[sAmI]

Hello,
I'm looking for way to block access to my VPS by countries using Iptables, I did many searches but it seems like all the tutorials follows old GeoLite-Legacy or the files are not there, how ever i have files for the GeoLite2 and the CSV, But i'm not able to find any good tutorial
Any help would be appreciated, I'm setting this up on my OVH VPS and my VPS 7 by ReadiDedis and Post4VPS!

[Mashiro]

Have you already tried https://www.ip2location.com/free/visitor-blocker ?

At "Download List" select your country, IPv4 or IPv6 and then at "Output Format" select "Linux iptables".

You will get a text file with commands to black a ton of ranges from selected country. Just upload that text file to your server, rename it to sh and run it with bash. It should execute the commands. If you want them to stick permanently I would recommend to use iptables-persistent.

iptables-persistent (reference - just look it up yourself for your specific OS):
- http://www.microhowto.info/howto/make_th...ebian.html
- https://linuxconfig.org/how-to-make-ipta...t-on-linux

For firewalld hm... you could use find and replace to modify the commands in the file but it would still require more editing to make the permanent.

[sAmI]

Have you already tried https://www.ip2location.com/free/visitor-blocker ?

At "Download List" select your country, IPv4 or IPv6 and then at "Output Format" select "Linux iptables".

You will get a text file with commands to black a ton of ranges from selected country. Just upload that text file to your server, rename it to sh and run it with bash. It should execute the commands. If you want them to stick permanently I would recommend to use iptables-persistent.

iptables-persistent (reference - just look it up yourself for your specific OS):
- http://www.microhowto.info/howto/make_th...ebian.html
- https://linuxconfig.org/how-to-make-ipta...t-on-linux

For firewalld hm... you could use find and replace to modify the commands in the file but it would still require more editing to make the permanent.

I have tried doing that with ip2location service and turning the text file to sh but it seems to take alot of time, What should i do for it?

[deanhills]

@sAmI  Although I know where you are coming from with country block, hope you are calculating in that it will take resources from your VPS that can create a drag on it.  Country block is not recommended when you are worried about slow down of a VPS.  

If you are worried about being hammered by a group of script kiddies, maybe it's better to do the blocks by IP ranges if you can.

I don't know what Firewall protection you are using, but just in case, here's a link to a tutorial for installing and configuring Config Server Firewall (CSF) on Ubuntu.  If you already have your own protection, maybe you will find some tips in the tutorial on commands for blocking IP ranges.
https://www.digitalocean.com/community/t...-on-ubuntu

[Mashiro]

@sAmI

What did you expect? You are about to block several million of IP addresses, or even several ten million (maybe even hundreds of million depending on country) IP addresses. This will take a while even if they are getting blocked based on subnetting.

So what should you do? Wait, maybe? Perhaps.


Thanks a lot for bringing this up @deanhills.

Actually blocking this huge amount of IP addresses via your firewall is like making it commit suicide. Everytime a someone connects the firewall has to look through the several thousand of rules to match the IP address or let it pass. That alone depending on server performance might simply kill it. No D(DoS) required at all because it will just take it down by itself.

[sAmI]

@sAmI  Although I know where you are coming from with country block, hope you are calculating in that it will take resources from your VPS that can create a drag on it.  Country block is not recommended when you are worried about slow down of a VPS.  

If you are worried about being hammered by a group of script kiddies, maybe it's better to do the blocks by IP ranges if you can.

I don't know what Firewall protection you are using, but just in case, here's a link to a tutorial for installing and configuring Config Server Firewall (CSF) on Ubuntu.  If you already have your own protection, maybe you will find some tips in the tutorial on commands for blocking IP ranges.
https://www.digitalocean.com/community/t...-on-ubuntu

I will try CSF , I'm currently using OVH and i contacted them to they sadi to enable the firewall from their panel and set the mitigation mode to permanent i hope that helps, Well most of the time free booters and paid booters does not actually work on my VPS though, The type of DDOS i'm receiving is different, Everything is working fine, I can use the VPS as well but the TeamSpeak3 goes down only. I'm not sure why is that my first thought it would be some type of TeamSpeak3 exploit (there was one in a previous version), I quickly updated the server to the latest where it was patched but still, I used TCPDUMP on 9987 port (TeamSpeak3 port), I saw unusual IPs other than Pakistan ones which i know about. I searched it was different but it was attacking my IP address as i received a notifcation from OVH as well.

@sAmI

What did you expect? You are about to block several million of IP addresses, or even several ten million (maybe even hundreds of million depending on country) IP addresses. This will take a while even if they are getting blocked based on subnetting.

So what should you do? Wait, maybe? Perhaps.

@Hidden Refuge, I tried executing the smallest file which had almost totally less IPs! Well, I will try that as well. I will also wait for it.

[rudra]

how about using fail2ban. or may be you could use whitelist approach. ban all to the teamspeak port. only allow from ip ranges that match your user isp ranges. it will be helpful cause i am sure it will involve much less checking. fail2ban type auto ban service is good too. it sends offending traffic to just vanish. though if it is some kind of DDoS or even DoS that is taking up the capacity of the network, then your filter or whatever preventative measures you take will have to be further ahead in the chain of things. you cant deal with high volume DoS attacks right at the target.

trying it is a bit like trying to push start a car while you are totally in it.

i dont know anything about game server setups. so pardon my ignorance.

[Manal]

I will try CSF , I'm currently using OVH and i contacted them to they sadi to enable the firewall from their panel and set the mitigation mode to permanent i hope that helps, Well most of the time free booters and paid booters does not actually work on my VPS though, The type of DDOS i'm receiving is different, Everything is working fine, I can use the VPS as well but the TeamSpeak3 goes down only. I'm not sure why is that my first thought it would be some type of TeamSpeak3 exploit (there was one in a previous version), I quickly updated the server to the latest where it was patched but still, I used TCPDUMP on 9987 port (TeamSpeak3 port), I saw unusual IPs other than Pakistan ones which i know about. I searched it was different but it was attacking my IP address as i received a notifcation from OVH as well.


@Hidden Refuge, I tried executing the smallest file which had almost totally less IPs! Well, I will try that as well. I will also wait for it.

I have faced that issue previously. The solution? Most probably you're using direct OVH VPS. Use a OVH Game VPS.
For now, Shadow Hosting doesn't provide OVH Game VPS but I know someone who does provide a cheaper one.
OVH Game is curated to protect your VPS against client-specific attacks that have been proven to work in the past. People tend to go for OVH Essential VPS/Dedi because it is cheap, but a little extra buck and you get the protection you need.
Also contacting OVH Support can be a pain as they're infamous for their response time and resolution of the problem. A long-standing OVH Game reseller should be your best option to choose from.

[Manal]

ps - OVH Game VPS is not available on the OVH website directly. You can only find the OVH Game dedicated server. Those resellers buy that dedi and resell the VPS using virtualization.

[Manal]

And sad to say, banning such IPs won't work because I've studied how booters work. They use a wide-range of IP addresses that comes from not only Brazil, China, Pakistan and Vietnam, but also US, India, Germany and France.
You don't want to ban them, do you?