Blocking China and India

DoubleDee · April 9, 2012, 5:03am

My website has been getting a fair amount of visitors from China.

That spells trouble to me.

How do I block visitors from China and India?

Thanks,

Debbie

dklynn · April 9, 2012, 5:57am

DD,

The ip2country websites have lists of IP addresses from all countries. Download their database (or use a look-up tool to log-in) and get those IP address blocks and DENY each block. Unfortunately, you’ll find that there are a huge list of blocks (for each) and really should block in the server’s conf (or your vhosts.conf) file.

Regards,

DK

joeyreyes · April 9, 2012, 5:58am

You can use a geo-targeting script.

Using the script, you can choose to redirect China and India visitors to some other sites like Google.

DoubleDee · April 9, 2012, 6:26am

Do I have to pay to do that?

Unfortunately, you’ll find that there are a huge list of blocks (for each)

How reliably can I say, “Block everyone coming from China”??

and really should block in the server’s conf (or your vhosts.conf) file.

Regards,

DK

I have a VPS, so how would I do that?

Debbie

DoubleDee · April 9, 2012, 6:27am

Can you elaborate some more?

I’m not following you.

Debbie

dklynn · April 9, 2012, 7:58am

DD,

DoubleDee:

Do I have to pay to do that?

Generally, no. To use their FULL and frequently updated database, that would be a yes.

How reliably can I say, “Block everyone coming from China”??

Not. They can easily use a proxy in the US to circumvent showing their own IP. This can quickly become a game and there a lot of experts over there so you can bet on losing the game. It’s just not worth the effort, IMHO.

I have a VPS, so how would I do that?

[indent]Editing your Apache2.conf file to include
<Directory />
    Options FollowSymLinks
    AllowOverride All
    Order deny,allow
    Deny from {list of IP address blocks}
 </Directory>
[/indent]
Debbie

DoubleDee · April 10, 2012, 4:38am

dklynn:

doubledee:

How reliably can I say, “Block everyone coming from China”??

Not. They can easily use a proxy in the US to circumvent showing their own IP. This can quickly become a game and there a lot of experts over there so you can bet on losing the game. It’s just not worth the effort, IMHO.[/quote]

But don’t I have a reasonable concern??

Why would anyone in Russia, China, Iran, etc want to visit my site - which is for U.S.-only consumption - unless they have nefarious intent?
dklynn:
[quote=doubledee]I have a VPS, so how would I do that?

Editing your Apache2.conf file to include
<Directory />
    Options FollowSymLinks
    AllowOverride All
    Order deny,allow
    Deny from {list of IP address blocks}
 </Directory>

What does <directory> do?

What is FollowSymLinks used for?

What is AllowOverride used for?

I don’t understand your code above.

The way I have seen it online, you do…


Order Allow,Deny
Deny From_____
Allow From All

It seems like your code doesn’t account for Allowing IP’s that are not on the Deny list?!

Debbie

dklynn · April 10, 2012, 9:24am

DD,

DoubleDee:

But don’t I have a reasonable concern??

Not really - websites are made to be available to the public.

Why would anyone in Russia, China, Iran, etc want to visit my site - which is for U.S.-only consumption - unless they have nefarious intent?

You’d be surprised how well foreigners read/speak English. Perhaps they’re trying to sharpen their language skills? Okay, not all, certainly, but the gov’t trained hackers would quickly get through just about any blocks you could install.

What does <directory> do?

Specifies the location you’re concerned with, i.e., your root directory (and subdirectories) with the /.

What is FollowSymLinks used for?

Enables mod_rewrite.

What is AllowOverride used for?

Ditto.

I don’t understand your code above.

It was pulled from my test server’s httpd.conf and is basic to Apache’s configuration.

The way I have seen it online, you do…
Order Allow,Deny
Deny From_____
Allow From All
Yes, but that would normally have a “wrapper” (the <Directory /> … </Directory> performs that function).

It seems like your code doesn’t account for Allowing IP’s that are not on the Deny list?!

You want me to do your homework for you? The list is LONG and would go in the Deny where you’ve got the _____'s.

Debbie

I did a search for “block Chinese traffic” and received several great links:

http://www.countryipblocks.net/country-blocks/select-formats/ will provide the list of IP blocks by country in selectable formats.

http://www.maxmind.com/app/mod_geoip provides an Apache module which you can install for a quick lookup on your server - directions are on the site.

http://www.parkansky.com/china.htm gives the exact code for China, Russia, etc. by blocking IP address ranges.

All these are TOO MUCH for an .htaccess file so be sure to only test there briefly before moving to your Apache2.conf file on the production server.

One clue, though, since you only want US visitors. Reverse the Allow,Deny and list the US IP addresses in the Allow group and it will save you from my being able to view your website (from NZ), too!

Regards,

DK

DoubleDee · April 10, 2012, 10:11pm

Why?

Why would your code work okay in the Apache2.conf file but not in a .htaccess file?

Again, I don’t understand the difference is the approach.

One clue, though, since you only want US visitors. Reverse the Allow,Deny and list the US IP addresses in the Allow group and it will save you from my being able to view your website (from NZ), too!

