Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Open Source Security

Should You Block Connections to Your Network From Foreign Countries? (linuxsecurity.com) 134

Slashdot reader b-dayyy quotes the Linux Security blog: What if you could block connections to your network in real-time from countries around the world such as Russia, China and Brazil where the majority of cyberattacks originate? What if you could redirect connections to a single network based on their origin? As you can imagine, being able to control these things would reduce the number of attack vectors on your network, improving its security. You may be surprised that this is not only possible, but straightforward and easy, by implementing GeoIP filtering on your nftables firewall with GeoIP for nftables.

GeoIp for nftables is a simple and flexible Bash script released in December of 2020 designed to perform automated real-time filtering using nftables firewalls based on the IP addresses for a particular region. In a recent interview with LinuxSecurity researchers, the project's lead developer Mike Baxter explained the mission of GeoIP for nftables, "I hope this project is beneficial to those who may not have the IT budget or resources to implement a commercial solution. The code runs well on servers, workstations and low-power systems like Raspberry Pi. The script has the built-in ability to flush and refill GeoIP sets after a database update without restarting the firewall, allowing servers to run uninterrupted without dropping established connections."

This article will examine the concept of GeoIP filtering and how it could add a valuable layer of security to your firewall, and will then explore how the GeoIP for nftables project is leveraging Open Source to provide intuitive, customizable GeoIP filtering on Linux.

This discussion has been archived. No new comments can be posted.

Should You Block Connections to Your Network From Foreign Countries?

Comments Filter:
  • No (Score:5, Insightful)

    by AmiMoJo ( 196126 ) on Sunday February 14, 2021 @11:39AM (#61062716) Homepage Journal

    You should block all unexpected connections.

    Country level is worthless against proxies anyway.

    • Re:No (Score:5, Informative)

      by thegarbz ( 1787294 ) on Sunday February 14, 2021 @11:45AM (#61062738)

      Most spam does not come from proxies. Simply blocking China / Russia from my website caused an approximate 90% reduction in attempts to get at my wordpress admin page (which isn't in the default location) and attempts to login via ssh (which only accepts certificate logins). That's not an insignificant security measure especially when it comes to what is traditionally dumb brute force attacks.

      But hey if you ever tell us how to identify what is expected and unexpected, let us know. Most people who think they can do this have on at least one occasion locked themselves out of their own network.

      • Re:No (Score:5, Informative)

        by AmiMoJo ( 196126 ) on Sunday February 14, 2021 @11:58AM (#61062770) Homepage Journal

        Stuff like fail2ban is better for that, not tied to any location.

        • Re:No (Score:5, Informative)

          by ehrichweiss ( 706417 ) * on Sunday February 14, 2021 @12:22PM (#61062852)

          Fail2ban is great and all but if you get some of the traffic I was getting where someone was clearly cycling through several /16's and what I think was an /8, you'll find fail2ban will either croak, or bring your machine to its knees. Preemptively banning countries can save you a whole lot of time babysitting your machine while fail2ban catches up. Fail2ban would have put 100,000 entries in iptables in the first few seconds for me. I only had to enter a few thousand entries to block all of that. Funny thing is, the main site that was getting all of this traffic was for, get this, a beekeeping association. The state has a link to their site and someone in Russia or China seems to think they can steal their credentials and use it to gain access to an account on one of the state's servers(they can't), and every year around election time the games begin. I didn't have to play that game this past year thanks to preemptive blocking.

          • Yeah. I'm an old security sysadmin and in my experience there are a LOT of scans / attacks coming from Russia and China. If you don't do business with people in those countries, blocking them is a simple way to greatly reduce the threats you have to actually deal with.

            It's kinda like having a police force doesn't prevent anyone from EVER robbing a bank, but compared to the number of robberies that happen when there aren't police protecting places it's a big improvement. See the looting that goes on wheneve

          • Re:No (Score:5, Funny)

            by Spitemaster ( 1232016 ) on Sunday February 14, 2021 @01:43PM (#61063136)

            the main site that was getting all of this traffic was for a beekeeping association.

            What? You've got a honeypot and you're complaining that people are connecting to it?

