13

I have a website that needs to block a particular country based on IP address. I am more than aware that IP-based blocking is not a foolproof method for blocking visitors, but it is a necessary step in the right direction.

Since I'm using PHP, what I would do is use a GeoIP database like geoplugin.net. However, I'm curious to know if there's a better way of doing this.

The website is on a shared webserver (I don't have root access) and it is running Apache on CentOS. I guess my question is "can an .htaccess file be configured to block by IP using an external source to look up IP addresses?"

Nathan Osman

3 Answers

4

http://www.blockacountry.com

Use cautiously...I'm sure there are plenty of people on here that think you are doing the wrong thing by blocking whole countries.

Jason Berg
  • 1
    Hmm, not always. Sometimes you're mandated by law to deny access to countries. Like Pandora, for example. – Mark Henderson Aug 03 '10 at 21:37
  • P.S. With the script that they generate, you should really get rid of the `ErrorDocument 403` directive, or replace it with your own, because it redirects you to their own website and then launches popups. – Mark Henderson Aug 03 '10 at 21:38
  • I wrote this with this answer in mind: http://serverfault.com/questions/163502/chinese-hacker-bots-attempting-to-exploit-our-systems-24-7/163638#163638 – Jason Berg Aug 03 '10 at 21:40
  • Yes. This works quite well - and yes, I'm aware that blocking countries this way is not recommended, but it's a requirement and there's not much I can do about it. Good answer, by the way. – Nathan Osman Aug 04 '10 at 22:20
  • 2
    This is a great example of a non future-proof answer. http://meta.stackexchange.com/questions/8231/are-answers-that-just-contain-links-elsewhere-really-good-answers – Brian Webster Aug 09 '12 at 23:14
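Added example (not part of the original answer and not the output of the linked site): a small Python generator that turns a one-CIDR-per-line list into `.htaccess` deny rules with a locally defined `ErrorDocument 403`, as the comment above recommends. The sample ranges are constructed documentation prefixes standing in for real per-country data, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample input: documentation prefixes (RFC 5737 / RFC 3849), not
# a real per-country CIDR list, which would come from a GeoIP data provider.
SAMPLE_RANGES = """
# constructed sample, not real country data
192.0.2.0/25
192.0.2.128/25
198.51.100.0/24
198.51.100.64/26
2001:db8::/32
not-a-network
"""

def parse_ranges(text):
    """Return (collapsed networks, rejected lines) from a one-CIDR-per-line list."""
    v4, v6, rejected = [], [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        try:
            # strict=True rejects entries with host bits set (likely typos)
            net = ipaddress.ip_network(line, strict=True)
        except ValueError:
            rejected.append(line)
            continue
        (v4 if net.version == 4 else v6).append(net)
    # Merging adjacent/overlapping ranges means fewer rules evaluated per request.
    nets = list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))
    return nets, rejected

def build_htaccess(nets, message="Access from your network is not available."):
    """Emit deny rules for Apache 2.4 (mod_authz_core) with a 2.2 fallback."""
    # A quoted text message keeps the 403 local: no redirect to a third-party site.
    out = [f'ErrorDocument 403 "{message}"', ""]
    out += ["<IfModule mod_authz_core.c>", "  <RequireAll>", "    Require all granted"]
    out += [f"    Require not ip {n}" for n in nets]
    out += ["  </RequireAll>", "</IfModule>", ""]
    out += ["<IfModule !mod_authz_core.c>", "  Order Allow,Deny", "  Allow from all"]
    out += [f"  Deny from {n}" for n in nets]
    out += ["</IfModule>"]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    nets, rejected = parse_ranges(SAMPLE_RANGES)
    for bad in rejected:
        print(f"# skipped invalid entry: {bad}")
    print(build_htaccess(nets))
```

On a shared host these directives only take effect if the administrator's `AllowOverride` permits them (`AuthConfig` for `Require`, `Limit` for `Order`/`Allow`/`Deny`, `FileInfo` for `ErrorDocument`).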
0

There seems to be a geoip module for apache, but the server admin might have reasons against installing it.

halp
0

If you find the additional rules causing CPU overhead and latency issues, TechGuard makes an in-line appliance for IP address blocking of inbound and outbound traffic, including commercial block lists of millions of IP addresses tied to malicious activity in countries allowed by your policy. It does all this without impacting network latency or TCP connections, while automatically updating what is equivalent to 12,000 IP ranges a day.

  • 2
    Welcome to Server Fault! Please read our [faq] in particular [May I promote products or websites I am affiliated with here?](http://serverfault.com/faq#promotion). Two answers and two recs for the same website is close to the line. – user9517 Sep 07 '12 at 21:05
  • I'm with @Iain: possibly useful answer, but phrasing sounds an awful lot more like marketing copy than the voice of bitter experience. – pjmorse Sep 23 '12 at 17:43