
How to protect the server from visitors from unwanted countries

I quite often get interesting, non-standard server setup tasks.

Today, for example, I was asked to configure several servers to filter all traffic from certain countries. There are many reasons for this kind of protection: reducing spam and attacks, evening out ratios, and much more.

In my case I had to block CN completely, give RU the full channel, and give every other country half as much.
Of course, entering all the subnets by hand is inconvenient, and they change often. The logical way to do this is with geoip.

The most effective option is geoip matching in the kernel itself. My servers ran Debian, so the recipe below is for it.

First, download the sources:

apt-get install linux-source-2.6.18
tar xjf /usr/src/linux-source-2.6.18.tar.bz2 -C /usr/src/
apt-get source iptables
wget people.netfilter.org/peejix/patchlets/geoip.tar.gz
wget ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20070414.tar.bz2
tar xjf patch-o-matic-ng-20070414.tar.bz2
tar xzf geoip.tar.gz -C patch-o-matic-ng-20070414/patchlets/


Now build:

cd patch-o-matic-ng-20070414/
KERNEL_DIR=/usr/src/linux-source-2.6.18/ ./runme geoip


Answer "yes" and exit. Now is the time to install everything needed for the build, if it isn't installed yet:

apt-get install build-essential

With the current kernel config copied in, I just update it:

cd /usr/src/linux-source-2.6.18/
make oldconfig

geoip match support (IP_NF_MATCH_GEOIP) [N/m/?] (NEW)

Answer "m" here to build it as a module. Then:

make modules_prepare
# modules_prepare only sets up headers and scripts; this builds ipt_geoip.ko itself
make M=net/ipv4/netfilter modules
cp net/ipv4/netfilter/ipt_geoip.ko /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/
depmod
modprobe ipt_geoip
echo "ipt_geoip" >> /etc/modules


In the same way, build the iptables extension library:

# run from the iptables source directory unpacked by apt-get source
make KERNEL_DIR=/usr/src/linux-source-2.6.18/ extensions/libipt_geoip.so
cp extensions/libipt_geoip.so /lib/iptables/


What's left: the GeoIP database

To prepare it you need to download the free database, although the paid option is better: it is more accurate. Either way, the database is prepared with csv2bin, which you need to build:

wget people.netfilter.org/peejix/geoip/tools/csv2bin-20041103.tar.gz
tar xzf csv2bin-20041103.tar.gz
cd csv2bin/
make


Now actually convert the free version of the database:
wget www.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip
unzip GeoIPCountryCSV.zip
# the CSV is unpacked into the current directory, next to the freshly built csv2bin
./csv2bin GeoIPCountryWhois.csv


Two files come out, geoipdb.bin and geoipdb.idx, which should go into /var/geoip:

mkdir /var/geoip
mv geoipdb.* /var/geoip/


After that you can use the geoip match, for example:

iptables -A INPUT -p tcp --dport 80 -m geoip --src-cc CN -j REJECT

This rejects traffic from CN. You can also mark packets and shape the bandwidth with tc.
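As an added example (not code from the original post), here is a shell script that puts the whole policy from the start of the post together: CN rejected on port 80, RU allowed to use the full link, everyone else capped at half. It uses the geoip match to mark packets and an HTB qdisc whose classes are selected by those marks. The interface name, the rates, the binary names, the database path and the function names are assumptions; the geoip match is assumed to accept --dst-cc in addition to the --src-cc shown above. Run it as root with the argument apply; without it the script only defines the functions.

```shell
#!/bin/sh
# Added example: apply the post's policy (drop CN, full link for RU, half for
# the rest) with the ipt_geoip match plus tc/HTB. Not the post's own code.
# Assumed/placeholder values: interface, rates, binary names, database path.
IPT=${IPT:-iptables}
TC=${TC:-tc}
DEV=${DEV:-eth0}
FULL_RATE=${FULL_RATE:-100mbit}        # the whole link: what RU may use
HALF_RATE=${HALF_RATE:-50mbit}         # cap for every other country
GEOIP_DB=${GEOIP_DB:-/var/geoip/geoipdb.bin}

# Refuse to install rules that would silently match nothing: the match
# needs both files produced by csv2bin (geoipdb.bin and geoipdb.idx).
geo_preflight() {
    [ -r "$GEOIP_DB" ] || { echo "missing $GEOIP_DB" >&2; return 1; }
    [ -r "${GEOIP_DB%.bin}.idx" ] || { echo "missing ${GEOIP_DB%.bin}.idx" >&2; return 1; }
    return 0
}

# Filtering: reject CN on port 80 as in the post, and mark packets going to
# RU with fwmark 1 so the shaper can recognise them. Unmarked traffic
# (every other country) falls into the HTB default class.
geo_firewall() {
    "$IPT" -A INPUT -p tcp --dport 80 -m geoip --src-cc CN -j REJECT
    "$IPT" -t mangle -A OUTPUT -m geoip --dst-cc RU -j MARK --set-mark 1
}

# Shaping: class 1:10 (RU) may borrow up to the full link, class 1:20
# (everyone else, the default) is capped at half of it.
geo_shaping() {
    "$TC" qdisc add dev "$DEV" root handle 1: htb default 20
    "$TC" class add dev "$DEV" parent 1: classid 1:1 htb rate "$FULL_RATE" ceil "$FULL_RATE"
    "$TC" class add dev "$DEV" parent 1:1 classid 1:10 htb rate "$HALF_RATE" ceil "$FULL_RATE"
    "$TC" class add dev "$DEV" parent 1:1 classid 1:20 htb rate "$HALF_RATE" ceil "$HALF_RATE"
    "$TC" filter add dev "$DEV" parent 1: protocol ip handle 1 fw flowid 1:10
}

# Only touch the system when explicitly asked: "sh geo-policy.sh apply".
if [ "${1:-}" = "apply" ]; then
    geo_preflight && geo_firewall && geo_shaping
fi
```

Marking in the mangle OUTPUT chain covers traffic the server itself generates, which is what the channel limit is about; the filter on fwmark 1 steers RU into class 1:10 and everything unmarked lands in the default class 1:20, so no negated match is needed. Setting IPT=echo TC=echo before calling the functions prints the rules instead of applying them, which is a convenient way to review them first.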

Application-level option: nginx


If you can't touch the kernel, or are on a VDS at all, you can do almost all of the same with nginx and its geoip module on the frontend. First make sure nginx is built with geoip support. Mine was; if yours isn't, it will have to be rebuilt, but that is not hard.

The database itself must be converted with geo2nginx.pl (it ships in the nginx source archive) and put into the config:

perl geo2nginx.pl < GeoIPCountryWhois.csv > geo.conf
cp geo.conf /etc/nginx/


Using it is dead simple:
geo $country {
    default no;
    include /etc/nginx/geo.conf;
    127.0.0.0/24 en;
}
For example, to send CN traffic elsewhere (inside a server or location block):
if ($country ~* cn) {
    rewrite ^(.*)$ http://baidu.com/;
}
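The conversion step that geo2nginx.pl performs, as an added example that is neither the post's nor nginx's code: a POSIX shell function that turns the MaxMind GeoIPCountryWhois.csv into nginx geo lines, splitting each start..end range into the aligned CIDR blocks that geo needs, plus a second function that wraps them in a complete geo block with the default from the config above. The sample CSV lines are constructed, the function names are mine, and the assumed CSV layout is the classic six-column one (start IP, end IP, start number, end number, country code, country name).

```shell
#!/bin/sh
# Added example, not from the post: convert GeoIPCountryWhois.csv (assumed
# six-column layout: start ip, end ip, start num, end num, cc, name) into
# nginx "geo" lines. Each start..end range is cut into CIDR blocks, since
# geo only understands prefixes, not arbitrary ranges.
csv_to_geo_lines() {
    awk -F'","' '
        # dotted quad from a 32-bit number (awk doubles are exact here)
        function ip(n) {
            return sprintf("%d.%d.%d.%d", int(n / 16777216) % 256,
                           int(n / 65536) % 256, int(n / 256) % 256, n % 256)
        }
        NF >= 5 {
            start = $3 + 0; end = $4 + 0; cc = $5
            while (start <= end) {
                # grow the block while it stays aligned at start and inside the range
                size = 1
                while (start % (size * 2) == 0 && start + size * 2 - 1 <= end)
                    size *= 2
                prefix = 32
                for (s = size; s > 1; s /= 2) prefix--
                printf "%s/%d %s;\n", ip(start), prefix, cc
                start += size
            }
        }'
}

# Wrap the lines in a geo block like the one in the post, so the output can
# be dropped into nginx.conf directly (default "no" for unknown addresses).
csv_to_geo_block() {
    printf 'geo $country {\n    default no;\n'
    csv_to_geo_lines | sed 's/^/    /'
    printf '}\n'
}

# Constructed sample input (not real MaxMind data); real usage is
#   csv_to_geo_block < GeoIPCountryWhois.csv > /etc/nginx/geo.conf
SAMPLE_CSV='"1.0.0.0","1.0.0.255","16777216","16777471","AU","Australia"
"1.0.1.0","1.0.3.255","16777472","16778239","CN","China"'

sample_geo_lines() {
    printf '%s\n' "$SAMPLE_CSV" | csv_to_geo_lines
}
```

The second constructed range (1.0.1.0 to 1.0.3.255) is the interesting case: it is not a single prefix, so the converter emits 1.0.1.0/24 and 1.0.2.0/23, which is exactly the splitting a range-to-prefix tool has to get right or nginx will misclassify part of the range.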


As always, a quick solution has a downside: here it is a pause at nginx startup, since the database is read into memory.

Source: https://habr.com/ru/post/73129/
