Many security professionals want to restrict traffic from certain countries (I’m looking at you, North Korea). Because IP addresses are divvied out by countries and Internet service providers, this can be done using IP address range filtering in your firewall.
On Windows, usually people will use Windows Firewall. On Linux, iptables or firewalld are common options.
The problem with blocking IP addresses by country is that it becomes a rabbit hole. Sounds easy, right? Just block a few countries. Well, IP addresses are always changing. What about exceptions? What if you have an employee going to a restricted country and they need access? What about the inverse, only allowing traffic from your chosen countries? What about updating the list daily so your IP addresses don’t become stale?
Even if you get the process of using the correct IP addresses and updating them regularly right, you will likely run into performance issues with your firewall, especially on Windows.
IPBan Pro has solved country blocking with several high-performance and easy-to-use options. With a couple of checkbox clicks you can have all your servers protected by only allowing access to certain countries, or simply blocking a few of the naughty countries. Because IPBan Pro uses Windows Filtering Platform, you can block hundreds of thousands of IP addresses easily without impacting performance. The IP addresses for countries update daily, and only take a few seconds to update on each client.
Using the IPBan Pro Web Admin, you can block IP addresses by country easily and without hurting performance. Here is a screenshot:
Let’s go over the settings.
The obvious setting is the list of countries. Next is a list of ports that are exempt from country blocking. In this example I’ve set the HTTPS port to allow traffic from those countries. If you have a very popular international website, you’d want to consider that option.
The first failed login option allows a single login attempt from the chosen countries. Should that login attempt fail, that IP address will be banned not only on the server it attacked, but on all of your servers, instantly. This is a great option if you don’t want to overload your client machines’ firewalls with too many IP addresses. Turn off first failed login to proactively add all the IP addresses to the firewall of each client. IPBan Pro is pretty fast, so this is usually not needed.
Finally, the invert country block list option basically flips the script. Instead of blocking the chosen countries, it allows them, and blocks everything else. So if you only wanted to accept traffic from a few countries, this is a great option, preventing the need to block dozens or hundreds of countries.
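To make the interaction of these settings concrete, here is an added example (not IPBan Pro code or its implementation) that models the country list, exempt ports, first failed login and invert options as a small policy evaluator. The class and function names are hypothetical, the CIDR ranges are constructed from documentation address space, and how the options combine (a ban also covering exempt ports, first failed login under inversion) is an assumption.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample data: RFC 5737 documentation ranges standing in for
# per-country allocations. Real lists come from a daily-updated feed.
COUNTRY_RANGES = {
    "AA": ["192.0.2.0/24"],
    "BB": ["198.51.100.0/24", "203.0.113.0/25"],
}

@dataclass
class CountryPolicy:                     # hypothetical model, not a product API
    countries: set                       # chosen country codes
    exempt_ports: set = field(default_factory=set)
    invert: bool = False                 # True: allow only the chosen countries
    first_failed_login: bool = False     # True: ban only after a failed login
    banned: set = field(default_factory=set)

    def __post_init__(self):
        self.networks = [ipaddress.ip_network(cidr)
                         for cc in self.countries
                         for cidr in COUNTRY_RANGES.get(cc, [])]

    def in_chosen_country(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)

    def targeted(self, ip):
        """True if the address falls on the blocked side of the policy."""
        return self.in_chosen_country(ip) != self.invert

    def allow(self, ip, port):
        if ip in self.banned:            # assumption: a ban covers every port
            return False
        if port in self.exempt_ports:    # exempt ports skip country blocking
            return True
        if not self.targeted(ip):
            return True
        # Targeted address: blocked up front unless first failed login is on.
        return self.first_failed_login

    def record_failed_login(self, ip):
        """One failed login from a targeted address bans it outright."""
        if self.first_failed_login and self.targeted(ip):
            self.banned.add(ip)
```

With first failed login enabled, the `banned` set only grows as addresses actually fail a login, which is why that mode keeps each firewall's rule count small compared with loading every country range up front.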
Give IPBan Pro Datacenter a Try and start protecting your servers with country blocking today.