How to Block Entire Countries from Accessing Your Website

By Zack Wallace

If you run a website, then by default it is accessible to the whole planet.

Many websites are simply not relevant to people in other countries. So, you should not expect significant traffic from them as a matter of course.

If you have a local bookstore and your primary market is local people walking into your store, then there is no need to let any other countries index or waste bandwidth on your server. The same might be true of a carwash, or babysitters, or lawn mowing.

If you run a personal or even private website, such as a family blog, you may want to highly restrict traffic by default.

Here is a screenshot of Awstats telling me that China is responsible for the second-largest volume of traffic to a certain web forum I manage. This is just for January 2015.

Awstats China

While it is certainly possible that Chinese people may find the content of the forum useful, there is really no explanation for this activity. We don’t cater specifically for China or advertise to attract Chinese residents. The site does not even offer Chinese translation or speak to Chinese issues.

I also happen to know that 99% of all brute force user password hack attempts are from Chinese IP addresses. Approximately 50 to 100 brute force attempts at ‘guessing’ the passwords to legitimate user names come from Chinese IP addresses every day on this site.

The difference between 1.9 million pages and 134,000 pages is pretty large, and 1.86GB of bandwidth is not the end of the world. But when I know that 99% of it is bogus, bots, brute force hacks, vulnerability scanners, and web crawlers, then why wouldn’t I just block China from accessing my site?

There are some reasons against blocking access to countries too. The obvious example is hotels. Even though they cater only to local people who walk in the door for a stay, foreigners traveling to the area will be searching for hotels before they get there. The same argument can be used for fancy restaurants, resorts, car rentals, commuter services and so on. You will have to decide (and check your web stats!) whether blocking particular countries will benefit you or not.

Below are many of the common ways to block countries, with some pros and cons and code samples.

.htaccess

If you are a web admin, you may know that trying to do some things (like block entire countries through .htaccess) is a losing game. Legit hackers use proxies or bot farms to do their dirty work. Just because an IP is from China, it doesn’t mean blocking that IP will do a lick of good in the long run.

Web admins will rarely block an IP simply because that IP did naughty things once. A real hacker would not use their own personal IP and there is no guarantee that the IP will always remain with an unscrupulous user.

Legitimate users might use proxies too! Be aware that if you block a not-so-bad country just because you think it is irrelevant to your traffic, you may have users using proxies or VPNs in that country.

It is also a losing game because there are over four billion IPv4 IPs out there and no easy way to segregate them by country. In other words, your .htaccess or Apache config file (or other ACL/firewall) is likely to grow to hundreds of thousands of lines of text if you wanted to block countries yourself this way. It’s not practical, nor performant.

If you want to see how many lines it would take in .htaccess to block a country, try using ip2location. To block the US, you need over 150,000 lines of text!

The bottom line is this: do not use .htaccess or Apache config or any other web server ACL to try and block countries. It may be fine for a handful of IPs, but these files are read on every request and are not cached; it will hurt you eventually.

TIP: If you are interested in going the .htaccess route anyway, and want to get an accurate, ‘right from the source’, daily updated list of IPs by country, you might start by reading what this guy has done to automate things.

The actual code to block an IP using .htaccess can be as simple as this:

Order Deny,Allow
Deny from 1.1.1.1
Deny from 2.2.2.2
Deny from 3.3.3.3

You can generate code by using this tool.

You can get much more advanced, such as limiting based on what protocol is used, but this is the basic idea. Your .htaccess file would grow out of control!

Use a Hosting Company That Has Blocking as Part of Their Built-in Controls

This sounds nice, but is very rare. Most hosting companies provide servers in such a way as to make this a feature they cannot offer. The two main types are:

Bare Metal

A bare metal or VPS is a machine that you have complete control over. From software firewalls to hosting software and control panels, it’s all in your hands.

These might be a DigitalOcean Droplet or a bare metal server from InMotionHosting or Rackspace for example.

Often when you buy a bare metal or VPS, you do not get to change how the back end is routing. I have not found a host that has country blocking as part of its default plan and configuration. At best they give you a basic firewall for adding IPs to blacklists or whitelists.

Shared Hosting

You might get a server configured with Plesk control panel or cPanel. These are simply control panels for dealing with databases, emails, backups and many other things. A shared server typically comes with a control panel, but you can’t enable networking controls, which would then affect the other websites hosted on the shared server with the same IP.

At best, a control panel will let you easily add IPs to a firewall, or allow editing of .htaccess, but I’ve not seen one with one-click controls to block traffic by country.

Here is my cPanel IP blocker:

cPanel IP Blocker

In short, the hosting company itself is not likely to help you out here and you won’t be able to block IPs through a control panel one by one!

Country blocking does seem like something you’d think a web host could allow, which is why I included this category, but surprisingly I can’t find any that do.

Content Delivery Networks

This is not an all-encompassing solution for your entire website, but it does partially solve the issue. If your website delivers static content like media files, images, or other files, you can use a CDN with built-in geo tools to block access to certain countries.

A big player here is Amazon CloudFront. Read the details page and scroll to the section titled ‘Geo Restriction’. Quote:

Geo Restriction or Geoblocking lets you choose the countries in which you want to restrict access to your content. By configuring either a whitelist or a blacklist of countries you can control delivery of your content through Amazon CloudFront only to countries where you have the license to distribute.

Most good CDNs will have some form of Geo-restriction. Another example is Akamai, which not only allows blocking by country code, but you can also block based on their US embargoed country list.

If you have a CDN delivering your content, you probably are not that worried about bandwidth (unless you pay extra for it at the CDN!). But it helps in other ways, such as with licensing if you aren’t allowing your media to be viewed or heard in certain countries.

Apache Modules

You don’t have to fill your .htaccess file with thousands of lines of IPs. Instead, you can install a C library and an Apache module to do the heavy lifting for you.

MaxMind provides a popular free database that is often used for IP lookups. Their GeoLite2 is a free database that is updated monthly. Their paid product is more accurate and updated more frequently if you require that.

By using this database and installing one of their various APIs, you can handle traffic as you see fit.

For our purposes, you would need to install the C library API as well as the Apache module. Once those are working and enabled, place the database file somewhere, and then you can set up your country blocks with code as simple as this in the .htaccess or Apache config file:

MaxMindDBEnable On
MaxMindDBFile DB /path/to/GeoIP/GeoLite2-Country.mmdb
MaxMindDBEnv MM_COUNTRY_CODE DB/country/iso_code

SetEnvIf MM_COUNTRY_CODE ^(RU|DE|FR) BlockCountry
Deny from env=BlockCountry

This would block Russia, Germany, and France. Get your two-letter ISO country codes here.

This would perform much better than your server having to parse thousands of lines of text on every request in the .htaccess file!

You do need advanced access to your server to install the library and module, so this is no good on shared hosts or where you don’t have such access on a VPS.

This would also work if, for some reason, you wanted specific blocking rules at the folder level.

The Application Layer

The fastest blocking will happen when it is off your server entirely, handled at the routing level or by separate DNS servers or a proxy, before the traffic ever even hits your web server. The next fastest will be with the software firewall as part of the operating system, before the traffic routes to your web server software.

We’ve talked about blocking at the level of the web server such as with Apache configs or .htaccess, but now we reach the very top, layer 7 of the OSI model, the Application Layer.

You can block at the application layer by using the same MaxMind APIs mentioned before. This time, you can install the PHP or .NET or Perl APIs to help you make geo-location decisions right in your application logic.

This may be necessary if you need to make decisions like show a different page for different countries or languages or have completely different offerings based on country and need to change the core logic of your application in some way.

Read this for an idea of how it’s done in PHP.

This is going to be one of the slowest methods, since you have to do a lookup on their IP and verify it before your code can fully compile a page. Multiply this by thousands of visits a day and you may be dealing with some lag in performance if you are not highly optimized.

I don’t prefer doing full blocking at the application layer. By the time the person gets blocked, they have already communicated with your server, sent some data, used bandwidth, taken a few CPU cycles, etc. But in some special cases, this may be exactly the method you require.

App layer blocking comes in any imaginable form; you can find APIs and data files for whatever language you require. Some pre-built software, especially e-commerce software, more than likely has geo-targeting tools built right in, such as Prestashop. They will change things like the displayed currency based on the geo data.

Do I Really Have to Deal with APIs and Such?

Of course not! One of the coolest ways to do this at the application layer is with any number of available (and free) web APIs.

For example, freegeoip.net will send you geo data just by accessing their URL in the form of “freegeoip.net/{format}/{IP_or_hostname}” where the format is csv, xml, json, or jsonp.

All you would have to do is grab the user’s IP, send it to the URL and parse the response! Freegeoip allows up to 10,000 queries an hour but if you need more, you can download their server for free and run your own service!

Not only can you grab the country code, but you can read right down to the city, ZIP, time zone, and GPS coordinates.

Naturally, this method introduces its own lag as you wait for a response from an entirely different domain, but we’re not talking seconds here! It’s pretty fast, and apparently they can serve 10,000 queries an hour for many users at once, so that is something.

Routing Tables

I briefly mentioned blocking at the firewall level; this is certainly an option too. This may be one of the least automatable solutions, unless you are a hardened server admin.

This would naturally reduce the overhead from your web server software (such as Apache), and you wouldn’t have to do the coding yourself at the application level either.

I would generally think that trying to keep routing tables up to date with accurate IPs would become a maintenance headache. I wouldn’t go this route unless the number of IPs you need to block is minimal and you are very comfortable editing the firewall tables and automating their updates.

In any case, check out ipdeny.com where you can download country lists as zone files. Their zone file is really just text with one CIDR address per line.

For some instructions on using iptables and scripting this process in Linux, read this.

Even though this removes some overhead from the web server, having thousands of lines to deal with in the router can introduce overhead of its own kind. This really isn’t the best method I think.

This method does have a different effect though. Any blocked IPs are not just blocked from port 80 web traffic, but literally blocked from any access to your server whatsoever! Other methods might block China from visiting your web page, but it doesn’t stop them from trying to log in to root over SSH!

This hardened security is much better set up with a default-deny (positive security) model: just block everything except a few valid access points in your router, rather than trying to block huge chunks of the planet!

This method is also not for shared hosting or locked down servers where you can’t access the routing programs or perform mass updates to them.
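One way to keep the firewall rule count at one, however large the country list is: load the zone file into an ipset and match the whole set with a single iptables rule. The script below is an added example, not from the article or from ipdeny.com; the set name geoblock, the MAXELEM value and the sample zone data are assumptions, and the sample uses documentation address ranges only.

```shell
#!/bin/sh
# Added example: turn an ipdeny-style zone file (one CIDR per line) into
# input for `ipset restore`, validating every line first.
# Assumed names/values: set "geoblock", IPv4 only, MAXELEM below.

MAXELEM=262144   # assumed capacity; keep it constant so a re-run matches the existing set

# Constructed sample input: documentation ranges plus deliberately bad lines.
sample_zone() {
  cat <<'EOF'
# constructed sample, not a real country list
192.0.2.0/24
198.51.100.0/24

203.0.113.0/25
999.1.2.0/24
10.0.0.0/33
0.0.0.0/0
not-a-cidr
192.0.2.0/24
EOF
}

# zone_to_restore SET < zonefile
# Prints an `ipset restore` script on stdout. Returns 1 and prints nothing
# when no valid CIDR was found, so an empty or garbage download is never
# swapped in over a working set.
zone_to_restore() {
  awk -v set="$1" -v maxelem="$MAXELEM" '
    # Accept only a.b.c.d/len with octets 0-255 and len 1-32.
    # /0 is refused: hash:net cannot store it, and it would match everyone.
    function valid(s,   p, o, i) {
      if (split(s, p, "/") != 2) return 0
      if (p[2] !~ /^[0-9]+$/ || p[2] + 0 < 1 || p[2] + 0 > 32) return 0
      if (split(p[1], o, ".") != 4) return 0
      for (i = 1; i <= 4; i++)
        if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
      return 1
    }
    { sub(/\r$/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # strip CR and padding
    /^$/ || /^#/ { next }                             # blank lines, comments
    !valid($0)   { bad++; next }                      # count and drop bad lines
    !seen[$0]++  { keep[++n] = $0 }                   # de-duplicate, keep order
    END {
      if (bad) printf "skipped %d invalid line(s)\n", bad > "/dev/stderr"
      if (n == 0) exit 1
      tmp = set "-tmp"
      # Fill a temporary set, then swap: the live set is replaced in one
      # step and is never empty or half-loaded while the update runs.
      printf "create %s hash:net family inet maxelem %d\n", set, maxelem
      printf "create %s hash:net family inet maxelem %d\n", tmp, maxelem
      printf "flush %s\n", tmp
      for (i = 1; i <= n; i++) printf "add %s %s\n", tmp, keep[i]
      printf "swap %s %s\n", tmp, set
      printf "destroy %s\n", tmp
    }'
}

# Stand-alone demo: print the restore script for the constructed sample.
sample_zone | zone_to_restore geoblock

# Applying it on a host needs root (shown for reference, not run here):
#   zone_to_restore geoblock < country.zone > /tmp/geoblock.restore \
#     && ipset -exist restore < /tmp/geoblock.restore
#   # one rule for the whole set; limit it to web ports so SSH is unaffected
#   iptables -I INPUT -p tcp -m multiport --dports 80,443 \
#     -m set --match-set geoblock src -j DROP
```

Dropping the `-p tcp -m multiport --dports 80,443` part gives the all-ports block the section describes; country.zone stands for whichever zone file was downloaded.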

ModSecurity

ModSecurity is a web application firewall for Apache, IIS, and Nginx for protecting against many types of attacks and allows for HTTP traffic monitoring, logging, and real-time analysis.

You can install and configure this on a bare server if you have the skillz! If you have a host that gives you WebHostManager (WHM), you can configure it from within the WHM interface.

ModSecurity is configured with its own language called ModSecurity Rule Language which is designed to work with HTTP transaction data.

ModSecurity is a huge topic all on its own, with many different forms of protection it can offer. For our purposes though, it has built-in support for the previously-mentioned MaxMind database for GeoIP lookups and rules.

Here is a sample rule for ModSecurity to block China:

SecGeoLookupDb /path/to/geo/data/GeoIP.dat
SecRule REMOTE_ADDR "@geoLookup" "chain,id:20,drop,msg:'Block China IP address'"
SecRule GEO:COUNTRY_CODE "@streq CN"

For this to work, you have to pay attention to which MaxMind database you use, and your implementation of ModSecurity.

If you use WHM, here is what you would do.

First download the legacy country database found here. It’s important to get the legacy database in *.dat format, as the Apache ModSecurity module can’t use the newer *.MMDB format yet.

A faster way is to first create a folder to store the database file, I used /usr/share/geoip/ which is pretty common.

Use this command to download the file each month (it updates on the first Tuesday of the month).

wget -N http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz

Many people will download the latest version on Wednesday or Thursday, just in case they are behind in updating the file.

Once it downloads, extract with this command:

gzip -df GeoIP.dat.gz

The switches tell it to decompress (-d) and to overwrite the existing file (-f).

Now, log in to WHM and go to Security Center->ModSecurity Configuration. Scroll down to “Geolocation Database” and put in the path from above.

ModSecurity Geolocation Database

You might also make sure the Rules Engine is set to process rules. Then save the changes.

Next go to the ModSecurity Tools section. You will see the current “Hits List” showing actions performed by any active rules. Click the “Rules List” button and then click “Add Rule”.

Copy this rule:

# Test IP address and block by country code
SecRule REMOTE_ADDR "@geoLookup"  "phase:1,chain,id:10,drop,log,msg:'Blocking China IP Address'"
SecRule GEO:COUNTRY_CODE "@streq CN"

Click the checkbox to “Enable Rule” as well as the checkbox to “Deploy and Restart Apache” and then Save.

ModSecurity Rule

Within no time, you should see your new rule blocking some traffic.

ModSecurity Hits List

Just be sure to know that if you use this technique, it will block for ALL domains hosted under WHM! If you want to block based only on particular domains, you’ll need additional configuring. None of my domains hosted on this WHM server need readership from China, so I’ve chosen to block for all domains.

Also note that if your WHM doesn’t have the menu like mine does, you may not be up to date. Make sure you’re on the latest, which at this time happens to be 11.48.0 (build 12).

If you don’t have WHM, you would have to install and configure ModSecurity manually and likely use the other (non-legacy) database as well.

Also…

You should check out the offerings at ConfigServer as well. Not only do they have their own security and firewall product, but it integrates with cPanel products. They even have a plugin for WHM/cPanel for added control of ModSecurity.

The WAF (Web Application Firewall) space has many options and is a large topic on its own. There are many contenders here and even bare metal appliances that do this work such as from Barracuda.

Use a Proxy Service on Your Domain

Our last method involves hiding your domain behind a proxy service that essentially handles all the source traffic before forwarding them on to your server.

This works at the DNS level and often all you need to do is change DNS settings to use them.

The most famous player here is going to be CloudFlare by a landslide.

Not only does your site work by going through their proxy, but they also provide security features and content delivery and many other controls. If you have a small(ish) site and don’t require their advanced features, there is almost no reason why you shouldn’t protect your site behind their completely free plan. View plans for details. And did I mention they are pretty good at dealing with DOS attacks?

They also act as a reverse proxy, with CDN services and serving your content with geo-targeting servers. Because of this, they can inject content into your site such as additional analytics or various “apps” you can add. An example of an app is the ‘A Better Browser’ app which would notify your users if they use an out of date browser. They do this without you having to code anything additional into your site or build that logic yourself.

Blocking a country couldn’t be easier. Just log in and go to ‘Threat Control’, then where it says ‘Add custom rule’, start typing the full country name and then click it from the dropdown list. Click the big red ‘Block’ button and you’re done!

CloudFlare Block

Block any countries you need to and then you’ll see them listed in your ‘Block list’.

CloudFlare Block 2

This may be the fastest and easiest way to enable some level of protection, CDN support, reverse proxy caching, and country-blocking abilities on a domain. You can stick your domain on CloudFlare and get it protected and setup in about 10 minutes.

I will mention one other player here and that is Incapsula. They do a lot of the same stuff and compete directly with CloudFlare. They also have a free plan you can use on unlimited domains with basic features. With CloudFlare you have to change your NS records, but Incapsula requires only a CNAME, which may better fit how your DNS is handled.

If you are serious about using proxy services (and you should highly consider it anyway), do research on both CloudFlare and Incapsula for the best option for your needs.

tl;dr – There just happens to be a fairly in depth analysis of CloudFlare vs. Incapsula vs. ModSecurity on Slideshare by Zero Science Lab, check it out.

A Summary Note about Security

I spent a little more time on ModSecurity and CloudFlare because I tend to believe those are your best options today. I don’t think you should be bothering with .htaccess or firewall rules. Some situations may require geo-restrictions at the application layer so that is a good option where necessary.

At the end of the day, you should really be looking into CloudFlare, Incapsula, and ModSecurity to provide you with a large degree of protection against today’s attacks and security issues. Or look into other WAF solutions.

When you install ModSecurity with WHM, there are many default rules that begin protecting you from things you never even thought about. For example mine started blocking requests using the protocol “COOK” as opposed to GET or POST. Why? Because apparently this protocol is sometimes handled by a built-in compiler in the OS and is exploitable over the web. Who knew? It was probably a successful hack at some point in time, not sure if it’s long-since been fixed though.

If you install ModSecurity from scratch, it comes with no rules by default. The most common thing to do is install a rule set that is ready-made. The best is the OWASP ModSecurity Core Rule Set (CRS). This protects against many known hack techniques and bad behaviors such as requesting content with the COOK protocol!

If you use ModSecurity, you have to watch out for false positives. Be prepared to deal with them and watch for blocked traffic you would normally have allowed. Keep an eye on the logs for anything interesting.

Conclusion

I didn’t have the space to provide exact install and code examples for every method of blocking countries, but I hope you found something useful just the same.

There are some web admins who would slap me silly for even suggesting blocking countries at all, but it is totally up to you and you may have perfectly valid reasons for doing it on your own domains, so I don’t care!

I would also like to know if you know any web hosts that have built-in, out-of-the-box support for geo-restrictions with no fuss or advanced setup. I couldn’t find any!

If I missed some techniques, feel free to share them. If you’d like a more in-depth article on using a particular technique in a particular environment, maybe we can kick up that discussion in the forums.


Comments
felgall

Any attempt to block access can be bypassed just as easily or easier than applying the block in the first place. All the person needs is VPN access to a location that you don't have blocked so that all their traffic appears to come from there.

The measures you suggest will prevent you wasting bandwidth on people who have accidentally selected your site when they are really looking for one located elsewhere but it will not stop someone who deliberately wants access to your site. Chances are that a small percentage of the visitors your stats say are located in the US are actually located elsewhere.

zackw

You are correct, a VPN in a non-blocked location will work just fine.

For everyday bot farms and web bugs and other automated tools that originate from a blocked country, you'll be fine.

The hacker(s) in charge are probably not going to care or even know you are blocking them, and they certainly won't go out of their way to make sure they can get to just one lone site somewhere who is blocking them.

In my case, for the forum I mentioned in the article, China traffic was 2nd largest, now it's off the scale entirely.

Parking your car in the garage will stop 99% of car thieves, but of course there is still the 1% who will jump through all the hoops to steal it anyway. The methods in the article are for the 99%, not the 1%.

evertalbers

Makes me wonder what blocking countries would do for your SEO.

zackw

My guess is nothing at all.
I've never seen "worldwide availability" used as a significant SEO metric. SEO is about content after all.

evertalbers

But what if you block the country where the Google, Baidu or Bing index robot works from?

zackw

That's a few too many "what ifs". I doubt Google's USA web crawler works from China for one thing. But also, if I'm blocking a country, I wouldn't care how good my SEO is for their visitors, since I'm no longer catering to their users anyway.

The bots themselves will still find me via any other non-blocked sources anyway. It's not like Google only has one location where bots originate.

If you had a local business and blocked every IP in the world except for those in your own zip code, then yes chances are good the bots won't find you any longer. But even then, you can submit your sitemaps to Google and others directly, so who knows?

sambohost

Hi, see what type your site is. If you use WordPress then you can find a plugin to redirect if the site loads in another target country. Or set it in Google Webmaster tool Geotargeting.

TechnoBear

That allows you to set your geographic target if your domain name is not country-specific. But all it does is tell Google which area you want to target in SERPs. It will have no effect on visitors, and certainly can't be used to block visitors from other countries.

zackw

You probably can certainly find a plugin for geotargeting, but the point is that this method is very high level. By the time a plugin blocks a visitor, they have already used server resources and wasted bandwidth.
This application-level filtering is best used only for websites where you must change your content based on visitor origin, like switching currencies, or applying location-based content or filtering or language changes.

p2409

We're using Apache GeoIP to block access from a whole host of countries we a) don't do business in and b) noticed were coming up regularly in the server logs (always attempts at hacks). It's been a real success: by blocking China, then most other 3rd world countries (all of Africa) and Brazil as well we were able to cut down on attempts by over 90%. The biggest issue remaining is the US: we don't want to block access to the US, but notice many of the remaining hack attempts come from there. My summary is we'll just have to deal with this by hardening the site. It's unfortunate that in the www you have to take such a drastic move as blocking a whole country from accessing your site, but it appeared on our site at least, that nothing but dodginess came out of these places. I'd like to throttle the people behind these attacks, but as that's unrealistic, I'm content to block them from seeing the site. I know they can still get around the blocks with IP spoofers etc. but at least the automated bots are generally shut out - they work on simple, massed attempts at hacking: kind of like spam in general, of which these people are the human equivalents.

zackw

And that's where hooking up with Cloudflare or Incapsula will come in handy. If there is an attack that they see happening across thousands of their sites, they will know it's bad and can block it for the rest of their customers. But when you are on your own, there is a certain amount of bad traffic that is unavoidable. Anything connected to the public Internet is going to be scanned for attack points at some time.

Michelle_Reefcole

Having lived in China for 4 years I can honestly tell you they are far more valuable as readers and customers than many other countries like India.

I don't get any problems with China but I do get enormous problems with Indians stealing content and basically raping my website and republishing it on theirs without permission.

Around 20% of my traffic came from India so when I blocked the entire country I thought I would lose 20% of my traffic.

Actually, my traffic has increased by over 30% after blocking India because I am preventing Indians from stealing my work and ideas.

On top of this, your site will not get as many low quality links from low authority spam sites in India.

zackw

I wouldn't disagree. One has to figure it all out for themselves what is best for their own website.

elmoluz

Zack,
I would like to thank you for your most inspired and helpful tips regarding website security.
Thank you and god bless my friend.

Yours sincerely,
elmoluz

Ecxelon

I have tried the route with CloudFlare as I have a paid plan, however when I try adding a country to block, it comes up with a message saying that this feature is only available for the enterprise plans!

Can you confirm this please?

zackw

Yes, they seem to have changed the rules. Everything looks different.

Apparently the country block on non-enterprise plans will only give users a "challenge" page to allow them to enter your site.

This ain't so bad, since most bots wouldn't be able to solve the challenge and so it's still a decent block regardless.

Tony

Hi Zack,
The more I read your article the harder it was to resist replying.
Congratulations for really good high level overview on the topic. It gave me great insights.

There was one point in the article, where maybe I can add my 2 cents.
When you write about restricting access with firewalls in the chapter Routing Tables, you say that this is very tedious work for a sys admin.
I think it could be done in a smart way in some cases. If you administer Linux iptables, Cisco ASA and PIX, Cisco FWSM, Cisco router access lists, pf, ipfw and ipfilter for BSD, and HP ProCurve ACL firewalls, you can use a tool called FWBuilder. You can download a file from ipdeny.com and create a firewall rule with FWBuilder fast, as they claim here. You can even block only port 80 or 443 for a whole country.
I haven't done that yet, but as far as I know FWBuilder it should work.

But as you also say in the article, there is another pitfall in this approach.
If you block access for a whole country on a VPS firewall, you will block access to all web sites on this VPS, which is not desirable sometimes.

Thanks again for investing your time in and sharing this article.
Tony

zackw

I'm all for adding new tools to the toolbox!
Automation is the SysAdmin's superpower!

toma

Thanks for your article, as I was really looking for a solution. Some people from Africa use my classified website to post fraud etc. I am using the mod security option, and I would like to block 3 countries. Do I need to add 3 rules? Or is there a way to add multiple countries in one rule?

Thanks

Olami

If your site is WordPress, there is an htaccess code to block a country-specific IP address, but consider your Search Engine Optimization first, before blocking any country. And also if it is another platform, you can ask your developer or go to the documentation to know how to go about it.

oldsp1ce

This is good to know information. Thanks a bunch!

zackw

Yes I believe you can use multiple countries in the same rule. Just change to this for example:
SecRule GEO:COUNTRY_CODE "@streq CN LT EG RO PK"

That should block all those countries.

webwarrior

Great article, Zack, I really get ticked off by Chinese automated hacks, and also do not care about SEO for those countries.
I believe Google has a local server in each country anyway, and I don't really care about other search engines.
My content is for Australia only and I do not want business from any other country, as I for instance will not go and fix someone's PC in another country!

Blocking 99% of the problem, gives me more time to patch the other holes in systems like WordPress...

Hope to see more articles from you.

douglsmith

I would also like to know if you know any web hosts that have built-in, out-of-the-box support for geo-restrictions with no fuss or advanced setup. I couldn’t find any!

I have some sites on a wiredtree.com VPS. They have csf / lsf installed for the firewall in cPanel / WHM by default. There's a Country Code Lists and Settings section in the WHM settings where countries can be denied or allowed by their two letter code for all ports or specified ports.

However, there is a warning note with this feature saying that it can result in significant performance overhead because of the large number of iptables rules it can create.

Mittineague

A warning not to be taken lightly.
Even if the code is not creating a rule for each individual IP and is using subnet masking / htaccess regex patterns, it could get very large indeed if used too casually.

zackw

I would agree with the warning, an entire large country could be hundreds of thousands of IP entries. But still surprised to see there really is a host that has the option.
I'd like to see a performance duel between one account and another, with one blocking a bunch of countries!

Carlos_Rene_Rangel_S

Nice post! It really helped me out with some problems I had :smile:

The thing is, I used mod_security via WHM and I would like the opposite, block all countries except for US, MX, AR, CL, BR, CA, ES, CO... How do I do that?

Also, I'm new to this set of rules, so if you can point me in the right direction (I searched) I would like to know what all the lines mean.

Thank you !

Carlos_Rene_Rangel_S

I tried using the multiple country code you suggested and that did not work...

Does anyone know how to put multiple countries in one single line?

zackw

This is supposed to be it. So unless modsecurity has changed the way it works or something, that is possible. You'd have to start at the beginning and make sure it's even working at all, the rule is formed well, etc. Just block one country and see if it works before adding multiple countries.
If you're on a webhost with WHM/cPanel, get on support with them and see if they will check out that modsec is functioning and that your geoip data is readable by the script.

Alexander_Vassilyev

a tooltip how to get into CloudFlare ‘Threat Control’ (to block countries access to your website):
- log into your 'CloudFlare' account;
- choose your website domain (if you already add it into 'CloudFlare');
- click on 'Firewall' icon at the top menu;
- scroll down to 'Access Rules' panel;
- OK, here you can add unwanted countries to blocklist

TechnoBear

Welcome to the forums, @Alexander_Vassilyev.

Are you giving instructions for the Enterprise Plan, or are you saying this method works for all CloudFlare accounts?

zackw

Last I checked, only the higher plans allow full blocking. The free plans only discourage traffic with a click-through, so not really a full block.

jcmanjar

Thanks for your article, very useful to me.

To block various countries, this worked for me:
SecRule GEO:COUNTRY_CODE "@rx ^(UA|ID|YU|LT|EG|RO|BG|TR|RU|PK|MY|CN)$"

To block everything except some countries:
SecRule GEO:COUNTRY_CODE "!@rx ^(US|MX|AR)$"

Using regular expressions let me block various countries or allow access only to certain countries. This page will be useful to see a detailed list of operators in modsecurity:
http://nature.berkeley.edu/~casterln/modsecurity/modsecurity2-apache-reference.html#N10883

Hope this helps

dietmar_petutschnig

I once deployed a political solution for webtraffic from overseas for a small NZ manufacturing company which had real issues with IP theft - it worked really well - on the bottom of the front page below the copyright - we embedded the words "Free Tibet" - and like magic the traffic from a whole country stopped overnight :wink:

Franco_Valentino

Fabulous article. I keep referring to it on a monthly basis. Do you know if there's a way to block a country, but allow only 1 ip address from that country in? There's a customer of mine that sells courses and occasionally has one or two people that want to buy from India for example. Could this be included in the SecRule chain in the same rule ID?

Thanks again for the awesome ModSecurity post.
