Do you geo block? What do you use?

sureiam (Member)
edited April 2018 in General

This tends to get people pretty upset but seems extremely simple to me. 9/10 attacks come from either Russia/eastern Europe or China. If you have no intention of serving customers outside of your intended demographic then why not just block everyone else?

Additionally for the providers here where have you found the most abuse of your services geographically speaking?

So if you do geo blocking, what do you use? I have systems in place for webservers but want it instead for the firewall. Changing the ssh port, removing root login, setting up fail2ban services and encryption certs is good practice. But perhaps there is a bigger hammer I can also use here that I'm unaware of.

Comments

  • csf

  • hzr (Member)
    edited April 2018

    I admin or run some forums, websites, etc (and their underlying infrastructure), double digit million uniques per month.

    The most non-automated (shady, linkspam, SEO, spam in signatures, email spam, etc) spam comes from Sri Lanka, Bangladesh, India, Pakistan, Philippines, Russia (a few specific small ISPs), and the dirty afrinic IP space with fake whois (mostly used by VPN providers I think).

    The most automated (scan, brute etc) attacks come from China, India, various US home ISPs, random eastern European countries.

    No geo blocking. Only blocking based on abuse history. Some netblocks are shadowbanned automatically like all of host1plus/DET/logicweb/cloudinnovation because they only originate spam and abuse and have no legitimate users.

  • sureiam said: have no intention of serving customers outside of your intended demographic

    That's the questionable part that gets some people upset. It doesn't do much for the open internet and it doesn't feel good to be told that one is "outside somebody's intended demographic." Since I live in Canada and get this from US marketing geniuses all the time, I don't feel it is right to apply it to others either.

    sureiam said: but seems extremely simple to me. 9/10 attacks . . .

    I'm sure it does. :)

  • pechspilz (Member)
    edited April 2018

    https://github.com/trick77/ipset-blacklist

    I use this on every server exposed on the Internet. It doesn't increase security but the auth.log is smaller :)

    Geo blocking can be set up in the config file like
    http://ipverse.net/ipblocks/data/countries/xx.zone" # Ban an entire country, see http://ipverse.net/ipblocks/data/countri

    or any IP v4 list you like.

  • wavecomas (Member, Host Rep)

    There is a noticeable bandwidth loss if whole countries are blocked. If iptables is large, most probably your box can perform sometimes 200-300Mbit/s even if you have a 10gig connection... CSF traps or Imunify in a webhosting server will give a much better result.

  • jsg (Member, Resident Benchmarker)

    No geo based blocking here for diverse reasons one of them being that VPNs have changed the game quite a bit.

    I use a solution based on a carefully grown list of offender IP ranges that gets reevaluated now and then. New offenders trigger an email to abuse at their IP range and the range is entered into a grey list and turns black automatically unless a clear positive response is received. An IP in the grey list that offends again turns black no matter the abuse people's reaction and additionally said IP range holder is entered into a provider grey list, which then ...

  • @wavecomas said:
    There is a noticeable bandwidth loss if whole countries are blocked.

    Not if you use ipsets.
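    The ipset approach from this exchange, as an added example that is not from any poster nor from the ipset-blacklist project: a POSIX shell script that turns a country zone list (one CIDR per line, the format of the ipverse.net zone files quoted earlier) into `ipset restore` input for a hash:net set and attaches it to iptables with a single rule. The set name `geoblock`, the set sizes and the sample prefixes are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the ipset-blacklist project.
# Assumptions: ipset and iptables installed; set name "geoblock" is our choice.
# IPv4 only; an IPv6 zone would need a second set with "family inet6".

SET_NAME=geoblock

# Constructed sample zone list standing in for a downloaded xx.zone file
# (one prefix per line, comments and blank lines allowed).
SAMPLE_ZONE='# constructed sample, not a real country zone
198.51.100.0/24
203.0.113.0/24

192.0.2.0/24'

# Turn a zone list on stdin into "ipset restore" input. The set is filled
# under a temporary name and swapped in atomically, so the live set is
# never half-loaded while a refresh runs.
zone_to_ipset_restore() {
    set_name="$1"
    printf 'create %s hash:net family inet hashsize 4096 maxelem 262144\n' "$set_name"
    printf 'create %s_tmp hash:net family inet hashsize 4096 maxelem 262144\n' "$set_name"
    printf 'flush %s_tmp\n' "$set_name"
    # Keep only lines that look like an IPv4 prefix; drop comments and blanks.
    grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(/[0-9]+)?$' | sed "s/^/add ${set_name}_tmp /"
    printf 'swap %s_tmp %s\n' "$set_name" "$set_name"
    printf 'destroy %s_tmp\n' "$set_name"
}

# Number of prefixes a zone list on stdin would load (sanity check before applying).
count_prefixes() {
    zone_to_ipset_restore "$1" | grep -c '^add '
}

# Load the set and add ONE iptables rule in front of INPUT. Matching a hash:net
# set is a hash lookup, so thousands of prefixes cost about as much as a single
# rule, which is why ipsets avoid the slowdown of a long iptables chain.
# Without root it only prints the restore input it would feed to ipset.
apply_geoblock() {
    restore_input=$(printf '%s\n' "$SAMPLE_ZONE" | zone_to_ipset_restore "$SET_NAME")
    if [ "$(id -u)" -ne 0 ]; then
        printf '%s\n' "$restore_input"
        return 0
    fi
    printf '%s\n' "$restore_input" | ipset -exist restore
    iptables -C INPUT -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null \
        || iptables -I INPUT -m set --match-set "$SET_NAME" src -j DROP
}
```

    Replace `SAMPLE_ZONE` with the contents of a downloaded zone file and re-run on a timer to refresh the set; the swap keeps the old set active until the new one is complete.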

  • @jsg said:
    No geo based blocking here for diverse reasons one of them being that VPNs have changed the game quite a bit.

    I use a solution based on a carefully grown list of offender IP ranges that gets reevaluated now and then. New offenders trigger an email to abuse at their IP range and the range is entered into a grey list and turns black automatically unless a clear positive response is received. An IP in the grey list that offends again turns black no matter the abuse people's reaction and additionally said IP range holder is entered into a provider grey list, which then ...

    Impressive! I especially like the abuse email report...

    @Ole_Juul said:

    sureiam said: have no intention of serving customers outside of your intended demographic

    That's the questionable part that gets some people upset. It doesn't do much for the open internet and it doesn't feel good to be told that one is "outside somebody's intended demographic." Since I live in Canada and get this from US marketing geniuses all the time, I don't feel it is right to apply it to others either.

    Many people have businesses or sites that can't deal with foreign individuals or have no desire to do so. Not sure why you would take that personally.

  • jsg (Member, Resident Benchmarker)

    @sureiam

    Might sound like work, I know, but actually it's less cumbersome once the engine is nicely running. I also like the fact that the providers tell me a lot, not so much by what they say, which usually is canned, but by how they react, how quickly they react and whether they really cut off the offenders.

  • sureiam (Member)
    edited April 2018

    @jsg said:
    @sureiam

    Might sound like work, I know, but actually it's less cumbersome once the engine is nicely running. I also like the fact that the providers tell me a lot, not so much by what they say, which usually is canned, but by how they react, how quickly they react and whether they really cut off the offenders.

    Ya it's a bit of work for sure but worthwhile! Glad it's been done by someone! Any insight into the most responsive providers?

  • Falzo (Member)

    +1, you'll find a lot of blocklists (not only geoip) at https://github.com/firehol/blocklist-ipsets

  • I block Russia, Somalia, China, India, Bangladesh, Pakistan on my AdSense sites. I got a lot of spam clicks and the AdSense team had warned me once. There are WP plugins or you can set Country block in Cloudflare. It's just a matter of minutes. Entire country is blocked. This has benefited in increasing eRPM/RPM of my AdSense account as maximum views are now coming only from U.S. and Canada and some parts in Europe.

  • @Sofia_K said:
    I block Russia, Somalia, China, India, Bangladesh, Pakistan on my AdSense sites. I got a lot of spam clicks and the AdSense team had warned me once. There are WP plugins or you can set Country block in Cloudflare. It's just a matter of minutes. Entire country is blocked. This has benefited in increasing eRPM/RPM of my AdSense account as maximum views are now coming only from U.S. and Canada and some parts in Europe.

    Interesting, I didn't even think of that (now fairly obvious) issue. Cloudflare is also not a bad option. Thanks for the insight.

  • LOGICWEB (Member)
    edited February 2019

    @hzr said:
    No geo blocking. Only blocking based on abuse history. Some netblocks are shadowbanned automatically like all of host1plus/DET/logicweb/cloudinnovation because they only originate spam and abuse and have no legitimate users.

    Hello,

    LogicRemoved has a strict policy on spam or abuse on our IPs. Very strict in fact. Our IPs are clear across RBLs, SpamHaus, Cisco Talos, Outlook (SNDS), etc. We absolutely forbid mass mailing on our IPs, forbid false rDNS requests (spammy domains or fake sub-domains). We also forbid fake whois change requests.

    Side note, we have massive demand for bulk IPv4 leasing at LogicRemoved due to the advantages we offer. Geolocation is submitted to at least 5 database providers and pulled daily, updated within a few days once their updates are pushed through publicly.

    Hope that clears out any misconception or confusion.

  • ufw default deny incoming
    ufw default deny outgoing

    Problem solved.

  • @eol said:
    ufw default deny incoming
    ufw default deny outgoing

    Problem solved.

    sudo route del default
    Fuck that...
    sudo ip route flush table main
    And peace.

  • NotsureIam

  • The grace of God and these two fingers..

  • Look for WAF.

  • Sofia_K said: I block Russia, Somalia, China, India, Bangladesh, Pakistan on my AdSense sites. I got a lot of spam clicks and the AdSense team had warned me once. There are WP plugins or you can set Country block in Cloudflare. It's just a matter of minutes. Entire country is blocked. This has benefited in increasing eRPM/RPM of my AdSense account as maximum views are now coming only from U.S. and Canada and some parts in Europe.

    Agree (Chennai, India). There are openly advertised companies running "clicks on ads" factories. The thing is the authorities and the public are ignorant about this. The people who work for these companies (mostly crowdsourced) don't even realize that they are doing something illegal even after explaining, and these companies are widely advertised on OLX, Quikr etc. (like Craigslist, Gumtree).

  • AlwaysSkint (Member)
    edited February 2019

    I block large chunks with csf/ipset. Example: CN,IL,TW,TH,AG,MX,UY,RU.
    I also use IP trap as a sort of honeypot, for the access attempts on Windoze-typical non-existent php files.
    The most attacks come from USA & China.
    Equally bad in my mind are the internal network port scans and broadcast packets, that providers prefer to ignore. Lusers that are mostly Windoze idiots. A subject for another thread?

  • @AlwaysSkint said:
    Lusers that are mostly Windoze idiots. A subject for another thread?

    Pretty smart to use a trojan to hack/attack I gotta say.

  • AlwaysSkint (Member)
    edited February 2019

    ^ it's bloody Plex, Dropbox et al, set to broadcast, likely by default.
    At least with webmin, for example, you need to manually search for other instances.

  • I block Apple useragents from the US and all IPs from India and Iran.

    I use the MaxMind lists.
    I'm satisfied.

  • We export the free firewall list from the following URL to block visitors by country.

    https://www.ip2location.com/free/visitor-blocker

  • You don't need to block anyone and you don't need to do anything else. Just make your services secure (e.g. root login with key/decent password).

  • edfox (Member)
    edited February 2019

    @gol3m said:
    You don't need to block anyone and you don't need to do anything else. Just make your services secure (e.g. root login with key/decent password).

    Mod edit: snipped

  • Letzien (Member)
    edited February 2019

    @edfox said:

    @gol3m said:
    You don't need to block anyone and you don't need to do anything else. Just make your services secure (e.g. root login with key/decent password).

    snipped

    Snipped

  • hzr (Member)
    edited February 2019

    edfox said: snipped

    Snipped

  • @LOGICWEB Did you really feel that it was necessary to ‘clarify’ on a six month old thread?

This discussion has been closed.