          • Re:No (Score:5, Interesting)

            by imidan ( 559239 ) on Sunday February 14, 2021 @04:25PM (#61063652)
            I agree. What I do on my servers is permaban large IP ranges for China, Russia, and Eastern Europe, then let fail2ban pick up the stragglers. Easily 99% of my malicious traffic is from that part of the world, and I don't have reason to expect legitimate traffic from them. By blocking large groups of IPs, I keep the rules simple and keep the workload down on parsing iptables and on fail2ban.
            • by trawg ( 308495 )

              Do you have a range list you can share? I've been wanting to do this for a while for the exact reason described by another poster above - my fail2ban lists are huge after only a few days of operation.

              • by imidan ( 559239 )

                Based on your question, I went back and looked at my iptables config. My original source for the IP ranges no longer exists, so mine are out of date. In fact, fail2ban has blown up my iptables rules. It took more than a minute to run iptables --list. So my approach is no longer as successful as it once was. There used to be a site that not only had good geographic blocking ranges, but managed to combine them into a relatively small number of rules. Now, the best I can find puts China, Russian Federation, an

                • The efficient way to do this is to use "ipset" to deal with many entries in just one iptables rule. It keeps your rule set tidy and is far faster than a list of iptables rules. Ipset uses hashtables for nearly instant lookups in arbitrarily large sets of addresses or CIDR-ranges. Read up on it and then go to https://github.com/firehol/blo... [github.com] if you're looking for curated blacklists.

                • by trawg ( 308495 )

                  Thanks for checking. I'll have a poke around, I'm sure there are several lists that are decently maintained somewhere.

          • Fail2ban is great and all but if you get some of the traffic I was getting where someone was clearly cycling through several /16's and what I think was an /8, you'll find fail2ban will either croak, or bring your machine to its knees. Preemptively banning countries can save you a whole lot of time babysitting your machine while fail2ban catches up. Fail2ban would have put 100,000 entries in iptables in the first few seconds for me

            Good lord please tell me fail2ban has enough sense to use ipsets.

          • Yeah, F2B needs a "if more than X on a /24, then ban the whole /24" - that would cut the number of IPs a lot. I guess then "if more than X /24s on a /16, then ban the whole /16" would help in the more extreme cases. I guess you could generalise with /32s up to /16s too - something like "if more than X% of a /Y is banned then ban the whole thing.

            FWIW, I did a whole lot of looking into this a few years ago - it seems the spammers do indeed have a lot of contiguous IP addresses at their disposal.

        • Indeed it is. Fail2ban is how I know 90% of my traffic originated in China and Russia. Now my weekly logs are 90% smaller.

      • Re:No (Score:5, Interesting)

        by plate_o_shrimp ( 948271 ) on Sunday February 14, 2021 @12:00PM (#61062778)

        Most spam does not come from proxies. Simply blocking China / Russia from my website caused an approximate 90% reduction in attempts to get at my wordpress admin page (which isn't in the default location) and attempts to login via ssh (which only accepts certificate logins). That's not an insignificant security measure especially when it comes to what is traditionally dumb brute force attacks.

        Exactly. I got tired of the non-stop brute-force attacks on my ssh login so I've blocked all connection attempts not from my country. Not that they'd have gotten in anyway, like you I allow on certificate logins. But I got tired of the noise in my logs. Now it's a trickle.

        Even if geofiltering won't eliminate risk, a reduction is still a reduction.

        • by Bert64 ( 520050 )

          You're right, unless you have configured things very badly these attempts will just amount to noise and wasted resources rather than any actual threat. I used to see some ssh brute force attempts that exceeded the ability of sshd to process new connections, making it impossible to log in.

          I now only have SSH enabled over IPv6, and have a separate IP for the admin interface (with SSH) vs the public facing interface (ie HTTP) since IPs are plentiful... I haven't seen any noise in the logs as noone has worked o

        • by edis ( 266347 )

          If this is within reach to be implemented, there is no doubt about such a routine being plain common sense security fundamental.

        • I actually got a static IP for my administration machine so I could prevent attacks on my ssh login entirely by locking out all other IPs than my own. If I need to connect remotely I tunnel through my system.

