How to geo-block countries??

jim.thornton

On my server, I only have a few websites. However, there is absolutely no need for me to have any traffic from China or Vietnam. However, those two countries are majorly trying to brute-force my server. So, I would like to lock things down a little further.

I'm using CFD/LFD and blocking out IPs after something like 5-10 failed attempts. However, they just go and assign a new IP and then go again. It's almost non-stop. I get at least 100 emails per day for all of the IP blocks that are entered into the firewall.

Is there a way to geo-block those two countries totally? And then, if I can take it a step further and make it so that any country outside of North America has to enter a captcha or something in order to be able to get to the websites on my server???

Can someone tell me how to set up either of these issues (and if the second is even possible)?
 
You can also geo-block with CSF.
However, not all providers use geo-information, so there will be IPs from these countries that are not listed as being in or from these countries.
Have a look at the CC_DENY option.

The second option is maybe also possible via a custom script. I'm not sure, I can't do any scripting. :)
 
The CC_DENY option, as mentioned above, would work best in this situation.

But, if you are getting hits on a particular website then you can also think about enabling Cloudflare for it. :)
 
The CC_DENY option, as mentioned above, would work best in this situation.

But, if you are getting hits on a particular website then you can also think about enabling Cloudflare for it. :)

Thanks for the response. I don't know why I said CFD, but your message was correct, I'm using CSF/LFD.

I looked into the CC_DENY option and their forum was saying that it adds a lot of overhead to the server. Is there a better way of accomplishing what I want to accomplish? What about maybe installing mod_security? I did that once before but regular visitors were getting blocked out because the sites are Joomla & WordPress and all of the lookups were causing it to trigger and lock them out.

Any advice would be great. I just feel like I'm playing with fire to leave these attempts there. Right now I have CSF/LFD automatically blocking the IPs permanently. I also have DA blocking them for the different services that are being attacked as well.
 
mod_security is also a good option but sometimes it blocks legit traffic too. In such cases, you will need to whitelist some rules which are getting triggered false positively for your clients.
 
mod_security is also a good option but sometimes it blocks legit traffic too. In such cases, you will need to whitelist some rules which are getting triggered false positively for your clients.

Which do you think is the "better" option? Geo-blocking or mod-security for what I'm looking for?
 
I just feel like I'm playing with fire to leave these attempts there
I don't think you need to worry anyway. We all have times that we get loads of these attempts and attacks, they come and go. I monitored them myself for years. And for now, I just temp block them for several hours and I don't even let CSF send me tempbans anymore, only perm-ban emails.
Because in all those years, nothing ever happened. Not this way. Only with users having very weak passwords or being infected with some malware on their home PCs, or some (malicious or leaky) WordPress/Joomla addon, there was some spam sometimes.

Last time was 2 years ago, so nah... enforce strong passwords for your users.

Mod_security might also be a good thing, but as 24x7server already said, it needs some attention and configuring. I never used it yet.
Also protect your DNS servers if you are running some. Especially take care that this one is in effect if you don't have slave servers.
Code:
        allow-transfer {"none";};
This can also be used when running the multiserver setup from DirectAdmin.
 
Which do you think is the "better" option? Geo-blocking or mod-security for what I'm looking for?

The better option would be to block unwanted traffic before it reaches the apache/nginx server, so a filter based on CSF is more desirable, at least in my opinion and practice.
 
The better option would be to block unwanted traffic before it reaches the apache/nginx server, so a filter based on CSF is more desirable, at least in my opinion and practice.

Is there any filter that you can suggest?

I have CSF/LFD running (I think they are filters) and blocking attempts to dovecot, exim and a bunch of different services. I have it set to like 10 attempts or something and then perm block the IP.
 
CSF/LFD is what I prefer to use. As was already mentioned, the CC_DENY option would be the best, if you have sufficient RAM and CPU.
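
On the overhead concern raised in the thread: the sketch below is an added example, not code from any poster or from CSF. It shows how a per-country CIDR list can be merged and loaded into a single kernel ipset, so the firewall needs one rule instead of one rule per network. The set name `geo_deny` and the sample ranges (RFC 5737 documentation blocks standing in for real country lists) are assumptions.

```python
import ipaddress

# Constructed sample data: RFC 5737 documentation ranges stand in for the
# per-country CIDR lists a real GeoIP/zone-file source would provide.
SAMPLE_ZONES = {
    "CN": ["192.0.2.0/25", "192.0.2.128/25", "198.51.100.0/24", "198.51.100.64/26"],
    "VN": ["203.0.113.0/26", "203.0.113.64/26", "203.0.113.128/25", "not-a-cidr"],
}

def parse_zone(cidrs):
    """Return valid IPv4 networks from a list of strings, skipping bad lines."""
    nets = []
    for text in cidrs:
        try:
            net = ipaddress.ip_network(text.strip(), strict=False)
        except ValueError:
            continue  # malformed entry in the downloaded list
        if net.version == 4:
            nets.append(net)
    return nets

def merge_zones(zones):
    """Merge adjacent and overlapping networks across all listed countries."""
    nets = [n for cc in sorted(zones) for n in parse_zone(zones[cc])]
    return list(ipaddress.collapse_addresses(nets))

def build_ipset_restore(zones, set_name="geo_deny"):
    """Lines for `ipset -exist restore`: one create, then one add per network."""
    lines = [f"create {set_name} hash:net family inet"]
    lines += [f"add {set_name} {net}" for net in merge_zones(zones)]
    return lines

def iptables_rule(set_name="geo_deny"):
    """The single rule that matches every network held in the set."""
    return f"iptables -I INPUT -m set --match-set {set_name} src -j DROP"

def rule_counts(zones):
    """(rules with one iptables rule per raw CIDR, rules with one ipset)."""
    raw = sum(len(parse_zone(c)) for c in zones.values())
    return raw, 1

if __name__ == "__main__":
    print("\n".join(build_ipset_restore(SAMPLE_ZONES)))
    print(iptables_rule())
    print("per-CIDR rules vs ipset rules:", rule_counts(SAMPLE_ZONES))
```

CSF has its own switch for this approach, `LF_IPSET` in csf.conf, which makes it keep the CC_DENY networks in ipset sets rather than in individual iptables rules.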
 