The Chinese won’t leave me alone and it’s cluttering Fail2Ban, so I’m resorting to just embargo blocking China. This isn’t likely to work in the long run, so I’ll have to back out the changes.

Here are the sources for the following information:

https://dev.maxmind.com/geoip/legacy/codes/iso3166/

Installation

I installed geoip modules for apache via the urpmi package management. As of now, I haven’t configured an update for the geoip. I’m not sure it’s really necessary.

I created a /etc/httpd/conf.d/geoip.conf file and tested it:

   [root@shuttle conf.d]# geoiplookup 1.1.1.1
   GeoIP Country Edition: AU, Australia
   GeoIP ASNum Edition: AS15169 Google Inc.

Enable GeoIP

Edit the geoip.conf file. Just tack this onto the end:

   <IfModule mod_geoip.c>
   GeoIPEnable On
   GeoIPDBFile /usr/share/GeoIP/GeoIP.dat
   GeoIPScanProxyHeaders On
   </IfModule>
   

Enable Country Blocking

In /etc/httpd/conf/conf.d/geoip.conf:

     <IfModule mod_geoip.c>
     GeoIPEnable On
     GeoIPDBFile /usr/share/GeoIP/GeoIP.dat

     <Directory />
     # SetEnvIf GEOIP_COUNTRY_CODE AN BlockCountry
     SetEnvIf GEOIP_COUNTRY_CODE CN BlockCountry
     # add any number of countries here based on your requirement
     # you can refer to the country codes in GeoIP website.

     Deny from env=BlockCountry
     </Directory>

     </IfModule>

Block China

The country code for China, according to the ISO 3166 country codes, is “CN”. So the file actually looks like this:

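   <IfModule mod_geoip.c>
   GeoIPEnable On
   GeoIPDBFile /usr/share/GeoIP/GeoIP.dat
   # Prefers an address taken from proxy headers such as X-Forwarded-For over
   # the connecting address. Those headers are client-supplied unless a trusted
   # reverse proxy in front of Apache sets them.
   GeoIPScanProxyHeaders On
   </IfModule>

   # This second block repeats GeoIPEnable and GeoIPDBFile from the block above.
   <IfModule mod_geoip.c>
   GeoIPEnable On
   GeoIPDBFile /usr/share/GeoIP/GeoIP.dat

   <Directory />
   # Set BlockCountry when mod_geoip resolves the request to CN
   SetEnvIf GEOIP_COUNTRY_CODE CN BlockCountry
   # SetEnvIf GEOIP_COUNTRY_CODE BL BlockCountry
   # add any number of countries here based on your requirement
   # you can refer to the country codes in GeoIP website.

   # Apache 2.2 access-control syntax
   Deny from env=BlockCountry
   </Directory>

   </IfModule>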

Again, this is probably going to be backed out. I’m not sure exactly which door the Chinese are knocking on. It’s just listed as “ssh” and fail2ban is not specific about which port is being bothered. I’m assuming it’s 22, but that’s been disabled forever; there’s nothing on the internet-facing port 22 on my router.
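As an added example (not the author's file), here is one way to fold the two blocks above into a single geoip.conf that leaves GeoIPScanProxyHeaders off and works under both the Apache 2.2 access directives used on this page and the Apache 2.4 Require syntax. The /var/www/html document root is an assumption; substitute the directory actually being served.

```apache
<IfModule mod_geoip.c>
    GeoIPEnable On
    GeoIPDBFile /usr/share/GeoIP/GeoIP.dat

    # Look up the connecting address only. Turn this On only when a trusted
    # reverse proxy sits in front of Apache and sets X-Forwarded-For itself.
    GeoIPScanProxyHeaders Off

    # Assumed document root. Access rules in a more specific <Directory>
    # section take precedence over rules set on "/", so the block is placed
    # on the directory that is actually served.
    <Directory /var/www/html>
        # Anchored so only the exact two-letter code matches
        SetEnvIf GEOIP_COUNTRY_CODE ^CN$ BlockCountry

        # Apache 2.4: mod_authz_core is present
        <IfModule mod_authz_core.c>
            <RequireAll>
                Require all granted
                Require not env BlockCountry
            </RequireAll>
        </IfModule>

        # Apache 2.2: no mod_authz_core, use Order/Allow/Deny
        <IfModule !mod_authz_core.c>
            # With Allow,Deny a matching Deny overrides the Allow
            Order Allow,Deny
            Allow from all
            Deny from env=BlockCountry
        </IfModule>
    </Directory>
</IfModule>
```

Like the original, this only filters HTTP requests that Apache serves; it has no effect on the ssh attempts Fail2Ban reports.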

More Information

This information about various configuration options may prove handy at some point.

More later.