      • PROTIP: Those are not the "hackers" that will be a threat to you. The ones you need to do something about, use smarter means than straight up dictionary attacks.

      • Re:No (Score:4, Informative)

        by ArmoredDragon ( 3450605 ) on Sunday February 14, 2021 @01:46PM (#61063142)

        At my company, we had a public facing server get hit by a zero day exploit. The exploit kit was able to get userland access, but in the end it failed to get anywhere because our geoblocking had prevented it from being able to establish command and control with a server somewhere in China.

        Although they had used some kind of a proxy to deliver the exploit, ultimately their proxy must not have been suitable to relay information back to them.

        So yes, yes, yes, and yes, absolutely 100% for sure, have geoblocking in place. Anywhere that you can interrupt the kill chain in a cyberattack is good, even if it's not in the early stages.

        Fortunately the server didn't really have anything in the way of sensitive data stored on it, and they didn't have root access, but it nonetheless could have been used as a pivot point for further attacks within the DMZ.

      • by larwe ( 858929 )
        Enh. Yeah, OK, that might be true now. And it would only be true because the script kiddies and real threats in those countries don't NEED to go to the trouble of routing their bad traffic through "safe" geoIPs. This is exactly a case of "if you build a dam, the water will come through at the next point of least resistance". Geoblocking is a quarter of a band-aid at most, and it only works _now_ because most people aren't doing it. If it becomes a standard feature, then all the bad guys will up the ante imm
      • That is what I did. I blocked all Russia, China, India, and "pacific ream" sites from connecting to my server. Attempts to hack my system dropped to nothing.

      • I had a similar experience.

        I was getting scanned on port 22 at least 2-5 times a day. I blocked the approximate Russia and China subnets and the scans almost dropped to zero. Another thing that helped was to listen on a non-standard port. I very seldom saw a thorough port scan.

      • Wordfence shows me most admin hack attempts come from foreign countries, and it turns out I get virtually NO legitimate traffic from those countries. If I blocked them outright I would perhaps deny .5% of visitors, a few VPNs, and 90+% of my attackers.

        Until they figured out they were being blocked, and then they would move their business into non-blocked, North American, Western Europe, the more US-friendly Asian hosts.

        I think I'd rather figure out how to divert these scumbags into an unwritable honeypot. A

    • This. Attacks may originate in some specific countries but most attackers that might target your personal network is likely probing for openings using a botnet of proxies all over the world ( and if you get hit chances are your machines will join that botnet ).

    • Country level blocks do have value, but there're only a small piece in the overall puzzle.

      Sure, they won't stop targeted attacks ( as you mentioned, proxies ), but they will lessen the chatter you get from drivebys. Combined with things like non-standard port numbers ( where applicable ), rate limiting, and other defensive tools, they do help.

      On top of all of that, a significant number of phishing sites are hosted in Russia and China, so by blocking them at the parameter I reduce my user's risks.

      • Country level blocks do have value, but there're only a small piece in the overall puzzle.

        I'll take as many small pieces as I can get. I finally was able to move my server behind a physical firewall and that stopped all that. Now if I could only block phone calls from India I would be good.

    • Blocking US networks from trying to deliver e-mail reduced my spam by over 87%. Blocking US http/s and ssh reduced scans and attacks by even more.

      I could do fine-grained control and filtering, but it isn't worth the bother.

      Google and a few more deliver from local servers, and that's most legit network traffic that's going out of the US anyway.

    • Yes, this. I run a home network with services that need to be accessible from outside the network, so it's much simpler than an enterprise network. I block all external IPs across multiple open ports using fail2ban (they get one shot at connecting and then are banned forever). There might be a better way to do that, but given my setup and home router, that works for me.

      The only incoming connections are through a VPN, and authentication requires a certificate on the client device. All services allow traffic

    • Country level is worthless against proxies anyway.

      If it's another country the proxy is in then you certainly have a gain. And when it comes from within your own country then whoever runs the proxy and assists criminals can get prosecuted more easily. You may not get the criminals behind the proxy, but you can get the proxy owner and that's worth something.

      But you're right of course and it's generally a stupid idea to block connections based on country when everything should be blocked unless there is a very good reason not to.

      To make this about countries i

    • by gweihir ( 88907 )

      That sums it up nicely.

