Allow blocking of countries on QTS

Posted: Fri Nov 09, 2018 4:02 am
by fbernard
Hello,

Since I'm no subnetting expert, and the list of IP ranges for most countries can be fairly long (let's say Russia and China for example), and since I'm quite sure no-one needs to connect to my NAS from these countries, it would be nice to have either a white list (people can connect from countries in that list) or a black list (no connection from, say, Russia and China).

I'm kinda hoping my internet provider will include some of this functionality in the next version of its router, but that might be a nice addition to QTS.

For the moment, when I see a failed connection attempt in the warning logs, I check to see where it comes from (don't know why I still do that, it's always Russia), I find the corresponding IP range in a list such as this one:
https://www.wizcrafts.net/russian-iptab ... klist.html

and I convert the "92.37.128.0/17" line into 92.37.128.128.0/255.255.128.0 and enter that in the permanent ban list in QTS.

Now I know that in Apache for example, mod_security allows blocking whole country codes, using a freely available (and updated?) geolocation database (source: http://www.aboutdebian.com/security.htm, search for "Blocking Countries").

If that was doable in QTS, it would make things far more secure in my opinion (and yes, I have enabled auto-banning after failed attempts, port 443 is the only port available from the outside).
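
The hand conversion described in the post above, as an added example that is not part of the original post: it validates each CIDR line of a blocklist, merges adjacent ranges so fewer entries are needed, and prints them in the address/netmask form the post enters into the QTS ban list. The sample list and the function names are constructed for illustration; only 92.37.128.0/17 comes from the post.

```python
import ipaddress

# Constructed sample in the style of a per-country CIDR list.
# Only 92.37.128.0/17 is quoted from the post; the rest are documentation ranges.
SAMPLE_BLOCKLIST = """\
# constructed sample
92.37.128.0/17
198.51.100.0/25
198.51.100.128/25
203.0.113.77/24
192.0.2.0.0/24
"""

def parse_cidr_lines(text):
    """Return (networks, rejected) from a list with one CIDR per line."""
    networks, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        try:
            # strict=False clears stray host bits (203.0.113.77/24 -> 203.0.113.0/24)
            networks.append(ipaddress.IPv4Network(line, strict=False))
        except ValueError:
            # malformed entries (e.g. five octets) are reported, never guessed at
            rejected.append(line)
    return networks, rejected

def to_netmask_entries(networks):
    """Merge adjacent/overlapping ranges, then render as address/netmask."""
    merged = ipaddress.collapse_addresses(networks)
    return [f"{n.network_address}/{n.netmask}" for n in merged]

def is_covered(ip, networks):
    """True if an address seen in the logs already falls inside a listed range."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in n for n in networks)

if __name__ == "__main__":
    nets, bad = parse_cidr_lines(SAMPLE_BLOCKLIST)
    for entry in to_netmask_entries(nets):
        print(entry)
    print("rejected:", bad)
```

Running `is_covered` on an address from the warning log before adding a new range avoids duplicate ban entries.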

Re: Allow blocking of countries on QTS

Posted: Fri Nov 09, 2018 4:05 am
by dolbyman
Best would be to NOT expose your NAS to the internet and use VPN (router or NAS based).

Re: Allow blocking of countries on QTS

Posted: Mon Nov 12, 2018 4:46 pm
by Pereto
It would be great to have that functionality. On Synology equipment you can do

Re: Allow blocking of countries on QTS

Posted: Tue Nov 27, 2018 9:06 pm
by schumaku
Yeah, the not so funny and bad guys are compromising systems and renting server space all over the world. The added security by adding a country list is almost null and nil.

Re: Allow blocking of countries on QTS

Posted: Wed Dec 05, 2018 11:36 pm
by martinZ
Bump. QNAP seems to do a much better job than my last unit for logging activity. This would be a nice additional feature.

Re: Allow blocking of countries on QTS

Posted: Wed Dec 05, 2018 11:52 pm
by dolbyman
Sorry to say, but QNAP does not read this section, so bumping will have no effect.

Re: Allow blocking of countries on QTS

Posted: Sun Feb 03, 2019 12:40 am
by iam@nas
mod_security2.so is installed (QTS 4.3.6) but not loaded in Apache ...

QTS supports black and white listing and one may better use a self-made white list instead of trusting GeoIP databases which often contain errors. After blocking *.ru there's a good chance that not all .ru sources are blocked and that also some non-.ru sources are blocked. So one will soon need to create support tickets ... or stop using these lists.

It takes some time to ask the clients about their IP providers and white list them but at the end of the day the white list will protect you better than country blocking. Hopefully you have no clients with 'rent-a-server' IPs.
Or one can look up the successful connection attempts of the last month and use them to build a white list.

Re: Allow blocking of countries on QTS

Posted: Mon Feb 04, 2019 7:15 pm
by Richz7
Hi BeautyPic,

You've never noticed strange activity in your connection logs? Logon for users such as 'admin' failing with incorrect passwords coming from strange IP addresses? I hate to ask, but your NAS is connected to the internet???

Unfortunately I do not have any current examples to show you but for me they tend to go in cycles of loads of attempts then none, and round again.