How to Block Entire Countries from Accessing Your Website

Hi Zack,
The more I read your article, the harder it was to resist replying.
Congratulations on a really good high-level overview of the topic. It gave me great insights.

There was one point in the article, where maybe I can add my 2 cents.
When you write about restricting access with firewalls in the chapter Routing tables, you say that this is very tedious work for a sys admin.
I think it could be done in a smart way in some cases. If you administer Linux iptables, Cisco ASA and PIX, Cisco FWSM, Cisco router access lists, pf, ipfw and ipfilter for BSD, and HP ProCurve ACL firewalls, you can use a tool called FWBuilder. You can download a file from ipdeny.com and create a firewall rule with FWBuilder quickly, as they claim here. You can even block only port 80 or 443 for a whole country.
I haven’t done that yet, but as far as I know FWBuilder, it should work.

But as you also say in the article, there is another pitfall in this approach.
If you block access for a whole country on a VPS firewall, you will block access to all web sites on this VPS, which is sometimes not desirable.

Thanks again for investing your time in and sharing this article.
Tony

I’m all for adding new tools to the toolbox!
Automation is the SysAdmin’s superpower!

Thanks for your article, as I was really looking for a solution. Some people from Africa use my classified website to post fraud etc. I am using the mod security option, and I would like to block 3 countries. Do I need to add 3 rules, or is there a way to add multiple countries in one rule?

Thanks

If your site is WordPress, there is htaccess code to block a country-specific IP address, but consider your Search Engine Optimization first, before blocking any country. Also, if it is another platform, you can ask your developer or go to the documentation to find out how to go about it.

This is good to know information. Thanks a bunch!

Yes I believe you can use multiple countries in the same rule. Just change to this for example:
SecRule GEO:COUNTRY_CODE "@streq CN LT EG RO PK"

That should block all those countries.

Great article, Zack. I really get ticked off by Chinese automated hacks, and also do not care about SEO for those countries.
I believe Google has a local server in each country anyway, and I don’t really care about other search engines.
My content is for Australia only and I do not want business from any other country, as I for instance will not go and fix someone’s PC in another country!

Blocking 99% of the problem gives me more time to patch the other holes in systems like WordPress…

Hope to see more articles from you.

1 Like

I would also like to know if you know any web hosts that have built-in, out-of-the-box support for geo-restrictions with no fuss or advanced setup. I couldn’t find any!

I have some sites on a wiredtree.com VPS. They have csf / lsf installed for the firewall in cPanel / WHM by default. There’s a Country Code Lists and Settings section in the WHM settings where countries can be denied or allowed by their two letter code for all ports or specified ports.

However, there is a warning note with this feature saying that it can result in significant performance overhead because of the large number of iptables rules it can create.

A warning not to be taken lightly.
Even if the code is not creating a rule for each individual IP and is using subnet masking / htaccess regex patterns, it could get very large indeed if used too casually.

1 Like

I would agree with the warning, an entire large country could be hundreds of thousands of IP entries. But still surprised to see there really is a host that has the option.
I’d like to see a performance duel between one account and another, with one blocking a bunch of countries!

Nice post! It really helped me out with some problems I had 🙂

The thing is, I used mod_security via WHM and I would like the opposite: block all countries except for US, MX, AR, CL, BR, CA, ES, CO… How do I do that?

Also, I’m new to this set of rules, so if you can point me in the right direction (I searched) I would like to know what all the lines mean.

Thank you!

I tried using the multiple country code you suggested and that did not work…

Does anyone know how to put multiple countries in one single line?

This is supposed to be it. So unless modsecurity has changed the way it works or something, that is possible. You’d have to start at the beginning and make sure it’s even working at all, the rule is formed well, etc. Just block one country and see if it works before adding multiple countries.
If you’re on a webhost with WHM/cPanel, get on support with them and see if they will check out that modsec is functioning and that your geoip data is readable by the script.

A tooltip on how to get into CloudFlare ‘Threat Control’ (to block countries’ access to your website):

  • log into your ‘CloudFlare’ account;
  • choose your website domain (if you have already added it to ‘CloudFlare’);
  • click on the ‘Firewall’ icon in the top menu;
  • scroll down to the ‘Access Rules’ panel;
  • OK, here you can add unwanted countries to the blocklist.

Welcome to the forums, @Alexander_Vassilyev.

Are you giving instructions for the Enterprise Plan, or are you saying this method works for all CloudFlare accounts?

1 Like

Last I checked, only the higher plans allow full blocking. The free plans only discourage traffic with a click-through, so not really a full block.

Thanks for your article, very useful to me.

To block various countries, this worked for me:
SecRule GEO:COUNTRY_CODE "@rx ^(UA|ID|YU|LT|EG|RO|BG|TR|RU|PK|MY|CN)$"

To block everything except some countries:
SecRule GEO:COUNTRY_CODE "!@rx ^(US|MX|AR)$"

Using regular expressions lets me block various countries or allow access only to certain countries. This page will be useful to see a detailed list of operators in modsecurity:
http://nature.berkeley.edu/~casterln/modsecurity/modsecurity2-apache-reference.html#N10883

Hope this helps

1 Like

I once deployed a political solution for web traffic from overseas for a small NZ manufacturing company which had real issues with IP theft. It worked really well: at the bottom of the front page, below the copyright, we embedded the words “Free Tibet”, and like magic the traffic from a whole country stopped overnight 😉

Fabulous article. I keep referring to it on a monthly basis. Do you know if there’s a way to block a country, but allow only 1 IP address from that country in? There’s a customer of mine that sells courses and occasionally has one or two people that want to buy from India, for example. Could this be included in the SecRule chain in the same rule ID?

Thanks again for the awesome ModSecurity post.
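
The regex rules posted earlier in the thread, written out as complete ModSecurity 2.x chains, together with a single-address exemption of the kind asked about in the last post. This is an added example, not code from the article or from any poster; the database path, the rule ids and the address 203.0.113.25 are placeholders.

```apache
# Added example for ModSecurity 2.x; not taken from the article or the posts.
# Assumed values: the GeoIP database path, rule ids 100101 and 100102, and
# 203.0.113.25 (a documentation-range address standing in for the one
# customer who should still get through).

SecRuleEngine On
SecGeoLookupDb /usr/share/GeoIP/GeoIP.dat

# Why "@streq CN LT EG RO PK" never fires: @streq compares the whole value,
# so a country code such as "CN" is tested against the full string
# "CN LT EG RO PK" and is never equal to it. An anchored alternation with
# @rx matches exactly one code out of the list instead.

# Use ONE of the two rules below, not both.

# Deny-list. The deny action runs only if every rule in the chain matches:
#   1. the GeoIP lookup succeeded and filled the GEO collection
#   2. the country code is one of the listed codes
#   3. the client is not the exempted address
SecRule REMOTE_ADDR "@geoLookup" \
    "id:100101,phase:1,deny,status:403,log,msg:'Country on deny-list',chain"
    SecRule GEO:COUNTRY_CODE "@rx ^(?:CN|LT|EG|RO|PK)$" "chain"
    SecRule REMOTE_ADDR "!@ipMatch 203.0.113.25"

# Allow-list. Denies every country except the listed ones.
# If the lookup fails, the first rule does not match, the chain stops and
# the request is let through, so addresses missing from the database are
# not blocked by this rule.
SecRule REMOTE_ADDR "@geoLookup" \
    "id:100102,phase:1,deny,status:403,log,msg:'Country not on allow-list',chain"
    SecRule GEO:COUNTRY_CODE "!@rx ^(?:US|MX|AR)$"
```

When the site sits behind a CDN or reverse proxy, REMOTE_ADDR is the proxy's address, so the lookup and the exemption apply to the proxy rather than to the visitor unless the real client address is restored first.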