Blocking third world countries—a good idea?

A site I built for a designer was targeted by a brute-force attack. The malicious IP addresses came from countries in the former Soviet Union, Thailand, and Vietnam. So I blocked IP addresses coming from those countries in the .htaccess file. It worked!

I was thinking of doing this routinely for all websites that don’t have a reason for traffic from those regions. Are there any negative ramifications of doing this? Could it block search engine bots, etc.?

The only downside is nobody from those countries can access the site. You might want to look at using a WAF service like Incapsula or Cloudflare to protect your site instead.

I have no problem blocking visitors from foreign IPs, especially from countries where a majority of the population doesn’t speak English (or whichever language your site is written in). I would rather keep my site a little safer and possibly block a few legitimate users outside of my target audience than risk exposing my site to potential known threats.

Granted, blocking IPs can be a heavy-handed approach since it’s probably safe to assume that there are networks of NATed devices behind each public-facing IP address, but it’s free, quick, and easy.

On the other hand, this practice is more reactive than proactive.

… and proxy servers can be used to get around the country IP blocks. This may be quick, it may be easy, but it won’t deter anything but the simplest attacks.

Security is a trade-off and there are better ways to block bad bots like monitoring IP addresses in real time and blocking specific ones based on the number of requests per time period … Your host should have better implementations to block these attacks, too!

Regards,

DK
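The per-IP request counting suggested in the reply above, sketched as an added example that is not part of the original thread. The `/login` path, the threshold of 5 POSTs per 60 seconds, and the log lines (documentation-range addresses) are assumptions constructed for illustration; the output uses Apache 2.4 `Require not ip` syntax.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined log prefix: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def find_offenders(lines, login_path="/login", limit=5, window=timedelta(seconds=60)):
    """Map each IP to the first time it exceeded `limit` login POSTs within `window`."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the sliding window
    offenders = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue              # skip lines that are not in the expected format
        if m["method"] != "POST" or m["path"].split("?")[0] != login_path:
            continue              # only login attempts count toward the limit
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window: # drop attempts that have aged out of the window
            q.popleft()
        if len(q) > limit and m["ip"] not in offenders:
            offenders[m["ip"]] = ts
    return offenders

def htaccess_rules(ips):
    """Render the offending addresses as an Apache 2.4 deny list."""
    body = "\n".join(f"    Require not ip {ip}" for ip in sorted(ips))
    return f"<RequireAll>\n    Require all granted\n{body}\n</RequireAll>"

def sample_log():
    """Constructed sample: one client hammering the login form, one ordinary visitor."""
    lines = []
    for s in range(0, 40, 4):     # 10 POSTs in 36 seconds
        lines.append(f'203.0.113.7 - - [10/Mar/2024:12:00:{s:02d} +0000] "POST /login HTTP/1.1" 200 512')
    for minute in range(3):       # 3 POSTs, one per minute
        lines.append(f'198.51.100.20 - - [10/Mar/2024:12:{minute:02d}:30 +0000] "POST /login HTTP/1.1" 200 512')
    lines.append('198.51.100.20 - - [10/Mar/2024:12:05:00 +0000] "GET / HTTP/1.1" 200 1024')
    return lines

if __name__ == "__main__":
    print(htaccess_rules(find_offenders(sample_log())))
```

Only the address that exceeds the rate is listed; the visitor who logs in occasionally is left alone, whichever country either one connects from.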

There are some sites where there could be legitimate traffic from Uzbekistan, but a site for, say, a restaurant in Providence, RI couldn’t possibly have a need for this traffic. So it sounds like there isn’t really a downside to blocking traffic from these countries for a local site. Though, the peanut gallery thinks this approach is heavy-handed. The site I added the countrywide IP blocking to did have other forms of locking out attackers, but I was getting hundreds of lockout notices a day.

Thanks for the other tips.

E

Yes, if the target audience is local only there isn’t much need to fine-tune IP blocking for foreign countries.
The only legitimate ones that even remotely might be blocked are expatriates wanting to see what’s up in the old stomping grounds.

Alan,

Oh? Are you referring to me (a “Yank-iwi,” i.e., a Yank in NZ)?

Yes, targeting the audience is essential for every website and impacts range from languages (autonegotiation of the language presented or translation engines) to server location (for download speed) to blocking access via requesting IP address. Unfortunately, the latter (blocking access by IP) gets complex (look at the number of IP blocks assigned to the US or China) and CANNOT be successful because proxy servers enable a service request to be originated in the proxy server’s country.

IMHO, hosts do a better job of blocking attacks (they have the resources - $ and apps and knowledge) than any webmaster. Concentrate on the “localization” of your website to suit your target audience rather than trying to block “black hats.” The “black hats” have far more tools at their disposal than you can ever hope to block … and making it a challenge will only encourage them to attack until they beat your blocks (and, likely, deface your website).

You also asked about blocking search engines. Yes, it can be done (again, more trouble than it’s worth) but it’s rarely done correctly (in the httpd.conf or httpd-vhosts.conf - which are read on Apache’s start - rather than .htaccess - which must load and get parsed many times for EVERY request). Moreover, the {USER_AGENT} value is easily spoofed so “black hats” get around this easily and only the “good guys” will be blocked. Please refer back to the “black hat” comment in the prior paragraph.

In summary, website security is a trade-off between cost, convenience and security (data integrity). Unless you have unlimited funds and your visitors can accept delays in data presentation, concentrate on building a website with good (secure - check and double check any input data from a visitor) code and keeping it behind very strong passwords while hosting with a company which knows how to secure their servers from server attacks.

Regards,

DK

Within a few days of registering a new domain name and getting a parking page set up on my server I was getting probed by Russian/Ukrainian and Chinese bots looking for vulnerabilities in files that did not exist. When I blocked referrer strings containing TLDs from those countries on another site my forum spam dropped to next to nothing.

My hope for IPv6 is that blocks of IP addresses will be allocated by country so it will be easy to block anyone coming from regions of the world where law is not respected. As far as proxy servers go, there is not much that can be done about that unless you want to spend the time to see if the requesting IP address allows anonymous connections and if so, block them. It wouldn’t be feasible to do that on page requests but on login/registration or posting pages that could be done. Not a complete solution.

"Cloudflare to protect your site instead. "

Thanks for the mention. I just thought I would clarify that our country block would only challenge visitors with a challenge page from a country you “block” in our Threat Control, so human visitors could still enter the site by passing the captcha.