Best way to block all traffic except north america?

ezeth Member
edited March 30 in Help

Hello. I want to have a website with whmcs and only allow people from North America. What would be the best way to do this?

I am thinking MaxMind VPN detection and only allow IPs (with no VPN) that are in North America, thoughts?

Comments

  • raindog308 Administrator, Moderator

    Perhaps the configserver firewall which allows:

    • Country Code blocking - Allows you to deny or allow access by ISO Country Code

    https://www.configserver.com/cp/csf.html

    Thanked by 1 (ezeth)

    For LET support, please visit the support desk.

  • eris Member

    ipset

  • ezeth Member

    @raindog308 said:
    Perhaps the configserver firewall which allows:

    • Country Code blocking - Allows you to deny or allow access by ISO Country Code

    https://www.configserver.com/cp/csf.html

    Many thanks, what do you recommend I should do to block people trying to bypass it with a vpn?

  • jar Provider

    One liner to handle it:

    ip route add blackhole 0.0.0.0/0

  • raindog308 Administrator, Moderator

    @ezeth said:

    @raindog308 said:
    Perhaps the configserver firewall which allows:

    • Country Code blocking - Allows you to deny or allow access by ISO Country Code

    https://www.configserver.com/cp/csf.html

    Many thanks, what do you recommend I should do to block people trying to bypass it with a vpn?

    You probably can’t unless you have access to the databases used by Netflix, etc.

    For LET support, please visit the support desk.

  • umi Member

    You can create those databases by tracerouting visitor's networks.

  • MeAtExampleDotCom

    @ezeth said:
    Many thanks, what do you recommend I should do to block people trying to bypass it with a vpn?

    That is nigh on impossible, really. There are lists of IP ranges that are DC that host VPN providers but a reliable, well maintained, list with few false positives will likely cost money (and not a small amount since the only indication I can see on MaxMind's page is "contact sales") to subscribe to or effort to create and maintain yourself.

    That will be far from 100% effective. Even then there are a lot of things that will fall through the cracks. A lot of browser extension hacks and other malware these days are, as part of their payload, turning residential PCs into high latency network access relays, transfer through which is sold on. Reliably detecting and blocking people using those is not practical. Big services like Netflix won't care, as such relays are usually unsuitable for high quality video, but they are useful to people who want to disguise their location in order to access something that works with lower bandwidth and higher latency (like whatever you are hosting, most likely). You'll never keep them all out, even MaxMind's dataset probably won't.

    Unless for some reason you expect massive legal trouble or other expense if someone from elsewhere has access to the information, I would stick with the more freely available GeoIP lists, pump those into your firewall, call that "due diligence enough" and if someone gets in via a VPN then that isn't your responsibility.

  • Make iPhone app.
    Ask user to enable location.
    If GPS says they are in North America, allow access.

    Ask user to enter postal address.
    Search their address to ensure it's not a virtual mailbox such as UPS store.
    Mail a PIN number to their address, with return service requested.
    If user enters PIN number correctly, allow access.

    Both approaches have been adopted by major banks, and they work pretty well.

    I snagged Deal of the Year: $6.9/year, 6 vCPU, 8GB RAM, 105GB NVMe - but it got away.

  • If you're using CloudFlare they pass the geolocation of the visitor in a header: https://support.cloudflare.com/hc/en-us/articles/200168236-What-does-Cloudflare-IP-Geolocation-do-

    Supported on the Free Plan.

  • tetech Member

    @MeAtExampleDotCom said:

    @ezeth said:
    Many thanks, what do you recommend I should do to block people trying to bypass it with a vpn?

    That is nigh on impossible, really. There are lists of IP ranges that are DC that host VPN providers but a reliable, well maintained, list with few false positives will likely cost money (and not a small amount since the only indication I can see on MaxMind's page is "contact sales") to subscribe to or effort to create and maintain yourself.

    That will be far from 100% effective. Even then there are a lot of things that will fall through the cracks. A lot of browser extension hacks and other malware these days are, as part of their payload, turning residential PCs into high latency network access relays, transfer through which is sold on. Reliably detecting and blocking people using those is not practical. Big services like Netflix won't care, as such relays are usually unsuitable for high quality video, but they are useful to people who want to disguise their location in order to access something that works with lower bandwidth and higher latency (like whatever you are hosting, most likely). You'll never keep them all out, even MaxMind's dataset probably won't.

    Unless for some reason you expect massive legal trouble or other expense if someone from elsewhere has access to the information, I would stick with the more freely available GeoIP lists, pump those into your firewall, call that "due diligence enough" and if someone gets in via a VPN then that isn't your responsibility.

    These are good comments, except I'd add that paid access may not be as expensive as feared. For example, I've used https://iphub.info which is pretty OK.

    As written in the quote, a bit depends on how accurate you want to be. For one site I look after, I do approximately this:

    • Geofence using DNS
    • Build a rough iptables list from https://www.ipdeny.com
    • For the pages that I want to protect, do a MaxMind lookup and reject based on geo
    • For the pages that I really want to protect, like login pages, additionally lookup on iphub and reject anything non-residential (cache in memcached to avoid too many API calls etc.)

    Beyond that it gets a bit reactive. I periodically do an automated scan of the logs and sometimes block entire ASNs (DO, Vultr, Linode, AWS, GC, ...). If you're using a monitoring service that hosts with any of these, you might need to be a bit careful, but in my case I don't care.

    Even after doing this, note that there are places that will give you a residential IP, most commonly using US cable internet (and specifically Comcast/Spectrum). Just check WHT to see the offers. The other day there was a 1-minute burst where I was suddenly getting peppered by "residential" Comcast/Spectrum/Charter IPs with the same request pattern. These tend to be the most difficult ones to filter out. I use stick tables and stuff with the UserAgent, but don't expect I'll catch everything.

    As also said earlier, the steps you take do depend on why you're trying to do it - legal obligation, prevent hacking/scraping, your own annoyance, etc. The above is what I've done and works OK for my specific needs/user base/locations.

  • darb Member

    @ezeth said:
    What would be the best way to do this?

    Always many ways to skin a cat ...

    Cloudflare allows you to block by region, so it is even quicker and easier to accomplish this as well as the many other security benefits it offers.

    @ezeth said:
    Many thanks, what do you recommend I should do to block people trying to bypass it with a vpn?

    Never been on the backend of whmcs, but if it is php based, CIDRAM can block VPNs/TORs as well as a multitude of other criteria.

  • JasonM Member

    If you are using Cloudflare DNS, then simply add Country: America to the firewall settings.

  • jsg Member

    @ezeth said:
    Hello. I want to have a website with whmcs and only allow people from North America. What would be the best way to do this?

    I am thinking MaxMind VPN detection and only allow IPs (with no VPN) that are in North America, thoughts?

    Can't tell you because I'm not from North America.

    The problem with democracy is that by definition > 85% of the voters are not particularly intelligent.

  • Ironic when the most nefarious traffic that I see comes from USA.

    Then=sequence/consequence; than=compare || Brought=bring; bought=buy
    Paid=NotSkint; payed=some naval thing

  • default Member

    An efficient way is to use an ipdeny.com list for the USA (as was previously mentioned). Load this list into an IPSET, then allow that IPSET in IPTABLES. Drop everything else.

    Fastmako (aff) - another cheap VPS.
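The ipset + iptables allow-list that tetech's second step and default's post describe, as an added shell example (not code from either poster): it turns ipdeny.com zone files into an ipset restore script, refuses to go live with an empty list, and swaps the refreshed set in atomically. The set names, the zone file names and the IPv4-only scope are assumptions.

```shell
#!/bin/sh
# Added example, not code from any poster in the thread. Assumes IPv4 zone
# files (e.g. us.zone, ca.zone from https://www.ipdeny.com) are already
# downloaded; set names are hypothetical. Run load_allowlist as root.

# Emit an `ipset restore` script filling set $1 from zone files $2..$N.
# Only IPv4-shaped CIDRs pass, so a truncated or tampered download
# shrinks the list instead of injecting a stray line into the restore.
zone_to_ipset_restore() {
    set_name="$1"; shift
    printf 'create %s hash:net family inet hashsize 65536 maxelem 262144\n' "$set_name"
    cat "$@" | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}/([0-9]|[12][0-9]|3[0-2])$' \
             | sort -u | sed "s/^/add ${set_name} /"
}

# Networks the restore script would load; an empty list must never go live,
# since the final DROP rule would then lock out every visitor.
count_entries() {
    zone_to_ipset_restore "$@" | grep -c '^add ' || true
}

# iptables rules to install once: the set reaches the web ports, everything
# else on those ports is dropped; loopback and established flows stay open.
web_rules() {
    cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 80,443 -m set --match-set $1 src -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j DROP
EOF
}

# Load zone files into a staging set and swap it in atomically, so a refresh
# never leaves a window in which the allow-list is empty.
load_allowlist() {
    [ "$(count_entries na_allow_new "$@")" -gt 0 ] || { echo "empty allow-list, aborting" >&2; return 1; }
    ipset destroy na_allow_new 2>/dev/null || true
    zone_to_ipset_restore na_allow_new "$@" | ipset -exist restore
    ipset list na_allow >/dev/null 2>&1 || ipset create na_allow hash:net family inet hashsize 65536 maxelem 262144
    ipset swap na_allow_new na_allow && ipset destroy na_allow_new
}

# Offline demo on a constructed zone file (not a real ipdeny download).
demo() {
    f=$(mktemp)
    printf '10.0.0.0/8\n# comment\n192.168.1.0/24\nbogus\n10.0.0.0/8\n172.16.0.0/33\n' > "$f"
    zone_to_ipset_restore demo_set "$f"
    echo "networks loaded: $(count_entries demo_set "$f")"
    rm -f "$f"
}
```

Source the file and call `demo` to see the generated restore script; on the real host run `web_rules na_allow | sh` once and `load_allowlist us.zone ca.zone` from cron after each zone refresh.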

  • MGarbis Member

    People who want to see your page will find a way to see it. You can block the rest of the world and slow them down.

    I haven't tried Cloudflare, but I think it's the easiest. ConfigServer, which is recommended by raindog, is quite easy too. ipset + MaxMind isn't hard either. There are many options. None is 100% effective.

    Thanked by 1 (webcraft)

  • mikec Member

    You can export the IP list for USA & Canada from https://www.ip2location.com/free/visitor-blocker and use ipset and iptables to filter.

  • Dwayne Member

    Use a GeoDNS service and set the IPs accordingly.
