Allow blocking of countries on QTS

Tell us your most wanted features from QNAP products.
fbernard
New here
Posts: 6
Joined: Wed Apr 26, 2017 9:15 pm

Allow blocking of countries on QTS

Post by fbernard »

Hello,

since I'm no subnetting expert, and the list of IP ranges for most countries can be fairly long (let's say Russia and China for example), and since I'm quite sure no-one needs to connect to my NAS from these countries, it would be nice to have either a white list (people can connect from countries in that list) or a black list (no connection from, say, Russia and China).

I'm kinda hoping my internet provider will include some of this functionality in the next version of its router, but that might be a nice addition to QTS.

For the moment, when I see a failed connection attempt in the warning logs, I check to see where it comes from (don't know why I still do that, it's always Russia), I find the corresponding IP range in a list such as this one :
https://www.wizcrafts.net/russian-iptab ... klist.html

and I convert the "92.37.128.0/17" line into 92.37.128.128.0/255.255.128.0 and enter that in the permanent ban list in QTS.

Now I know that in Apache for example, mod_security allows blocking whole country codes, using a freely available (and updated?) geolocation database (source : http://www.aboutdebian.com/security.htm, search for "Blocking Countries" )

If that was doable in QTS, it would make things far more secure in my opinion (and yes, I have enabled auto-banning after failed attempts, port 443 is the only port available from the outside)
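The CIDR-to-netmask conversion described in the post above, as an added example that is not part of the original thread: it reads a CIDR blocklist, merges adjacent and overlapping ranges, and prints each range as address/netmask. Only 92.37.128.0/17 comes from the post; the other sample ranges are constructed, the function names are hypothetical, and the address/netmask output format is assumed from the post's description of the QTS ban list.

```python
import ipaddress

# Constructed sample in the style of a published CIDR blocklist.
# Only 92.37.128.0/17 is from the post; the rest are documentation ranges.
SAMPLE = """\
# example blocklist
92.37.128.0/17
198.51.100.0/25
198.51.100.128/25    # adjacent to the line above, merges into one /24
203.0.113.7/24       # host bits set, normalised to 203.0.113.0/24
203.0.113.64/26      # already covered by the /24 above
not-an-address
"""


def parse_cidrs(text):
    """Return (IPv4 networks, rejected entries) from a blocklist text."""
    nets, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not entry:
            continue
        try:
            # strict=False accepts entries whose host bits are set
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append(entry)
            continue
        if net.version != 4:  # dotted netmasks only make sense for IPv4
            rejected.append(entry)
            continue
        nets.append(net)
    return nets, rejected


def to_ban_entries(text):
    """Collapse the list and format each range as address/netmask."""
    nets, rejected = parse_cidrs(text)
    merged = ipaddress.collapse_addresses(nets)  # sorted, no overlaps
    return [f"{n.network_address}/{n.netmask}" for n in merged], rejected


if __name__ == "__main__":
    entries, rejected = to_ban_entries(SAMPLE)
    for line in entries:
        print(line)
    for bad in rejected:
        print(f"skipped (not a valid IPv4 range): {bad}")
```

Collapsing before conversion keeps the number of entries to type in as small as the list allows, and the rejected list shows which lines were not imported.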
dolbyman
Guru
Posts: 35005
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Allow blocking of countries on QTS

Post by dolbyman »

Best would be to NOT expose your NAS to the internet and use a VPN (router or NAS based).
Pereto
Starting out
Posts: 34
Joined: Wed Apr 16, 2014 11:33 pm

Re: Allow blocking of countries on QTS

Post by Pereto »

It would be great to have that functionality. On Synology equipment you can do
schumaku
Guru
Posts: 43579
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku

Re: Allow blocking of countries on QTS

Post by schumaku »

Yeah, the not so funny and bad guys are compromising systems and renting server space all over the world. The added security by adding a country list is almost null and nil.
martinZ
New here
Posts: 9
Joined: Sun Feb 07, 2016 12:42 am

Re: Allow blocking of countries on QTS

Post by martinZ »

Bump. QNAP seems to do a much better job than my last unit for logging activity. This would be a nice additional feature.
dolbyman
Guru
Posts: 35005
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Allow blocking of countries on QTS

Post by dolbyman »

Sorry to say, but QNAP does not read this section, so bumping will have no effect.
iam@nas
Easy as a breeze
Posts: 267
Joined: Wed Jun 15, 2016 2:49 am

Re: Allow blocking of countries on QTS

Post by iam@nas »

mod_security2.so is installed (QTS 4.3.6) but not loaded in Apache ...

QTS supports black and white listing, and one may better use a self-made white list instead of trusting GeoIP databases, which often contain errors. After blocking *.ru there's a good chance that not all .ru sources are blocked and that also some non-.ru sources are blocked. So one will soon need to create support tickets ... or stop using these lists.

It takes some time to ask the clients about their IP providers and white list them but at the end of the day the white list will protect you better than country blocking. Hopefully you have no clients with 'rent-a-server' IPs.
Or one can look up the successful connection attempts of the last month and use them to build a white list.
Richz7
Starting out
Posts: 33
Joined: Fri Sep 07, 2018 6:59 pm
Location: UK

Re: Allow blocking of countries on QTS

Post by Richz7 »

Hi BeautyPic,

You've never noticed strange activity in your connection logs? Logon for users such as 'admin' failing with incorrect passwords coming from strange IP addresses? I hate to ask, but your NAS is connected to the internet?

Unfortunately I do not have any current examples to show you but for me they tend to go in cycles of loads of attempts then none, and round again.
Thanks and Regards,

Rich
36Tb Raid 5 TVS-673