Should You Block Connections to Your Network From Foreign Countries? (linuxsecurity.com)
Slashdot reader b-dayyy quotes the Linux Security blog:
What if you could block connections to your network in real-time from countries around the world such as Russia, China and Brazil where the majority of cyberattacks originate? What if you could redirect connections to a single network based on their origin? As you can imagine, being able to control these things would reduce the number of attack vectors on your network, improving its security. You may be surprised that this is not only possible, but straightforward and easy, by implementing GeoIP filtering on your nftables firewall with GeoIP for nftables.
GeoIP for nftables is a simple and flexible Bash script released in December of 2020 designed to perform automated real-time filtering using nftables firewalls based on the IP addresses for a particular region. In a recent interview with LinuxSecurity researchers, the project's lead developer Mike Baxter explained the mission of GeoIP for nftables, "I hope this project is beneficial to those who may not have the IT budget or resources to implement a commercial solution. The code runs well on servers, workstations and low-power systems like Raspberry Pi. The script has the built-in ability to flush and refill GeoIP sets after a database update without restarting the firewall, allowing servers to run uninterrupted without dropping established connections."
This article will examine the concept of GeoIP filtering and how it could add a valuable layer of security to your firewall, and will then explore how the GeoIP for nftables project is leveraging Open Source to provide intuitive, customizable GeoIP filtering on Linux.
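The summary above describes the two mechanisms that make this practical on nftables: named sets that hold whole CIDR ranges, and flushing and refilling those sets after a database update without restarting the firewall. The following is an added illustration of both, written for this page; it is not the GeoIP for nftables project's own code (which is a Bash script). The "country" ranges are constructed from documentation address space, and the table, set and chain names, the admin allowlist and the chain priority are assumptions. It also renders an output chain, since the same sets block an implant's outbound callback as well as inbound probes, and includes the check a practitioner wants before loading this on a remote box: the allow rule for your own admin addresses must precede every geo drop.

```python
"""Render an nftables GeoIP ruleset plus an atomic set-refill script.

Added illustration: this is not the GeoIP-for-nftables project's Bash code.
The country ranges are constructed from documentation space, and the table,
set and chain names are assumptions made for this example.
"""
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample "country" lists (documentation ranges, not real allocations).
COUNTRY_BLOCKS: Dict[str, List[str]] = {
    "ru": ["198.51.100.0/24", "203.0.113.0/25", "203.0.113.128/25"],
    "cn": ["192.0.2.0/24"],
}
# Assumed admin hosts that must never be geo-blocked.  One deliberately sits
# inside a "blocked" range to show why the allow rule has to come first.
ADMIN_ALLOW: List[str] = ["198.51.100.7"]
TABLE = "geofilter"  # assumed table name


def normalise(cidrs: Iterable[str]) -> List[str]:
    """Parse, de-overlap and merge adjacent IPv4 ranges (two /25s become one /24).

    IPv6 is rejected on purpose: an nftables set holds one address type, so v6
    ranges belong in a parallel ipv6_addr set matched with `ip6 saddr`.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    if any(n.version != 4 for n in nets):
        raise ValueError("IPv4 only here; put IPv6 ranges in an ipv6_addr set")
    out = []
    for n in ipaddress.collapse_addresses(nets):
        out.append(str(n.network_address) if n.prefixlen == 32 else str(n))
    return out


def render_set(name: str, cidrs: Iterable[str]) -> str:
    """One named set.  `flags interval` lets it hold CIDR ranges; `auto-merge`
    has nft coalesce overlapping elements instead of rejecting them."""
    elems = ", ".join(normalise(cidrs))
    lines = [f"    set {name} {{", "        type ipv4_addr",
             "        flags interval", "        auto-merge"]
    if elems:  # skip the elements line entirely for an empty set
        lines.append(f"        elements = {{ {elems} }}")
    lines.append("    }")
    return "\n".join(lines) + "\n"


def render_ruleset(blocks: Dict[str, List[str]] = COUNTRY_BLOCKS,
                   admin_allow: List[str] = ADMIN_ALLOW, table: str = TABLE) -> str:
    """Complete file for `nft -f`.

    Priority -10 puts these chains ahead of a conventional filter chain at
    priority 0, and `policy accept` leaves the existing firewall in charge of
    everything that is not geo-dropped.  The output chain covers the other
    direction: a new outbound connection into a blocked range is dropped too.
    """
    parts = [f"table inet {table} {{\n", render_set("admin_allow", admin_allow)]
    parts += [render_set(f"geo_{cc}", blocks[cc]) for cc in sorted(blocks)]
    parts.append("    chain input {\n"
                 "        type filter hook input priority -10; policy accept;\n"
                 "        ct state established,related accept\n"
                 "        ip saddr @admin_allow accept\n")
    parts += [f"        ip saddr @geo_{cc} counter drop\n" for cc in sorted(blocks)]
    parts.append("    }\n    chain output {\n"
                 "        type filter hook output priority -10; policy accept;\n"
                 "        ct state established,related accept\n")
    parts += [f"        ip daddr @geo_{cc} counter drop\n" for cc in sorted(blocks)]
    parts.append("    }\n}\n")
    return "".join(parts)


def render_refill(blocks: Dict[str, List[str]] = COUNTRY_BLOCKS, table: str = TABLE) -> str:
    """Script to run after a GeoIP database update.

    Everything in a single `nft -f` file is committed as one transaction, so
    the packet path never sees an empty set, chains and counters stay in
    place, and conntrack entries for established sessions are untouched.
    """
    lines = ["#!/usr/sbin/nft -f\n"]
    for cc in sorted(blocks):
        elems = ", ".join(normalise(blocks[cc]))
        lines.append(f"flush set inet {table} geo_{cc}\n")
        lines.append(f"add element inet {table} geo_{cc} {{ {elems} }}\n")
    return "".join(lines)


def allow_precedes_drops(ruleset: str) -> bool:
    """Lockout check: the admin allow rule must come before every geo drop."""
    lines = ruleset.splitlines()
    allow = next(i for i, l in enumerate(lines) if "@admin_allow accept" in l)
    return all(i > allow for i, l in enumerate(lines) if "saddr @geo_" in l)


if __name__ == "__main__":
    print(render_ruleset())
    print(render_refill())
```

Load the rendered ruleset once with `nft -f`, then run only the refill script from the job that fetches new zone files; because the flush and the add land in one transaction, established sessions are not interrupted. Keep the admin set populated before the first load, and test from an address inside a blocked range before relying on it remotely.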
No (Score:5, Insightful)
You should block all unexpected connections.
Country level is worthless against proxies anyway.
Re:No (Score:5, Informative)
Most spam does not come from proxies. Simply blocking China / Russia from my website caused an approximate 90% reduction in attempts to get at my wordpress admin page (which isn't in the default location) and attempts to login via ssh (which only accepts certificate logins). That's not an insignificant security measure especially when it comes to what is traditionally dumb brute force attacks.
But hey if you ever tell us how to identify what is expected and unexpected, let us know. Most people who think they can do this have on at least one occasion locked themselves out of their own network.
Re:No (Score:5, Informative)
Stuff like fail2ban is better for that, not tied to any location.
Re:No (Score:5, Informative)
Fail2ban is great and all but if you get some of the traffic I was getting where someone was clearly cycling through several /16's and what I think was a /8, you'll find fail2ban will either croak, or bring your machine to its knees. Preemptively banning countries can save you a whole lot of time babysitting your machine while fail2ban catches up. Fail2ban would have put 100,000 entries in iptables in the first few seconds for me. I only had to enter a few thousand entries to block all of that. Funny thing is, the main site that was getting all of this traffic was for, get this, a beekeeping association. The state has a link to their site and someone in Russia or China seems to think they can steal their credentials and use it to gain access to an account on one of the state's servers (they can't), and every year around election time the games begin. I didn't have to play that game this past year thanks to preemptive blocking.
Like having police doesn't prevent ALL bank robber (Score:3)
Yeah. I'm an old security sysadmin and in my experience there are a LOT of scans / attacks coming from Russia and China. If you don't do business with people in those countries, blocking them is a simple way to greatly reduce the threats you have to actually deal with.
It's kinda like having a police force doesn't prevent anyone from EVER robbing a bank, but compared to the number of robberies that happen when there aren't police protecting places it's a big improvement. See the looting that goes on wheneve
Cities vs countries (Score:2)
The IP databases are frequently wrong for the city.
That's because the ISPs, such as Comcast, Frontier, and smaller ones can use the same outside global address range on the carrier NAT for several cities, and they can change the inside routing daily. Comcast can easily use part of their IP ranges for Dallas one day and switch it for Waco the next day.
Comcast doesn't get up and move to a new COUNTRY every week. We know what *country* Comcast is in. We also know which IP ranges Comcast has. When when Comca
Re:No (Score:5, Funny)
the main site that was getting all of this traffic was for a beekeeping association.
What? You've got a honeypot and you're complaining that people are connecting to it?
Re: (Score:2)
Do you have a range list you can share? I've been wanting to do this for a while for the exact reason described by another poster above - my fail2ban lists are huge after only a few days of operation.
Re: (Score:2)
Based on your question, I went back and looked at my iptables config. My original source for the IP ranges no longer exists, so mine are out of date. In fact, fail2ban has blown up my iptables rules. It took more than a minute to run iptables --list. So my approach is no longer as successful as it once was. There used to be a site that not only had good geographic blocking ranges, but managed to combine them into a relatively small number of rules. Now, the best I can find puts China, Russian Federation, an
Re: (Score:2)
The efficient way to do this is to use "ipset" to deal with many entries in just one iptables rule. It keeps your rule set tidy and is far faster than a list of iptables rules. Ipset uses hashtables for nearly instant lookups in arbitrarily large sets of addresses or CIDR-ranges. Read up on it and then go to https://github.com/firehol/blo... [github.com] if you're looking for curated blacklists.
Re: (Score:2)
Thanks for checking. I'll have a poke around, I'm sure there are several lists that are decently maintained somewhere.
Re: (Score:2)
Fail2ban is great and all but if you get some of the traffic I was getting where someone was clearly cycling through several /16's and what I think was an /8, you'll find fail2ban will either croak, or bring your machine to its knees. Preemptively banning countries can save you a whole lot of time babysitting your machine while fail2ban catches up. Fail2ban would have put 100,000 entries in iptables in the first few seconds for me
Good lord please tell me fail2ban has enough sense to use ipsets.
Re: (Score:2)
Fail2ban port scanner detector that bans by subnet:
https://github.com/nyetwurk/sy... [github.com]
You can do the same thing for ssh or postfix
Re: (Score:2)
Nyet, that's not what WaffleMonster meant. There's a better way to ban large numbers of separate addresses: Ipset [netfilter.org].
Re: (Score:2)
Yeah, F2B needs a "if more than X on a /24, then ban the whole /24" - that would cut the number of IPs a lot. I guess then "if more than X /24s on a /16, then ban the whole /16" would help in the more extreme cases. I guess you could generalise with /32s up to /16s too - something like "if more than X% of a /Y is banned then ban the whole thing."
FWIW, I did a whole lot of looking into this a few years ago - it seems the spammers do indeed have a lot of contiguous IP addresses at their disposal.
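The threshold rule sketched in the comment above ("if more than X% of a /Y is banned, ban the whole /Y") is easy to state and a little fiddly to get right, so here it is as an added illustration written for this page; it is not fail2ban code or anything the poster wrote. It runs the roll-up in two stages, hosts into /24s by fraction of addresses banned, then whole /24s into a /16 by count, and emits ipset commands for a hash:net set so one firewall rule covers the result. The ban list and the thresholds are constructed for the example.

```python
"""Roll individual banned addresses up to /24s and /16s.

Added illustration of the threshold rule proposed in the comment above
("if more than X% of a /Y is banned, ban the whole /Y"), not fail2ban code.
Thresholds and the sample ban list are assumptions; the ranges are constructed.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Set

Net = ipaddress.IPv4Network


def sample_bans() -> List[str]:
    """Constructed ban list: one heavily used /24, three stragglers in another,
    and ten /24s of a /16 each lightly used (the "cycling through a /16" case)."""
    bans = [f"203.0.113.{h}" for h in range(1, 201)]             # 200 of 256
    bans += ["198.51.100.10", "198.51.100.11", "198.51.100.12"]   # 3 of 256
    bans += [f"100.64.{third}.{h}" for third in range(1, 11) for h in range(1, 31)]
    return bans


def aggregate(bans: Iterable[str], host_frac: float = 0.10, min_24s: int = 8) -> List[Net]:
    """Two-stage roll-up.

    Stage 1: a /24 with at least `host_frac` of its 256 addresses banned is
             banned whole; otherwise its hosts stay as /32 entries.
    Stage 2: a /16 containing at least `min_24s` whole-banned /24s is banned
             whole; otherwise those /24s stay as they are.
    Non-IPv4 input is skipped rather than guessed at.
    """
    by24: Dict[Net, Set[ipaddress.IPv4Address]] = defaultdict(set)
    for b in bans:
        a = ipaddress.ip_address(b)
        if a.version != 4:
            continue
        by24[ipaddress.ip_network(f"{a}/24", strict=False)].add(a)

    result: Set[Net] = set()
    whole24: Set[Net] = set()
    for net, hosts in by24.items():
        if len(hosts) / net.num_addresses >= host_frac:
            whole24.add(net)
        else:
            result.update(ipaddress.ip_network(f"{h}/32") for h in hosts)

    by16: Dict[Net, Set[Net]] = defaultdict(set)
    for net in whole24:
        by16[net.supernet(new_prefix=16)].add(net)
    for sup, subs in by16.items():
        if len(subs) >= min_24s:
            result.add(sup)
        else:
            result.update(subs)

    return sorted(result, key=lambda n: (int(n.network_address), n.prefixlen))


def ipset_commands(nets: Iterable[Net], setname: str = "banned") -> List[str]:
    """hash:net accepts CIDR members, so a single iptables rule that references
    the set replaces one rule per address."""
    return [f"ipset create {setname} hash:net -exist"] + \
           [f"ipset add {setname} {n} -exist" for n in nets]


if __name__ == "__main__":
    bans = sample_bans()
    nets = aggregate(bans)
    print(f"{len(bans)} banned addresses -> {len(nets)} set members")
    print("\n".join(ipset_commands(nets)))
```

On the constructed input, 503 banned addresses collapse to five set members. The thresholds deserve thought: a low `host_frac` on a /24 that belongs to a residential ISP bans legitimate neighbours of the attacker, so the aggressive values belong on sets that only guard services your own users never reach from those ranges.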
Re: (Score:3)
Who should? You gonna hire a professional? What if ehrichweiss is the professional that you hired to do it?
Re: (Score:2)
Well you must be budgeting for some serious hardware already, so yeah, maybe... Or just go to cloudflare for a quick and easy solution.
Re: (Score:2)
Indeed it is. Fail2ban is how I know 90% of my traffic originated in China and Russia. Now my weekly logs are 90% smaller.
Re:No (Score:5, Interesting)
Most spam does not come from proxies. Simply blocking China / Russia from my website caused an approximate 90% reduction in attempts to get at my wordpress admin page (which isn't in the default location) and attempts to login via ssh (which only accepts certificate logins). That's not an insignificant security measure especially when it comes to what is traditionally dumb brute force attacks.
Exactly. I got tired of the non-stop brute-force attacks on my ssh login so I've blocked all connection attempts not from my country. Not that they'd have gotten in anyway, like you I only allow certificate logins. But I got tired of the noise in my logs. Now it's a trickle.
Even if geofiltering won't eliminate risk, a reduction is still a reduction.
Re: (Score:2)
You're right, unless you have configured things very badly these attempts will just amount to noise and wasted resources rather than any actual threat. I used to see some ssh brute force attempts that exceeded the ability of sshd to process new connections, making it impossible to log in.
I now only have SSH enabled over IPv6, and have a separate IP for the admin interface (with SSH) vs the public facing interface (ie HTTP) since IPs are plentiful... I haven't seen any noise in the logs as noone has worked o
Re: (Score:1)
If this is within reach to be implemented, there is no doubt about such a routine being a plain common-sense security fundamental.
Re: (Score:2)
I actually got a static IP for my administration machine so I could prevent attacks on my ssh login entirely by locking out all other IPs than my own. If I need to connect remotely I tunnel through my system.
Re: No (Score:2)
PROTIP: Those are not the "hackers" that will be a threat to you. The ones you need to do something about, use smarter means than straight up dictionary attacks.
Re: No (Score:5, Insightful)
But those attacks cluttering up the logs hide the ones that I should be worrying about.
Blackholing china, russia cuts down a huge amount of noise.
Re: (Score:2)
PROTIP: Those are not the "hackers" that will be a threat to you.
REALTIP: All attackers will try to get lucky.
Re:No (Score:4, Informative)
At my company, we had a public facing server get hit by a zero day exploit. The exploit kit was able to get userland access, but in the end it failed to get anywhere because our geoblocking had prevented it from being able to establish command and control with a server somewhere in China.
Although they had used some kind of a proxy to deliver the exploit, ultimately their proxy must not have been suitable to relay information back to them.
So yes, yes, yes, and yes, absolutely 100% for sure, have geoblocking in place. Anywhere that you can interrupt the kill chain in a cyberattack is good, even if it's not in the early stages.
Fortunately the server didn't really have anything in the way of sensitive data stored on it, and they didn't have root access, but it nonetheless could have been used as a pivot point for further attacks within the DMZ.
Re: (Score:2)
That is what I did. I blocked all Russia, China, India, and "Pacific Rim" sites from connecting to my server. Attempts to hack my system dropped to nothing.
Re: (Score:2)
I had a similar experience.
I was getting scanned on port 22 at least 2-5 times a day. I blocked the approximate Russia and China subnets and the scans almost dropped to zero. Another thing that helped was to listen on a non-standard port. I very seldom saw a thorough port scan.
Re: (Score:2)
Wordfence shows me most admin hack attempts come from foreign countries, and it turns out I get virtually NO legitimate traffic from those countries. If I blocked them outright I would perhaps deny .5% of visitors, a few VPNs, and 90+% of my attackers.
Until they figured out they were being blocked, and then they would move their business into non-blocked, North American, Western Europe, the more US-friendly Asian hosts.
I think I'd rather figure out how to divert these scumbags into an unwritable honeypot. A
Re: No (Score:2)
This. Attacks may originate in some specific countries but most attackers that might target your personal network is likely probing for openings using a botnet of proxies all over the world ( and if you get hit chances are your machines will join that botnet ).
Re: (Score:1)
It's homework to be done, before any "but if" happens.
Re: (Score:2)
Country level blocks do have value, but they're only a small piece in the overall puzzle.
Sure, they won't stop targeted attacks ( as you mentioned, proxies ), but they will lessen the chatter you get from drivebys. Combined with things like non-standard port numbers ( where applicable ), rate limiting, and other defensive tools, they do help.
On top of all of that, a significant number of phishing sites are hosted in Russia and China, so by blocking them at the perimeter I reduce my users' risks.
Re: (Score:2)
Country level blocks do have value, but they're only a small piece in the overall puzzle.
I'll take as many small pieces as I can get. I finally was able to move my server behind a physical firewall and that stopped all that. Now if I could only block phone calls from India I would be good.
Definitely yes. (Score:3)
Blocking US networks from trying to deliver e-mail reduced my spam by over 87%. Blocking US http/s and ssh reduced scans and attacks by even more.
I could do fine-grained control and filtering, but it isn't worth the bother.
Google and a few more deliver from local servers, and that's most legit network traffic that's going out of the US anyway.
Re: No (Score:2)
Yes, this. I run a home network with services that need to be accessible from outside the network, so it's much simpler than an enterprise network. I block all external IPs across multiple open ports using fail2ban (they get one shot at connecting and then are banned forever). There might be a better way to do that, but given my setup and home router, that works for me.
The only incoming connections are through a VPN, and authentication requires a certificate on the client device. All services allow traffic
Re: (Score:2)
Country level is worthless against proxies anyway.
If it's another country the proxy is in then you certainly have a gain. And when it comes from within your own country then whoever runs the proxy and assists criminals can get prosecuted more easily. You may not get the criminals behind the proxy, but you can get the proxy owner and that's worth something.
But you're right of course and it's generally a stupid idea to block connections based on country when everything should be blocked unless there is a very good reason not to.
To make this about countries i
Re: (Score:2)
That sums it up nicely.
The question asked demonstrates a complete non-understanding of the problem though.
Re: (Score:2)
As admin of a place that has hundreds of servers, 95% of the bad stuff comes from a list of countries most places in the USA could safely block, and if they're using a proxy it's from some other 3rd world toilet that can also be blocked. Cleaner logs, much less spam, much fewer attacks of all types makes it a very worthwhile practice.
Re: (Score:2)
You should block all unexpected connections.
Agreed, if only everyone complied fully with the provisions of RFC3514 the Internet would be a much safer place.
Country level is worthless against proxies anyway.
Exactly, good enough is the same as doing nothing cuz after all good enough != perfect.
Filtering systems like Pi-hole are worthless against IP literals AND proxies so don't waste your time.
Shit gets thru spam filters so better to manually filter hundreds of shitmails per day because filters are not perfect.
And we all know AV is worthless against unknown signatures "anyway".
Proxies in China and Russia too (Score:2)
You should block all unexpected connections. Country level is worthless against proxies anyway.
Russia and China seem like great places for proxies, not much cooperation with US law enforcement. I imagine most of the probing from these locales are proxies not "state sponsored" or anything dramatic.
Re: No (Score:2)
There is a big difference between a corporate network and your personal network.
A corporate network will almost certainly provide VPN access. If that access can be compromised from any location geoip blocking is not going to stop an attacker.
Your typical personal or small business network, however, is a coincidental target of opportunity. You get attacked because being compromised offers - if nothing else - another machine to use for further attacks. To combat this you don't need to make yourself i
Re: (Score:2)
A VPN wouldn't be an "unexpected connection" though, and that was the topic at hand.
Re: (Score:1)
"Nobody has static IP's at home" - think about: even dynamic IPs will be allocated from the local ranges. Country-level filtering has huge potential to improve security of the global-per-se Internet.
Re: No (Score:2)
No, this slashvertisement is aimed at very small businesses, small time site operators, and home enthusiasts. And from what I've seen in my system logs over
Re: No (Score:1)
I say it has reduced them by 0%.
They were not attempts, unless you allow really bad passwords and known user names.
And the ones that were *not* just attempts, did not use such primitive methods, and were not stopped at all.
But keep believing in your tiger repellent stone.
The only thing you did, is maybe save a bit of processing power by cutting off some connections early. At the cost of you now officially being a nationalist!
Re: (Score:2, Interesting)
The only thing you did, is maybe save a bit of processing power by cutting off some connections early.
Yeah, you keep ignoring the massive reduction in log pollution which potentially makes it more practical to see if you are the target of more specific or refined attacks.
Re: (Score:3, Insightful)
Ignorant and wrong point of view. You might have vulnerabilities unknown to you; blocking the cesspools full of thieves and crackers of the internet is a smart move. There is no reason a former Soviet country needs to be emailing most people in the USA or looking at their web pages, and that includes most businesses, as they are small and medium businesses that don't have international sales. Not to mention the blocking of spam and having cleaner logs.
You have a naive point of view to uphold self-imagined principle
Depends (Score:4, Insightful)
Do you gain any value from connections from said country? Is it likely to affect your business income?
Re: (Score:3)
There are FAR too few IT organizations that ask themselves questions like this before they start flipping switches and applying new methods of deciding not to let stuff on their network (I spent some time helping track down the issue with an IT department that kept over-tightening their internal firewalls to the point that the gear they bought from us wouldn't work. Great work, guys!)
Re: (Score:1)
Hey, security-wise, you are proper to start from the utmost necessity. That's professional.
Thanks for your help.
Re: (Score:2)
On SSH ports? No.
SMTP and HTTPS? Yes.
It doesn’t have to be an all or nothing proposition.
Re: (Score:2)
Indeed. My point is that it's simply important to ask these questions.
Naturally, especially Texas (Score:3, Funny)
Of course you need to geoblock hostile areas, like those that produce carbon-polluting oil, Saudi Arabia and Texas.
Re: (Score:2)
Traitors! Imagine, voting with their feet and disobeying the will of the peeple.
Re: Naturally, especially Texas (Score:2)
California is #3 right behind Texas and Alaska, so good luck with that endeavor.
Re: (Score:2)
Modern pollution is the same dance just a different tune. [wp.com]
Useful, depending on the size of the enterprise (Score:2)
Sophos SG and XG routers have this as an option as well. We've set it up to block incoming connections from IPs in other continents and it helps with spam, brute-force, and probe attacks. That said, every once in a while we get a random "how come we can't get mail from X", where X turns out to be a local small business whose marketing company set up their web and mail on Cheapest Hosting Ever, in some random foreign country. Or "Bob is on vacation in ForeignCountry and can't VPN in."
So, depending on scale, the upkeep for exceptions may or may not be worth it.
Re: (Score:2)
Sophos SG and XG routers have this as an option as well. We've set it up to block incoming connections from IPs in other continents and it helps with spam, brute-force, and probe attacks. That said, every once in a while we get a random "how come we can't get mail from X", where X turns out to be a local small business whose marketing company set up their web and mail on Cheapest Hosting Ever, in some random foreign country. Or "Bob is on vacation in ForeignCountry and can't VPN in." So, depending on scale, the upkeep for exceptions may or may not be worth it.
Or "SiteGround's headquarters is in Eastern Europe, so we need to block their Chicago IPs for er some reason ... "
Re: (Score:1)
Generally, the most common geo blocking setups are based on a propaganda view which is being promoted very heavily. They block out China and Russia as the "horrible hostiles". They still emit threats, but they are way down the list.
Lat Am, Philippines, Malaysia, etc produce orders of magnitude more SPAM and have orders of
Are we at that point in isolationism yet? (Score:2)
Wait, I am still trying to come to terms with the fact that US passport now lets me enter as many countries as one from Somaliland. Let me get used to total isolation in small steps, please, before we fully cut off from the world and live happily within these here borders.
From the Dept of Duh (Score:4, Interesting)
"Should You Block Connections to Your Network From Foreign Countries?"
Unless they're needed, hell yes. Why is this even a question?
This is on the same level as, "If you set yourself on fire, should you extinguish the flames?"
Re: From the Dept of Duh (Score:2)
Congratulations, on missing the point so spectacularly.
Re: (Score:2)
Thank you for your kind words; I'll print them out and frame them.
Useless (Score:1)
No. Nationalism is bad, mmkay. All -ism is. (Score:1)
It is the same logic as blocking all people from the USA "because Trump", and actually, also the same logic as "all Jews ...".
Block by the actual group that is bad. Not by some random group that us much bigger, just because you're too lazy to be specific.
The actual group is defined by the experiences you have with it. Aka its behavioral patterns.
E.g. do not ban everyone from driving fast. Ban people who cannot handle driving that fast on that road from driving fast.
Which is analogous to not using anti-virus
To be specific: (Score:2)
For spam, a simple greylist works wonders. (Think of it as a CAPTCHA for actual human mail clients.)
An amavisd offers enough behavioral patterns to block.
What's left over is easily filtered with a bit of bayesian filtering and giving a bonus to known e-mail addresses.
Also great are e-mail address tokens. As in, your address following the pattern user.hash@server where the hash is based on who you are giving the address to. E.g. base128(sha256("slashdot.org")).
You can then mark all mails without any (valid) hash
Re: (Score:2)
Okay. You go ahead and create the global list of specific IP addresses that generate malicious traffic. We'll wait. In the meantime, we'll be using geoblocking because we value our time and are perfectly aware that nobody in China has any legitimate reason to be attempting an ssh connection to our servers.
Consider *outgoing* as well as *incoming* (Score:4, Interesting)
If you have some malware inside your network then it may try to contact a command & control machine or send reports/files/... back to its home. So blocking outgoing is as important as incoming.
This will cause problems until you have got a list of external sites that you regularly talk to. Consider having a machine outside of this protection that people can use if they need to contact an exception. Also your email server might be outside of this as well.
Consider: what are you protecting, how much pain is it worth ?
Finally: have good, tested backups.
It's Becoming a Necessity (Score:2)
Re: (Score:2)
That's surely a problem with RDP, not with people attempting to connect to it.
On an application basis (Score:2)
I don't want geo blocking for all ports, just most. No matter who and where you are, if we're in the same bittorrent swarm, then we are brothers in at least one way. But yeah, keep away from my ssh and openvpn ports, brother.
Someone is copying China! (Score:2)
If you log into the admin console for Alibaba Cloud (China's AWS) and other hosting providers in China, they all have a button "Block foreign connections". They've had this for at least 5 years. Previously, you couldn't shop the real Taobao (China's Amazon.com) site unless you were coming from a Chinese IP address. Not sure if that is still true.
For foreigners in China, this ends up leading to some weird logic. You have a lot of Americans/Europeans hitting your website in China. They are inside China su
Compartmentalize, don’t just block blindly (Score:2)
I was spending some time in Thailand, and going nuts because websites I needed to access geoblocked. Home Depot was the most annoying one— I needed to order a bunch of things for when I returned. I had a VPN though to home and work, so it was easy to bypass.
It is much more effective to compartmentalize things than block entirely— you never know when that foreign connection is actually important. Isolate unexpected users to a separate system with less power and features, and wipe it regularly.
Where is "foreign", exactly? (Score:5, Interesting)
One person's "foreign" is another person's "home sweet home". I'm guessing the OP is in the USA, and a high proportion of cyberattacks actually originate there (which makes sense, considering the high proportion of internet-connected computers). So blocking "foreign" attacks isn't going to solve the problem, just delay it a bit.
For someone like me outside the USA, blocking that whole country doesn't make much sense, even though we know it sure as hell can't be trusted! It would mean blocking Google, Facebook...hmm, perhaps I'd better stop before I convince myself to try it.
Also, my webserver isn't in my country (I'm in London, the server's in Europe, which used to be the same country but sadly no longer). So I would have to change hosts to achieve this.
Russia, China and Brazil together have a MUCH higher population than the USA. That naturally means they also have more criminals (though quite possibly a lower proportion). So by blocking such "foreigners" you would cut yourself off from the majority of humanity. I know some people consider that an attractive idea, but I'm not one of them.
meh, maybe (Score:3)
I have consciously made the decision to let Chinamen brute force my SSH logins. I'm not super worried about these sorts of automated attacks. What concerns me more is private networks that assume traffic is ok if it's coming from inside the network. Traffic needs to be authorized regardless of where it comes from.
TCPwrappers.... (Score:2)
If it's a private website, shell of any kind or service of any kind that people outside the network shouldn't be accessing, tcpwrappers is your friend... in hosts.deny block everyone, in hosts.allow allow anyone that needs access. Problem solved, no need to block whole countries; the internet was built on the foundation of free access of information for all, not the select.
Learn how to use Linux the way it was meant to be used, the older tools (tcpwrappers, netfilter, ebtables) work, learn how to use them
Re: (Score:2)
You jump to irrational conclusions. It's wise for a business or person to block countries that are sources of scams, spams and theft when there is no need to have dealings with them. This is more appropriate in this decade than any decade before, because the volume of that unwanted traffic is increasing.
If 95% of that unwanted traffic can be blocked by a simple IP list, then it is wise to do so and you have no point. The fact is most of those scum do NOT use vpn or proxy, and there is great benefit to r
Re: (Score:2)
what is your malfunction? I clearly said for people that have no need to interact with lists of countries. Those places you list have need to interact with other countries. Engage your brain, then type.
Blocking lists of countries for people and business that have no interaction with said countries is a very effective way to cut spam, log spew, phishing and attacks by 95% or more. It is smart thing to do.
Block California? (Score:2)
Hell no (Score:3)
Instead, show them different contents. So their governments will block it for us.
I'm building a map of the cloud in my blacklist (Score:4, Interesting)
Every time someone tries to log into my Wordpress, which doesn't exist, another IP address block gets added to an ipset which drops all inbound connections at the firewall. I don't care what country you're from, if you allow people to scan for vulnerabilities from your cloud, your address space is added to the list, forever. I have address space from China Telecom and Tencent in there along with Amazon, Google, Microsoft, Linode, OVH and others. BTW, getting a Let's Encrypt certificate attracts these assholes like shit attracts flies. Yay certificate transparency!
This will end up like the reverse situation with mail servers: You can't send mail from residential ip address space and expect it to get through. Eventually you won't be able to access the web from data center address space.
Re: (Score:2)
I have often thought about trying to build a distributed honey pot thing that faked a WordPress site that a few trusted people could run to generate a ban list. I ban hundreds if not thousands of IPs a week simply from a small handful of inconsequential hobby and test sites. The background radiation of hacking attempts for WordPress is staggering.
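The two comments above describe the same pipeline: a request for a WordPress path that does not exist is proof of a scanner, and the answer is to ban not just the source address but the whole announced block it came from, as an ipset that the firewall drops. As an added illustration for this page (code written here, not by either poster), here is that detection logic run over constructed access-log lines. The prefix table stands in for the whois or route lookup a real deployment would do, the log lines and allowlist are constructed, and the tripwire paths and set name are assumptions.

```python
"""Turn hits on a non-existent WordPress login into bans of the scanner's
whole announced prefix.

Added illustration of the approach in the two comments above, not code from
either poster.  The log lines, the prefix table (a stand-in for a whois or
route lookup) and the allowlist are all constructed; the set name and tripwire
paths are assumptions.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

Net = ipaddress.IPv4Network

# Paths that do not exist on this server, so any request for them is a probe.
TRIPWIRES = ("/wp-login.php", "/xmlrpc.php", "/wp-admin/")

# Constructed stand-in for "which announced block does this address belong to".
# Documentation ranges only; a real deployment would ask whois/RDAP or a
# routing table and cache the answer.
PREFIX_TABLE: Dict[str, str] = {
    "203.0.113.0/24": "example-cloud-a",
    "198.51.100.0/24": "example-cloud-b",
}
# Our own monitoring host: never ban it even if it trips the wire during tests.
ALLOWLIST: Set[str] = {"192.0.2.10"}

# Combined log format: client, ident, user, [time], "METHOD path proto", status
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample lines (documentation addresses, fictional timestamps).
SAMPLE_LOG = [
    '203.0.113.45 - - [12/Feb/2021:03:14:07 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.99 - - [12/Feb/2021:03:14:08 +0000] "POST /xmlrpc.php HTTP/1.1" 404 196 "-" "-"',
    '198.51.100.8 - - [12/Feb/2021:03:15:01 +0000] "GET /wp-admin/ HTTP/1.1" 404 196 "-" "curl/7.68.0"',
    '192.0.2.10 - - [12/Feb/2021:03:16:00 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "-"',
    '203.0.113.200 - - [12/Feb/2021:03:17:00 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "-"',
    '100.64.5.5 - - [12/Feb/2021:03:18:00 +0000] "GET /wp-login.php?action=register HTTP/1.1" 404 196 "-" "-"',
]


def parse(line: str) -> Optional[Tuple[str, str, int]]:
    """(client ip, request path, status) or None for a line that is not a hit."""
    m = _LOG_RE.match(line)
    return (m["ip"], m["path"], int(m["status"])) if m else None


def is_tripwire(path: str) -> bool:
    """Compare the path without its query string, so ?action=register still trips."""
    bare = path.split("?", 1)[0]
    return any(bare.startswith(t) for t in TRIPWIRES)


def owning_prefix(ip: str) -> Optional[Net]:
    """Longest-prefix match in the constructed table; None if the block is unknown."""
    addr = ipaddress.ip_address(ip)
    matches = [ipaddress.ip_network(c) for c in PREFIX_TABLE
               if addr.version == 4 and addr in ipaddress.ip_network(c)]
    return max(matches, key=lambda n: n.prefixlen) if matches else None


def bans_from_log(lines: Iterable[str], already: Optional[Set[Net]] = None) -> List[Net]:
    """New prefixes to ban, in order of first sighting.  Pass what is already in
    the ipset as `already` so re-reading a log produces no duplicate commands."""
    seen: Set[Net] = set(already or ())
    new: List[Net] = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, path, _status = rec
        if ip in ALLOWLIST or not is_tripwire(path):
            continue
        # Unknown block: fall back to the single host (/32, or /128 for IPv6).
        net = owning_prefix(ip) or ipaddress.ip_network(ip)
        if net not in seen:
            seen.add(net)
            new.append(net)
    return new


def ipset_commands(nets: Iterable[Net], setname: str = "cloudban") -> List[str]:
    """hash:net holds CIDR members; one firewall rule then references the set."""
    return [f"ipset create {setname} hash:net -exist"] + \
           [f"ipset add {setname} {n} -exist" for n in nets]


if __name__ == "__main__":
    for cmd in ipset_commands(bans_from_log(SAMPLE_LOG)):
        print(cmd)
```

On the sample lines, two probes from the same block produce one ban, the allowlisted host is ignored, a normal page view is ignored, and an address with no table entry falls back to a /32. Banning an entire provider's block is the poster's deliberate choice; if that is too blunt for your site, swap the table lookup for the /32 fallback and let the roll-up decide.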
GeoIP is not foolproof. (Score:3)
IP address ranges sometimes change country, and the GeoIP database you subscribe to may lag behind a bit.
Therefore, be aware that you could both have some false positives and some false negatives.
Re: (Score:2)
Yet the volume of unwanted traffic will still fall 95%. There isn't a downside to blocking whole regions of the earth one has no dealings with and that are only a source of attacks on your business or personal server.
It depends (Score:2)
It depends on your business, and who's responsible for what. If you're running e-mail inside your own network you're weighing the protection you get from a "nuke 'em all" approach vs. the possibility that you might get some legit new customers from outside your country. If e-mail is outside your firewall then it's the provider's problem and you just have to worry about malware in the e-mail content.
The list goes on. There's no pat answer.
I hate to be that guy, but... (Score:2)
But welcome to circa 20 years ago when OpenBSD PF had the "tables" feature.
table <china> file "/etc/geoip/china"
block in from <china>
I've always been baffled why Linux didn't adopt PF as well. The rule grammar is so much more readable than iptables.
Re: (Score:2)
table <china> file "/etc/geoip/china"
block in from <china>
Nothing New (Score:3)
TFA makes this sound like something that's just become available. In fact geo-blocking has been an option for years now.
This has not always been possible, however. I can recall obtaining an IP address block back in the 1990's. Back then, IP blocks were allocated with no regard to geographical location. As the Internet grew, this had the effect of requiring larger and larger routing tables, which started to approach the limits of what many routers could handle. So IP address blocks were gradually reorganized in a more hierarchical manner, which takes into account geographical locations. As a side-effect, one could then start associating IP addresses with their geographical origin.
Which foreign countries? (Score:2)
You mean like Texas?