Regards,

DK

For now I am okay with most countries, just not China, India, Russia, and a few others plus a few renegade IP’s in NZ…

Can we go over this again…


<Directory />
    Options FollowSymLinks
    AllowOverride All
    Order deny,allow
    Deny from {list of IP address blocks}
 </Directory>

1.) Am I supposed to replace “<Directory />” with something specific like “Path to Debbie’s Web Root”??

2.) If I leave out…


Options FollowSymLinks
    AllowOverride All

…what would happen?

3.) This code…

    Order deny,allow

…says, "Perform Deny directives first and then do Allow directives next, right?

4.) If there are no allowable IP’s in #3, then isn’t that a problem?

I thought we want to say “Deny these IP’s and then Allow everything else that is remaining”?

5.) Does just the order of this line matter…


    Order deny,allow

Or does the order of the following lines matter to…


Deny from all
Allow from example.com

Thanks,

Debbie

dklynn · April 11, 2012, 12:27am

DD,

DoubleDee:

Why?

I’ve repeated this so many times that I need to add it to my list of rants: The .htaccess file must be read for each and every file request (yes, including .css, .js, .jpg, .gif as well as your .php, .html, .asp, etc.). That slows a server down tremendously. If in the server’s configuration file, it will only be read once.

Why would your code work okay in the Apache2.conf file but not in a .htaccess file?

As above.

Again, I don’t understand the difference is the approach.

For now I am okay with most countries, just not China, India, Russia, and a few others plus a few renegade IP’s in NZ…

[indent]Well, that makes it harder to implement (more lines of code to list all the IP ranges in .cn, .in, ru “and a few others”). Listing the “acceptable” countries would also be difficult (long lines of code) but selecting only your target country would limit the list of countries.

Of course, using the geoIP API would resolve that problem for you … assuming you looked at the links I supplied for you.[/indent]

Can we go over this again…
<Directory />
    Options FollowSymLinks
    AllowOverride All
    Order deny,allow
    Deny from {list of IP address blocks}
 </Directory>
Did you look at the Deny line(S OF CODE) in the first link?

1.) Am I supposed to replace “<Directory />” with something specific like “Path to Debbie’s Web Root”??

That depends on where you implement. If in your .htaccess file, / IS the “Path to Debbie’s Web Root”. If in the server’s configuration file, either use Apache’s root OR specify only your own web root.

2.) If I leave out…
Options FollowSymLinks
    AllowOverride All
…what would happen?

Nothing … on the assumption that it’s already in your server configuration file.

3.) This code…
    Order deny,allow
…says, "Perform Deny directives first and then do Allow directives next, right?

Right.

4.) If there are no allowable IP’s in #3, then isn’t that a problem?

I thought we want to say “Deny these IP’s and then Allow everything else that is remaining”?

No, allow everything else can be specified but I believe it’s assumed.

5.) Does just the order of this line matter…
    Order deny,allow
Or does the order of the following lines matter to…
Deny from all
Allow from example.com
Example.com? Okay, that should work, too, but only if you visit from example.com (your IP address should resolve to example.com).

Thanks,

Debbie

Regards,

DK

DoubleDee · April 11, 2012, 3:01am

Well, I didn’t know that. That is why I was asking!

That makes total sense.

Sounds like using .htaccess is evil…

Well, that makes it harder to implement (more lines of code to list all the IP ranges in .cn, .in, ru “and a few others”). Listing the “acceptable” countries would also be difficult (long lines of code) but selecting only your target country would limit the list of countries.

Of course, using the geoIP API would resolve that problem for you … assuming you looked at the links I supplied for you.[/quote]

I did look at it.

I have no clue if it is installed on my VPS.

doubledee:

Can we go over this again…
<Directory />
    Options FollowSymLinks
    AllowOverride All
    Order deny,allow
    Deny from {list of IP address blocks}
 </Directory>
Did you look at the Deny line(S OF CODE) in the first link?

Yes…

I also asked why you didn’t have anything for the Allow directive.

I also asked if the absence of specific Allow would cause an issue.

What file am I looking for again? And where would I find it on my VPS?

Debbie

dklynn · April 11, 2012, 9:40pm

DD,

DoubleDee:

Well, I didn’t know that. That is why I was asking!

That makes total sense.

Sounds like using .htaccess is evil…

It is … when it’s abused as many novice webmasters will tend to do. The long lists of individual page redirections, spiders to block and, well, country IP codes to block, tend to make .htaccess far too long. That said, it’s either the only place some webmasters have available to them (not VPS or dedicated and won’t ask their host to install for them) and it makes for a great place to test code before moving it to the server or virtual host configuration file.

I did look at it.

I have no clue if it is installed on my VPS.

It’s not likely but, as a VPS owner, you can install it (or have your host help you with the installation). If you’re as concerned as you seem to be about foreign visitors, it’ll be worth it.

Yes…

I also asked why you didn’t have anything for the Allow directive.

I also asked if the absence of specific Allow would cause an issue.

Asked and answered. Repeat: I don’t believe that it would cause a problem is missing. The code I presented was from my test server’s httpd.conf and it doesn’t cause a problem there.

What file am I looking for again? And where would I find it on my VPS?

That would depend upon the host, their setup and the OS being used. If you’re not familiar with your VPS, I’d recommend that you ask your host to guide you through the edit and restart - safety first!

Debbie

Regards,

DK

DoubleDee · April 12, 2012, 2:45am

Thanks for the help David!!

Debbie