Will blocking all connections outside of the US, aside from port 80, cause a high server load?

Like most servers (I assume), we have people trying to brute force our services 24/7. I have cpHulk blacklist their IPs, but it seems like it'd be better if they didn't get that far in the first place. My host and I are the only ones who connect to the server on ports other than 80, so I'd like to block connections from all countries outside the US, except for port 80. I contacted my host to set this up, but they were hesitant because they said it would create an exceptionally high server load. It's a dedicated Xeon 1230 server with 32GB RAM running CentOS 6.6 and iptables.

First, any reason not to do this? Second, is what my host told me correct? Third, is there any way to accomplish this without a high performance impact?


Setting up specific rules to block every IP range (by listing every range) is the wrong approach.

Set the default rules in iptables to drop all traffic to your management ports. Then add rules to only allow access from your trusted IPs (yours and your host).

Blocking everything by default, and allowing only approved traffic, is usually called "explicit deny all", and is considered a best practice. In this case it also helps to avoid the performance impact your host is concerned about.


In order to do this, you would have to add tens of thousands of firewall rules, one for each netblock, where a country may have anywhere from one to several thousand netblocks associated with it.

When a request comes in, it would have to be checked against every single rule, which takes very little time for a few dozen or maybe even a few hundred rules, but with as many rules as you would need to use, (1) every request will be slowed down significantly and (2) it will use a lot of CPU.

The way to do this without a significant performance impact is by doing what you're already doing: blocking only those specific addresses which are being problematic.


What you need is a tool called ipset.

IP sets are a framework inside the Linux kernel, which can be administered by the ipset utility. Depending on the type, currently an IP set may store IP addresses, (TCP/UDP) port numbers or IP addresses with MAC addresses in a way, which ensures lightning speed when matching an entry against a set.

The important thing to note here is that it is lightning fast! That is because a huge number of IP networks can be represented by a single hash instead of hundreds or thousands of lines of iptables rules.

For blocking countries see this example:
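As an added example that is not from either of the answers above, this script combines the first answer's advice (default-deny on the management ports, allow only trusted addresses) with the ipset approach: one hash:net set replaces a rule per address, and the two iptables rules are inserted so the ACCEPT sits above the DROP. The management ports, the set name and the trusted addresses are assumptions (constructed placeholders from the RFC 5737 documentation ranges), and port 80 is left untouched.

```shell
#!/bin/sh
# Added example: default-deny on management ports with an ipset allowlist.
# Assumed values (not from the original post): SSH on 22, WHM on 2087,
# constructed trusted addresses from the RFC 5737 documentation ranges.
MGMT_PORTS="22,2087"
TRUSTED_ADDRS="203.0.113.10 198.51.100.0/24"
SET_NAME="mgmt_allow"
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them as root.
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

build_rules() {
  # hash:net stores whole prefixes, so one kernel lookup covers every
  # trusted address and network; -exist makes the script re-runnable.
  run ipset create "$SET_NAME" hash:net -exist
  for a in $TRUSTED_ADDRS; do
    run ipset add "$SET_NAME" "$a" -exist
  done
  # Insert the DROP at position 1 first, then the ACCEPT at position 1,
  # so the final order is ACCEPT (trusted set) above DROP (everyone else).
  # Inserting at the top keeps an earlier, broader ACCEPT on these ports
  # from shadowing the deny.
  run iptables -I INPUT 1 -p tcp -m multiport --dports "$MGMT_PORTS" -j DROP
  run iptables -I INPUT 1 -p tcp -m multiport --dports "$MGMT_PORTS" \
    -m set --match-set "$SET_NAME" src -j ACCEPT
}

build_rules
```

Check the printed commands first; only then rerun with `DRY_RUN=0` from a console session you cannot lock yourself out of.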


Ignoring the bit about whether or not doing it this way is a good idea, you can do what you asked for with the GeoIP module for iptables.

After building and installing the module (and keeping your IP lists updated monthly), you can do stuff like this to block individual countries:

iptables -I INPUT -m geoip --src-cc CN -j DROP

Or use --src-cc US -j ACCEPT and so on if you prefer to specify those countries that you want to keep.


If you wanted to retain the ability to connect from anywhere without maintaining a geo-location blacklist/whitelist, you could implement port-knocking. It would stop most automated attempts while allowing you to still connect from any address.

Note: Don't put the port to knock adjacent to the port to open, otherwise a sequential port scan will activate your rule.