I myself have been building websites since 2003 for my businesses and clients, and lately have noticed an increase in undesirable website traffic from countries outside the United States.

On one particular site, which we have been working hard to promote using SEO citations, we have seen a huge increase in bogus form submissions. They are annoying and time-consuming, as we are forced to manually delete each one from our CRM. Over the years, I also have experienced multiple website denial of service attacks, and all of these attacks have come from outside the United States.

(It is interesting to note that in the U.S., nearly 99% of all password hack attempts through brute force, where they are guessing the passwords to legitimate user names, come from Chinese IP addresses.

Top Hacker Countries in the World 2019

See the U.S. State Department’s Country Reports on Terrorism which includes information about cybercriminal countries. Also, see https://en.wikipedia.org/wiki/International_cybercrime.)

There is a lot of wasted bandwidth consumed by bogus bots, brute force hacks, vulnerability scanners, and web crawlers. There is always the risk that one day these hackers will succeed in bringing down a site. The most common thing I’ve seen happen is a redirection, where the owner of the site doesn’t know it, but their website traffic is being directed to a drug site.

I have come to the conclusion, that there is no reason to allow traffic to come from anywhere but the United States and Canada for 95% of our clients.

But of course, there are many websites that wouldn’t want to block access from countries outside the United States for obvious reasons, like hotels, for instance. Even though they cater only to local people who walk in the door for a stay, foreigners traveling to the area will be searching for hotels before they get there. The same argument can be used for fancy restaurants, resorts, car rentals, commuter services, and so on. You will have to decide (and check your web stats) whether blocking particular countries will benefit you or not.

How It’s Done

Using HTAccess

The easiest way to block someone from accessing a website is by getting their IP address and placing this in your HTAccess file. Once you get your list of IP addresses, with help from some scripting (see this post), this can be an effective way to limit access.

You can also generate code by using this tool.

The problem with using HTAccess is that as you get more advanced with the scripting, with limiting access based on what protocol is used, but your .htaccess file will grow out of control fast. Still, it is a method to consider, and you can easily find a country IP address with the services listed below:

  1. http://www.ip2location.com/free/visitor-blocker
  2. https://www.countryipblocks.net

Use a Hosting Company

If you use a hosting company, like ours called Click IT Hosting, you can use controls that have blocking built-in.

Most hosting companies don’t offer this. They provide servers in such a way as to make this feature disabled. The two main types are:

Bare Metal

A bare-metal server or VPS (virtual private server) is a machine that you have complete control over; from the software firewalls to the hosting software and control panels. It’s all under your control. At Click IT, we manage VPS servers for many of our customers and this enables us to offer to block countries at the server level.

For most hosting companies, when you lease a bare metal server or VPS, you do not get to change how the back end is routed. As far as we know, there is not a host that has a “country-blocking” feature as part of a plan configuration. At best, a hosting company offers a basic firewall for adding IPs to blacklists or whitelists. When we host a website for our customers, we manage every aspect of the hosting plan, so using the server to block entire countries is possible with Click IT.

Shared Hosting

Many websites are hosting using a shared server configured with Plesk or cPanel as the controlling back-end software for dealing with databases, emails, backups, and much more. A shared server typically comes with a control panel, but you can’t enable networking controls, which would then affect the other websites hosted on the shared server with the same IP.

At best, a control panel will let you easily add IPs to a firewall, or allow editing of the .htaccess file, but we have yet to see one-click controls to block traffic by country. This would be nice for sure. For that reason, at the server level, it is a bit complex when we want to block countries from accessing a website.

In short, a typical hosting company is not likely equipped to help you out with this and in all likelihood, you won’t be able to block any IPs through the control panel one by one. Country blocking does seem like something you’d think any web host would want to allow, but at this time, we have not found any that do it. But with Click IT Hosting, because we are a “managed” service, is able to provide country blocking.

Content Delivery Networks

CDNs are not an all-encompassing solution for an entire website, but it does partially provide a means to block out countries from seeing your website. If your website delivers static content such as media files and images, you can use a CDN with built-in geo tools to block access to certain countries.

A big player that enables you to do this is Amazon CloudFront. Read the details page and scroll to the section titled ‘Geo Restriction’.

