1

I run a site that only deals with customers in certain locations.

Lately my load balancer is being hammered by requests from the Philippines/Russia/China. Mail bots, brute force attacks etc.

Is there a simple way of blocking these three countries from accessing my site? (Country code block?) I see a lot about using iptables, however I'm using firewalld on my CentOS 7 load balancer.

Any recommendations?

Thanks, Chris

rosey85uk

4 Answers

3

I would not worry so much about which countries, but would look at the actual IP addresses and IP blocks that are sourcing the objectionable behavior.

Trying to block countries is problematical and error-prone. You'd be trying to track down specific ISPs in each country and their IP address blocks.

I'd use logs and other sources to make lists of the misbehaving IP addresses, roll those up into subnets and then block those subnets. Revisit periodically.

Definitely a job better suited to firewalls and load balancers; iptables or firewalld can do this, but your host will have to see and process the traffic instead of it being blocked farther upstream.

Think more like fail2ban (http://www.fail2ban.org/wiki/index.php/Main_Page) and less like "block China".

tep
  • Thanks for the advice, I ended up going down the route of installing Fail2Ban and changing my SSH port also while I was at it. – rosey85uk Nov 06 '15 at 12:01
1

I have used a firewall in the past for this. Trying to do this on a CentOS or dedicated web server is difficult as this tends to be more of a network problem.

I would look into firewall solutions and blocking IP ranges that way. I know this doesn't really directly answer your question, just relaying what I have done in the past.

Jonas Lear
1

You will be punishing entire countries for a small bunch of bad guys. And even worse, you will be missing the bad guys from other countries too.

As tep says, Fail2Ban is ideal for this. Also make sure you have a WAF in place like mod_security or naxsi. Then add repsheet in the mix for good measure and you have not just attack-signature-based protection, but also behavioral/reputation-based monitoring.

If you really want to block countries but struggle with the firewall route, see if your webserver can do it, like Nginx can.

Routing unwanted countries to a less expensive app: https://www.digitalocean.com/community/tutorials/how-to-use-nginx-as-a-global-traffic-director-on-debian-or-ubuntu

Blocking unwanted countries: http://nginxlibrary.com/ip-based-country-blocking/

Preferably don't block legitimate users from those countries! It could be an American/European/whatever your target market is, on business or holiday.

JayMcTee
1

I had this problem and, as stated by tep, managing the IP blocks can be tricky. However I found a place that aggregates and manages lists of IP blocks per country using BGP (the major internet routing protocol) and I've found them to be very accurate.

http://www.ipdeny.com/

Then to make my life easy I wrote a script that pulls a user defined list of countries from the above site, aggregates and formats the IPs and injects them into your favourite firewall package. Currently it supports pf, ipfw, iptables, ipset and now the iptables replacement nftables. You can grab it off github here:

https://github.com/KaiLoi/update-fw-BC

I just run it out of cron and after selecting the top 10 hacking countries for my lists, hacks against my servers have pretty much evaporated. fail2ban on my server is bored out of its tree. ;)

KaiLoi
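Putting tep's advice (mine offenders from the logs, roll them up into subnets) and KaiLoi's approach (load a CIDR list into an ipset) onto the asker's firewalld host, as an added example that is not code from any poster here: it counts abusive lines per source in a constructed log sample (RFC 5737 test addresses), rolls repeat offenders up into /32s or whole /24s, and emits the firewall-cmd lines that load the result into a hash:net ipset bound to firewalld's built-in drop zone. The thresholds, the abuse marker strings and the ipset name `blocklist` are assumptions; a per-country zone file of one CIDR per line can be fed to the same `firewalld_commands` function.

```python
import re
from collections import Counter
from ipaddress import ip_network, collapse_addresses

# Constructed sample log (sshd + nginx lines, RFC 5737 test addresses), not real traffic.
SAMPLE_LOG = """\
Nov  6 11:58:01 lb1 sshd[2201]: Failed password for root from 203.0.113.10 port 4101 ssh2
Nov  6 11:58:03 lb1 sshd[2203]: Failed password for root from 203.0.113.10 port 4102 ssh2
Nov  6 11:58:07 lb1 sshd[2207]: Invalid user test from 203.0.113.77 port 5200
Nov  6 11:58:09 lb1 sshd[2209]: Accepted publickey for chris from 192.0.2.5 port 6000 ssh2
198.51.100.42 - - [06/Nov/2015:11:58:10 +0000] "POST /wp-login.php HTTP/1.1" 403 162
198.51.100.42 - - [06/Nov/2015:11:58:11 +0000] "POST /xmlrpc.php HTTP/1.1" 403 162
198.51.100.42 - - [06/Nov/2015:11:58:12 +0000] "POST /wp-login.php HTTP/1.1" 403 162
192.0.2.9 - - [06/Nov/2015:11:58:13 +0000] "GET /index.html HTTP/1.1" 200 5120
"""

IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
ABUSE_MARKERS = ("Failed password", "Invalid user", "wp-login.php", "xmlrpc.php")  # assumed; tune to your logs

def offending_ips(lines):
    """Count abusive log lines per source address; benign lines are ignored."""
    hits = Counter()
    for line in lines:
        match = IP_RE.search(line)
        if match and any(m in line for m in ABUSE_MARKERS):
            hits[match.group(1)] += 1
    return hits

def roll_up(hits, min_hits=3, min_hosts_per_24=2):
    """A single host is blocked at min_hits; a whole /24 is blocked once min_hosts_per_24
    distinct offenders share it. collapse_addresses merges duplicate/adjacent networks."""
    hosts_per_24 = Counter(ip_network(f"{ip}/24", strict=False) for ip in hits)
    nets = []
    for ip, count in hits.items():
        net24 = ip_network(f"{ip}/24", strict=False)
        if hosts_per_24[net24] >= min_hosts_per_24:
            nets.append(net24)
        elif count >= min_hits:
            nets.append(ip_network(ip))
    return sorted(collapse_addresses(nets))

def firewalld_commands(nets, ipset="blocklist"):
    """firewall-cmd lines that create a hash:net ipset, fill it, and attach it as a
    source of the built-in 'drop' zone so matching traffic is silently discarded."""
    cmds = [f"firewall-cmd --permanent --new-ipset={ipset} --type=hash:net"]
    cmds += [f"firewall-cmd --permanent --ipset={ipset} --add-entry={n}" for n in nets]
    cmds += [f"firewall-cmd --permanent --zone=drop --add-source=ipset:{ipset}",
             "firewall-cmd --reload"]
    return cmds
```

Run `firewalld_commands(roll_up(offending_ips(SAMPLE_LOG.splitlines())))` to get the command list; review it before running it, since a rolled-up /24 can include addresses of customers you want to keep.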