
Inspired as a continuation of this question:

Is it practical to pre-blacklist certain GeoIP regions?

Why would it not make sense to blacklist every single IP address that shouldn't have access to a certain server or port? If you already know the IP addresses of the people that are supposed to have access, wouldn't it make sense to blacklist the rest just in case? Why is this not done everywhere?

  • For web servers, normally they are meant to be used from unknown IP addresses. It's not clear what you mean, or the relevance of MAC addresses. – Alexander O'Mara Jun 01 '16 at 18:20
  • Sure, this is a perfectly acceptable and fairly common practice. It's just one extra layer of security. You do, however, lose some convenience in that you might not be able to connect if you're away from home, and there may be a risk of lockout if your IP changes. – tlng05 Jun 01 '16 at 18:28
  • If you disallow all IPs except one, I would call that a whitelist and not a blacklist. – Anders Jun 01 '16 at 19:15
  • There are always 2 approaches in this: allow a few access and deny everyone else or deny some (enemies) and allow the rest. Which approach you use depends too much on the situation. – Overmind Jun 02 '16 at 09:32

1 Answer


Because it's common sense that this kind of thing is ALREADY implemented when needed.

  • If you have a PostgreSQL database running, from your firewall you will only allow your php/apache/whatever server to connect on tcp/5432. You will also BIND your application to listen only on the desired IP address, and you will also configure PostgreSQL to allow connections from your application server.
  • If you have a *NIX server hosted at a cloud provider with ssh enabled, and you have some valid IP addresses at your company, you will only allow those IPs to reach your cloud instance. You could also implement port-knocking techniques to make it less easy for someone to scan your services. Another layer of protection is SSH keys.

The Principle of least privilege also applies to networks. But in THAT GeoIP case, there was a special need. Maybe he needs to keep an application available only to his country's IP addresses.

It's not done everywhere because it's not needed in every situation.

  • Thanks for the answer, not sure why there were so many downvotes. I was wrong in my thought process, but that's why it was a question.... – Dupontrocks11 Jun 01 '16 at 20:08
  • Yeah, I got it. The only problem is that your method of blocking everyone and allowing only when needed is only valid for critical access. For a web server, for example, it would be better to allow by Geo Location if you have a site that runs only in your mother language and has some information about local history, for example. There is no need to allow traffic from all the world. –  Jun 02 '16 at 10:44
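As an added illustration of the answer's two bullet points (not code from the answer's author or from any of the commenters), the script below renders the "allow a few, deny the rest" model as a default-deny nftables ruleset plus the matching PostgreSQL settings: the firewall accepts tcp/5432 only from the application servers and tcp/22 only from the company's egress addresses, PostgreSQL is bound to the private interface, and pg_hba.conf accepts only those same application hosts. Every address, host name and database/role name is a constructed placeholder.

```shell
#!/bin/sh
# Constructed example: allow-list (whitelist) firewalling for a DB host as the
# answer describes. All addresses and names below are placeholders, not real
# infrastructure; substitute your own app-server and admin ranges.

APP_SERVERS="10.0.1.10 10.0.1.11"           # hosts allowed to reach tcp/5432 (assumed)
ADMIN_HOSTS="203.0.113.5 198.51.100.0/24"   # company egress IPs allowed to ssh (assumed)
DB_LISTEN_ADDR="10.0.2.20"                  # the DB host's private interface (assumed)

# Turn a space-separated list into the "a, b, c" form nft set elements use.
join_elements() {
    printf '%s' "$1" | sed 's/ /, /g'
}

# Emit a default-deny nftables ruleset: the input chain's policy is drop, so only
# the explicitly listed sources and ports get through. "flags interval" lets the
# sets hold CIDR prefixes as well as single addresses.
render_nft_ruleset() {
    cat <<EOF
table inet filter {
    set app_servers {
        type ipv4_addr
        flags interval
        elements = { $(join_elements "$APP_SERVERS") }
    }
    set admin_hosts {
        type ipv4_addr
        flags interval
        elements = { $(join_elements "$ADMIN_HOSTS") }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        ip saddr @app_servers tcp dport 5432 accept
        ip saddr @admin_hosts tcp dport 22 accept
        # Keep ICMP so path-MTU discovery and basic diagnostics still work.
        ip protocol icmp accept
    }
}
EOF
}

# PostgreSQL side: bind only to the private address (postgresql.conf) ...
render_pg_listen() {
    printf "listen_addresses = '%s'\n" "$DB_LISTEN_ADDR"
}

# ... and accept only the application hosts, still requiring a password via
# scram-sha-256 (pg_hba.conf). Network control and auth are separate layers.
render_pg_hba() {
    printf '# TYPE  DATABASE  USER  ADDRESS          METHOD\n'
    printf 'local   all       all                    peer\n'
    for host in $APP_SERVERS; do
        printf 'host    appdb     app   %-16s scram-sha-256\n' "$host/32"
    done
}

# How many inbound service ports are exposed at all: a quick surface check.
count_accept_rules() {
    render_nft_ruleset | grep -c 'dport [0-9]* accept'
}

if [ "${1:-}" = "show" ]; then
    render_nft_ruleset
    render_pg_listen
    render_pg_hba
fi
```

Run it with `sh allowlist.sh show` to print the three fragments; the nftables text can be loaded with `nft -f`, and the two PostgreSQL fragments go into postgresql.conf and pg_hba.conf respectively. Note the lockout risk tlng05 raises: if ADMIN_HOSTS only contains a single address that later changes, tcp/22 becomes unreachable, so keep console or out-of-band access to the host.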