“Geo Restriction or Geoblocking lets you choose the countries in which you want to restrict access to your content. By configuring either a whitelist or a blacklist of countries you can control delivery of your content through Amazon CloudFront only to countries where you have the license to distribute.”

Amazon CloudFront

Most good CDNs will have some form of Geo-restriction. Another example is Akamai, which not only allows blocking by country code but can also be blocked based on their US embargoed country list.

If you have a CDN delivering your content, you probably are not that worried about bandwidth (unless you pay extra for it). It still helps in other ways, such as with licensing if you aren’t allowing your media to be viewed or heard in certain countries.

Apache Modules

If you don’t want to fill your .htaccess file with thousands of lines of blocked IPs, instead, you can install a C library and an Apache module to do the heavy lifting.

MaxMind provides a popular free database that is often used for looking up IPs. GeoLite2 is their free database that is updated monthly. The paid offering is more accurate and updated more frequently. By using this database and installing one of their various APIs, you can handle traffic as you see fit.

For our purposes, you would need to install the C library API as well as the Apache module. Once those are working and enabled, place the database file somewhere, and then you can set up your country blocks with code as simple as this in the .htaccess or Apache config file as the example below:

MaxMindDBEnable On
MaxMindDBFile DB /path/to/GeoIP/GeoLite2-Country.mmdb
MaxMindDBEnv MM_COUNTRY_CODE DB/country/iso_code

SetEnvIf MM_COUNTRY_CODE ^(RU|DE|FR) BlockCountry
Deny from env=BlockCountry

In this simple code example, Russia, Germany, and France (RU|DE|FR) would be blocked. (Get two-letter ISO country codes at https://countrycodes.com.)

This method will perform much better than your server having to parse thousands of lines of text on every request in the .htaccess file. To install the library and module, you need advanced access to your server of course, (which we have as a management services company at Click IT), so this technique is not a possible solution on shared hosts or where you don’t have such access on a VPS. This method will also work if, for some reason, you wanted specific blocking rules at the folder level, which makes it a great method to block entire countries on only specific areas of your website.

The Application Layer

If speed is important, the fastest blocking will happen when it is off your server entirely. It would need to be handled at the routing level or by separate DNS servers, or a proxy before the traffic ever even hits your web server. The next fastest will be with the software firewall being part of the operating system, before the traffic routes to your web server software.

The very top layer, the 7th level of the OSI, is the Application Layer. We’ve talked about blocking at lower levels of the webserver such as with Apache configs or .htaccess, but you can block IPs at the application layer by using the same MaxMind APIs mentioned above. This time, you can install the PHP or .NET, or Perl APIs to help you make geo-location decisions right in your application logic.

If you want to make decisions like showing a different page for different countries or languages, or want completely different offerings based on the country and need to change the core logic of your application in some way, then this is the level where geo-blocking should be set-up and enabled.

Click here for an idea of how it’s done in PHP.

Since this method requires that you perform a lookup of every IP and then verify all of them before your code can fully compile a page, this is going to be one of the slower methods. Multiply this by thousands of visits a day and you may be dealing with some lag in the performance of your website if it is not highly optimized.

Many system administrators will tell you that they don’t prefer doing full blocking at the application layer. By the time someone gets blocked, they have already communicated with your server, sent some data, used bandwidth, taken a few CPU cycles, and more. But in some unique circumstances, this may be exactly the method you need.

App layer blocking comes in any imaginable form. You can find APIs and data files for whatever language you require. Some pre-built software, especially e-commerce software, have geo-targeting tools built right into them, such as Prestashop. The software will change what it presents such as when currency is displayed, which is based on the geo data.

If you don’t want to deal with API, one of the coolest ways to block IPs at the application layer is with any number of available (and free) web APIs.

For example, freegeoip.net will send you geo data just by accessing their URL in the form of “freegeoip.net/{format}/{IP_or_hostname}” where the format is csv, xml, json, or jsonp.

All you would have to do is grab the user’s IP, send it to the URL and parse the response. Freegeoip allows up to 10,000 queries an hour but if you need more, you can download their server for free and run your own service. Not only can you grab the country code here, but you can read right down to the city, ZIP, time zone, and GPS coordinates. It is really powerful.

