Posted on by Christopher

Country IP Blocking

Country IP Blocks provides an online, search able internet protocol (IP) address database with the ability to export specific country level IP blocks into CIDR, Netmask, IP Range, .htaccess deny, .htaccess allow, Decimal/CIDR and Hex/CIDR formatted files. These files can then be used in cojunction with server (e.g. Apache, Microsoft IIS) and network security devices (e.g. Cisco, Juniper, TippingPoint, Untangle) to create access control lists to block access to networks and systems from specific countries.

Whilst I don’t advocate blocking entire countries, there are known IP address blocks used by spammers, crackers and other Internet filth which may need to be blocked from some websites and systems.

The American Registry for Internet Numbers (ARIN) and the Asia Pacific Network Information Centre (APNIC) manage the majority of Internet routed IP addresses allocations for IP v4 and maintain online allocation databases which are made available to Internet service providers. The Country IP database is updated with this information at least once every 24 hours which means accurate global network data is provided.

In terms of Country IP Blocks site, I specifically like the ability to export IP lists into common access control list formats such as HTACCESS. A simple example of a HTACCESS list which blocks the entire country of Arubu from accessing a specific website:

[shell]

<Limit GET HEAD POST>
order allow,deny
# Country: ARUBA
# ISO Code: AW
# Total Networks: 2
# Total Subnets:  18,432
deny from 200.12.248.0/21
deny from 201.229.0.0/18
#
allow from all

</Limit>

ErrorDocument 403 http://www.website.com/blockedaccess

[/shell]

This .htaccess file would need to be placed into /var/www/your-website.com/html/ and relevant HTACCESS functionality needs to be enabled in /etc/httpd/conf/httpd.conf. “ErrorDocument 403 http://www.website.com/blockedaccess” shouldo also be edited to point at a website or alternative URL which advises the visitor that they’ve been blocked.

Warning: Security by obscurity is not security. Keep in mind that IP level access control lists can be bypassed by using proxy or VPN services in known “allowed” countries. Do not use country IP blocking as an excuse to write in-secure code, not patch your servers and not maintain your intrusion detection and provention devices.

One Reply to “Country IP Blocking”

Comments are closed.