GeoIP WebServer Nation Block
Browsing through my website error logs I see the occasional CN or RU IPs popping up trying to weasel their way to a non-existent URL admin page. Sure, Fail2Ban is set up and SSH is locked down, but I have literally no interest in anyone accessing this site outside of its intended market (not even a little).
Enter the GeoIP module (Apache or NGINX). This wonderful beast that it is does a fantastic job of just setting default to none and only permitting the country(ies) of my choosing. I especially like that the lookup is done locally vs phoning home every time it wants something.
If you're not on the list you get the boot to a redirected page of my choosing (whatever that may be!). Then a crontab later to update that IP database once a month and bingo bango it's ready to go.
Site performance is about 50ms slower than before.. not enough to worry about in exchange for the pleasure of knowing it's inaccessible to whole nations I want off my site! Tested it by blocking myself and it worked like a champ.
So what gives? Why the heck didn't I know about this earlier! I feel like this should be a more popular module than it is!
P.S. Ya ya, I shouldn't "punish" a whole nation for some bad apples, blah blah, I don't care. It's my server and I'll do with it as I want to.
Comments
What is this about?
You should not punish a nation because of some bad apples!1!1
An easy way to block access to your site from all IPs except those from your nation of choice. This is of particular use if you want to limit access to a product to a specific nation or you're getting a lot of exploit attacks for your site.
firehol blocklists (ipset). done.
(ed: wrong link)
firehol's iprange+ipset can do the trick as well, you only need to obtain the entire ip ranges of a country, optimize it for ipset with iprange (pretty much required for big ranges) and drop it without even bothering the webserver and even before conntrack if you want to, possibly saving resources. A couple of scripts are included for updates in firehol's project, it's pretty easy to craft your own and/or create your own cron job anyway. It's not a polite thing to do in networking-speak, yet it works and you obliterate any connection from them. It's possible to otherwise mark matching connections and redirect them to a different webserver/site/page if you prefer so.
EDIT: damn, I've been Falzo'd
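The range-optimising step described in the comment above, as an added example that is not part of the thread or of firehol's own scripts: it parses a per-country CIDR list, merges it the way `iprange` is used here, and emits `ipset restore` input that swaps the new set in atomically. The set name `geo-drop` and the sample ranges are constructed assumptions.

```python
import ipaddress

# Constructed sample of a per-country zone file (documentation ranges,
# not real country allocations): one CIDR per line, '#' comments allowed.
SAMPLE_ZONE = """\
# constructed example data
192.0.2.0/25
192.0.2.128/25
198.51.100.0/24
198.51.100.64/26
203.0.113.0/24
not-a-cidr
"""

def parse_zone(text):
    """Return (networks, rejected_lines) from zone-file text."""
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            rejected.append(raw)  # keep bad lines for the cron job's log
    return nets, rejected

def optimize(nets):
    """Merge adjacent and overlapping IPv4 ranges into the fewest CIDRs."""
    v4 = [n for n in nets if n.version == 4]
    return list(ipaddress.collapse_addresses(v4))

def ipset_restore(set_name, nets):
    """Build `ipset restore` input: fill a temp set, then swap it in."""
    tmp = set_name + "-tmp"  # hypothetical naming scheme
    lines = [
        f"create {set_name} hash:net family inet",
        f"create {tmp} hash:net family inet",
        f"flush {tmp}",
    ]
    lines += [f"add {tmp} {n}" for n in nets]
    lines += [f"swap {tmp} {set_name}", f"destroy {tmp}"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    parsed, bad = parse_zone(SAMPLE_ZONE)
    print(ipset_restore("geo-drop", optimize(parsed)), end="")
```

Load the output with `ipset -exist restore < file` so an already existing set does not abort the run. A rule such as `iptables -t raw -I PREROUTING -m set --match-set geo-drop src -j DROP` then matches the set before conntrack.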
haha, sorry mate. and I even ninja edited my wrong url.... ;-)
if someone's looking for country IP lists, those from ipverse seem to work good and are maintained: http://ipverse.net/
But then how am I supposed to prank them via redirects?
I think damn bots don't care a dime for thou redirects.
Unless they are poorly written and end up downloading a 1gb test file slowing down their crawl
which is crowding the internet with more unneeded traffic anyway :-P