New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Why and how they block access from China
Recently, I found some sites unavailable from China. The site is legal for both China and U.S. and most of them are e-commerce site. When I try to browse them, I've got the following info like below,
Access Denied
You don't have permission to access "http://www.XXXXXX.com/" on this server.
Reference #18.17e0fc7d.1388995628.878368c
I am wondering why they block chinese visitors? and further, by which method they achieve this.
Comments
Chinese internet users do not have a good reputation and some of them conduct internet scams.
and further, by which method they achieve this.
Block IP
They are blocking China's IP using .htaccess.
This is one reason. Another one is that many websites target US/Canadian or EU or other selected countries' residents, often offering "special" or "free" deals to get their contact details and don't want to waste resources on useless (from their point of view) Chinese users.
I wouldn't use "useless" but I prefer to say "non prospective buyers from (Enter the Country/Region)"
Spam, scam, ddos, hack and etc comes mostly from Asian countries.
And then there is the language barrier and cultural differences that sometimes makes dealing with the Chinese customers quite stressful and time consuming.
While we do have problems dealing with chinese people more than with others due to cultural differences and usual mistrust that comes from there which I can only blame on propaganda, the only real problem is economic, they only buy the lowest plans which they dont renew most of the time.
We also have issues with multiple accounts opened to benefit form a promo, and many other things it seems that time is free there to save 10 cents We are now adapting the promos especially to avoid making them interesting for the chinese, but we do not block chinese ranges.
That being said, romanians are close or at least were, so, cant really complain
Maybe this is why Romania was a friend of China for 40+ years
Basically, don't buy from them if they don't want your business
I'm sure your money will be loved somewhere else!
In my honest experience, Chinese customers are quite hard to deal with. They expect everything to be allowed, even when it's forbidden and we've told them a thousand times. Then they open PayPal disputes...
I guess it is due to the fact that their whole life was restricted in China and now when their economy have increased significantly after the successful Chinese industrial revolution, they find freedom and democracy outside China as "advertised" by many western countries.
I always enjoyed the Chinese clients at catalyst. That said, go through any of my server logs and you'll find chinanet as by far the #1 source of brute force attempts on all services. Just the reality. I've more chinanet IPs blackholed than I've got ecatel.
Since the old president of Romania, Nicolae Ceauşescu was executed by a group of soldiers who were supported by CIA in 1989, they have become more friendly to the US. xD
It's my turn. Jews own the US.
btw, I like your new offers. the Xenpower and the 1G Xen from Dallas. Dallas Xen performs much better than the one with E5 CPU in Italy.
Here is one way how to block entire countries using iptables. http://www.lowendguide.com/3/networking/block-an-entire-country-with-iptables-2/
just use cloudflare and block the whole bloody country. one-click , easy.
Even cheaper and easier - put somewhere on your site information about certain events that happened on a certain square in China - the Great Firewall of China will block your website for the chinese people for free
cloudflare is easier because Great firewall has already blocked cloudflare. instant block without having to wait.
This is probably why they are banned:
http://lowendtalk.com/discussion/19608/edkweb-hosting-offers-1gb-hosting-5-year#latest
Read the rules (or at least the forum) rather than just post the link to a junk website everywhere for "SEO" purposes...
Discussion not found.
Thanks, E3 and SSD array show the difference :-)
**Block a Country using CSF Firewall**
CSF is an iptables manager and be warned at startup it will flush all iptables already in use
i am running Ubuntu 12.04 i also have it on running 13.04
this is not a complete CSF Tutorial, but this is all you need to block Countries
another warning: CSF is in testing mode at startup TESTING = "1" set this to "0" after you know every thing works
install CSF
check if it works. (If no fatal errors, you're good!)
perl /usr/local/csf/bin/csftest.pl
Let's open up CSF's configuration file.
nano /etc/csf/csf.conf
The ports opened by default are the following (if your port is not listed, add it):
About 30% down you will find the Country Code section
Look for the line: CC_DENY = ""
Blocking IP addresses
If you would like to block an IP address or range, open csf.deny.
nano /etc/csf/csf.deny
Blocked IP addresses or ranges all reserve one line in csf.deny file. If you would like to block IP address 1.2.3.4 as well as IP range 2.3.., you should add the following lines to the file:
IP ranges are represented using the CIDR notation
Allowing IP addresses
If you would like an IP address or range to be excluded from all blocks and filters, you may add them to csf.allow file. Please note that allowed IP addresses are allowed even if they are explicitly blocked in csf.deny file.
