
GeoIP Region Blocking using Synology Firewall

 

I noticed internet performance issues today and was checking my router logs; I found excessive log entries showing:

Jun 18 20:55:48 dropbear[5405]: Child connection from <My Synology IP>:40894
Jun 18 20:55:49 dropbear[5405]: Exit before auth: Exited normally
Jun 18 20:55:49 dropbear[5411]: Child connection from <My Synology IP>:40896
Jun 18 20:55:51 dropbear[5411]: Exit before auth: Exited normally

I searched and found it was related to numerous invalid login attempts to the Synology login page.

This led me to log in to the CLI of my Synology and check the logs for failed attempts.

When checking the logs, I found the most concerning log was /var/log/httpd/apache22-error_log:

2018-06-18T19:28:42-06:00 nas [Mon Jun 18 19:28:42 2018] [error] [client 193.106.30.99] File does not exist: /var/services/web/wp-rdf.php
2018-06-18T20:11:16-06:00 nas [Mon Jun 18 20:11:16 2018] [error] [client 27.29.158.10] script not found or unable to stat: /var/services/web/login.cgi
2018-06-18T21:51:26-06:00 nas [Mon Jun 18 21:51:26 2018] [error] [client 172.18.0.2] File does not exist: /var/services/web/apple-touch-icon-precomposed.png
2018-06-18T21:51:26-06:00 nas [Mon Jun 18 21:51:26 2018] [error] [client 172.18.0.2] File does not exist: /var/services/web/apple-touch-icon.png
2018-06-18T21:51:26-06:00 nas [Mon Jun 18 21:51:26 2018] [error] [client 172.18.0.2] File does not exist: /var/services/web/apple-touch-icon-precomposed.png

This led me to consider blocking all geographical regions except my own. Most brute force attempts and vulnerability attacks come from outside my home country; this will reduce the attack surface significantly.

 

My first attempt at implementing the GeoIP blocking was problematic: I attempted a "deny all" entry after the "allow local network range" and "allow my region" rules, but this ended up blocking all access to the services I had running.

 

I thought I'd share how I implemented it for others wanting to reduce the surface area for attacks.

 

Enable firewall

  • Open Control Panel 
  • Select Connectivity -> Security
  • Go to Firewall tab

 

  • Check Enable firewall

 

Add "Allow" Rules for internal network  

  • Select Edit Rules for the default Firewall Profile (disregard the existing rules in the screenshot; these will be created in the following steps)
  • Create rule to allow your internal/home network

 

Add "Allow" Rules for your country/countries

  • Create rule to allow specific locations

 

Set network interface to deny if rules are not matched

  • Select the network interface that is the default for your Synology (mine is LAN 1; you can find your interface under Connectivity -> Network -> Network Interface)
  • ***This was the secret to getting the deny all after the allow rules to work***
  • Set "if no rules were matched: Deny Access" 

 

Click OK and Apply


 

Test reaching your Synology on your internal network and from external networks in your region. You can also validate that the firewall is blocking by using a Tor browser to send traffic from a different country and checking that your firewall rules are working properly.

 

 

 

Edited by shrabok
removed duplicate screen shots
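One way to triage the apache22-error_log output shown in the post before deciding on region blocking, as an added example that is not part of the original post: the script parses the `[client <ip>] <message>: <path>` layout, drops hits from private (LAN, Docker bridge, loopback) addresses such as the 172.18.0.2 favicon lookups, and summarises what remains per external client. The sample lines are the four from the post; the regex and the internal/external split are this example's own assumptions about the log format, not anything from Synology.

```python
"""Triage Apache error_log lines: separate external probes from local noise.

Added example, not from the original post. The log layout it parses is the
one shown in the post; the internal/external classification is an assumption
of this example (RFC 1918, loopback and link-local count as internal).
"""
import ipaddress
import re
from collections import defaultdict

# Sample lines copied from the post's apache22-error_log excerpt.
SAMPLE_LOG = """\
2018-06-18T19:28:42-06:00 nas [Mon Jun 18 19:28:42 2018] [error] [client 193.106.30.99] File does not exist: /var/services/web/wp-rdf.php
2018-06-18T20:11:16-06:00 nas [Mon Jun 18 20:11:16 2018] [error] [client 27.29.158.10] script not found or unable to stat: /var/services/web/login.cgi
2018-06-18T21:51:26-06:00 nas [Mon Jun 18 21:51:26 2018] [error] [client 172.18.0.2] File does not exist: /var/services/web/apple-touch-icon-precomposed.png
2018-06-18T21:51:26-06:00 nas [Mon Jun 18 21:51:26 2018] [error] [client 172.18.0.2] File does not exist: /var/services/web/apple-touch-icon.png
"""

# <iso timestamp> <host> [<apache timestamp>] [<level>] [client <ip>] <message>: <path>[, referer: ...]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ \[[^\]]*\] \[(?P<level>\w+)\] \[client (?P<client>[^\]\s]+)\] "
    r"(?P<message>.*?): (?P<path>\S+)(?:, referer: .*)?$"
)


def parse_line(line):
    """Return a dict with ts, level, client, message and path, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_internal(client):
    """True for private, loopback or link-local addresses (home LAN, Docker bridge, localhost).

    Anything that is not a parseable IP address is treated as external so it is surfaced.
    """
    try:
        ip = ipaddress.ip_address(client)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local


def triage(log_text):
    """Summarise error-log hits per external client.

    Returns (external, internal_hits): external maps each public client IP to
    {"hits": n, "paths": [...]} ordered by hit count, descending; internal_hits
    counts the lines from internal addresses that were filtered out as local noise.
    """
    by_client = defaultdict(lambda: {"hits": 0, "paths": []})
    internal_hits = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # blank or differently formatted line; ignored here
        if is_internal(rec["client"]):
            internal_hits += 1
            continue
        entry = by_client[rec["client"]]
        entry["hits"] += 1
        entry["paths"].append(rec["path"])
    external = dict(sorted(by_client.items(), key=lambda kv: kv[1]["hits"], reverse=True))
    return external, internal_hits


if __name__ == "__main__":
    external, internal_hits = triage(SAMPLE_LOG)
    print(f"{internal_hits} hit(s) from internal addresses ignored")
    for client, info in external.items():
        print(f"{client}: {info['hits']} hit(s)")
        for path in info["paths"]:
            print(f"    {path}")
```

Run it against a real file with `triage(open("/var/log/httpd/apache22-error_log").read())`; clients that keep showing up with paths like `wp-*.php` or `login.cgi` that the NAS never served are the ones the region rules in the post are meant to keep out, while the internal count shows how much of the log is just browsers looking for icons.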


Very nice guide. I picked this up a while back, so I created a rule so that I can only connect in from my work IP address and via my DuckDNS IP; when I connect remotely on LTE and WiFi I update the IP first and then I connect.

 

Do this via the firewall on my router rather than on the NAS.

On 6/19/2018 at 4:12 AM, mrlgm007 said:

Do this via the firewall on my router rather than on the NAS.

 

I know this is an old post, but could you show screenshots like the OP did on how to add it to your router instead? It seems there are extra options if you try to do it on the router.

 

Thanks!

3 hours ago, bearcat said:

@tjohns34 That would be depending on the actual router used, as there is no "One rule to rule them all" ;-)

 

 

Roger that, that's true. I have a Synology RT2600ac. I could almost follow the screenshots the OP posted from his NAS, since the OS on Synology NAS and routers is pretty much the same, but when I tried following the steps, my router had more than a few more options. I just didn't want to mess up and possibly lock myself out of the router!  : )


Hi @tjohns34,

I have never done a Synology Router, but I would recommend checking the manual for GeoIP blocking configuration, also you could post a screenshot of the additional options and I could provide some feedback on what values to consider.

