Best way to block all traffic except north america?

ezeth Member, Patron Provider
edited March 2021 in Help

Hello. I want to have a website with whmcs and only allow people from North America. What would be the best way to do this?

I am thinking MaxMind VPN detection and only allow IPs (with no VPN) that are in North America, thoughts?

Comments

  • raindog308 Administrator, Veteran

    Perhaps the configserver firewall which allows:

    • Country Code blocking - Allows you to deny or allow access by ISO Country Code

    https://www.configserver.com/cp/csf.html

  • eris Member

    ipset

  • ezeth Member, Patron Provider

    @raindog308 said:
    Perhaps the configserver firewall which allows:

    • Country Code blocking - Allows you to deny or allow access by ISO Country Code

    https://www.configserver.com/cp/csf.html

    Many thanks, what do you recommend I should do to block people trying to bypass it with a vpn?

  • jar Patron Provider, Top Host, Veteran

    One liner to handle it:

    ip route add blackhole 0.0.0.0/0

  • raindog308 Administrator, Veteran

    @ezeth said:

    @raindog308 said:
    Perhaps the configserver firewall which allows:

    • Country Code blocking - Allows you to deny or allow access by ISO Country Code

    https://www.configserver.com/cp/csf.html

    Many thanks, what do you recommend I should do to block people trying to bypass it with a vpn?

    You probably can’t unless you have access to the databases used by Netflix, etc.

  • umi Member

    You can create those databases by tracerouting visitor's networks.

  • @ezeth said:
    Many thanks, what do you recommend I should do to block people trying to bypass it with a vpn?

    That is nigh on impossible, really. There are lists of IP ranges that are DC that host VPN providers but a reliable, well maintained, list with few false positives will likely cost money (and not a small amount since the only indication I can see on MaxMind's page is "contact sales") to subscribe to or effort to create and maintain yourself.

    That will be far from 100% effective. Even then there are a lot of things that will fall through the cracks. A lot of browser extension hacks and other malware these days are, as part of their payload, turning residential PCs into high-latency network access relays, transfer through which is sold on. Reliably detecting and blocking people using those is not practical. Big services like Netflix won't care, as such relays are usually unsuitable for high quality video, but they are useful to people who want to disguise their location in order to access something that works with lower bandwidth and higher latency (like whatever you are hosting, most likely). You'll never keep them all out, even MaxMind's dataset probably won't.

    Unless for some reason you expect massive legal trouble or other expense if someone from elsewhere has access to the information, I would stick with the more freely available GeoIP lists, pump those into your firewall, call that "due diligence enough" and if someone gets in via a VPN then that isn't your responsibility.

  • yoursunny Member, IPv6 Advocate

    Make iPhone app.
    Ask user to enable location.
    If GPS says they are in North America, allow access.

    Ask user to enter postal address.
    Search their address to ensure it's not a virtual mailbox such as UPS store.
    Mail a PIN number to their address, with return service requested.
    If user enters PIN number correctly, allow access.

    Both approaches have been adopted by major banks, and they work pretty well.

  • If you're using CloudFlare they pass the geolocation of the visitor in a header: https://support.cloudflare.com/hc/en-us/articles/200168236-What-does-Cloudflare-IP-Geolocation-do-

    Supported on the Free Plan.

  • @MeAtExampleDotCom said:

    @ezeth said:
    Many thanks, what do you recommend I should do to block people trying to bypass it with a vpn?

    That is nigh on impossible, really. There are lists of IP ranges that are DC that host VPN providers but a reliable, well maintained, list with few false positives will likely cost money (and not a small amount since the only indication I can see on MaxMind's page is "contact sales") to subscribe to or effort to create and maintain yourself.

    That will be far from 100% effective. Even then there are a lot of things that will fall through the cracks. A lot of browser extension hacks and other malware these days are, as part of their payload, turning residential PCs into high-latency network access relays, transfer through which is sold on. Reliably detecting and blocking people using those is not practical. Big services like Netflix won't care, as such relays are usually unsuitable for high quality video, but they are useful to people who want to disguise their location in order to access something that works with lower bandwidth and higher latency (like whatever you are hosting, most likely). You'll never keep them all out, even MaxMind's dataset probably won't.

    Unless for some reason you expect massive legal trouble or other expense if someone from elsewhere has access to the information, I would stick with the more freely available GeoIP lists, pump those into your firewall, call that "due diligence enough" and if someone gets in via a VPN then that isn't your responsibility.

    These are good comments, except I'd add that paid access may not be as expensive as feared. For example, I've used https://iphub.info which is pretty OK.

    As written in the quote, a bit depends on how accurate you want to be. For one site I look after, I do approximately this:

    • Geofence using DNS
    • Build a rough iptables list from https://www.ipdeny.com
    • For the pages that I want to protect, do a MaxMind lookup and reject based on geo
    • For the pages that I really want to protect, like login pages, additionally lookup on iphub and reject anything non-residential (cache in memcached to avoid too many API calls etc.)

    Beyond that it gets a bit reactive. I periodically do an automated scan of the logs and sometimes block entire ASNs (DO, Vultr, Linode, AWS, GC, ...). If you're using a monitoring service that hosts with any of these, you might need to be a bit careful, but in my case I don't care.

    Even after doing this, note that there are places that will give you a residential IP, most commonly using US cable internet (and specifically Comcast/Spectrum). Just check WHT to see the offers. The other day there was a 1-minute burst where I was suddenly getting peppered by "residential" Comcast/Spectrum/Charter IPs with the same request pattern. These tend to be the most difficult ones to filter out. I use stick tables and stuff with the UserAgent, but don't expect I'll catch everything.

    As also said earlier, the steps you take do depend on why you're trying to do it - legal obligation, prevent hacking/scraping, your own annoyance, etc. The above is what I've done and works OK for my specific needs/user base/locations.

  • darb Member

    @ezeth said:
    What would be the best way to do this?

    Always many ways to skin a cat ...

    Cloudflare allows you to block by region, so it is even quicker and easier to accomplish this, as well as the many other security benefits it offers.

    @ezeth said:
    Many thanks, what do you recommend I should do to block people trying to bypass it with a vpn?

    Never been on the backend of whmcs, but if it is php based, CIDRAM can block VPNs/TORs as well as a multitude of other criteria.

  • IF you are using cloudflare dns, then simply add Country: America to firewall settings.

  • jsg Member, Resident Benchmarker

    @ezeth said:
    Hello. I want to have a website with whmcs and only allow people from North America. What would be the best way to do this?

    I am thinking MaxMind VPN detection and only allow IPs (with no VPN) that are in North America, thoughts?

    Can't tell you because I'm not from North America.

  • Ironic when the most nefarious traffic that I see comes from USA.

  • Efficient way is by using an ipdeny.com list for USA (as was previously mentioned). Load this list in IPSET, then allow this IPSET in IPTABLES. Drop everything else.
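    The ipset + iptables approach described in this post (and the ipdeny-based list MeAtExampleDotCom builds above), as an added example script that is not from the thread: it filters an ipdeny-style country zone file down to syntactically valid prefixes, emits an `ipset restore` session and the matching iptables rules, and by default only prints them so you can review before applying. It assumes ipdeny's per-country zone files (one CIDR per line) are what you feed in, that ipset and iptables are installed, and it runs here against a small constructed sample; the set name `allow_na` and the `APPLY=1` switch are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread). Builds an ipset of North American
# prefixes from ipdeny-style zone files and allows web traffic only from it.
# Assumptions: ipset/iptables installed; input is one CIDR per line as in
# ipdeny's us.zone / ca.zone files. Without APPLY=1 nothing is applied.

SET_NAME="allow_na"

# Constructed sample standing in for the downloaded zone files.
SAMPLE_ZONES="# us.zone (constructed sample)
3.0.0.0/8
8.8.8.0/24
# ca.zone (constructed sample)
24.48.0.0/13
not-a-prefix
"

# Keep only valid IPv4 CIDR lines: drop comments, blanks, junk, octets > 255
# and prefix lengths > 32, so a corrupted download cannot break the restore.
filter_cidrs() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' | awk -F'[./]' '
        $1<=255 && $2<=255 && $3<=255 && $4<=255 && $5<=32 { print }'
}

# Turn CIDRs on stdin into an `ipset restore` session for the named set.
make_ipset_restore() {
    name="$1"
    echo "create $name hash:net family inet hashsize 4096 maxelem 262144"
    while IFS= read -r cidr; do
        echo "add $name $cidr"
    done
}

# Number of prefixes that survived filtering (sanity check before applying).
count_valid() {
    printf '%s\n' "$SAMPLE_ZONES" | filter_cidrs | wc -l | tr -d ' '
}

# Rules: keep established flows, loopback and SSH open from anywhere so the
# admin is not locked out; HTTP/HTTPS only from the set; drop the rest.
make_iptables_rules() {
    name="$1"
    cat <<EOF
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 80,443 -m set --match-set $name src -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j DROP
EOF
}

if [ "${APPLY:-0}" = "1" ]; then
    # Real use: replace SAMPLE_ZONES with the concatenated us/ca/mx zone files
    # fetched from ipdeny.com (exact file paths are not given in the thread).
    printf '%s\n' "$SAMPLE_ZONES" | filter_cidrs \
        | make_ipset_restore "$SET_NAME" | ipset -exist restore
    make_iptables_rules "$SET_NAME" | sh
else
    echo "# $(count_valid) valid prefixes; dry run, set APPLY=1 to load"
    printf '%s\n' "$SAMPLE_ZONES" | filter_cidrs | make_ipset_restore "$SET_NAME"
    make_iptables_rules "$SET_NAME"
fi
```

    The rules are appended rather than inserted so any existing accept rules keep precedence; if the server also runs a monitoring probe or a CDN in front of it, add an accept for those source ranges before the final DROP, or the geofence will cut them off too.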

  • People who want to see your page will find a way to see it. You can block the rest of the world and slow them down.

    I haven't tried Cloudflare, but I think it's the easiest. ConfigServer, which is recommended by raindog, is quite easy too. Ipset + MaxMind isn't hard either. There are many options. None is 100% effective.

  • mikec Member

    You can export the IP list for USA & Canada from https://www.ip2location.com/free/visitor-blocker and use ipset and iptables to filter.

  • Use a GeoDNS service and set the IPs accordingly.
