Block Countries from Visiting your Website - I have just created a little help file on how to block countries from visiting your website: Block Countries Visiting

Tom · 22nd June 2010, 09:44 AM

I have just created a little help file on how to block countries from visiting your website:

Block Countries Visiting Your Website | fusionservers Knowledge Base

Does it make sense?

cew · 22nd June 2010, 01:02 PM

sorry, but why would you want to do this?

Frinkky · 22nd June 2010, 01:05 PM

Seems fine to me

Tom · 22nd June 2010, 01:39 PM

Cheers frinkky.

Cew: It is very useful for websites that are being attacked, especially forms. I have been in situations where entire countries have been blocked from accessing a data centre, because they generate so much bad traffic that it is just easier to block them. The reason for this approach is that some people do want traffic from certain countries, because of the way they operate, this allows them to accept that traffic on a per country basis.

I have blocked russia, china and vietnam from my website, I do not want any customers from those regions as it would be hard to provide them with support but mainly because so many hackers operate out of those countries that I feel safer about my website if they are blocked.

(Note this does not protect you against proxies, that's a whole other ball game)

burn1337 · 22nd June 2010, 04:37 PM

Personally... Blocking country traffic due to not wanting to attain customers from that country is a good idea... But blocking a country due to hackers... I think is kinda stupid.. Just as you said; proxies is a whole other ball game... So is ip spoofing... Doesn't matter where a hacker is located or working from... If they want access, it is determined on their determination on rather or not they get it... I know this from past experiences with hacking myself... It would be a better idea to safe guard your server in a security aspect rather then to block a whole country as a safe guard...

Plus after looking at your guide thing... This only blocks access to the in-particular folders being hosted by your web server... This does not block actual access; or in other words, any open port (including port 80) is still accessible... And with the use of simply doing a force change on the user agent of the web browser being used, it wouldn't matter if you have that in place or not (apache as well as most web servers run off of the user agent, not the packet headers or checksums; in order to manipulate apache to run off of the packet headers, you would have to hand code that in C, then configure, and compile apache yourself; which would also mean you would also have to make changes to the building structure of apache... This is also why php can only accumulate a small range of data coming from the end user. )...

Or in other words, a hacker could easily get a handshake from your web server (apache), and with the proper exploits could even use that to find out exactly what your .htaccess is allowing or disallowing (without proper safe guarding that is); and with that, force their browser to a user agent of their choosing, and still gain access to view your files anyway...

If you are even going to consider the idiocy of having apache deny ip's or ip ranges, this should be done in your httpd.config file, not an .htaccess file... Otherwise you should have your server configured to block those ip ranges... (There are multiple firewalls that can be configured for this prior to the connection reaching apache; any routers, switches, IpTables, or any software firewall installed on your server (including those packaged with your OS (like IpTables).)

The only other way outside of a firewall block of an ip that I would ever condone, would be a block through php (or other server side scripting) using a database to hold those ip's... I say this cause, when you run your website with php; so long as you don't send any header information prior to the ip check; you can deny any ip from viewing your page/s without allowing a handshake that can be exploited into showing that information... But even still, it's not like the ip or user agent can't be spoofed to allow access anyways...
Not to mention the fact that even high end commercial grade firewalls can be hacked. (I personally have had the privilege of legally hacking a pix firewall, from all of; a remote terminal on an outside network, a remote terminal from the local network, and even a terminal from the maintenance port (cross-over RJ-45 through hyper terminal, and linux command line ssh); do keep in mind at the time I was only 17 (5 years ago) and at that time the equipment cost was $4,500)

22nd June 2010, 09:44 AM	#1
Tom Join Date: Jan 2009 Posts: 782 Blog Entries: 16 Thanks: 17 Thanked 35 Times in 35 Posts Expertise: Design & Graphics Experience: Quite Good	Block Countries from Visiting your Website I have just created a little help file on how to block countries from visiting your website: Block Countries Visiting Your Website \| fusionservers Knowledge Base Does it make sense? __________________ www.fusionservers.co.uk\| Inexpensive Themes

