I'm looking for a way to block certain countries from accessing our Apache 2.4 web server running on FreeBSD.

We have brute force attacks from time to time, and they often come from a handful of countries.

Are there any pros and cons over choosing restrictions by IPs or by using Apache module mod_maxminddb? Anyone with experience whether to choose one over the other?

Thank you,

1 Answer

As already mentioned in the linked Q&A, there are roughly three approaches for geo-blocking:

  1. something like the mod_maxminddb Apache module to grant/deny access natively in Apache httpd: https://github.com/maxmind/mod_maxminddb

  2. Block access in your host-based firewall. On FreeBSD that would require something like https://github.com/cyclaero/ipdb

  3. Disallow direct access to your web server, leverage one of the many CDN solutions and use that CDN to block/allow access from certain geographic regions

All three solutions of course suffer from the same problem: IP-addresses are not street addresses tied to a physical location and as an access control you won't get 100% reliability.

Solutions #1 and possibly #3 have the advantage that you can easily apply your access control to specific resources on your web site, i.e. allow the complete world access to specific (parts of the) website(s) hosted on your server, while applying geo-blocking to other parts/sites on the same server.

For example: you could allow the whole world access to the generic information about your business, but restrict access to your online ordering forms. A restaurant in Paris for example can decide it won't allow take-away delivery orders from around the world, but might still want to allow travellers to see their dine-in menu and possibly make reservations from their home before they start their trip to Paris.

Solutions #2 and especially #3 will probably reduce load on the web server, as you'll be blocking traffic before it reaches your website.

The firewall solution is a complete block and won't even allow you to display a warning message/banner to site visitors.


Less sledgehammer, more scalpel: don't block countries, but rather only the actual misbehaving IP-addresses with fail2ban, which should also be available/suitable for FreeBSD.

  • It is also better to block traffic at the firewall (Solution #2) or CDN level (Solution #2) to reduce web server load. You can use the free IP country list from ip2location.com/free/visitor-blocker for blocking.
    – Michael C.
    Oct 17 at 4:18
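
Approach #1 from the answer above, applied to a single resource as in its restaurant example; this configuration is added here as an illustration and is not part of the original answer or of the mod_maxminddb project. The database path, the `/order` and `/errors/` paths, the `ALLOW_ORDER` variable name and the `FR` country code are assumptions.

```apache
# Assumes mod_maxminddb is already loaded (LoadModule) and a GeoLite2 country
# database is installed at the path below (assumed FreeBSD location).
<IfModule mod_maxminddb.c>
    MaxMindDBEnable On
    MaxMindDBFile COUNTRY_DB /usr/local/share/GeoIP/GeoLite2-Country.mmdb
    # Export the ISO country code of the client address as an environment variable.
    MaxMindDBEnv MM_COUNTRY_CODE COUNTRY_DB/country/iso_code
</IfModule>

# Allow-list: mark requests whose address resolves to France (assumed example).
# Addresses with no database entry leave MM_COUNTRY_CODE unset, so they are
# never marked and are refused on /order below.
SetEnvIf MM_COUNTRY_CODE ^FR$ ALLOW_ORDER

# The rest of the site stays reachable from anywhere.
<Location "/">
    Require all granted
</Location>

# Only the ordering form is geo-restricted (Apache 2.4 authorization syntax).
<Location "/order">
    Require env ALLOW_ORDER
    # Unlike a firewall drop, Apache can still explain the refusal to the visitor.
    ErrorDocument 403 /errors/order-region.html
</Location>

# Keep the error page itself readable by refused clients.
<Location "/errors/">
    Require all granted
</Location>
```

Run `apachectl configtest` before reloading, then request `/order` from an allowed and a refused network to confirm both the 403 page and normal access behave as intended.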