      The question asked demonstrates a complete non-understanding of the problem though.

    • As admin of place that has hundreds of servers, 95% the bad stuff comes from list of countries most places in USA could safely block, if they're using proxy it's from some other 3rd world toilet that also can be blocked. Cleaner logs, much less spam, much less attacks of all types makes it a very worthwhile practice.

    • You should block all unexpected connections.

      Agreed, if only everyone complied fully with the provisions of RFC3514 the Internet would be a much safer place.

      Country level is worthless against proxies anyway.

      Exactly, good enough is the same as doing nothing cuz after all good enough != perfect.

      Filtering systems like Pi-hole are worthless against IP literals AND proxies so don't waste your time.

      Shit gets thru spam filters so better to manually filter hundreds of shitmails per day because filters are not perfect.

      And we all know AV is worthless against unknown signatures "anyway".

    • You should block all unexpected connections. Country level is worthless against proxies anyway.

      Russia and China seem like great places for proxies, not much cooperation with US law enforcement. I imagine most of the probing from these locales are proxies not "state sponsored" or anything dramatic.

  • Depends (Score:4, Insightful)

    by thegarbz ( 1787294 ) on Sunday February 14, 2021 @11:41AM (#61062730)

    Do you gain any value from connections from said country? Is it likely to affect your business income?

    • by mhkohne ( 3854 )

      There are FAR too few IT organizations that ask themselves questions like this before they start flipping switches and applying new methods of deciding not to let stuff on their network (I spent some time helping track down the issue with an IT department that kept over-tightening their internal firewalls to the point that the gear they bought from us wouldn't work. Great work, guys!

      • by edis ( 266347 )

        Hey, security-wise, you are proper to start from the utmost necessity. That's professional.
        Thanks for your help.

    • On SSH ports? No.

      SMTP and HTTPS? Yes.

      It doesn’t have to be an all or nothing proposition.

  • by redelm ( 54142 ) on Sunday February 14, 2021 @11:42AM (#61062734) Homepage

    Of course you need to geoblock hostile areas, like those that produce carbon-polluting oil, Saudi Arabia and Texas.

  • Sophos SG and XG routers have this as an option as well. We've set it up to block incoming connections from IPs in other continents and it helps with spam, brute-force, and probe attacks.

    That said, every once in a while we get a random "how come we can't get mail from X", where X turns out to be a local small business whose marketing company set up their web and mail on Cheapest Hosting Ever, in some random foreign country. Or "Bob is on vacation in ForeignCountry and can't VPN in."

    So, depending on sc
    • Sophos SG and XG routers have this as an option as well. We've set it up to block incoming connections from IPs in other continents and it helps with spam, brute-force, and probe attacks. That said, every once in a while we get a random "how come we can't get mail from X", where X turns out to be a local small business whose marketing company set up their web and mail on Cheapest Hosting Ever, in some random foreign country. Or "Bob is on vacation in ForeignCountry and can't VPN in." So, depending on scale, the upkeep for exceptions may or may not be worth it.

      Or "SiteGround's headquarters is in Eastern Europe, so we need to block their Chicago IPs for er some reason ... "

    • You also rely on your provider, namely Sophos to keep up with the IP block trading. Blocks are now traded and a block which was originally allocated to country A may end up in country B.

      Generally, the most common geo blocking setups are based on a propaganda view which is being promoted very heavily. They block out China and Russia as the "horrible hostiles". They still emit threats, but they are way down the list.

      Lat Am, Philipines, Malaysia, etc produce orders of magnitude more SPAM and have orders of

  • Wait, I am still trying to come to terms with the fact that US passport now lets me enter as many countries as one from Somaliland. Let me get used to total isolation in small steps, please, before we fully cut off from the world and live happily within these here borders.

  • From the Dept of Duh (Score:4, Interesting)

    by JustAnotherOldGuy ( 4145623 ) on Sunday February 14, 2021 @11:58AM (#61062766) Journal

    "Should You Block Connections to Your Network From Foreign Countries?"

    Unless they're needed, hell yes. Why is this even a question?

    This is on the same level as, "If you set yourself on fire, should you extinguish the flames?"