22nd June 2010, 01:05 PM	#3
Frinkky Join Date: Dec 2008 Posts: 712 Thanks: 0 Thanked 38 Times in 38 Posts Expertise: Design & Graphics Experience: Professional	Seems fine to me __________________ Jon Warner Web Pro Cafe :: The PixelForge :: Follow my Twits (or something) :: LinkedIn

22nd June 2010, 01:39 PM	#4
Tom Join Date: Jan 2009 Posts: 782 Blog Entries: 16 Thanks: 17 Thanked 35 Times in 35 Posts Expertise: Design & Graphics Experience: Quite Good	Cheers frinkky. Cew: It is very useful for websites that are being attacked, especially forms. I have been in situations where entire countries have been blocked from accessing a data centre, because they generate so much bad traffic that it is just easier to block them. The reason for this approach is that some people do want traffic from certain countries, because of the way they operate, this allows them to accept that traffic on a per country basis. I have blocked russia, china and vietnam from my website, I do not want any customers from those regions as it would be hard to provide them with support but mainly because so many hackers operate out of those countries that I feel safer about my website if they are blocked. (Note this does not protect you against proxies, that's a whole other ball game) __________________ www.fusionservers.co.uk\| Inexpensive Themes

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

22nd June 2010, 01:02 PM	#2
cew Member Join Date: Apr 2010 Location: South Africa Posts: 49 Thanks: 0 Thanked 3 Times in 3 Posts Expertise: (X)HTML / CSS Experience: Intermediate	sorry, but why would you want to do this?

22nd June 2010, 04:37 PM	#5
burn1337 Member Join Date: Jun 2010 Location: Reno, Nevada Posts: 70 Thanks: 0 Thanked 2 Times in 2 Posts Expertise: Web Development Experience: Professional	Personally... Blocking country traffic due to not wanting to attain customers from that country is a good idea... But blocking a country due to hackers... I think is kinda stupid.. Just as you said; proxies is a whole other ball game... So is ip spoofing... Doesn't matter where a hacker is located or working from... If they want access, it is determined on their determination on rather or not they get it... I know this from past experiences with hacking myself... It would be a better idea to safe guard your server in a security aspect rather then to block a whole country as a safe guard... Plus after looking at your guide thing... This only blocks access to the in-particular folders being hosted by your web server... This does not block actual access; or in other words, any open port (including port 80) is still accessible... And with the use of simply doing a force change on the user agent of the web browser being used, it wouldn't matter if you have that in place or not (apache as well as most web servers run off of the user agent, not the packet headers or checksums; in order to manipulate apache to run off of the packet headers, you would have to hand code that in C, then configure, and compile apache yourself; which would also mean you would also have to make changes to the building structure of apache... This is also why php can only accumulate a small range of data coming from the end user. )... Or in other words, a hacker could easily get a handshake from your web server (apache), and with the proper exploits could even use that to find out exactly what your .htaccess is allowing or disallowing (without proper safe guarding that is); and with that, force their browser to a user agent of their choosing, and still gain access to view your files anyway... If you are even going to consider the idiocy of having apache deny ip's or ip ranges, this should be done in your httpd.config file, not an .htaccess file... Otherwise you should have your server configured to block those ip ranges... (There are multiple firewalls that can be configured for this prior to the connection reaching apache; any routers, switches, IpTables, or any software firewall installed on your server (including those packaged with your OS (like IpTables).) The only other way outside of a firewall block of an ip that I would ever condone, would be a block through php (or other server side scripting) using a database to hold those ip's... I say this cause, when you run your website with php; so long as you don't send any header information prior to the ip check; you can deny any ip from viewing your page/s without allowing a handshake that can be exploited into showing that information... But even still, it's not like the ip or user agent can't be spoofed to allow access anyways... Not to mention the fact that even high end commercial grade firewalls can be hacked. (I personally have had the privilege of legally hacking a pix firewall, from all of; a remote terminal on an outside network, a remote terminal from the local network, and even a terminal from the maintenance port (cross-over RJ-45 through hyper terminal, and linux command line ssh); do keep in mind at the time I was only 17 (5 years ago) and at that time the equipment cost was $4,500)