Linux: GeoIP Blocking

scottalanmiller

@gjacobse said in Linux: GeoIP Blocking:

Makes sense-
And stepping back almost ten years and PRE-Mangolassi/NTG, why it wasn’t working on the Untangle Box I had running.

Now, I have more experience, exposure and use with Linux.. and logically- even then I knew that if someone wanted access bad enough, they’d find a way... nothing is secure unless it’s off, unplugged, and non-physical.

GeoIP blocking isn't totally bad, you just have to be realistic and weigh the value vs. the effort and risk. If it's for a system only you access and you are confident (or accepting) that you won't be blocked for showing up as something unintended then whatever, go for it. We've got systems that we lock down 100% and just pinhole to management systems with a whitelist. GeoIP would be less restrictive in that case. So you can totally make it work.

But if you are talking a website and you might be turning away customers without realizing it, it's generally pretty bad. I've had lots of companies refuse my business (Target, Office Depot, Volaris) because they mistakenly (or intentionally) felt that wherever I was made me a person that they didn't like and wouldn't do business with.

1337

@scottalanmiller said in Linux: GeoIP Blocking:

@gjacobse said in Linux: GeoIP Blocking:

Makes sense-
And stepping back almost ten years and PRE-Mangolassi/NTG, why it wasn’t working on the Untangle Box I had running.

Now, I have more experience, exposure and use with Linux.. and logically- even then I knew that if someone wanted access bad enough, they’d find a way... nothing is secure unless it’s off, unplugged, and non-physical.

GeoIP blocking isn't totally bad, you just have to be realistic and weigh the value vs. the effort and risk. If it's for a system only you access and you are confident (or accepting) that you won't be blocked for showing up as something unintended then whatever, go for it. We've got systems that we lock down 100% and just pinhole to management systems with a whitelist. GeoIP would be less restrictive in that case. So you can totally make it work.

But if you are talking a website and you might be turning away customers without realizing it, it's generally pretty bad. I've had lots of companies refuse my business (Target, Office Depot, Volaris) because they mistakenly (or intentionally) felt that wherever I was made me a person that they didn't like and wouldn't do business with.

Geo blocking sucks when you are traveling.

Dashrender

I geo block email from outside the US, and over the past few years this has started to bite us. So many companies are using 3rd party senders that come from outside the US. That said, it still keeps most of the non english stuff at bay.

scottalanmiller

@Pete-S said in Linux: GeoIP Blocking:

@scottalanmiller said in Linux: GeoIP Blocking:

@gjacobse said in Linux: GeoIP Blocking:

Makes sense-
And stepping back almost ten years and PRE-Mangolassi/NTG, why it wasn’t working on the Untangle Box I had running.

Now, I have more experience, exposure and use with Linux.. and logically- even then I knew that if someone wanted access bad enough, they’d find a way... nothing is secure unless it’s off, unplugged, and non-physical.

GeoIP blocking isn't totally bad, you just have to be realistic and weigh the value vs. the effort and risk. If it's for a system only you access and you are confident (or accepting) that you won't be blocked for showing up as something unintended then whatever, go for it. We've got systems that we lock down 100% and just pinhole to management systems with a whitelist. GeoIP would be less restrictive in that case. So you can totally make it work.

But if you are talking a website and you might be turning away customers without realizing it, it's generally pretty bad. I've had lots of companies refuse my business (Target, Office Depot, Volaris) because they mistakenly (or intentionally) felt that wherever I was made me a person that they didn't like and wouldn't do business with.

Geo blocking sucks when you are traveling.

Yeah, like crazy. But the Target one of those is the only one that burned me and wouldn't let me place orders from abroad. Volaris and Office Depot blocked me while not traveling because they thought that I was.

My old NYC office used to show up as Hanover, DE and my current one shows up as Toronto even though I'm in Dallas. My ISP's IP range seems to be registered in Canada.

gjacobse

It can be problematic of course... and you have IP spoofing.

Of the systems I have running, the piHole and private NextCloud systems are all I am concerned with.

Looking at the piHole logs today, I’m getting hammered from

Lavrov.in
The IP addresses vary.

JaredBusch

The best way to geo block is with ipset tool

https://linoxide.com/linux-how-to/block-ips-country-ipset/

Obsolesce

Really, the only use for it is to check off a checkbox when you have to follow policy for laws as example. Like how Netflix or news sites do it for licensing or gdpr reasons for example. Then if people VPN to get by its fine, u did ur part.

JaredBusch

@Obsolesce said in Linux: GeoIP Blocking:

Really, the only use for it is to check off a checkbox when you have to follow policy for laws as example. Like how Netflix or news sites do it for licensing or gdpr reasons for example. Then if people VPN to get by its fine, u did ur part.

Aside from the log noise as mentioned already, many systems have no need to be accessed outside of a small subset of addresses. There is no reason not to implement things like a geoblock.

Web servers? Of course not.

Obsolesce

@JaredBusch said in Linux: GeoIP Blocking:

@Obsolesce said in Linux: GeoIP Blocking:

Really, the only use for it is to check off a checkbox when you have to follow policy for laws as example. Like how Netflix or news sites do it for licensing or gdpr reasons for example. Then if people VPN to get by its fine, u did ur part.

Aside from the log noise as mentioned already, many systems have no need to be accessed outside of a small subset of addresses. There is no reason not to implement things like a geoblock.

Web servers? Of course not.

There are better ways to reduce log noise and access to your non-webserver public services as you mentioned than geoblock.

marcinozga

I use it in pfsense router. It works against script kiddies, bots/botnets, at least partially. It's just another layer of security. And like it was mentioned before, it reduces log noise, with almost no effort.