
Do you block countries like China on your production servers?

Discussion in 'System Administration' started by Jon Snow, Nov 16, 2019.

  1. Jon Snow

    Nginx 1.13.9
    MariaDB 10.1.31
    I've noticed a large amount of China traffic recently. It's strange.

    So I've been considering blocking China as a whole country. I don't think any of my member base is from China. There could be legitimate guests but I'll have to check GA to confirm.

    Does anyone here block China and other countries on their popular site's production servers?
     
  2. buik

    Yup.

    But as "There could be legitimate guests but I'll have to check GA to confirm."

    It might be a better idea to use a blacklist with abusive IP addresses and domain names than to block an entire country.
     
  3. eva2000

    Nginx 1.17.x
    MariaDB 5.5/10.x
    I have legit China visitors so can't block them all. But with Cloudflare in front I can filter some out by default, and for the rest use CF Firewall Rules.

    For example, my Cloudflare Firewall rules, based on CF Threat Score, determine if they get a JS Challenge or get Blocked.

    From Known Issues and FAQ - Cloudflare Firewall Rules

    and Fields and expressions - Cloudflare Firewall Rules

    [Image: cf-firewall-rules-threat-score-161119.png]

    I also have finer-grained Firewall rules for China specifically, depending on which request paths the visitor is coming from, etc.
     
  4. eva2000

    For Centmin Mod's CSF Firewall level country blocking, read "CSF - How to block country traffic in CSF Firewall", including the note about being careful not to block countries where Centmin Mod's download dependency servers are located. Otherwise, you block Centmin Mod's ability to update itself.
     
  5. Jimmy

    1.17.x
    MariaDB 10.3.x
    I use the CF rules also.
     
  6. Jimmy

    I set up one to JS challenge China traffic, but everything seems to get through. I can see errors in my IPS error log.
    Code:
    (http.host eq "domain.com") and (ip.geoip.country eq "CN") and (cf.client.bot or cf.threat_score ge 10)
    I would normally just challenge everything from the country, but I thought finer tuning would be better. Just learning how to use these rules vs. just blanketing the whole country.
     
  7. Jon Snow

    How would I block the domain name?

    I'm seeing more with the hostname (different hostnames but same domain):

    ecs-159-138-154-238.compute.hwclouds-dns.com

    Too many IPs to manually add to the block list.
     
  8. buik

    There are ready-to-use blocklists. The same goes for blacklisted domains.
     
  9. Jon Snow

    Doesn't that only block user agents? I have it enabled already.

    I don't think the log is getting any useful user agent content for the IP address:
    Code:
    159.138.156.147 - - [21/Nov/2019:13:37:31 +0000] "GET /forum/threads/blahblah.999/ HTTP/1.1" 200 15053 "-" "Mozilla/5.0(Linux;U;Android 5.1.1;zh-CN;OPPO A33 Build/LMY47V) AppleWebKit/537.36(KHTML,like Gecko) Version/4.0 Chrome/40.0.2214.89 UCBrowser/11.7.0.953 Mobile Safari/537.36"
    Edit: I had to block another country this time.
     
    Last edited: Nov 22, 2019
  10. buik

    Don't know if you use a solution in front like Cloudflare, because you have no information about this.

    That is why it is somewhat difficult to advise.
    But blacklists block IPs, domains, just what the list specifies.

    Blocklist.de is a common example.
     
  11. Jon Snow

    I don't use Cloudflare. Only what's available in CMM.
     
  12. buik

    Ok.
    Did you enable the blacklists that CSF offers?
     
  13. Jon Snow

  14. eva2000

    CSF blocklists advanced config Centmin Mod style https://community.centminmod.com/th...-09beta01-extended-csf-firewall-tweaks.11745/. More details at https://community.centminmod.com/posts/50058/

     
  15. Jon Snow

    @eva2000 but that's still IP based right? Can a domain from a hostname be blocked?
     
  16. eva2000

    Yes, you block by IP only - hostname isn't an option as it's easy to change hostnames anyway. You should use the Cloudflare Firewall rules/User Agent blocking mentioned here in conjunction with CSF Firewall.

    Cloudflare Firewall fields you can use https://developers.cloudflare.com/firewall/cf-firewall-rules/fields-and-expressions/

    Also you can rate limit requests at Cloudflare level or Centmin Mod Nginx level https://www.nginx.com/blog/rate-limiting-nginx/
     
    Last edited: Nov 23, 2019
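
An added example, not from the thread or from Centmin Mod: one way to deal with "too many IPs to manually add" while staying IP-based is to group access-log client addresses into /24 networks and merge adjacent ones into CIDR blocks for review before they go on a deny list. The thresholds, the function names and the `allow` parameter (for ranges that must stay reachable, such as update servers) are assumptions, and the sample log is constructed.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample: two addresses come from the thread, the rest are made up.
_LINE = '{ip} - - [21/Nov/2019:13:37:31 +0000] "GET /forum/threads/blahblah.999/ HTTP/1.1" 200 15053 "-" "Mozilla/5.0"'
SAMPLE_IPS = [
    "159.138.156.147", "159.138.156.12", "159.138.156.201",   # 3 hits, 3 clients
    "159.138.157.5", "159.138.157.77", "159.138.157.5",       # 3 hits, 2 clients
    "159.138.154.238", "159.138.154.238",                     # below min_hits
    "198.51.100.7", "198.51.100.7", "198.51.100.7",           # one busy client
    "203.0.113.10",                                           # single visitor
]
SAMPLE_LOG = "\n".join(_LINE.format(ip=ip) for ip in SAMPLE_IPS)


def hits_per_network(log_text, prefix=24):
    """Count requests and distinct client IPs per IPv4 network of the given prefix."""
    hits, clients = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        try:
            ip = ipaddress.ip_address(line.split(" ", 1)[0])
        except ValueError:
            continue  # blank or malformed line
        if ip.version != 4:
            continue  # this sketch only groups IPv4
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        hits[net] += 1
        clients[net].add(ip)
    return hits, clients


def deny_candidates(log_text, prefix=24, min_hits=3, min_ips=2, allow=()):
    """Networks over both thresholds, minus allowlisted ranges, merged into CIDRs."""
    hits, clients = hits_per_network(log_text, prefix)
    allowed = [ipaddress.ip_network(a) for a in allow]
    picked = [
        net for net in hits
        if hits[net] >= min_hits
        and len(clients[net]) >= min_ips
        and not any(net.overlaps(a) for a in allowed)
    ]
    return [str(n) for n in ipaddress.collapse_addresses(picked)]


if __name__ == "__main__":
    for cidr in deny_candidates(SAMPLE_LOG):
        print(cidr)
```

Requiring several distinct clients per network keeps a single busy visitor out of the range list; that case is better served by the rate limiting mentioned above.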