Best Practice for Blocking Countries?
Using VestaCP, what is the best practice for blocking specific countries from accessing the server/VestaCP? I've researched the forum and Google and get mixed answers and would like some more input and advice. The sites on this server only need USA traffic (unless someone from outside the country wants to fly in and participate in small local 5K fun-runs). I typically get a lot of traffic and bots from outside the country, which has become an annoyance. I haven't been compromised, but they tend to eat up a lot of bandwidth and server resources. I'd like to just eliminate them from being able to even hit the server if they come from outside the US.
Similar suggestions I've found:
Using .htaccess: viewtopic.php?t=8519
Using IPTables: viewtopic.php?t=13585
NGINX with GeoIP module: https://www.lowendtalk.com/discussion/4 ... ip-vestacp
Any thoughts or guidance on best approaches? I'm using Ubuntu 16.04 64 Bit btw.
Re: Best Practice for Blocking Countries?
Look into ipset for doing this at the iptables level, as it's very efficient.
While you're there - also block the Emerging Threats list.
http://rules.emergingthreats.net/fwrule ... ck-IPs.txt
Re: Best Practice for Blocking Countries?
I have to agree with Locus. However, my two cents:
Having a mass amount of IPs in the firewall will cause a slowdown as each connection is checked against a large list of IPs.
The same goes for .htaccess.
You could just ignore the bots and set a trap (worth mentioning Project Honeypot). But just remember, there's a trade-off.
Big list -> slow down on checking
small list -> more prone to bots getting through
improper setup -> no one gets through or everyone gets through
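As an added example (not code from either reply or from the VestaCP project), here is the ipset approach Locus recommends, written so that the list-size concern raised just above is handled: the allowed networks go into a single hash:net set, which iptables consults with one lookup per packet regardless of how many CIDRs it holds, instead of one iptables or .htaccess rule per network. The set name "us-allow", the file paths, and the three RFC 5737 documentation networks are assumptions made up for this example; a real country CIDR export from a GeoIP provider would replace the sample list. The drop rule is deliberately limited to TCP 80/443 so that a bad list cannot lock you out of SSH or the Vesta panel.

```shell
#!/bin/sh
# Added example: load an allowlist of source networks into an ipset and drop
# web traffic from any other source. Assumes ipset and iptables are installed
# (Ubuntu 16.04: apt-get install ipset). Set name and paths are made up here.

SET_NAME="us-allow"
CIDR_FILE="${CIDR_FILE:-/tmp/us-cidr.txt}"
RESTORE_FILE="${RESTORE_FILE:-/tmp/us-allow.ipset}"

# Constructed sample list (RFC 5737 documentation ranges), standing in for a
# real country CIDR export. Comment lines and blank lines are ignored.
write_sample_cidrs() {
    cat > "$CIDR_FILE" <<'EOF'
# sample country allowlist (constructed)
192.0.2.0/24
198.51.100.0/24

203.0.113.0/24
EOF
}

# Turn a CIDR list into "ipset restore" input. Loading through restore is one
# bulk operation rather than one "ipset add" process per network, which is
# what makes lists of tens of thousands of entries practical.
build_restore() {
    set_name="$1"; src="$2"
    printf 'create %s hash:net family inet hashsize 4096 maxelem 262144\n' "$set_name"
    grep -Ev '^[[:space:]]*(#|$)' "$src" | while read -r net; do
        printf 'add %s %s\n' "$set_name" "$net"
    done
}

# Number of networks that would be loaded; a sanity check before applying,
# since an empty list with a "not in set -> DROP" rule blocks everyone.
count_entries() {
    build_restore "$1" "$2" | grep -c '^add '
}

# Create/refresh the set and insert one iptables rule: drop TCP 80/443 whose
# source is NOT in the set. Limiting the rule to web ports leaves SSH and the
# Vesta panel (8083) reachable even if the list is wrong. -exist makes the
# restore idempotent; -C avoids inserting a duplicate rule on re-runs.
apply_allowlist() {
    n=$(count_entries "$SET_NAME" "$CIDR_FILE")
    [ "$n" -gt 0 ] || { echo "refusing to apply an empty allowlist" >&2; return 1; }
    build_restore "$SET_NAME" "$CIDR_FILE" > "$RESTORE_FILE"
    ipset -exist restore < "$RESTORE_FILE"
    iptables -C INPUT -p tcp -m multiport --dports 80,443 \
        -m set ! --match-set "$SET_NAME" src -j DROP 2>/dev/null ||
    iptables -I INPUT -p tcp -m multiport --dports 80,443 \
        -m set ! --match-set "$SET_NAME" src -j DROP
}

write_sample_cidrs
# Only touch the kernel when explicitly asked (requires root):
#   sh allowlist.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_allowlist
fi
```

Run the script with no arguments to generate the sample list and check what would be loaded; run it as root with `apply` to load the set and insert the rule. Because ipset lookups are hash-based, refreshing the country list monthly does not change per-packet cost, which is the part of the "big list -> slowdown" trade-off that a plain iptables chain or .htaccess file cannot avoid. Logging the drops (an `-j LOG` rule ahead of the `DROP`) is a cheap way to confirm the set is matching what you expect before relying on it.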