More security with GeoIP lockout for Debian and Ubuntu server
This tutorial covers deploying and using GeoIP with the kernel firewall on Debian 10 (buster), Debian 11 (bullseye) and Ubuntu 20.04 LTS. Alongside TLS connections and 2FA authentication, a firewall that regulates the data traffic is a further layer of protection. Based on the public IP address, it is fairly easy to determine from which city or region an access is currently being made.
It is also worth considering whether websites and services need to be reachable at all from countries far removed from the local languages, with which no relations are maintained, such as the South Pacific. When tracing the sources of brute-force and DDoS attacks, they are frequently found in the Far East and Russia.
A geolocation system determines where a system is located: on the Internet, an IP address can be mapped to a country, a city or an organization in order to determine the location.
Installation
The installation of the required services and libraries for GeoIP on Debian and Ubuntu is done as root with "su -" or "sudo su -".
The GeoIP database must be downloaded from the MaxMind website, with the following URL: https://www.maxmind.com. MaxMind is a Massachusetts-based digital mapping company that provides location data for IP addresses.
MaxMind requires you to register for the Free Account with a valid email. After logging in, go to My Account and Download Databases.
Under GeoIP2 and GeoIP Legacy Databases, download the GeoLite2 Country CSV format file via Download ZIP.
If you want to download via the permalink, you need a license key, which you can generate under "My Account – Manage License Keys"; at the time of writing the download did not work here (401 Unauthorized).
The contents of the GeoLite2-Country-CSV_20220125.zip ZIP file
Create a new directory on the host and switch to it.
$ mkdir -p /usr/share/xt_geoip/
$ cd /usr/share/xt_geoip
Upload the downloaded GeoLite2-Country-CSV_20220125.zip file to the Debian or Ubuntu server using ftp or scp, into the directory /usr/share/xt_geoip, and unzip it.
$ unzip GeoLite2-Country-CSV_20220125.zip
$ cd GeoLite2-Country-CSV_20220125
$ /usr/lib/xtables-addons/xt_geoip_build -D /usr/share/xt_geoip *.csv
xt_geoip_build converts the MaxMind CSV data into the binary format used by xt_geoip. The output looks similar to the following, abbreviated here.
729578 entries total
0 IPv6 ranges for
16 IPv4 ranges for
362309 IPv6 ranges for 0 0
365215 IPv4 ranges for 0 0
0 IPv6 ranges for 1 0
28 IPv4 ranges for 1 0
0 IPv6 ranges for AD Andorra
8 IPv4 ranges for AD Andorra
...
Load the xt_geoip module into memory and then verify that it is loaded.
$ modprobe xt_geoip
$ lsmod | grep ^xt_geoip
The output should be similar to this.
xt_geoip 16384 34
The GeoIP integration for iptables is now complete, and rules using the geoip match can now be created. Listing the INPUT chain with line numbers (the same iptables -L INPUT --line-numbers -vn command used further below) might then look like the following.
Chain INPUT (policy DROP 259 packets, 13704 bytes)
num pkts bytes target prot opt in out source destination
1 68011 14M f2b-apache-auth tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
2 155K 41M f2b-sshd tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
3 272K 12M ufw-reject-input all -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 -m geoip --source-country RU,CN
5 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 -m geoip --source-country BY,CY
This example deletes rule number 5.
$ iptables -D INPUT 5
Query the ISO country code of an IP address.
$ apt install geoip-bin
Example query with geoiplookup.
$ geoiplookup 61.219.11.151
GeoIP Country Edition: TW, Taiwan
Example with iptables and GeoIP
An example with ISO codes of countries classified as obscure or as known suspicious havens, which are explicitly blocked, while the ISO codes of the DACH countries (AT, CH, DE) are allowed.
$ iptables -P INPUT DROP
$ iptables -A INPUT -m geoip --src-cc AT,CH,DE -j ACCEPT
$ iptables -N DROP_GEOIP
$ iptables -A DROP_GEOIP -m geoip --src-cc ID -j DROP
$ iptables -A DROP_GEOIP -m geoip --src-cc KP -j DROP
$ iptables -A DROP_GEOIP -m geoip --src-cc TJ -j DROP
$ iptables -A DROP_GEOIP -m geoip --src-cc TM -j DROP
$ iptables -A DROP_GEOIP -m geoip --src-cc TR -j DROP
$ iptables -A DROP_GEOIP -m geoip --src-cc UA -j DROP
$ iptables -A DROP_GEOIP -m geoip ! --src-cc AT,CH,DE -j DROP
$ iptables -A INPUT -j DROP_GEOIP
The ! argument negates the match, so the ISO codes AT, CH and DE are excluded from the jump to DROP.
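As an added illustration (not code from the original tutorial), the following Python script does by hand what the steps above rely on: it joins the two CSV files from the GeoLite2-Country ZIP into network-to-ISO-code ranges, looks up an address the way geoiplookup does, and then walks the INPUT chain built above to show which rule a given source hits. The CSV rows are constructed samples; only the column layout, the lookup semantics and the rule order come from the page.

```python
import csv
import io
import ipaddress

# Constructed sample rows in the layout of the two files inside the GeoLite2-Country-CSV
# ZIP: Blocks maps a network to a geoname_id, Locations maps that id to the ISO code.
BLOCKS_CSV = """network,geoname_id,registered_country_geoname_id,represented_country_geoname_id,is_anonymous_proxy,is_satellite_provider
61.219.0.0/16,1668284,1668284,,0,0
85.0.0.0/8,2658434,2658434,,0,0
198.51.100.0/24,,690791,,0,0
"""
LOCATIONS_CSV = """geoname_id,locale_code,continent_code,continent_name,country_iso_code,country_name,is_in_european_union
1668284,en,AS,Asia,TW,Taiwan,0
2658434,en,EU,Europe,CH,Switzerland,0
690791,en,EU,Europe,UA,Ukraine,0
"""

def load_db(blocks_text, locations_text):
    """Join the two CSVs into (network, iso) pairs, sorted longest prefix first."""
    iso_by_geoname = {r["geoname_id"]: r["country_iso_code"]
                      for r in csv.DictReader(io.StringIO(locations_text))}
    ranges = []
    for r in csv.DictReader(io.StringIO(blocks_text)):
        # geoname_id is empty when the location is unknown; use the registered country
        iso = iso_by_geoname.get(r["geoname_id"] or r["registered_country_geoname_id"])
        if iso:
            ranges.append((ipaddress.ip_network(r["network"]), iso))
    ranges.sort(key=lambda pair: pair[0].prefixlen, reverse=True)
    return ranges

def lookup(ranges, ip):
    """Longest-prefix match, the answer geoiplookup prints; None if not in the database."""
    addr = ipaddress.ip_address(ip)
    return next((iso for net, iso in ranges if net.version == addr.version and addr in net), None)

# The INPUT chain from the article in evaluation order: (negated, country set, target).
RULES = [
    (False, {"AT", "CH", "DE"}, "ACCEPT"),                   # --src-cc AT,CH,DE -j ACCEPT
    (False, {"ID", "KP", "TJ", "TM", "TR", "UA"}, "DROP"),   # the DROP_GEOIP single-country drops
    (True, {"AT", "CH", "DE"}, "DROP"),                      # ! --src-cc AT,CH,DE -j DROP
]

def verdict(ranges, ip, policy="DROP"):
    """Return (target, rule number) of the first matching rule, as iptables would."""
    iso = lookup(ranges, ip)
    for num, (negated, countries, target) in enumerate(RULES, start=1):
        # xt_geoip: an address in none of the listed countries (iso None included) matches only a '!' rule
        if (iso in countries) != negated:
            return target, num
    return policy, 0
```

An address the database cannot map matches none of the --src-cc lists and therefore only the negated rule, so it is dropped rather than falling through to the chain policy.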
Check the iptables INPUT chain with line numbers; for this example the output is as follows.
$ iptables -L INPUT --line-numbers -vn
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 273K 12M ufw-after-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
2 273K 12M ufw-reject-input all -- * * 0.0.0.0/0 0.0.0.0/0
3 273K 12M ufw-track-input all -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 -m geoip --source-country RU,CN
5 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 -m geoip --source-country BY,CY
6 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 -m geoip --source-country HK,KP
7 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 -m geoip --source-country KG,KZ
8 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 -m geoip --source-country UA,VN
9 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 -m geoip --source-country MD,GE
10 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 -m geoip --source-country TW,TM
11 102 5329 DROP_GEOIP all -- * * 0.0.0.0/0 0.0.0.0/0
12 90 4827 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 -m geoip ! --source-country AT,CH,DE
iptables-persistent
To restore the iptables chains after a reboot, install iptables-persistent.
$ apt install iptables-persistent
Confirm with Yes to save the current iptables rules during installation.
The iptables chains can also be saved with iptables-save and restored at a later time.