  • Completely useless. Most large attacks are spoofed or if the attackers target you specifically they will just attack from a country you allow.
  • It is the same logic as blocking all people from the USA "because Trump", and actually, also the same logic as "all Jews ...".

    Block by the actual group that is bad. Not by some random group that us much bigger, just because you're too lazy to be specific.

    The actual group is defined by the experiences you have with it. Aka its behavioral patterns.
    E.g. do not ban everyone from driving fast. Ban people who cannot handle driving that fast on that road from driving fast.

    Which is analogous to not using anti-virus

    • For spam, a simple greylist works wonders. (Think of it as a CAPTCHA for actual human mail clients.)

      A amavisd offers enough behavioral patterns to block.
      What's left over, is easily filtered with a bit of bayesian filtering and giving a bonus to known e-mail adresses.

      Also great are e-mail adress tokens. As in, your adress following the pattern user.hash@server where the hash is based on who you are giving the adress to. E.g. base128(sha256("slashdot.org")).
      You can then mark all mails without any (valid) hash

    • Comment removed based on user account deletion
    • by imidan ( 559239 )

      Block by the actual group that is bad. Not by some random group that us much bigger, just because you're too lazy to be specific.

      Okay. You go ahead and create the global list of specific IP addresses that generate malicious traffic. We'll wait. In the meantime, we'll be using geoblocking because we value our time and are perfectly aware that nobody in China has any legitimate reason to be attempting an ssh connection to our servers.

  • by Alain Williams ( 2972 ) <addw@phcomp.co.uk> on Sunday February 14, 2021 @12:05PM (#61062796) Homepage

    If you have some malware inside your network then it may try to contact a command & control machine or send reports/files/... back to its home. So blocking outgoing is as important as incoming.

    This will cause problems until you have got a list of external sites that you regularly talk to. Consider having a machine outside of this protection that people can use if they need to contact an exception. Also your email server might be outside of this as well.

    Consider: what are you protecting, how much pain is it worth ?

    Finally: have good, tested backups.

  • Lately, our RDP server has become overrun with requests from a data center in Russia and a provider in Canada. They've been attempting RDP connections with an average of one per second. Each failed connection creates a defunct process which quickly accumulates to thousands of procs and prevents all future connections until the RDP service is restarted. I'm going in today to aggressively block these subnets and I have no problem if a few legit users get blocked - I can make exceptions for them when necess
    • > Each failed connection creates a defunct process which quickly accumulates to thousands of procs and prevents all future connections until the RDP service is restarted.

      That's surely a problem with RDP, not with people attempting to connect to it.
  • I don't want geo blocking for all ports, just most. No matter who and where you are, if we're in the same bittorrent swarm, then we are brothers in at least one way. But yeah, keep away from my ssh and openvnp ports, brother.

  • If you log into the admin console for Alibaba Cloud (China's AWS) and other hosting providers in China, they all have a button "Block foreign connections". They've had this for at least 5 years. Previously, you couldn't shop the real Taobao (China's Amazon.com) site unless you were coming from a Chinese IP address. Not sure if that is still true.

    For foreigners in China, this ends up leading to some weird logic. You have a lot of Americans/Europeans hitting your website in China. They are inside China su

  • I was spending some time in Thailand, and going nuts because websites I needed to access geoblocked. Home Depot was the most annoying one— I needed to order a bunch of things for when I returned. I had a VPN though to home and work, so it was easy to bypass.

    It is much more effective to compartmentalize things than block entirely— you never know when that foreign connection is actually important. Isolate unexpected users to a separate system with less power and features, and wipe it regularly.

  • by philmck ( 790785 ) on Sunday February 14, 2021 @12:36PM (#61062926) Homepage

    One person's "foreign" is another person's "home sweet home". I'm guessing the OP is in the USA, and a high proportion of cyberattacks actually originate there (which makes sense, considering the high proportion of internet-connected computers). So blocking "foreign" attacks isn't going to solve the problem, just delay it a bit.

    For someone like me outside the USA, blocking that whole country doesn't make much sense, even though we know it sure as hell can't be trusted! It would mean blocking Google, Facebook...hmm, perhaps I'd better stop before I convince myself to try it.

