This is a TCP wrapper which will filter server connection attempts based on the country of origin. It can be configured in one of two different ways:
- Allow connections only from a specified list of countries.
- Deny connections EXCEPT those from a specified list of countries.
This allows for the dynamic blocking (or allowing) of an entire country without having to manage or maintain IP lists, which can often be very large.
- USA has over 1.5 billion IP addresses spanning approximately 450,000 different blocks.
- China has over 300 million IP addresses spanning approximately 4,000 different blocks.
- Russia has over 40 million IP addresses spanning approximately 10,000 different blocks.
The solution is only as accurate as the GeoIP database; however, most tools for identifying a country from an IP are at least 99% accurate.
The use of TCP wrappers does not eliminate the need for a properly configured firewall. This script should be seen as part of your security solution, not the whole of it.
This tool relies on geoiplookup. If it is not installed, the script will log an error and allow the connection, even if the default action is DENY. The reason for this is that without it ALL connections would be blocked, including your own (which would be bad).
This may require additional apt or yum sources depending on your distribution.
Debian / Ubuntu
# apt-get install geoip-bin geoip-database
CentOS / RHEL
# yum install GeoIP GeoIP-data
By default this will install the free version of the GeoLite Country binary database (GeoIP.dat etc.), usually in the /usr/local/share or /usr/share directory. The specific location doesn't matter as the geoiplookup command will know where to look for the data files.
We currently do not support the GeoIP2 format (mmdb) or automated updates from MaxMind, although this is on the roadmap for this tool.
Look up one of Google’s IPs.
# geoiplookup 74.125.225.33
GeoIP Country Edition: US, United States
If you see the above or similar then geoiplookup is installed and working.
Although this was developed for use with sshd, the principle should work for any service that is supported by TCP wrappers; however, in this documentation we will use sshd.
Copy the script to /usr/local/sbin/country-filter (and ensure that it is executable [chmod +x]).
Out of the box the country list is empty and the script has the default ACTION of DENY (only block countries in the list), so the net effect at this point is to block nothing.
To add countries to the list, add them to the COUNTRIES variable. This is a space separated list of two-letter country codes; see Wikipedia for an example list of country codes.
There are times when a country cannot be identified. If you want to block all connections where the country cannot be identified, add XX to the COUNTRIES variable.
By default the script will deny connections from any country listed in the COUNTRIES variable; however, you can invert this logic and only allow connections from these countries by setting the ACTION variable to ALLOW.
If you change the default ACTION to ALLOW, ensure your own country is in the list of countries before you do so, otherwise you will no longer be able to connect to your server. This won't affect existing open connections, so test with a new connection attempt to ensure the configuration is correct.
In Linux/Unix based systems the processing order for TCP wrappers is as follows:
- hosts.allow
- hosts.deny
This means that anything that is not handled (allowed / denied) by hosts.allow will be handled by hosts.deny.
The following configuration will tell the system to pass the IP of every ssh connection attempt to the country-filter. The return code of the filter specifies the action to be taken.
- 0 = Success - allow the connection.
- 1 = Failure - deny the connection.
sshd: ALL: aclexec /usr/local/sbin/country-filter %a
aclexec tells the system to execute the script that follows it, and %a is replaced by the connecting client's IP address.
The following configuration will tell the system to deny all ssh connections.
sshd: ALL
This should never be reached, because all cases should be handled by the country filter, but as with all security configurations protection in depth is key, and having a safe, secure fallback position is preferable.
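Putting the pieces above together, here is an added example of a minimal country-filter written for this documentation; it is not the project's own script. It assumes geoiplookup's "GeoIP Country Edition: US, United States" output format, and the GEOIPLOOKUP variable (for pointing at the lookup command) is an addition used to make the script testable.

```sh
#!/bin/sh
# Added example (not the project's script): invoked by TCP wrappers through
#   sshd: ALL: aclexec /usr/local/sbin/country-filter %a
# Exit 0 = allow the connection, exit 1 = deny it.
COUNTRIES="${COUNTRIES:-}"                  # space-separated 2-letter codes; XX = country unknown
ACTION="${ACTION:-DENY}"                    # DENY: block listed countries; ALLOW: only permit them
GEOIPLOOKUP="${GEOIPLOOKUP:-geoiplookup}"   # lookup command (variable name is an assumption)

log() {  # syslog if available; logging must never change the verdict
    if command -v logger >/dev/null 2>&1; then
        logger -t country-filter "$*" 2>/dev/null || :
    fi
}

# Map an IP to its 2-letter country code, or XX when the database has no answer.
lookup_country() {
    out=$("$GEOIPLOOKUP" "$1" 2>/dev/null) || out=""
    # geoiplookup prints e.g. "GeoIP Country Edition: US, United States";
    # "IP Address not found" has no comma after a 2-letter code, so it yields XX.
    code=$(printf '%s\n' "$out" | sed -n 's/^GeoIP Country Edition: \([A-Z][A-Z]\),.*/\1/p' | head -n 1)
    if [ -n "$code" ]; then printf '%s\n' "$code"; else printf 'XX\n'; fi
}

# True when $1 is one of the codes in COUNTRIES.
in_list() {
    for c in $COUNTRIES; do
        [ "$c" = "$1" ] && return 0
    done
    return 1
}

# Decide for one client IP: returns 0 (allow) or 1 (deny).
country_filter() {
    ip="$1"
    # Fail open if the lookup tool is missing: under DENY every connection,
    # including the administrator's own, would otherwise be refused.
    if ! command -v "$GEOIPLOOKUP" >/dev/null 2>&1; then
        log "geoiplookup not found; allowing $ip"
        return 0
    fi
    cc=$(lookup_country "$ip")
    case "$ACTION" in
        ALLOW) if in_list "$cc"; then verdict=allow; else verdict=deny; fi ;;
        *)     if in_list "$cc"; then verdict=deny;  else verdict=allow; fi ;;
    esac
    log "$verdict $ip country=$cc action=$ACTION"
    [ "$verdict" = allow ]
}

# When invoked with a client IP (as aclexec does), decide and exit with the verdict.
if [ -n "${1:-}" ]; then
    country_filter "$1"
    exit $?
fi
```

Set COUNTRIES and ACTION at the top of the installed copy; the hosts.allow line shown above then drives every sshd connection attempt through country_filter.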
We provide a number of different TCP Wrapper filters.
If you wish to use more than one of our TCP Wrappers then please refer to our TCP Wrapper Multiplexer.