Skip to content

A simple way to filter IPs by country to block or allow connections to SSH

License

Notifications You must be signed in to change notification settings

BlueTeamToolbox/tcp-wrapper-country-filter

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

BlueTeamToolbox logo
Github Build Status Release Commits since release

Overview

This is a TCP wrapper which will filter server connection attempts based on the country of origin. It can be configured in one of two different ways:

  1. Allow connections only from a specified list of countries.
  2. Deny connections EXCEPT those from a specified list of countries.

This allows for the dynamic blocking (or allowing) of an entire country without having to manage or maintain IP lists, which can often be very large.

  • USA has over 1.5 billion IP addresses spanning approximately 450,000 different blocks.
  • China has over 300 million IP addresses spanning approximately 4,000 different blocks.
  • Russia has over 40 million IP addresses spanning approximately 10,000 different blocks.

The solution is only as accurate as the GeoIP database, however most tools for identifying a country from an IP are at least 99% accurate.

Security

The use of TCP wrappers does not eliminate the need for a properly configured firewall. This script should be seen as part of your security solution, not the whole of it.

Prerequisites

This tool relies on geoiplookup, if it is not installed then the script will log an error and allow the connection, even if the default action is DENY. The reason for this is that without this ALL connections would be blocked including your own (which would be bad).

Installing the Prerequisites

This may require additional apt or yum sources depending on your distribution.

Debian / Ubuntu

# apt-get install geoip-bin geoip-database

CentOS / RHEL

# yum install GeoIP GeoIP-data

By default this will install the free version of the GeoLite Country binary database (GeoIP.dat etc.), usually in the /usr/local/share or /usr/share directory. The specific location doesn't matter as the geoiplookup command will know where to look for the data files.

We currently do not support GeoIP2 format (mmdb) or automated updates from MaxMind, although is this on the roadmap for this tool.

Testing the Prerequisites

Look up one of Google’s IPs.

# geoiplookup 74.125.225.33
GeoIP Country Edition: US, United States

If you see the above or similar then geoiplookup is installed and working.

Configuration

Although this was developed for use with sshd, the principle should work for any service that is supported by TCP wrappers, however in this documentation we will use sshd.

Install the filter

Copy the script to /usr/local/sbin/country-filter (and ensure that it is executable [chmod +x]).

Out of the box the country list is empty and the script has the default ACTION of DENY (only block countries in the list), so the net effect at this point is to block nothing.

Adding countries

To add countries to the list, add them to the COUNTRIES variable. This is a space separated list of country codes (2 letter codes). Example country code list from Wikipedia.

There are times where a country cannot be identified, if you want to block all entries where a country cannot be identified, add XX to the COUNTRIES variable.

Allow or Deny

By default the script will deny connections from any country listed in the COUNTRIES variable, however you can invert this logic and only allow connections from these countries, by setting the ACTION variable to ALLOW.

If you change the default ACTION to ALLOW, ensure your own country is in the list of countries before you do this, otherwise you will no longer be able to connect to your server. This won't effect existing open connections, so test with a new connection attempt to ensure the configuration is correct.

Process Ordering

In Linux/Unix based systems the processing order for TCP wrappers is as follows:

  1. hosts.allow
  2. hosts.deny

This means that anything that is not handled (allowed / denied) by hosts.allow will be handled by hosts.deny.

/etc/hosts.allow

The following configuration will tell the system to pass all IPs, for ssh connections, to the country-filter. The return code of the filter specifies the action to be taken.

  1. 0 = Success - allow the connection.
  2. 1 = Failure - deny the connection.
sshd: ALL: aclexec /usr/local/sbin/country-filter %a 

aclexec tells the system to execute the following script and %a is replace by the current IP address.

/etc/hosts.deny

The following configuration will tell the system to deny all ssh connections.

sshd: ALL

This should never be reached because all cases should be handled by the country filter, but as with all security configurations protection in depth is key and having a safe / secure fallback position is preferable.

Alternatives

We provide a number of different TCP Wrapper filters.

Multiple Rules

If you wish to use more than one of our TCP Wrappers then please refer to our TCP Wrapper Multiplexer.

About

A simple way to filter IPs by country to block or allow connections to SSH

Topics

Resources

License

Code of conduct

Security policy

Stars

Watchers

Forks

Releases

No releases published

Sponsor this project

Packages

No packages published

Languages