Country block/allow with iptables and ipset

Here is a simple way to restrict access to your server from country’s that you don’t want to be able to connect to your services. On website www.ipdeny.com you can find IP lists for specific country’s. With a simple script, you can regularly update those lists so that they are up-to-date with new addresses. In my case, I needed a way to allow some services only available from specific countries. You can also change logic a little bit and blocking only specific county. 

This will work on Linux server with installed iptables and ipset. Ipset will contain all addresses provided from ipdeny.com. 

First, if you don’t already have it, install ipset.

[root@server ~]# dnf install ipset

Then, you’ll need to create ipset array which will contain all addresses. 

ipset create allow_cc hash:net family inet hashsize 1024 maxelem 65536

Continue Reading

Build NGINX with GeoIP2 support from source

I used GeoIP library with Nginx for quite some time, but it came to EOL. GeoIP2 is now avalible. It is great tool for blocking unwanted traffic from your webserver. This was done on Centos 7. If you don’t want to pay for getpagespeed’s payed version, than you must build this module from source.

First, you’ll need to know your curent NGINX version


[root@myserver ~]# nginx -v
nginx version: nginx/1.16.1

Then, download exact same version of NGINX from this site and unpack it. In my case:


[root@myserver ~]# wget http://nginx.org/download/nginx-1.16.1.tar.gz
[root@myserver ~]# tar -xvzf nginx-1.16.1.tar.gz
[root@myserver ~]# cd nginx-1.16.1.tar.gz

Then you should download ngx_http_geoip2_module – geoip2 module for NGINX:


[root@myserver ~]# wget https://github.com/leev/ngx_http_geoip2_module/archive/master.zip
[root@myserver ~]# unzip master.zip

You should install GCC and Development Tools for dependencies.

[root@myserver ~]# yum groupinstall ‘Development Tools’
[root@myserver ~]# yum install gcc

Continue Reading

Magento – lock administration to specific country

Brute force attacks on Magenta administration are also very common issue, like with WordPress, well maybe a little less :). If you can’t lock your administrations on specific fixed IP addresses, than you can probably lock administration so that is accessible only from your country. Russia and China for example, are countries from which those kind of attacks are very common. So it is good idea to block them.

For this example, I’m doing this on Apache 2.4 with GeoIP module installed. Before you proceed, you should have installed geoip.

To have Magento administration accessible only from Germany (for example), add code bellow to your apache vhost configuration. This geoip was installed on CentOS 7, you should change path to GeoIP.dat accordingly to your installation. You should also change country code to the one that you want access from.

GeoIPEnable On
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat
RewriteEngine on
RewriteCond %{ENV:GEOIP_COUNTRY_CODE} !^DE$
RewriteCond %{REQUEST_URI} ^/(index.php/)?admin/? [NC]
RewriteRule .* - [R=403,L]

© 2022 geegkytuts.net
Hosted by SIEL


About author