Vesta Control Panel - Forum

Best Practice for Blocking Countries?

Gordon55M
Posts: 43
Joined: Tue Apr 22, 2014 8:37 pm

Os: Ubuntu 15x
Web: nginx + php-fpm
Post by Gordon55M » Tue May 30, 2017 4:19 pm

Using VestaCP, what is the best practice for blocking specific countries from accessing the server/VestaCP? I've researched the forum and Google and get mixed answers and would like some more input and advice. The sites on this server only need USA traffic (unless someone from outside the country wants to fly in and participate in small local 5K fun-runs). I typically get a lot of traffic and bots from outside the country, which has become an annoyance. I haven't been compromised, but they tend to eat up a lot of bandwidth and server resources. I'd like to just eliminate them from being able to even hit the server if they come from outside the US.

Similar suggestions I've found:
Using .htaccess: viewtopic.php?t=8519
Using IPTables: viewtopic.php?t=13585
NGINX with GeoIP module: https://www.lowendtalk.com/discussion/4 ... ip-vestacp

Any thoughts or guidance on best approaches? I'm using Ubuntu 16.04 64 Bit btw.

locus
Posts: 63
Joined: Thu May 05, 2016 6:43 am

Os: Ubuntu 15x
Web: apache + nginx
Post by locus » Wed May 31, 2017 11:50 pm

Look into ipset for doing this at the iptables level as it's very efficient.
While you're there - also block the emerging threat list.
http://rules.emergingthreats.net/fwrule ... ck-IPs.txt
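The ipset approach suggested above, as an added example that is not part of the original thread: a shell function that turns a plain-text IP/CIDR list (for instance a downloaded block list) into `ipset restore` input, loading it into a scratch set and swapping it into place. The set name `blocklist`, the sizing options and the sample ranges are assumptions.

```shell
#!/bin/sh
# Added example. Set name "blocklist", the sizes and the sample ranges are
# assumptions; the ranges are constructed from documentation address space.

# gen_ipset_restore SETNAME < list
# Emits `ipset restore` input that fills a scratch set and swaps it into
# place, so the live set is never half-loaded while the list is refreshed.
gen_ipset_restore() {
    set_name=$1
    tmp_name="${set_name}-tmp"
    opts='hash:net family inet hashsize 4096 maxelem 262144'
    printf 'create %s %s\n' "$set_name" "$opts"
    printf 'create %s %s\n' "$tmp_name" "$opts"
    printf 'flush %s\n' "$tmp_name"
    # Strip comments and whitespace, then keep only well-formed IPv4
    # addresses or CIDRs; anything else is reported on stderr, not loaded.
    sed -e 's/#.*//' -e 's/[[:space:]]//g' |
    awk -v set="$tmp_name" '
        function valid(s,   p, o, i) {
            if (s !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/) return 0
            split(s, p, "/")
            # /0 is refused so one stray line cannot match every address
            if (p[2] != "" && (p[2] + 0 < 1 || p[2] + 0 > 32)) return 0
            split(p[1], o, ".")
            for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) return 0
            return 1
        }
        /^$/ { next }
        valid($0) { print "add " set " " $0; next }
        { print "skipped: " $0 > "/dev/stderr" }'
    printf 'swap %s %s\n' "$tmp_name" "$set_name"
    printf 'destroy %s\n' "$tmp_name"
}

# Constructed sample list (not real threat data).
sample_list() {
    cat <<'EOF'
# comment line
192.0.2.0/24
198.51.100.7   # trailing comment
203.0.113.0/33
300.1.1.1
0.0.0.0/0
EOF
}

# Apply as root; -exist makes `create` a no-op when the set already exists:
#   gen_ipset_restore blocklist < list.txt | ipset -exist restore
#   iptables -I INPUT -m set --match-set blocklist src -j DROP
sample_list | gen_ipset_restore blocklist
```

A `hash:net` set is matched by a single iptables rule using a hash lookup, instead of one rule per address.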

BBuchanan1013
Posts: 139
Joined: Thu Jan 07, 2016 12:01 am

Post by BBuchanan1013 » Fri Jun 02, 2017 1:04 am

I have to agree with Locus. However, my two cents:

Having a mass amount of IPs in the firewall will cause a slowdown as each connection is checked against a large list of IPs.
The same goes for .htaccess.

You could just ignore the bots and set a trap (worth mentioning Project Honeypot). But just remember, there's a trade-off.

Big list -> slow down on checking
small list -> more prone to bots getting through
improper setup -> no one gets through or everyone gets through