    Also, my webserver isn't in my country (I'm in London, the server's in Europe, which used to be the same country but sadly no longer). So I would have to change hosts to achieve this.

    Russia, China and Brazil together have a MUCH higher population than the USA. That naturally means they also have more criminals (though quite possibly a lower proportion). So by blocking such "foreigners" you would cut yourself off from the majority of humanity. I know some people consider that an attractive idea, but I'm not one of them.

  • by reanjr ( 588767 ) on Sunday February 14, 2021 @12:44PM (#61062952) Homepage

    I have consciously made the decision to let Chinamen brute force my SSH logins. I'm not super worried about these sorts of automated attacks. What concerns me more is private networks that assume traffic is ok if it's coming from inside the network. Traffic needs to be authorized regardless of where it comes from.

  • If its a private website,shell of any kind or service of any kind that people outside the network shouldn't be accessing tcpwrappers is your friend... in hosts.deny block everyone, in hosts.allow allow anyone that needs access. Problem solved, no need to blocking whole countries, the internet was built on the foundation of free access of information for all, not the select.

    Learn how to use Linux the way it was meant to be used, the older tools (tcpwrappers, netfilter, ebtables) work, learn how to use them

  • by Wolfier ( 94144 ) on Sunday February 14, 2021 @02:09PM (#61063216)

    Instead, show them different contents. So their governments will block it for us.

  • by TheNameOfNick ( 7286618 ) on Sunday February 14, 2021 @02:58PM (#61063344)

    Every time someone tries to log into my Wordpress, which doesn't exist, another IP address block gets added to an ipset which drops all inbound connections at the firewall. I don't care what country you're from, if you allow people to scan for vulnerabilities from your cloud, your address space is added to the list, forever. I have address space from China Telecom and Tencent in there along with Amazon, Google, Microsoft, Linode, OVH and others. BTW, getting a Let's Encrypt certificate attracts these assholes like shit attracts flies. Yay certificate transparency!

    This will end up like the reverse situation with mail servers: You can't send mail from residential ip address space and expect it to get through. Eventually you won't be able to access the web from data center address space.

    • by trawg ( 308495 )

      I have often thought about trying to build a distributed honey pot thing that faked a WordPress site that a few trusted people could run to generate q ban list. I ban hundreds if not thousands of IPs a week simply from a small handful of inconsequential hobby and test sites. The background radiation of hacking attempts for WordPress is staggering.

  • by Misagon ( 1135 ) on Sunday February 14, 2021 @03:28PM (#61063448)

    IP address ranges sometimes change country, and the GeoIP database you subscribe to may lag behind a bit.
    Therefore, be aware that you could both have some false positives and some false negatives.

    • yet the volume of unwanted traffic will still fall 95%. there isn't a downside to blocking whole regions of the earth one has no dealings with and that only are a source of attacks on your business or personal server.

  • It depends on your business, and who's responsible for what. If you're running e-mail inside your own network you're weighing the protection you get from a "nuke 'em all" approach vs. the possibility that you might get some legit new customers from outside your country. If e-mail is outside your firewall then it's the provider's problem and you just have to worry about malware in the e-mail content.

    The list goes on. There's no pat answer.

  • But welcome to circa 20 years ago when OpenBSD PF had the "tables" feature.

    table china file "/etc/geoip/china"
    block in from

    I've always been baffled why Linux didn't adopt PF as well. The rule grammar is so much more readable than iptables.

  • by nuckfuts ( 690967 ) on Sunday February 14, 2021 @05:46PM (#61063856)

    TFA makes this sound like something that's just become available. In fact geo-blocking has been an option for years now.

    This has not always been possible, however. I can recall obtaining an IP address block back in the 1990's. Back then, IP blocks were allocated with no regard to geographical location. As the Internet grew, this had the effect of requiring larger and larger routing tables, which started to approach the limits of what many routers could handle. So IP address blocks were gradually reorganized in a more hierarchical manner, which takes into account geographical locations. As a side-effect, one could then start associating IP addresses with their geographical origin.

  • You mean like Texas?

If I'd known computer science was going to be like this, I'd never have given up being a rock 'n' roll star. -- G. Hirst

Working...