Naturally, this method introduces its own lag as you wait for a response from an entirely different server, but it is pretty fast, and apparently, Freegeoip can serve 10,000 queries an hour for many users at once, so that is very impressive.

Routing Tables

I briefly mentioned blocking at the firewall level; this is certainly an option too. This may be one of the least automatable solutions unless you are a hardened server administrator.

This would naturally reduce the overhead from your web server software (such as Apache), and you wouldn’t have to do the coding yourself at the application level either.

Keeping routing tables up to date with accurate IPs can become a maintenance headache. If the number of IPs you need to block are minimal and you are very comfortable editing the firewall tables and automating their updates, then this method is an acceptable solution.

In any case, check out ipdeny.com where you can download country lists as zone files. Their zone file is really just text with one CIDR address per line.

For some instructions on using iptables and scripting this process in Linux, read this.

Even though this removes some overhead from the web server, having thousands of lines to deal with in the router can introduce overhead of its own kind. For this reason alone, this really isn’t the best method.

This method does have a different effect though. Any blocked IPs are not just blocked from port 80 web traffic, but literally blocked from any access to your server whatsoever. Other methods might block China from visiting your web page, but it doesn’t stop them from trying to log into your root over SSH.

This hardened security is much better set up with a negative security model, just block everything except a few valid access points in your router, rather than trying to block huge chunks of the planet!

This method is also not for shared hosting or locked down servers where you can’t access the routing programs or perform mass updates to them.

ModSecurity

ModSecurity is a web application firewall for Apache, IIS, and Nginx for protecting against many types of attacks and allows for HTTP traffic monitoring, logging, and real-time analysis.

You can install and configure this on a bare server if you have the skills. If you have a host that gives you WebHostManager (WHM), you can configure it from within the WHM interface. This is what we are capable of doing for some of our higher-level clients at Click IT Hosting. The cost can get prohibitive for most, however.

ModSecurity is configured with its own language called ModSecurity Rule Language which is designed to work with HTTP transaction data.

ModSecurity is a huge topic all on its own, with many different forms of protection it can offer. For our purposes though, it has built-in support for the previously-mentioned MaxMind database for GeoIP lookups and rules.

Here is a sample rule for ModSecurity to block China:

SecGeoLookupDb /path/to/geo/data/GeoIP.dat
SecRule REMOTE_ADDR "@geoLookup" "chain,id:20,drop,msg:'Block China IP address'"
SecRule GEO:COUNTRY_CODE "@streq CN"

For this to work, you have to pay attention to which MaxMind database you use, and your implementation of ModSecurity.

If you use WHM, here is what you would need to do.

First download the legacy country database found here. It’s important to get the legacy database in *.dat format, as the Apache ModSecurity module can’t use the newer *.MMDB format yet.

A faster way is to first create a folder to store the database file, Using /usr/share/geoip/ is pretty common.

Use this command to download the file each month (it updates on the first Tuesday of the month).

wget -N http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz

Many people will download the latest version on Wednesday or Thursday, just in case they are behind in updating the file.

Once it downloads, extract with this command:

gzip -df GeoIP.dat.gz

The switches tell it to “deflate” and overwrite the existing file.

Now, log in to WHM and go to Security Center->ModSecurity Configuration. Scroll down to “Geolocation Database” and put in the path from above.

Modsecurity Configuration

You might also make sure the Rules Engine is set to process rules. Then save the changes.

Next go to the ModSecurity Tools section. You will see the current “Hits List” showing actions performed by any active rules. Click the “Rules List” button and then click “Add Rule”.

Copy this rule:

# Test IP address and block by country code
SecRule REMOTE_ADDR "@geoLookup"  "phase:1,chain,id:10,drop,log,msg:'Blocking China IP Address'"
SecRule GEO:COUNTRY_CODE "@streq CN"

Click the checkbox to “Enable Rule” as well as the checkbox to “Deploy and Restart Apache” and then Save.

Within no time, you should see your new rule blocking some traffic.

ModSecurity Hits List

Just be sure to know that if you use this technique, it will block for ALL domains hosted under WHM! If you want to block based only on particular domains, you’ll need additional configuring. None of my domains hosted on this WHM server need readership from China, so I’ve chosen to block for all domains.

Also note that if your WHM doesn’t have the menu like mine does, you may not be up to date. Make sure you’re on the latest.

