Geekzone: technology news, blogs, forums

RobBB (Master Geek, 98 posts)
#208851 2-Mar-2017 10:28

Hi

I have begun setting up a bit more security, and one of the tools I am using is Fail2Ban (https://www.fail2ban.org/wiki/index.php/Main_Page), and am using it to set up IPs to block at the router. One of the things I do is get an email with a whois for the IP when it gets blocked, and it is pretty obvious that after only a couple of days 90%+ of the attempts come from 2 places, Russia/Ukraine and China, with the majority from China. It's at the point that for every 10 attempts 8 would be China, one from either Russia/Ukraine and a 10th from a random country in the world, although in that last 10% about half would be India or Korea.

At the moment I am only monitoring ssh attempts, not mail or http etc, but since the site is not live or even advertised these are I guess random attacks and I imagine the volume will increase.

So if I could reliably block China and the old USSR countries 90% of my attackers would be stopped before they even get picked up by Fail2Ban.

Does anyone have any experience doing this sort of thing, how complex is it, how reliable is it? I should point out that I can only afford free options in terms of price. So free data sources, OSS software, and am running on a Linux server and Mikrotik router.

cheers,


freitasm, BDFL - Memuneh (Administrator, 79263 posts)
#1728791 2-Mar-2017 10:50

Some routers do it but you will notice that looking up IP will slow things down too...

ubergeeknz (Vocus, 3344 posts)
#1728797 2-Mar-2017 10:56

IP address blocks per country are *fairly* static, at least close enough for these purposes.

I would just generate a list of the offending country(ies) IP address blocks from some online service and use that either on the Mikrotik or IPTables.

Here is one such service: http://www.ip2location.com/free/visitor-blocker

For SSH another good idea is to move it to some high port (>10000) as it will greatly reduce the number of attempts against it. And make sure you are using key-based auth instead of password.


chevrolux (4962 posts)
#1728825 2-Mar-2017 11:53

check out this dude...

http://joshaven.com/resources/tricks/mikrotik-automatically-updated-address-list/

came across it when searching the same. Haven't implemented any of it just due to lack of time/caring.
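The two posts above suggest pulling a per-country block list from a service such as ip2location and loading it either on the Mikrotik or into iptables, and the linked page describes keeping a Mikrotik address list updated automatically. The following is an added example (Python, not code from either post, the linked page or ip2location) that turns such a list into RouterOS address-list commands and into an ipset that is swapped in atomically, so a periodic refresh never leaves the firewall with an empty list. The input format (one CIDR per line, `#` comments), the list name `geoblock` and the sample prefixes are assumptions; a real list runs to thousands of lines.

```python
"""Build a Mikrotik address list and an ipset drop list from a per-country
CIDR file.  Added example for the thread, not the posters' own scripts."""
import ipaddress
from typing import List

# Constructed sample of a downloaded per-country list (documentation prefixes
# only; the thread mentions 5800+ blocks for China in a real list).
SAMPLE_LIST = """\
# country block list (constructed example)
203.0.113.0/25
203.0.113.128/25
198.51.100.0/24
this-is-not-a-prefix
2001:db8::/32
"""


def parse_cidrs(text: str) -> List[ipaddress.IPv4Network]:
    """Parse one CIDR per line, skip comments and junk, and merge adjacent
    prefixes so the router has fewer entries to match against."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # one bad line must not abort the whole reload
        if net.version == 4:  # IPv6 needs its own list/set; ignored here
            nets.append(net)
    return list(ipaddress.collapse_addresses(nets))


def routeros_script(nets, list_name: str = "geoblock") -> List[str]:
    """RouterOS commands that rebuild the address list from scratch."""
    lines = [f"/ip firewall address-list remove [find list={list_name}]"]
    lines += [f"/ip firewall address-list add list={list_name} address={n.with_prefixlen}"
              for n in nets]
    return lines


def routeros_drop_rules(list_name: str = "geoblock") -> List[str]:
    """Run once.  'input' protects the router itself; 'forward' covers traffic
    port-forwarded to hosts behind it, such as the server running sshd."""
    return [f"/ip firewall filter add chain={chain} src-address-list={list_name} "
            f"action=drop comment={list_name}" for chain in ("input", "forward")]


def ipset_script(nets, set_name: str = "geoblock") -> List[str]:
    """Load the list into a scratch set and swap it in atomically, so a
    refresh never leaves a window where the live set is empty."""
    tmp = f"{set_name}_new"
    lines = [f"ipset create {set_name} hash:net -exist",
             f"ipset create {tmp} hash:net -exist",
             f"ipset flush {tmp}"]
    lines += [f"ipset add {tmp} {n.with_prefixlen} -exist" for n in nets]
    lines += [f"ipset swap {tmp} {set_name}", f"ipset destroy {tmp}"]
    return lines


# Single iptables rule that consults the live set; add it once.
IPTABLES_RULE = "iptables -I INPUT -m set --match-set geoblock src -j DROP"

if __name__ == "__main__":
    nets = parse_cidrs(SAMPLE_LIST)
    print("\n".join(routeros_script(nets) + routeros_drop_rules()))
    print("\n".join(ipset_script(nets) + [IPTABLES_RULE]))
```

Run the RouterOS lines on the router each time the list is refreshed and the two drop rules once; the forward-chain rule matters because blocking only in the input chain would not touch SSH that the Mikrotik forwards to the Linux box. On the server, the ipset swap replaces the whole set in one step, which is the property the linked "automatically updated" approach needs and a plain flush-then-readd does not give.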




RobBB (Master Geek, 98 posts)
#1728844 2-Mar-2017 11:59

freitasm: Some routers do it but you will notice that looking up IP will slow things down too...

Why would looking up the IP slow things down?


freitasm, BDFL - Memuneh (Administrator, 79263 posts)
#1729016 2-Mar-2017 16:40

Not looking up IP because that would be dumb. But converting IP address to a LONG then checking a range, even if in memory, takes time. Good routers will do it easily but low range home appliances will struggle.

RobBB (Master Geek, 98 posts)
#1729120 2-Mar-2017 21:07

freitasm: Not looking up IP because that would be dumb. But converting IP address to a LONG then checking a range, even if in memory, takes time. Good routers will do it easily but low range home appliances will struggle.

I see, so added latency to incoming traffic; since we have a game server as the primary reason for being exposed to the world, some lag will be added.


RobBB (Master Geek, 98 posts)
#1729130 2-Mar-2017 21:12

But I am doing that anyway, I am banning IP addresses, picking up about 2 IP addresses per hour and adding them to a list, and the router is comparing all traffic to them for dropping or not.

So at some point that individual IP list will become >= the list of IP blocks for those countries.

freitasm, BDFL - Memuneh (Administrator, 79263 posts)
#1729136 2-Mar-2017 21:19

It's a balance. To convert an IP address to an integer your router will calculate like this (for 203.86.203.11):

First Octet: 203
Second Octet: 86
Third Octet: 203
Fourth Octet: 11

(first octet * 256³) + (second octet * 256²) + (third octet * 256) + (fourth octet)
= (first octet * 16777216) + (second octet * 65536) + (third octet * 256) + (fourth octet)
= (203 * 16777216) + (86 * 65536) + (203 * 256) + (11)
= 3411462923

Then the router will use this integer to search a database of integer ranges (countries can have multiple ranges) for a range this value fits within - this will be the country. This calculation and search take time - the database search is a "BETWEEN" not an "EQUALS".

The other option, adding banned IP addresses to an indexed list and searching this list, is very fast compared to the previous method. This means that whatever you do, a ban-list search will always be faster than a Geo IP block list search. It's all down to CPU cycles, if this function is already built-in, how it is implemented, etc.





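As an added illustration of the two lookups described in the post above (this is example code written for this thread, not anything from the post or from RouterOS): the dotted quad is converted to the same integer the post computes, a "BETWEEN" search is run over a sorted table of country ranges with binary search, and an exact-match set stands in for the indexed list of individually banned addresses. The range table is constructed, using the user-assigned ISO codes XA/XB/XC as placeholders; it is not real allocation data.

```python
"""IPv4-to-integer conversion, a BETWEEN range search and an exact-match
ban list, side by side.  Added example, not code from the thread."""
import bisect
from typing import List, Optional, Tuple


def ip_to_int(ip: str) -> int:
    """Dotted quad to the integer the post computes:
    (a * 256^3) + (b * 256^2) + (c * 256) + d."""
    parts = ip.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {ip!r}")
    octets = [int(p) for p in parts]
    if any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"octet out of range: {ip!r}")
    a, b, c, d = octets
    return (a << 24) | (b << 16) | (c << 8) | d


# Constructed range table (first, last, country).  XA/XB/XC are placeholder
# codes; these ranges are invented for the example, not real allocations.
RANGES: List[Tuple[str, str, str]] = [
    ("203.86.192.0", "203.86.223.255", "XC"),
    ("198.51.100.0", "198.51.100.255", "XA"),
    ("203.0.113.0", "203.0.113.127", "XB"),
]


class CountryTable:
    """The 'BETWEEN' search: which range, if any, contains this integer?"""

    def __init__(self, rows):
        rows = sorted((ip_to_int(lo), ip_to_int(hi), cc) for lo, hi, cc in rows)
        # Overlapping rows would make BETWEEN ambiguous, so refuse them up front.
        for (_, hi1, _), (lo2, _, _) in zip(rows, rows[1:]):
            if lo2 <= hi1:
                raise ValueError("overlapping ranges make BETWEEN ambiguous")
        self.rows = rows
        self.starts = [lo for lo, _, _ in rows]  # sorted keys for bisect

    def lookup(self, ip: str) -> Optional[str]:
        n = ip_to_int(ip)
        i = bisect.bisect_right(self.starts, n) - 1  # last range starting <= n
        if i < 0:
            return None
        lo, hi, cc = self.rows[i]
        return cc if lo <= n <= hi else None


class BanList:
    """The 'indexed list': exact match on individually banned addresses."""

    def __init__(self, ips):
        self.ips = {ip_to_int(ip) for ip in ips}

    def is_banned(self, ip: str) -> bool:
        return ip_to_int(ip) in self.ips


def should_drop(ip: str, table: CountryTable, bans: BanList, blocked: set) -> bool:
    """Cheap exact match first; the range search only runs if that misses."""
    return bans.is_banned(ip) or table.lookup(ip) in blocked


if __name__ == "__main__":
    table = CountryTable(RANGES)
    bans = BanList(["192.0.2.77"])
    for ip in ("203.86.203.11", "203.0.113.200", "192.0.2.77"):
        print(ip, ip_to_int(ip), table.lookup(ip), should_drop(ip, table, bans, {"XB"}))
```

With the table sorted and non-overlapping the range search is a binary search, so a list of 5800 blocks costs about 13 comparisons per packet rather than a scan; the set lookup is a single hash probe but can only ever match addresses that have already been seen and banned.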


RobBB (Master Geek, 98 posts)
#1729178 2-Mar-2017 22:43

It's not a built-in function, so I have a Mikrotik router and firewall rules to drop traffic from a list; on the server I run fail2ban, and it uses a script to update the list on the router. Currently I only ban for 78 days, but because the IP address is not yet advertised (as in not running a web site, not posting links in web forums to it etc.) I guess the current attack attempts are just random dumb-luck bots trying IP addresses and not in any way a focused attempt to hack. Most are trying to log in as root or admin via ssh, so I think they are trying a dictionary attack of known router passwords to see if they get lucky.

Anyway, I looked at the China IP block list, 5800+ blocks, so for now I will leave it just blocking those that attempt to access the server.
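An added example, not the poster's script, of the pipeline this post describes: parse sshd failures from the auth log (the constructed lines use OpenSSH's `Failed password for ... from ... port ...` format, including the `invalid user` variant seen for root/admin guesses), apply fail2ban's maxretry/findtime logic, and build the command that puts the offender into a Mikrotik address list with a 78-day timeout. The list name `fail2ban`, the router login `admin@router.example` and the thresholds are assumptions.

```python
"""Fail2Ban-style sshd brute-force detection feeding a Mikrotik address
list.  Added example for the thread; log lines are constructed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed OpenSSH auth.log lines: one source hammers root/admin within
# seconds, another fails three times but two hours apart.
SAMPLE_LOG = """\
Mar  2 21:00:01 srv sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Mar  2 21:00:03 srv sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Mar  2 21:00:04 srv sshd[1003]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2
Mar  2 21:00:09 srv sshd[1004]: Accepted publickey for rob from 198.51.100.7 port 50000 ssh2
Mar  2 21:30:00 srv sshd[1005]: Failed password for root from 198.51.100.9 port 40010 ssh2
Mar  2 23:30:00 srv sshd[1006]: Failed password for root from 198.51.100.9 port 40011 ssh2
Mar  2 23:30:02 srv sshd[1007]: Failed password for root from 198.51.100.9 port 40012 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_ts(ts: str, year: int = 2017) -> datetime:
    """Syslog timestamps carry no year; the caller supplies it."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_bans(log: str, maxretry: int = 3, findtime: timedelta = timedelta(minutes=10)) -> set:
    """IPs with at least maxretry failures inside a sliding findtime window,
    which is how fail2ban's maxretry/findtime pair behaves."""
    hits = defaultdict(list)
    for line in log.splitlines():
        m = FAILED.match(line)
        if m:
            hits[m["ip"]].append(parse_ts(m["ts"]))
    banned = set()
    for ip, times in hits.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= findtime:
                banned.add(ip)
                break
    return banned


def routeros_ban_cmd(ip: str, list_name: str = "fail2ban", timeout: str = "78d") -> list:
    """Argv for ssh to the router (hypothetical host).  The address is
    re-parsed first so only a literal IP ever lands in the RouterOS command,
    and argv (no shell) means nothing in it can be re-interpreted."""
    addr = ipaddress.ip_address(ip)  # ValueError on anything that is not an address
    ros = f"/ip firewall address-list add list={list_name} address={addr} timeout={timeout}"
    return ["ssh", "-o", "BatchMode=yes", "admin@router.example", ros]


if __name__ == "__main__":
    for ip in sorted(find_bans(SAMPLE_LOG)):
        print(" ".join(routeros_ban_cmd(ip)))
```

In fail2ban itself this is the job of an action's `actionban` line, which receives the offending address as `<ip>`; validating it again before it is interpolated into the RouterOS command costs nothing and removes any path from log content to router commands. Entries added with `timeout=` expire on their own, so the router-side list does not grow without bound the way a permanent list would.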


sbiddle (Retired Mod, Biddle Corp, 30853 posts)
#1729222 3-Mar-2017 07:31

Why do you have SSH exposed to the internet in the first place? This really should be avoided.

RobBB (Master Geek, 98 posts)
#1729228 3-Mar-2017 07:55

sbiddle: Why do you have SSH exposed to the internet in the first place? This really should be avoided.

Ahh, so simple, all I have to do is never access the server from off site. Problem solved, thank you.


sbiddle (Retired Mod, Biddle Corp, 30853 posts)
#1729236 3-Mar-2017 08:07

sbiddle: Why do you have SSH exposed to the internet in the first place? This really should be avoided.

RobBB: Ahh, so simple, all I have to do is never access the server from off site. Problem solved, thank you.

I still don't understand why you have SSH exposed. You can easily access the server off site via VPN, which is the simple way to get around not exposing SSH to the internet.

Exposing any ports carries risk, and the way to remove that risk is to not open it up to the entire internet. You can blacklist all you want, but at the end of the day your front door is still unlocked. A VPN locks your door and removes that risk entirely. With a Mikrotik it's literally 60 seconds to have a fully secured IPSEC VPN up and working.

RobBB (Master Geek, 98 posts)
#1729242 3-Mar-2017 08:18

sbiddle: Why do you have SSH exposed to the internet in the first place? This really should be avoided.

RobBB: Ahh, so simple, all I have to do is never access the server from off site. Problem solved, thank you.

sbiddle: I still don't understand why you have SSH exposed. You can easily access the server off site via VPN, which is the simple way to get around not exposing SSH to the internet.

How can you not understand? It is so simple and obvious, I am not a networking expert. If I was, I would not be asking for advice? Perhaps you could have started off with something like "Hey, ssh is not a good idea, are you aware of how easy and secure a VPN setup would be with that router?"

 

 

