MFT Server IP Blocking Or Whitelisting Based On Originating Country
When companies provide a secure FTP or SFTP service in the cloud, they expose an attack surface to the Internet. Various hardware and software-based solutions are available to mitigate the threat of network intrusion and denial of service attacks. When it comes to IP restriction, blocking individual IPs or IP ranges is rarely enough. Businesses often seek geolocation-based or country-based blocking or white-listing to reduce the range of places a threat can originate from while easing the burden of service management. Geo-blocking comes in handy especially when you know the connecting users come from one or more specific countries and nowhere else.
Our secure managed file transfer server offering, TurboFTP Server, comes with a country-based IP blocking feature. IP geolocation data (country, city, and Internet service provider) is not a static assignment and changes over time. Keeping a geolocation database precise requires ongoing, dedicated effort. TurboFTP Server comes with a database with at least 90% accuracy on the country information. A Professional (or above) license of the server is required to enable this feature.
How to turn on IP blocking by country?
The IP country blocking feature is an additional option in the IP Access settings at the server or domain level. Please note that the IP access settings at the server level apply to remote administration only. Use the following steps to enable IP country blocking on a domain.
- Select a domain to configure IP restriction and go to the Domain -> IP Access tab. Select the checkbox Enable IP access restriction.
- If you don't want to put in any IP access rules, make sure to add an Allow All rule by clicking the Add Allow All button. By default, TurboFTP Server blocks all requests if there is no matching rule.
- Enter the two-letter ISO 3166-1 country codes in the IP country filter field, and choose whether to Allow or Deny requests from IPs originating from the specified countries. Suppose we only want traffic from US territory; we can put in the code "US". If more than one country is involved, separate the codes with commas. Finally, click Apply to submit the change.
Does the Geo-IP blocking feature degrade the MFT server's performance?
Like IP access restriction by IP range, the geolocation query takes extra CPU cycles to complete. However, with TurboFTP Server, the query occurs locally in system memory rather than remotely through a cloud API. Also, the lookup process is mathematically optimized and uses as little I/O and computation as possible. We measured that on a modern CPU, hundreds of queries, i.e., mappings of an inbound connection's IP to an ISO 3166-1 country code, can be done in a millisecond. Compared to the computation cost of establishing an SSL (Secure Sockets Layer) or SSH (Secure Shell) connection, the impact on performance is almost negligible.
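The comma-separated country filter from the steps above and the in-memory IP-to-country lookup described here can be sketched as follows. This is an added example, not TurboFTP Server's own code; the class and function names, the sample ranges, and the handling of addresses with no country mapping are assumptions.

```python
import bisect
import ipaddress

# Constructed sample data: RFC 5737 documentation ranges with made-up
# country assignments. A real geolocation database has far more entries.
SAMPLE_RANGES = [
    ("192.0.2.0/24", "US"),
    ("198.51.100.0/24", "CA"),
    ("203.0.113.0/24", "DE"),
]


class CountryTable:
    """Sorted, non-overlapping IPv4 ranges searched by bisection in memory."""

    def __init__(self, cidr_country_pairs):
        rows = []
        for cidr, code in cidr_country_pairs:
            net = ipaddress.ip_network(cidr)
            rows.append((int(net.network_address), int(net.broadcast_address), code.upper()))
        self._rows = sorted(rows)
        self._starts = [r[0] for r in self._rows]

    def lookup(self, ip):
        """Return the ISO 3166-1 alpha-2 code for ip, or None if unmapped."""
        n = int(ipaddress.IPv4Address(ip))
        i = bisect.bisect_right(self._starts, n) - 1  # last range starting <= n
        if i >= 0 and n <= self._rows[i][1]:
            return self._rows[i][2]
        return None


def parse_filter(text):
    """Parse a comma-separated filter such as "US, CA" into a set of codes."""
    codes = {c.strip().upper() for c in text.split(",") if c.strip()}
    bad = sorted(c for c in codes if len(c) != 2 or not c.isalpha())
    if bad:
        raise ValueError(f"not two-letter country codes: {bad}")
    return codes


def country_permits(table, ip, filter_text, mode):
    """mode is "allow" (only listed countries) or "deny" (all but listed).

    Assumption of this example: an IP with no country mapping fails an
    allow-list and passes a deny-list.
    """
    if mode not in ("allow", "deny"):
        raise ValueError("mode must be 'allow' or 'deny'")
    listed = table.lookup(ip) in parse_filter(filter_text)
    return listed if mode == "allow" else not listed
```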
With country-based IP blocking or white-listing, you have more power to fence off unauthorized access attempts and protect your Internet-facing secure FTP service. Additionally, no more resources are wasted on saying 'Hello' to parties you don't want to allow.