 09, 2018 4:02 am
Hello,
since I'm no subnetting expert, and the list of IP ranges for most countries can be fairly long (let's say Russia and China for example), and since I'm quite sure no-one needs to connect to my NAS from these countries, it would be nice to have either a white list (people can connect from countries in that list) or a black list (no connection from, say, Russia and China).
I'm kinda hoping my internet provider will include some of this functionality in the next version of its router, but that might be a nice addition to QTS.
For the moment, when I see a failed connection attempt in the warning logs, I check to see where it comes from (don't know why I still do that, it's always Russia) and find the corresponding IP range in a list such as this one:
https://www.wizcrafts.net/russian-iptab ... klist.html
and I convert the "92.37.128.0/17" line into 92.37.128.128.0/255.255.128.0 and enter that in the permanent ban list in QTS.
Now I know that in Apache, for example, mod_security allows blocking whole country codes using a freely available (and updated?) geolocation database (source: http://www.aboutdebian.com/security.htm, search for "Blocking Countries").
If that was doable in QTS, it would make things far more secure in my opinion (and yes, I have enabled auto-banning after failed attempts, port 443 is the only port available from the outside).
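The manual CIDR-to-netmask conversion described in the post can be scripted for a whole list at once. This is an added example, not part of the original post and not QNAP code; the `address/netmask` output format is assumed from the post's description of the ban list, and the sample input is constructed (only `92.37.128.0/17` appears in the post).

```python
import ipaddress

# Constructed sample input in the style of a one-CIDR-per-line blocklist.
# Only 92.37.128.0/17 comes from the post; the rest are documentation ranges.
SAMPLE_BLOCKLIST = """\
# constructed sample, not a real country list
92.37.128.0/17
198.51.100.0/25
198.51.100.128/25
203.0.113.77/24     # host bits set: normalised to 203.0.113.0/24
not-an-ip/33
192.0.2.0/24
192.0.2.64/26       # already covered by the /24 above
"""

def parse_cidrs(text):
    """Return (networks, rejected_entries) from one-CIDR-per-line text."""
    networks, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not entry:
            continue
        try:
            # strict=False masks off stray host bits instead of raising
            networks.append(ipaddress.IPv4Network(entry, strict=False))
        except ValueError:
            rejected.append(entry)  # keep bad lines visible for review
    return networks, rejected

def to_ban_entries(text):
    """Merge overlapping/adjacent ranges and render address/netmask pairs."""
    networks, rejected = parse_cidrs(text)
    merged = ipaddress.collapse_addresses(networks)  # fewer entries to type
    entries = [f"{n.network_address}/{n.netmask}" for n in merged]
    return entries, rejected

if __name__ == "__main__":
    entries, rejected = to_ban_entries(SAMPLE_BLOCKLIST)
    for e in entries:
        print(e)
    for r in rejected:
        print("skipped:", r)
```

Merging adjacent and nested ranges first keeps the number of ban-list entries as small as possible, and rejected lines are reported rather than silently dropped so a malformed list does not leave a gap unnoticed.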