Allowing IP addresses works similarly to blocking them. The only difference is that you should edit /etc/csf/csf.allow instead of csf.deny.
nano /etc/csf/csf.allow
Ignoring IP addresses
CSF also offers ability to exclude IP addresses from the firewall filters. IP addresses in csf.ignore will bypass the firewall filters, and can only be blocked if listed in csf.deny file.
nano /etc/csf/csf.ignore
In order for changes to take effect, you should restart CSF after editing any of the files with command:
csf -r && service lfd restart
If everything went like planned, and you are still able to access the server, open the configuration file once more:
nano /etc/csf/csf.conf
and change setting TESTING at the beginning of the configuration file to 0 as shown below:
TESTING = "0"
Apply the changes with command:
csf -r && service lfd restart
Sources:
Coding with Steve
Digital Ocean - Install and Configure Config Server Firewall (CSF) on Ubuntu
ISO Country Codes
Will Fail2ban work with CSF:
Fail2ban with CSF and blocking of repeat offenders
I think it was deleted, basically someone just register for an account and posted a shared hosting offer on LET...
On most servers we block chinese, russian and some other country's as on those servers there local company's that don't get clients (no ecommerce related) from that region.
As most of the wordpress hacking, port scanning, bruteforcing email etc.. comes from those regions.. and they have no business on particular servers..
Btw, Is there any reliable way to get one's own IPs definitely blocked by the GFW (without risk of active aggressive actions, like DDOS, of course)? Just so that my server's IPs won't be reachable from Chinese IP space without tricks like vpn/proxy.
I'm currently using CSF's CC_Deny function on a few servers for that purpose, which works more or less, but it uses a lot of table entries which could be used for other undesired countries, and quite a few IPs aren't identified correctly this way, so delegating this filtering to the Chinese Government for free would be a nice option. ;-)
Ask them nicely? I've often used CSF to block China and sometimes RU from some vpses, perhaps I should look into CloudFlare as I did not know they allowed per country blocking.
You forgot Tor, Good luck blocking that.
Tor is much easier to block than open proxies since the list of exit IPs is know and published.
http://torstatus.blutmagie.de/ip_list_all.php/Tor_ip_list_ALL.csv
It's not that I want to lock out anyone from China at any cost - I've no problem with the Chinese (or Indians, Rumanians, Pakistanis etc.) in general, but even a minuscule percentage of nasty, abusive guys can be a huge crowd in absolute numbers in a country of over a billion. I just want to reduce the amount of mindless automated routine attacks that come from the most likely countries. A.t.m. CN is by far (~90%) the biggest source of such attacks and none of the accounts/services on these servers has anything to do with that region anyway, so cutting connectivity selectively without loading up CSF with hundreds of IP ranges just for that one country would be quite helpful. It's also much nicer to only receive a couple of LFD emails a day about the more critical manual attacks rather than hundreds about relatively harmless but still very annoying automated intrusion attemps from China. I have a long country string for CC_Deny that in theory blocks almost all risky countries without affecting normal service in any way, but in reality it won't run on most systems as CSF just can't handle that many IP ranges, but it works fine if I only delete CN with its many, many ranges. So if useless Chinese traffic could be blocked directly at the source, I could use the rest of the country list and have almost all the annoying stuff blocked without CSF going belly-up. I'm certainly no fan of government censorship of any kind, but as long as this instrument is in place and we can'T do anything about it, we might as well (ab)use it for an unintended but rather useful purpose... ;-)
>
"Mindless, automated attacks" are just the first step. For one, hackers are as lazy as anybody else or even more so (given the inherent vulnerability of the 'net and tools at their disposal). Assuming that you have not been targeted specifically, this is simply how pros and script kiddies alike START to look for security holes and easy pickings. Automated - yes, but definitely not mindless. Secondly, I think you are being very naïve here, thinking that GFW is your friend and will stop the bad guys from China
Same here, just adding " CC_DENY = "RU,CN,NG" " has stoped about 70-80% of the attacks to my public DNS ad blocking server.
Well, it seems I attract mostly lazy script kiddies. The overwhelming majority of cases is just simple brute force directory attacks with always the same names in the same order. LFD blocks an IP, a few minutes later another IP from the same network shows up and tries again with the same sequence. On some days I had dozens of the same IPs blocked on several of my machines in the same order. Most likely this wouldn't result in any serious problems anyway thanks to strong passwords, but why not just eliminate at least the easy to fix problems and concentrate on the more elaborate and serious ones instead?
Most of them don't seem to have any idea about the target systems (some are even empty backups for backup machines), just scanning whole IP ranges, and CSF is enough to get rid of them, but still it's very annoying and distractive. The guys I'm really worried about are much more professional, less obvious and more difficult to fight off. Of course, you're wright that such simple attempts may also be just "door knocking" for more serious attacks. But if it's just slightly easier to try it on another system, they generally simply move on. Just like at the safari - there's no need to be able to run faster than a lion, you only need to be faster than the slowest member of your group. ;-)