    Linux: GeoIP Blocking

      gjacobse

      I'm curious if anyone is running GeoIP blocking on any Linux based systems. I've not ever seen it discussed, and I know that things like fail2ban will address most things.

      And firewalld -

        scottalanmiller

        Well those tools are generally what you'd use for GeoIP blocking. Example... if you want to block all of Asia, you'd just add a set of block ranges to firewalld. It's still firewalld, not some special extra software.

          VoIP_n00b

          GeoIP blocking is completely useless. It’s trivial to get around, making it of no real value.

            DustinB3403 @VoIP_n00b

            @VoIP_n00b said in Linux: GeoIP Blocking:

            GeoIP blocking is completely useless. It’s trivial to get around, making it of no real value.

            While this is true because anyone can use a VPN to appear to come from another country, I wouldn't say that GeoIP blocking is useless, but it isn't very effective against real threats.

              gjacobse

              Great to know-
              I was reading up on some steps to secure a Linux server, and it came up there.

              Just pairing up real world to on napkin.

                scottalanmiller @VoIP_n00b

                @VoIP_n00b said in Linux: GeoIP Blocking:

                GeoIP blocking is completely useless. It’s trivial to get around, making it of no real value.

                Yeah, that's why we don't talk about it much. It doesn't have zero value, like it does reduce log chatter, but it always risks legit traffic being blocked (I'm constantly getting blocked from sites that think my Texas connection is from Toronto, for example) and never thwarts a real attack.

                  scottalanmiller @gjacobse

                  @gjacobse said in Linux: GeoIP Blocking:

                  Great to know-
                  I was reading up on some steps to secure a Linux server, and it came up there.

                  Just pairing up real world to on napkin.

                  Yeah, I don't think of it as a "security" step, but just a way to ease log management. Same as changing port addresses.

                    travisdh1 @DustinB3403

                    @DustinB3403 said in Linux: GeoIP Blocking:

                    @VoIP_n00b said in Linux: GeoIP Blocking:

                    GeoIP blocking is completely useless. It’s trivial to get around, making it of no real value.

                    While this is true because anyone can use a VPN to appear to come from another country, I wouldn't say that GeoIP blocking is useless, but it isn't very effective against real threats.

                    @VoIP_n00b is leaving out how bad the databases are in the first place. Sure, you can say I'm in Ohio by looking up my IP address, but you'll have me pegged at the wrong end of the state. That's one of the less egregious examples off the top of my head.

                      gjacobse

                      Makes sense-
                      And stepping back almost ten years and PRE-Mangolassi/NTG, why it wasn’t working on the Untangle Box I had running.

                      Now, I have more experience, exposure and use with Linux.. and logically- even then I knew that if someone wanted access bad enough, they’d find a way... nothing is secure unless it’s off, unplugged, and non-physical.

                        scottalanmiller @gjacobse

                        @gjacobse said in Linux: GeoIP Blocking:

                        Makes sense-
                        And stepping back almost ten years and PRE-Mangolassi/NTG, why it wasn’t working on the Untangle Box I had running.

                        Now, I have more experience, exposure and use with Linux.. and logically- even then I knew that if someone wanted access bad enough, they’d find a way... nothing is secure unless it’s off, unplugged, and non-physical.

                        GeoIP blocking isn't totally bad, you just have to be realistic and weigh the value vs. the effort and risk. If it's for a system only you access and you are confident (or accepting) that you won't be blocked for showing up as something unintended then whatever, go for it. We've got systems that we lock down 100% and just pinhole to management systems with a whitelist. GeoIP would be less restrictive in that case. So you can totally make it work.

                        But if you are talking a website and you might be turning away customers without realizing it, it's generally pretty bad. I've had lots of companies refuse my business (Target, Office Depot, Volaris) because they mistakenly (or intentionally) felt that wherever I was made me a person that they didn't like and wouldn't do business with.

                          1337 @scottalanmiller

                          @scottalanmiller said in Linux: GeoIP Blocking:

                          @gjacobse said in Linux: GeoIP Blocking:

                          Makes sense-
                          And stepping back almost ten years and PRE-Mangolassi/NTG, why it wasn’t working on the Untangle Box I had running.

                          Now, I have more experience, exposure and use with Linux.. and logically- even then I knew that if someone wanted access bad enough, they’d find a way... nothing is secure unless it’s off, unplugged, and non-physical.

                          GeoIP blocking isn't totally bad, you just have to be realistic and weigh the value vs. the effort and risk. If it's for a system only you access and you are confident (or accepting) that you won't be blocked for showing up as something unintended then whatever, go for it. We've got systems that we lock down 100% and just pinhole to management systems with a whitelist. GeoIP would be less restrictive in that case. So you can totally make it work.

                          But if you are talking a website and you might be turning away customers without realizing it, it's generally pretty bad. I've had lots of companies refuse my business (Target, Office Depot, Volaris) because they mistakenly (or intentionally) felt that wherever I was made me a person that they didn't like and wouldn't do business with.

                          Geo blocking sucks when you are traveling.

                            Dashrender

                            I geo block email from outside the US, and over the past few years this has started to bite us. So many companies are using 3rd party senders that come from outside the US. That said, it still keeps most of the non-English stuff at bay.

                              scottalanmiller @1337

                              @Pete-S said in Linux: GeoIP Blocking:

                              @scottalanmiller said in Linux: GeoIP Blocking:

                              @gjacobse said in Linux: GeoIP Blocking:

                              Makes sense-
                              And stepping back almost ten years and PRE-Mangolassi/NTG, why it wasn’t working on the Untangle Box I had running.

                              Now, I have more experience, exposure and use with Linux.. and logically- even then I knew that if someone wanted access bad enough, they’d find a way... nothing is secure unless it’s off, unplugged, and non-physical.

                              GeoIP blocking isn't totally bad, you just have to be realistic and weigh the value vs. the effort and risk. If it's for a system only you access and you are confident (or accepting) that you won't be blocked for showing up as something unintended then whatever, go for it. We've got systems that we lock down 100% and just pinhole to management systems with a whitelist. GeoIP would be less restrictive in that case. So you can totally make it work.

                              But if you are talking a website and you might be turning away customers without realizing it, it's generally pretty bad. I've had lots of companies refuse my business (Target, Office Depot, Volaris) because they mistakenly (or intentionally) felt that wherever I was made me a person that they didn't like and wouldn't do business with.

                              Geo blocking sucks when you are traveling.

                              Yeah, like crazy. But the Target one of those is the only one that burned me and wouldn't let me place orders from abroad. Volaris and Office Depot blocked me while not traveling because they thought that I was.

                              My old NYC office used to show up as Hanover, DE and my current one shows up as Toronto even though I'm in Dallas. My ISP's IP range seems to be registered in Canada.

                                gjacobse

                                It can be problematic of course... and you have IP spoofing.

                                Of the systems I have running, the piHole and private NextCloud systems are all I am concerned with.

                                Looking at the piHole logs today, I’m getting hammered from

                                Lavrov.in
                                The IP addresses vary.

                                  JaredBusch

                                  The best way to geo block is with ipset tool

                                  https://linoxide.com/linux-how-to/block-ips-country-ipset/

                                  1 Reply Last reply Reply Quote 1
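
The firewalld range blocking and the ipset approach mentioned in the posts above, as an added example that is not part of the thread or the linked article: it builds `ipset restore` input from a country CIDR list and refuses to build it if a range would cover one of your own management addresses, the false-positive risk raised earlier. The set name `geoblock`, the file names and every address (RFC 5737 documentation ranges, with 192.0.2.10 standing in for an admin host) are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): build `ipset restore` input from a
# country CIDR list, refusing ranges that would cover a management address.
# Set name, file names and all addresses are constructed (RFC 5737 ranges).

OCTET='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
CIDR_RE="^($OCTET\\.){3}$OCTET/([1-9]|[12][0-9]|3[0-2])\$"   # hash:net rejects /0

ip_to_int() {        # dotted quad -> 32-bit integer
  set -- $(echo "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

cidr_contains() {    # cidr_contains NET/BITS IP -> exit 0 when IP is in the range
  mask=$(( (0xFFFFFFFF << (32 - ${1#*/})) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "${1%/*}") & $mask )) -eq $(( $(ip_to_int "$2") & $mask )) ]
}

build_restore() {    # build_restore SETNAME CIDR_FILE ALLOW_IP... -> restore text
  set_name=$1 list=$2; shift 2
  echo "create $set_name hash:net family inet"
  while read -r cidr; do
    case $cidr in ''|'#'*) continue ;; esac             # skip blanks, comments
    echo "$cidr" | grep -Eq "$CIDR_RE" || { echo "bad entry: $cidr" >&2; return 2; }
    for ip in "$@"; do
      if cidr_contains "$cidr" "$ip"; then
        echo "refusing: $cidr covers management address $ip" >&2
        return 1
      fi
    done
    echo "add $set_name $cidr"
  done < "$list"
}

# Constructed sample standing in for a downloaded country range list.
ranges=$(mktemp)
printf '%s\n' '# constructed sample' 198.51.100.0/24 203.0.113.0/24 > "$ranges"
build_restore geoblock "$ranges" 192.0.2.10 > "$ranges.restore" &&
  cat "$ranges.restore"        # use the output only when the build exited 0
rm -f "$ranges" "$ranges.restore"

# On a real host, as root, the generated file is loaded and matched with:
#   ipset restore -exist < geoblock.restore
#   iptables -I INPUT -m set --match-set geoblock src -j DROP
# firewalld can hold the same ranges as one of its own ipsets:
#   firewall-cmd --permanent --new-ipset=geoblock --type=hash:net
#   firewall-cmd --permanent --ipset=geoblock --add-entries-from-file=ranges.txt
#   firewall-cmd --permanent --zone=drop --add-source=ipset:geoblock
#   firewall-cmd --reload
```

Passing the addresses you administer from as the trailing arguments makes a mislabelled range fail the build instead of locking you out after the rule is live.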
                                    Obsolesce

                                    Really, the only use for it is to check off a checkbox when you have to follow policy for laws as example. Like how Netflix or news sites do it for licensing or GDPR reasons for example. Then if people VPN to get by it's fine, u did ur part.

                                      JaredBusch @Obsolesce

                                      @Obsolesce said in Linux: GeoIP Blocking:

                                      Really, the only use for it is to check off a checkbox when you have to follow policy for laws as example. Like how Netflix or news sites do it for licensing or GDPR reasons for example. Then if people VPN to get by it's fine, u did ur part.

                                      Aside from the log noise as mentioned already, many systems have no need to be accessed outside of a small subset of addresses. There is no reason not to implement things like a geoblock.

                                      Web servers? Of course not.

                                        Obsolesce @JaredBusch

                                        @JaredBusch said in Linux: GeoIP Blocking:

                                        @Obsolesce said in Linux: GeoIP Blocking:

                                        Really, the only use for it is to check off a checkbox when you have to follow policy for laws as example. Like how Netflix or news sites do it for licensing or GDPR reasons for example. Then if people VPN to get by it's fine, u did ur part.

                                        Aside from the log noise as mentioned already, many systems have no need to be accessed outside of a small subset of addresses. There is no reason not to implement things like a geoblock.

                                        Web servers? Of course not.

                                        There are better ways to reduce log noise and access to your non-webserver public services as you mentioned than geoblock.

                                          marcinozga

                                          I use it in pfsense router. It works against script kiddies, bots/botnets, at least partially. It's just another layer of security. And like it was mentioned before, it reduces log noise, with almost no effort.
