Best way to do country bans using a FreeBSD firewall?

All, I know this is a 5-year-old thread and this is some serious necromancy reviving it. But I was recently looking for quick and easy ways to do this myself, and this thread is the #1 Google hit. Inspired by the thread and a boring Sat night, I went away and wrote a Perl script that will do exactly this, "block bad countries based on lists of IP blocks pulled from ipdeny.com", which can be run manually or as a cron job. And because I'm a masochist I made it work for IPFW and PF on FreeBSD and iptables on Linux, as well as ipset, because iptables sucks on its own. The only major consideration is changing the Perl location in the first line of the script for Linux.

Tested on FreeBSD 10.3 with pf and ipfw, and Ubuntu 16 with iptables.

I've thrown it up on GitHub and am adding this here in case anyone else ends up here and wants a quick, easy, dirty way to do this. The project is on GitHub here: https://github.com/KaiLoi/update-fw-BC

Enjoy
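The same idea in POSIX shell, as an added example that is not the poster's update-fw-BC script: merge ipdeny "aggregated" zone files for a list of country codes into one pf table file, validating every entry before it goes anywhere near the firewall, then (optionally) swap it into the live table with `pfctl -T replace`. The paths, the table name `geoblock`, the `<cc>-aggregated.zone` file layout and the sample zone contents are all assumptions for this example; fetching the files from ipdeny.com is left to the same cron job so the script itself runs offline.

```shell
#!/bin/sh
# Added example (not the thread's update-fw-BC script): build a pf table file
# from ipdeny "aggregated" zone files and, optionally, load it with pfctl.
#
# Assumed layout: $ZONE_DIR/<cc>-aggregated.zone, one IPv4 CIDR per line, as
# ipdeny publishes them; fetching the files (fetch/curl in the same cron job)
# is left to the caller so that this runs offline. Every entry is validated
# first, so a truncated or tampered download cannot put garbage into the live
# table, and a stray 0.0.0.0/0 cannot lock you out of your own box.

ZONE_DIR="${ZONE_DIR:-/var/db/geoblock/zones}"            # assumed path
TABLE_FILE="${TABLE_FILE:-/var/db/geoblock/blocked.txt}"  # assumed path
TABLE_NAME="${TABLE_NAME:-geoblock}"                      # assumed pf table name
MIN_PREFIX="${MIN_PREFIX:-8}"   # nothing wider than a /8 is a country allocation

# is_cidr4 CIDR: succeed only for a well-formed IPv4 prefix a.b.c.d/n.
is_cidr4() {
    case "$1" in */*) ;; *) return 1 ;; esac
    ip=${1%%/*}; pfx=${1#*/}
    case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    case "$ip" in ''|.*|*.|*..*) return 1 ;; esac
    IFS=. read -r o1 o2 o3 o4 extra <<EOF
$ip
EOF
    [ -n "$o4" ] && [ -z "$extra" ] || return 1
    for octet in "$o1" "$o2" "$o3" "$o4"; do
        case "$octet" in *[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_table ZONE_DIR OUT_FILE CC...: merge the listed countries' zone files
# into OUT_FILE (sorted, de-duplicated) and print the number of prefixes kept.
build_table() {
    zone_dir=$1; out=$2; shift 2
    tmp="$out.tmp"
    : > "$tmp"
    for cc in "$@"; do
        zone="$zone_dir/$cc-aggregated.zone"
        if [ ! -r "$zone" ]; then
            echo "warning: no zone file for '$cc' ($zone), skipping" >&2
            continue
        fi
        # tr strips CRs so a zone file saved with CRLF endings still parses
        tr -d '\r' < "$zone" | while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in ''|'#'*) continue ;; esac
            if ! is_cidr4 "$line"; then
                echo "warning: $cc: dropping malformed entry '$line'" >&2
            elif [ "${line#*/}" -lt "$MIN_PREFIX" ]; then
                echo "warning: $cc: dropping implausibly wide entry '$line'" >&2
            else
                printf '%s\n' "$line" >> "$tmp"
            fi
        done
    done
    sort -u "$tmp" > "$out"
    rm -f "$tmp"
    wc -l < "$out" | tr -d ' '
}

# load_table: atomically swap the live table's contents for the file. Needs
# root and a running pf; refuses an empty file rather than silently unblocking.
# pf.conf lines that consume the file (the table survives `pfctl -f` reloads):
#   table <geoblock> persist file "/var/db/geoblock/blocked.txt"
#   block in quick on $ext_if from <geoblock> to any
# ipfw equivalent with a numbered table and the same file:
#   ipfw table 1 flush; awk '{print "table 1 add", $1}' blocked.txt | ipfw -q /dev/stdin
#   ipfw add 100 deny ip from 'table(1)' to any in via $ext_if
load_table() {
    [ -s "$TABLE_FILE" ] || { echo "refusing to load empty $TABLE_FILE" >&2; return 1; }
    pfctl -t "$TABLE_NAME" -T replace -f "$TABLE_FILE"
}

# Constructed sample zone files so the script can be exercised offline: RFC 5737
# documentation ranges plus the kp block mentioned in the thread, with a comment,
# a blank line, CRLF endings, a duplicate and bad entries mixed in on purpose.
make_sample_zones() {
    mkdir -p "$1"
    printf '%s\n' '# constructed cn sample' '192.0.2.0/25' '192.0.2.128/25' '' \
        '198.51.100.0/24' > "$1/cn-aggregated.zone"
    printf '%s\r\n' '203.0.113.0/25' 'not-a-cidr' '203.0.113.0/25' '300.1.1.0/24' \
        '0.0.0.0/0' '203.0.113.128/25' > "$1/ru-aggregated.zone"
    printf '%s\n' '175.45.176.0/22' > "$1/kp-aggregated.zone"
}

# Stand-alone run: build from the sample data in a temp dir; set LOAD=1 to
# also push the result into pf (the 'xx' code shows the missing-file warning).
demo_dir=$(mktemp -d)
make_sample_zones "$demo_dir/zones"
count=$(build_table "$demo_dir/zones" "$demo_dir/blocked.txt" cn ru kp xx)
echo "kept $count prefixes:"; cat "$demo_dir/blocked.txt"
if [ "${LOAD:-0}" = 1 ]; then
    TABLE_FILE="$demo_dir/blocked.txt" load_table
fi
```

In production the cron job fetches each `<cc>-aggregated.zone` into `$ZONE_DIR`, runs `build_table` and then `load_table`; the `persist file` table line in pf.conf means the table is also repopulated from the file on a full ruleset reload. Because of the geolocation caveats raised later in this thread, check a few addresses you must never block against the live table with `pfctl -t geoblock -T test <address>` before trusting a new list, and keep your own management netblocks in a separate pass rule that sits above the block.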
 
Just be aware that perfect geolocation of IP addresses is actually impossible, i.e. 100% of the data sets out there have errors in them. The errors come from things like a multinational enterprise or ISP which has, for example, admins in Germany who manage the numbers but deploys them all round Europe. They have essentially no real obligation to publish even per-country-accurate current information in whois databases, as long as the contact info is valid and they are not camping on unreasonably large chunks of space.

I've even seen extreme examples of (not hijacked, as far as I could tell) California-registered net blocks being used in China. My personal IPv4 netblock, with accurate whois, routinely geolocates as the wrong country. An old work CIDR always geolocated as the wrong country (apart from the subset of users actually at that location), as it was a single whois entry for the whole of Europe (but various national ISP connections from a global private WAN).

You can just about reliably geolocate to one of: North America, South America, Europe, Africa, Asia-Pacific. (I've missed one out there, I'm sure; it's the top-level NICs.) Even those are not 100% due to some legacy allocations from the InterNIC days.
 
North Korea is easy; you won't even need a table for blocking. They got assigned only one IPv4 block: 175.45.176.0/22. Kim has approx. 1,000 friends with world access; the rest of the country is completely free -- at least free of internet distortion, and they may freely focus on the essence of life.
 
Murph: Yeah, that's always true, but this script has seriously decimated the hacking attempts against my server. My IDS has gone from raising alerts every 5 min for probe attempts to NONE in the last 4 days. Not one. I'm blocking most of the "top 10 hacking countries" (other than the US) listed here http://www.govtech.com/security/204318661.html with Ukraine added.

Nothing is perfect (as it says in the readme of the script). But a lot of internet and online security is about making yourself "less of a target than that guy over there", and so much of modern intrusion and hacking is based on automated scripts running from one of these countries scouring the net for vulnerable hosts.

If someone is targeting you specifically then there is generally little you can do. But for the "random scans catching my 0-day exposed daemon, until I can get it patched" I cannot recommend blocking the worst sources enough.

Just my 2c worth and why I wrote this.
 
Kai: Yup, I do actually have some limited per-country stuff in my PF rules. I send certain countries and ISPs into an SMTP blacklist tarpit (particular countries/ISPs that I believe will not ever have any legitimate email to send to my servers). I don't bother with it for any other services right now, preferring dynamic blacklisting through PF's rate limits, fail2ban, and similar, plus occasional manual blacklisting of specific netblocks here and there.

I just feel it's worth making sure that anyone reading does understand that the data always has errors, and that the design of IP and the management of the address allocations make perfect geolocation impossible; so it must be used with appropriate caution/knowledge, and the risk/consequences of both false positives and false negatives need to be understood. My guess would be that accuracy is probably better than 90% of NIC-registry CIDR netblocks, but that up to (maybe) 10% has the potential to create pain for someone if they were not expecting it.
 
That's fair. For me, I had so many attempts going on that it made my intrusion detection systems just total white noise. This has brought it down to a level where, when any of the systems decides to email me with a "this is suspicious", it's usually now worth having a quick look at. And also I'm more likely to be alerted to a new attack vector or probe that would have been lost in the noise previously. I also use a combo of things like OSSEC, fail2ban etc., as well as regular patching and updates. The script really just throws a big old blanket over the whole thing that keeps most people from looking under it to see what's there. :p
 