Whitelist/Blacklist access to your site or a page by country.
05-13-2010 @ 4:06AM EDT
There are a few different options for handling a DDoS attack:
One is at the firewall, which is usually the most effective if you have access to a hardware firewall or a powerful server. Another is mod_geoip for Apache together with a simple .htaccess file in your web directory. A third is to set up a second server in front of your main server(s) and use it as a proxy that filters the traffic so only legitimate connections reach the backend (basically it acts as a firewall, but with the resources of a server, so it can process millions of connections at a time). This is the best and cheapest form of DDoS protection, but it is beyond my scope of expertise. For more information you can check out an awesome video here. I also just found this link while trying to find the one above (I really should bookmark that); it appears to let you run the proxy locally, but then the issue of processing power comes into play again.
If you are not technically savvy enough to do any of the above, you can purchase DDoS protection (either a proxy service or a hardware firewall), but the price is really only worth it if your mission-critical servers are your main source of income and must be protected at all costs.
With all of that said now on to the meat and potatoes of this post...
Now if you're using CSF as your software firewall, you are in luck... maybe. There are options in the configuration named CC_DENY and CC_ALLOW. These settings add whole countries (by GeoIP country code) to the DENY or ALLOW list. NEVER ADD A COUNTRY TO THE ALLOW LIST! Why this is an option I don't know, but it gives that country access to all ports, even blocked ones. ConfigServer says that using these options is resource intensive and that they should only be used on a powerful dedicated server. Since that isn't an option for most VPS or low-end dedicated users out there, we will move on to the next option...
Apache's mod_geoip and .htaccess have been my favorite combination since I found out about them on MaxMind's website. Getting mod_geoip installed was always a pain for me, but luckily I found an Optmod (optional module) for EasyApache, so now I have a simple command I use to install mod_geoip on my cPanel servers:
Code:
wget http://docs.cpanel.net/twiki/pub/EasyApache3/CustomMods/custom_opt_mod-mod_geoip.tar.gz && tar -C /var/cpanel/easy/apache/custom_opt_mods -xzf custom_opt_mod-mod_geoip.tar.gz
After running that via SSH, log in to WHM and run EasyApache; the option for mod_geoip is now there to select and install. Once it has finished, mod_geoip is not ready to use just yet. Back in SSH, edit the httpd.conf file (vi /etc/httpd/conf/httpd.conf) and perform the following:
Find this line in httpd.conf:
LoadModule geoip_module modules/mod_geoip.so
(If it is missing then mod_geoip was not installed by EasyApache.)
Add the following two lines directly below it:
GeoIPEnable On
GeoIPDBFile /GeoIP.dat
Now change to the root directory (/), which is where the GeoIPDBFile line above points, and grab the latest GeoIP.dat file using the following command:
Code:
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz && gunzip -f GeoIP.dat.gz
MaxMind releases a new GeoLite Country database on the first of each month, so either set up a cron job to run this command once a month or run it manually each month. The -f is needed when the command runs from cron: without it gunzip refuses to overwrite the existing GeoIP.dat when nobody is there to answer its prompt, and the database silently stays stale. Note also that gunzip replaces the live file in place, so a truncated download leaves you with a broken database until the next run.
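As an added example (this is not code from the original post), here is a script for the monthly refresh that avoids the in-place overwrite: it verifies the archive, decompresses into a temporary file beside the old database, refuses anything implausibly small (such as an HTML error page saved by wget), renames the new file into place atomically, and then gracefully reloads Apache so mod_geoip reopens the database. The download URL and the /GeoIP.dat path are the ones used above; the script name, the --run flag and the 100000-byte minimum size are my assumptions.

```bash
#!/bin/bash
# update_geoip.sh - cron-safe refresh of the legacy MaxMind GeoIP.dat used by mod_geoip.
# Added example, not code from the original post. GEOIP_URL and GEOIP_DEST match the
# post; the script name, the --run flag and the minimum size are assumptions.
set -eu

GEOIP_URL="${GEOIP_URL:-http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz}"
GEOIP_DEST="${GEOIP_DEST:-/GeoIP.dat}"

# install_geoip_db GZFILE DEST [MIN_BYTES]
# Decompress GZFILE into a temp file in DEST's directory, sanity-check it, then
# rename it over DEST. Because the rename is atomic, Apache never reads a
# half-written database. Returns non-zero (and leaves DEST untouched) on any failure.
install_geoip_db() {
    local gz="$1" dest="$2" min_bytes="${3:-100000}" tmp size
    # Reject anything that is not a valid gzip stream (e.g. an HTML error page
    # saved by wget when the download URL has moved).
    if ! gzip -t "$gz" 2>/dev/null; then
        echo "install_geoip_db: $gz is not a valid gzip archive" >&2
        return 1
    fi
    # mktemp in the destination directory keeps tmp and dest on one filesystem,
    # which is what makes the final mv an atomic rename rather than a copy.
    tmp="$(mktemp "${dest}.XXXXXX")"
    if ! gzip -dc "$gz" > "$tmp"; then
        rm -f "$tmp"
        echo "install_geoip_db: decompression of $gz failed" >&2
        return 1
    fi
    # A real GeoLite Country database is several hundred KB. A tiny file would
    # load "successfully" and then return no country for anyone, which with a
    # whitelist (Options 3 and 4 below) locks every visitor out.
    size="$(wc -c < "$tmp" | tr -d ' ')"
    if [ "$size" -lt "$min_bytes" ]; then
        rm -f "$tmp"
        echo "install_geoip_db: new database is only $size bytes, keeping the old one" >&2
        return 1
    fi
    chmod 0644 "$tmp"
    mv -f "$tmp" "$dest"
}

# fetch_and_install: download the archive, install it, and gracefully reload Apache.
# The reload makes mod_geoip reopen the database; because the rename leaves the old
# inode readable until then, there is never a moment with no database at all.
fetch_and_install() {
    local work
    work="$(mktemp -d)"
    trap 'rm -rf "$work"' EXIT
    wget -q -O "$work/GeoIP.dat.gz" "$GEOIP_URL"
    install_geoip_db "$work/GeoIP.dat.gz" "$GEOIP_DEST"
    apachectl -t && apachectl graceful
}

# Only act when invoked as "update_geoip.sh --run", so the functions above can be
# sourced and tested without touching the network or the live database.
if [ "${1:-}" = "--run" ]; then
    fetch_and_install
fi
```

Install it as, say, /usr/local/sbin/update_geoip.sh and call it from root's crontab a day or two after the first-of-the-month release, for example `0 4 2 * * /usr/local/sbin/update_geoip.sh --run`. Because every failure path leaves the old database in place, a bad month degrades to slightly stale data rather than to a site that denies everyone.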
Now for the easy part, the .htaccess file. Always add the following code to the top of your current (or a new) .htaccess file in the web directory (public_html), unless you want to restrict access to a specific directory, in which case put it in that directory's .htaccess. mod_geoip sets the GEOIP_COUNTRY_CODE environment variable on every request from the visitor's IP address, which is what the SetEnvIf lines below test. Two caveats: the Order/Allow/Deny directives used here are Apache 2.2 syntax (on 2.4 they need mod_access_compat, or a rewrite to Require), and if your site sits behind a proxy or CDN, mod_geoip sees the proxy's address, not the visitor's, unless you turn on GeoIPScanProxyHeaders; once you do, anyone can claim any country by sending their own X-Forwarded-For header, so only enable it when your own proxy overwrites that header.
Option 1: Blacklist countries with a 403 error.
This returns a 403 (Access Denied) error to every visitor from the listed countries. Keep in mind that this does little against an attack, since the server still accepts each connection and serves an error page to the attackers. This option is good for spam, not attacks.
Code:
# Flag requests whose GeoIP country code is on the blacklist
SetEnvIf GEOIP_COUNTRY_CODE CN BlockCountry
SetEnvIf GEOIP_COUNTRY_CODE NG BlockCountry
SetEnvIf GEOIP_COUNTRY_CODE VN BlockCountry
# With Order Allow,Deny a request that matches both lists is denied,
# so everyone is allowed except the flagged countries
Order Allow,Deny
Allow from all
Deny from env=BlockCountry
Option 2: Blacklist countries with a redirect.
I've never actually tried this method, but in theory it should work better than Option 1.
Code:
RewriteEngine On
# Send visitors from the listed countries to another site
RewriteCond %{ENV:GEOIP_COUNTRY_CODE} ^(CN|NG|VN)$
# In .htaccess the captured path has no leading slash, so keep the / before $1
RewriteRule ^(.*)$ http://www.goaway.com/$1 [R=302,L]
Option 3: Whitelist countries for your whole site.
This option is a good method if your site has an intended audience and all other traffic is useless. It is not a good idea for most public sites, but it is useful for specific directories, such as when your order form or a download lives in a directory that should only be reached by users from certain countries.
Code:
# Flag requests from the countries that may see the site
SetEnvIf GEOIP_COUNTRY_CODE US AllowCountry
SetEnvIf GEOIP_COUNTRY_CODE CA AllowCountry
SetEnvIf GEOIP_COUNTRY_CODE AU AllowCountry
# The United Kingdom is GB in the GeoIP database (UK is not an ISO 3166 code)
SetEnvIf GEOIP_COUNTRY_CODE GB AllowCountry
# Order Deny,Allow (also the default) lets the Allow line override Deny from all;
# stating it explicitly keeps the intent clear
Order Deny,Allow
Deny from all
Allow from env=AllowCountry
# Let the custom 403 page itself be served, otherwise denied visitors
# get a second error instead of the explanation
<Files 403.shtml>
Order Allow,Deny
Allow from all
</Files>
Option 4: Whitelist countries for a specific page.
This option is what I use for all of my order forms on my web hosting sites, since we restrict sign-ups to certain countries only. It is also good for forums or blogs that want to let all users view but not comment. I personally like this option because I also add a link to the 403 error page explaining the error, so I don't get flooded with e-mails or complaints about how my server is broken. ;)
Code:
# Flag requests from the countries that may use the page
SetEnvIf GEOIP_COUNTRY_CODE US AllowCountry
SetEnvIf GEOIP_COUNTRY_CODE CA AllowCountry
SetEnvIf GEOIP_COUNTRY_CODE AU AllowCountry
# The United Kingdom is GB in the GeoIP database (UK is not an ISO 3166 code)
SetEnvIf GEOIP_COUNTRY_CODE GB AllowCountry
# Only this file is restricted; the rest of the directory stays open
<Files page.php>
Order Deny,Allow
Deny from all
Allow from env=AllowCountry
</Files>
# Let the custom 403 page itself be served to denied visitors
<Files 403.shtml>
Order Allow,Deny
Allow from all
</Files>
Of course, if you are creative you can find many other ways to combine these options to do your bidding. ;)
UPDATE - After re-reading this post I've realized a grave error in the information provided: this method will not mitigate any form of DoS attack, because your server is still accepting every connection and processing every request, even the ones that only get an error page. So no, this method as posted will not alleviate the effects of a DoS attack, but it can be used alongside other methods to help filter traffic. Instead of deleting or altering the post I am keeping it up, because while it may not do much for a DoS attack, the information is still extremely helpful and useful.
Tags: htaccess, linux, servers, tutorials, security, geoip, cpanel, apache