Banning country on root level?

[Klen]

Is it possible to ban entire country ip rang on root level(for entire dedicated server)?

[SmokeyTheBear]

anything is possible if you try ..

well at least thats what they tell you in school.

so i tried to toss my teacher off the roof , but it didnt work .. those liars.

p.s. yes its possible.. well kinda.. you wont get everyone obviously but..

p.s.s. why would you want to ban an entire country ?

[scottybuzz]

one reason may be that for example he cant convert chinese traffic to save his life, so instead of them leeching bandwidth, klen simply wants to not allow them to enter.

[[ScreaM]]

There was a good site that had all the IP ranges. I don't have it coz I lost all my bookmarks.

Anyone?

[rowan]

You can ban by registrar range but they usually cover such a wide geographical area that it's impractical.

Case in point: many people ban 202.* and 210.* because they're "asian" IPs, however these ranges are also allocated to Australian and New Zealand ISPs.

[Klen]

I want to ban country Turkey beacuse hackers from there third time penetrated into my server and causing me damage(since i have tgp sites where every second of downtime/unavaibility is disaster)

[rowan]

Banning Turkish IPs won't stop hackers, they'll just find an open proxy or zombie machine from a non banned area.

[Klen]

Quote:

Originally Posted by rowan

Banning Turkish IPs won't stop hackers, they'll just find an open proxy or zombie machine from a non banned area.

Funny you replied,sloth trader is a security hole which they used to penetrate.
I know they can use proxy,but if i redirect their ip to some "Alah" site they could think i have "proper" site.

[GrouchyAdmin]

The easiest bandaid way would be to use mod_geoip and the free country database by MaxMind.

A slightly better solution would be to extract the IP ranges for this, and ban it at the server.

A much better solution would be to decide why you'd want to ban an entire country instead of finding someone who can use that traffic, and offering for a trade.

[chaze]

Yeah maxmind is your best bet, but the issue is that the ip's can get resold to anywhere in the world after a business loses them.

so scammers wait for them to drop and grab them so they can seem from a different location.

[raymor]

Doing lookups on each IP that hits your server could get VERY expensive in
terms of resource usage. Instead I would look at the actual IP ranges that
seem to be problem and block them in iptables.

[GrouchyAdmin]

Quote:

Originally Posted by raymor

Doing lookups on each IP that hits your server could get VERY expensive in
terms of resource usage. Instead I would look at the actual IP ranges that
seem to be problem and block them in iptables.

I don't think anybody's gonna ban by /32, Ray.

Well, then again...