My FTP NAS gets brute-force attacks from time to time that make the log file explode. Most of the time from China.
Anyway, I only want to grant FTP access from Belgium.
So I have created & uploaded a white-list from https://mikrotikconfig.com/firewall/ (great tool btw). The (white) list is called "CountryIPAllow".
I have masquerade on port 21 to access the FTP from inside the LAN & dynamic hairpin (which updates my WAN IP) to access the FTP from the WAN.
Ports other than 21 are forwarded to other devices, so those should not be blocked.
I've seen examples to drop requests from a blacklist, but my blacklist is too heavy, so I need to do the inverse rule.
How should I configure the firewall to allow "CountryIPAllow" and drop all other port-21 access?
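One way to express exactly that on RouterOS, added here as an example and not taken from any post in this thread: the dst-nat for port 21 stays as it is, and a forward-chain drop rule that matches the negated address list (`src-address-list=!CountryIPAllow`) sits above the usual "accept dst-nated" rule. The NAS address 192.168.88.10, the interface list name `WAN` and the address-list entry are assumptions; other forwarded ports are not touched because every rule is limited to `dst-port=21`.

```routeros
# Added example, not from the thread. Assumed: NAS is 192.168.88.10, the WAN
# interface is a member of interface-list "WAN", and the address list
# "CountryIPAllow" is already imported (the entry below is a constructed
# placeholder using a documentation range, not a real Belgian prefix).
/ip firewall address-list
add list=CountryIPAllow address=203.0.113.0/24 comment="constructed placeholder entry"

# Existing-style port forward for the FTP control port only.
/ip firewall nat
add chain=dstnat action=dst-nat comment="FTP control -> NAS" \
    in-interface-list=WAN protocol=tcp dst-port=21 \
    to-addresses=192.168.88.10 to-ports=21

# Forward chain, evaluated after dst-nat, so dst-port is the post-NAT port.
# Order matters: place these two rules ABOVE the generic
# "accept connection-nat-state=dstnat" rule of the default firewall.
/ip firewall filter
# 1) Drop (and log, with a short prefix so the router log stays greppable)
#    port-21 traffic from the WAN whose source is NOT on the allow list.
add chain=forward action=drop comment="drop FTP not from CountryIPAllow" \
    in-interface-list=WAN protocol=tcp dst-port=21 \
    connection-nat-state=dstnat src-address-list=!CountryIPAllow \
    log=yes log-prefix="ftp-geo-drop"
# 2) Accept port-21 traffic from the WAN that is on the allow list.
add chain=forward action=accept comment="accept FTP from CountryIPAllow" \
    in-interface-list=WAN protocol=tcp dst-port=21 \
    connection-nat-state=dstnat src-address-list=CountryIPAllow

# Hairpin access from the LAN is unaffected: those packets do not arrive on
# in-interface-list=WAN, so neither rule above matches them.
```

To check the result, watch `/log print follow-only where message~"ftp-geo-drop"` from a non-listed source and confirm `/ip firewall filter print stats` shows the accept rule's counters increasing only for listed sources.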
There are better options than FTP, but it is your choice. Port 21 is not sufficient for FTP, if it is working (the data part) you might want to investigate why.
It is working in that sense that the login-screen is not showing anymore for other IP’s than BE. My goal was achieved.
I’m not an expert in this domain, and more than happy to accept other/better solutions.
Given how buggy various NAS appliances seem to be, and that regular FTP sends your credentials in plaintext which anyone can snoop, allowing access from even some of the internet is a bad idea - using a VPN would help.
I see, but that is impossible. I have about 50 customers needing to access the FTP from several places. Moreover, my customers do not have an IT department able to set up a VPN. It's not worth it.
Let me be blunt: if you run a plain FTP server you will get hacked. It's like a beacon on the internet.
Now I don't know crap about that stuff, but I suspect that anybody using your server, if hacked, would then become vulnerable as well through their FTP connection... not funny!!
Recommend some form of encryption as indicated so at least passwords are protected somewhat.
Now in terms of users, why is it public to the internet? I am assuming you have either family or a close knit group of friends that do so.
Well, that's easy then.
All you need to do is insist that, to use your server, they need to provide you with a domain name that you can put in your firewall address list.
Such that your dstnat rule for the server looks like this.
add action=dst-nat chain=dstnat comment="Access To My NAS" \
    dst-port=portX,portY,portZ in-interface-list=WAN log=yes \
    protocol=tcp src-address-list=Authorized_Users to-addresses=local_server_ip
where your firewall address list for external users looks like.