If you don’t have WHM, you would have to install and configure ModSecurity manually and likely use the other (non-legacy) database as well.

If you install ModSecurity from scratch, it comes with no rules by default. The most common thing to do is to install a rule set that is ready-made. The best is the OWASP ModSecurity Core Rule Set (CRS). This protects against many known hack techniques and bad behaviors such as requesting content with the COOK protocol.

If you use ModSecurity, you have to watch out for false positives. Be prepared to deal with them and watch for blocked traffic you would normally have allowed. Keep an eye on the logs for anything interesting.

Also, you should check out the offerings at ConfigServer as well. Not only do they have their own security and firewall product, but it integrates with cPanel products. They even have a plugin for WHM/cPanel for added control of ModSecurity.

The WAF (Web Application Firewall) space has many options and is a large topic on its own. There are many contenders here and even bare metal appliances that do this work such as from Barracuda.

When you install ModSecurity with WHM, there are many default rules that begin protecting you from things you never even thought about. For example, using the protocol “COOK” as opposed to GET or POST may start blocking requests. Why? Because apparently this protocol is sometimes handled by a built-in compiler in the OS and is exploitable over the web. Who knew? It was probably a successful hack at some point in time, not sure if it’s long-since been fixed though.

Using a Proxy Service

Our last method involves hiding your domain behind a proxy service that essentially handles all the source traffic before forwarding them on to your server.

This works at the DNS level and often all you need to do is change DNS settings to use them.

The proxy service we use is CloudFlare which is the best by far.

Not only does your site work by going through their proxy, but they also provide security features and content delivery, and many other controls. If you have a small(ish) site and don’t require their advanced features, there is almost no reason why you shouldn’t protect your site behind their completely free plan. View plans for details. They are also well equipped at handling DOS attacks.

They also act as a reverse proxy, with CDN services and serving your content with geo-targeting servers. Because of this, they can inject content into your site such as additional analytics or various “apps” you can add. An example of an app is the ‘A Better Browser’ app which would notify your users if they use an out of date browser. They do this without you having to code anything additional into your site or build that logic yourself.

Blocking a country couldn’t be easier. It is in their paid plans however. You’ll need to upgrade and then go to ‘Threat Control’ where it says ‘Add custom rule’. Start typing the full country name and then click it from the dropdown list. Click the big red ‘Block’ button and you’re done!

CloudFlare Block

Block any countries you need to and then you’ll see them listed in your ‘Block list’.

CloudFlare Block 2

This may be the fastest and easiest way to enable some level of protection, CDN support, reverse proxy caching, and country-blocking abilities on a domain. You can stick your domain on CloudFlare and get it protected and set up in about 10 minutes. The downfall is that it can get pricy, with their high-protection plans costing $200 a month and more. This is typically not affordable by 90% of our clients at Click IT.

I will mention one other player here and that is Incapsula. They do a lot of the same stuff and compete directly with ClourFlare. They also have a free plan you can use on unlimited domains with basic features. With CloudFlare you have to change your NS records, but Incapsula requires only a CNAME, which may better fit how your DNS is handled.

If you are serious about using proxy services (and you should highly consider it anyway), do research on both CloudFlare and Incapsula for the best option for your needs.

There just happens to be a fairly in-depth analysis of CloudFlare vs. Incapsula vs. ModSecurity on Slideshare by Zero Science Lab, check it out.

WordPress Plugins

One last consideration is to install a plugin if your site is built on WordPress. There are many, and we have not yet evaluated which one we would recommend. We are considering finding the best plugin, and then making it a part of our website care packages. For comparison, see https://scanwp.net/blog/wordpress-plugins-for-blocking-countries.

Conclusion

At Click IT, we believe that ModSecurity and CloudFlare are the best options today to protect a website and block unwanted visitors looking to cause harm. They each provide a large degree of protection against today’s attacks and security issues. If you decide to use .htaccess or firewall rules, be ready to invest some time. Some situations may require geo-restrictions at the application layer so that is a good option when necessary.

Editorial Note:

Much of the information provided here was written and contributed to by Zack Wallace, a hobbyist programmer and private web developer located in Northern Arizona who has been in the IT field since 2003.

Leave a Comment