Is there any (simple) way to deny FTP connections based on the general physical location? I plan to use FTP as a simple cloud storage for me and my friends. I use an odroid c2 (similar to a Raspberry Pi but uses the arm64 architecture) running Debian 8 with proftpd and ufw as my firewall. The FTP server runs on a non-standard port, which I prefer not to mention here. I want to do this to increase the security of my server.
3 Answers
Use PAM and the geoip module
This PAM module provides GeoIP checking for logins. The user can be allowed or denied based on the location of the originating IP address. This is similar to pam_access(8), but uses a GeoIP City or GeoIP Country database instead of host name / IP matching.
You could do this to some extent with CIDR[1] IP ranges since these can be mapped to countries[2].
You can then use an app like iptables[3] to control any incoming traffic on any port (independent of the protocol). This tutorial describes it in some more detail.
In combination with CIDR the command would look something like this:
iptables -A INPUT -s 64.110.50.0/24 -j ACCEPT
Depending on how many friends you have, you may be able to narrow this down by the IP blocks reserved by your friends' Telco/Internet provider.
(BTW CIDR rules are what Amazon's cloud services use, and they highly recommend making AWS instances more secure in this manner. So your question has a lot of merit, but since I just joined I cannot up-vote it - or rather my vote doesn't show).
Additional links for reference that I cannot embed as I only get two links to use as a newbie:
1) en.wikipedia.org/wiki/Classless_Inter-Domain_Routing
2) blog.erben.sk/2014/02/06/country-cidr-ip-ranges
3) en.wikipedia.org/wiki/Iptables
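An added example, not part of the answer above: a dry-run generator that turns a CIDR list into rules scoped to the FTP control port and closes with the DROP that makes the list an actual allowlist. The function names, port 2121 and the sample list (apart from the answer's 64.110.50.0/24) are constructed placeholders.

```shell
# Added example (not from the answer): print, rather than apply, an
# allowlist rule set for one TCP port. Port and list are constructed.

# Succeeds if $1 is a syntactically valid IPv4 CIDR block (a.b.c.d/len).
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; len=${1#*/}
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    case "$addr" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Reads CIDR blocks on stdin (one per line, '#' comments allowed) and
# prints ACCEPT rules scoped to the port, then a DROP for everyone else.
gen_rules() {
    port=$1
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')
        [ -n "$line" ] || continue
        if valid_cidr "$line"; then
            printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$line"
        else
            printf 'skipped invalid entry: %s\n' "$line" >&2
        fi
    done
    # A lone ACCEPT restricts nothing while the chain policy is ACCEPT;
    # the closing DROP is what turns the list into an allowlist.
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# Constructed sample list: the answer's range, a documentation range,
# and two malformed entries that must be rejected.
sample_list() {
    cat <<'EOF'
# allowlist
64.110.50.0/24      # range from the answer above
203.0.113.0/24
300.1.2.0/24
198.51.100.7/33
EOF
}

FTP_PORT=2121   # placeholder for the undisclosed control port
sample_list | gen_rules "$FTP_PORT"
```

FTP passive-mode data connections arrive on separate ports, so the same source restriction has to cover the server's passive port range as well as the control port.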
I would suggest using ProFTPD's mod_geoip module, to at least restrict connections to the geographic continent/country (and city, if you can). This is similar to @Ipor's answer, using the same geoip libraries/databases, except that it doesn't require PAM configurations, and is more flexible.