Methods to ban whole countries on server level
September 11, 2008 by Gary Illyes
Filed under Server Management
I already expressed my opinion about country bans in a previous post, now let’s see some methods of how to achieve country bans.
With IPTables, using a bash script:
Remember that this will work only under Linux and with IPTables working correctly.
Instead of looking up and blocking every IP one by one, we ask APNIC for a country’s allocated IP ranges.
The script is very simple, and I won’t bother writing a new one as the web is full of them. The best I found is by Red Hat Certified Engineer Sebastien Wain; it’s clean and simple. Click here to read his post, and from there you can follow a link to the script. It would be unfair to post the link to the script directly.
When you run the script, you will have to input the country code you want to block. A complete list of country codes can be found here: ISO 3166 Country Codes
The output of the script will be IPTables commands for each IP block, which you can later use in another bash script to insert the blocks into the IPTables drop list, or, if you have enough time to spare, you can copy-paste each command into the command line.
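One way to turn that output list into rules, as an added example that is not from the post or the script it links to: validate every block before it becomes a rule, and keep the whole ban in its own chain (the chain name COUNTRY_DROP and the sample input are assumptions).

```shell
#!/bin/sh
# Added example, not from the post or the script it links to: take the
# per-country CIDR list that the allocation lookup produced and turn it
# into iptables commands. Rules go into a dedicated chain so the ban can
# be reviewed, reloaded or removed without touching the rest of the
# firewall. Without "| sh" nothing is applied, the commands are only printed.

CHAIN="COUNTRY_DROP"   # chain name is an assumption, pick your own

# Accept only a.b.c.d or a.b.c.d/nn with sane octets and prefix, so a
# truncated or garbled download line never turns into a firewall rule.
valid_cidr() {
    case "$1" in
        */*) addr="${1%/*}"; prefix="${1#*/}" ;;
        *)   addr="$1";      prefix=32 ;;
    esac
    printf '%s\n' "$addr"   | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    printf '%s\n' "$prefix" | grep -Eq '^[0-9]{1,2}$' || return 1
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Read blocks from stdin (comments and blank lines allowed) and print one
# iptables command per valid block; malformed lines are reported on
# stderr and skipped rather than guessed at.
gen_rules() {
    echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
    echo "iptables -C INPUT -j $CHAIN 2>/dev/null || iptables -I INPUT -j $CHAIN"
    while IFS= read -r line; do
        line=$(printf '%s' "${line%%#*}" | tr -d '[:space:]')
        [ -n "$line" ] || continue
        if valid_cidr "$line"; then
            echo "iptables -A $CHAIN -s $line -j DROP"
        else
            echo "skipping malformed entry: $line" >&2
        fi
    done
}

# Constructed sample input, not real allocation data. Review the output
# first, then re-run as root with "| sh" to apply it.
printf '%s\n' '203.0.113.0/24  # sample block' '198.51.100.0/22' \
    'not-an-address' '' | gen_rules
```

Flushing or deleting the COUNTRY_DROP chain later lifts the whole ban in one step, which is the point of not mixing it into INPUT directly.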
Using MaxMind GeoIP or GeoLite and Server Side Code
MaxMind provides a free “Lite” version of its GeoIP database. The difference between the two databases is that the free version is less accurate, but it’s still accurate enough to be very useful, as its accuracy is still above 99%. So, download the MaxMind GeoLite database from MaxMind’s website and save it somewhere on your server. You should save it in the include path: it will be easier for you and still safe from unauthorized access. It’s a huge .dat file, so it wouldn’t be fun if some hacker kids could hit it at a rate of 2000 queries per second.
Now that you have this database on your server, write a PHP (or any other server-side) script which checks the visitor’s IP against this database before serving a page. APIs are available to make developers’ lives easier.
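The same check done from a shell script, as an added example that is not from the post: it reads the country database through the geoiplookup tool that ships with the GeoIP C library, and lets unknown addresses through rather than losing legitimate visitors. The database path, the blocked-country codes and the fallback IP are assumptions.

```shell
#!/bin/sh
# Added example, not from the post: a server-side check of a visitor's IP
# against the MaxMind country database, using the geoiplookup tool that
# comes with the GeoIP C library and the GeoIP.dat / GeoLiteCountry.dat
# file you downloaded. The database path and the blocked-country list are
# assumptions; set them to your own.

GEOIP_DB="/usr/share/GeoIP/GeoIP.dat"   # wherever you saved the .dat file
BLOCKED_COUNTRIES="XA XB"               # constructed placeholders from the
                                        # ISO 3166 user-assigned range

# geoiplookup prints "GeoIP Country Edition: US, United States" or
# "GeoIP Country Edition: IP Address not found". Print the two-letter
# code, or nothing when the address is unknown to the database.
country_from_output() {
    sed -n 's/^GeoIP Country Edition: \([A-Z][A-Z]\),.*/\1/p'
}

lookup_country() {
    geoiplookup -f "$GEOIP_DB" "$1" 2>/dev/null | country_from_output
}

# Return 0 (blocked) only when a code is known and on the list. Unknown
# or unlisted addresses are let through: as the post says, losing
# legitimate visitors costs more than a missed block.
is_blocked() {
    cc=$1
    [ -n "$cc" ] || return 1
    for blocked in $BLOCKED_COUNTRIES; do
        [ "$cc" = "$blocked" ] && return 0
    done
    return 1
}

# CGI-style gate: Apache hands the client IP over in REMOTE_ADDR. Prints
# a 403 response and returns 0 when the visitor is blocked, 1 otherwise.
gate() {
    if is_blocked "$(lookup_country "$1")"; then
        printf 'Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\nForbidden\n'
        return 0
    fi
    return 1
}

# 203.0.113.9 is a constructed fallback from the documentation range.
gate "${REMOTE_ADDR:-203.0.113.9}" || echo "visitor allowed (unknown or unblocked country)"
```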
With .htaccess
There’s an awesome online tool which can create the .htaccess you have to place in the root of your site. The tool is called “block a country” (on a side note, quite an imaginative name) and lives under the www.blockacountry.com domain. You select from the list the countries whose IPs you want to block, then pressing “Go” generates the lines you have to place in a .htaccess.
An easier method doesn’t exist: you either use that tool, or you put every IP in the .htaccess manually.
Other methods
I don’t think any really exist. It’s possible to block access at the router or firewall level, at least that’s what I was told, but I admit I never tried.
Please always think before you block a whole country. You can lose traffic from legitimate users, and traffic is precious for every webmaster. Or at least, it should be precious…
Ban IP on server level after a number of unsuccessful logins
August 24, 2008 by Gary Illyes
Filed under Linux, Server Management
This is a widely used feature among server managers. Depending on your system configuration, the server will ban the attacker’s IP, either by putting it in the firewall’s deny list or, on Linux servers with IPTables installed, by putting the IP in the drop list.
The easiest way to achieve this is to install a software firewall. My recommendation is CSF, ConfigServer Security & Firewall, developed and maintained by Way To The Web Limited. It’s extremely efficient software and, integrated into WHM, very easy to manage; even a beginner can handle almost everything.
If configured correctly, CSF comes with what you could call an extension: LFD, the Login Failure Daemon.
This is what we’re looking for at the moment. You can configure which ports it listens on, so if the attacker tries SSH, POP3, FTP or even HTTP authentication, they will get banned after a few tries.
You can also put IPs on its ignore list. This is a very useful feature if you don’t want to get yourself banned.
Restrict access to directory or domain by IP, using .htaccess
August 2, 2008 by Gary Illyes
Filed under .htaccess
I won’t blather too much on this subject.
Basically, you can restrict or allow who can connect to your site or who can access specific directories using .htaccess .
Here’s the code to block one specific IP. I use 192.168.0.1 as the example; replace it with the IP you want to deny.
order allow,deny
deny from 192.168.0.1
allow from all
That’s it. Placed in the root of your site, the user with the IP 192.168.0.1 will not be able to access your site at all. If you place it in a specific subdirectory of your site, the user won’t be able to access that subdirectory. If you want to put more IPs in your deny list, just add one more deny line for each IP.
To block by domain, replace the IP with a domain. For example:
order allow,deny
deny from .comcast.net
deny from .google.com
allow from all
If you look closely, you will notice that I put a dot in front of the domains. It has only one meaning: if you put a dot in front of the domain, all its sub-domains will be blocked too. For example, in the second deny rule I said to deny everybody from google.com, including www.google.com, googlebot.google.com, finance.google.com, you get it.
And as always, we saved the world again.
Be Google’s friend: Make your URLs canonical with .htaccess
July 18, 2008 by Gary Illyes
Filed under .htaccess, Apache, Server Management
This subject is… is… well…
Every second site on the net has at least one article about this subject. But to be honest, it’s good to have so many articles about this, in a way. At least people recognize they should use it. Or not.
So, what’s the fuss around URL canonicalization? One thing only: the search engines and their hatred of duplicated content. If your website is accessible both on www.example.com and on the plain example.com, the search engines will index both; they think you duplicated your content to get more positions in the search results, so they penalize your domain. Weird. They should know it’s the same website, or at least the coders should teach them that www is the same as non-www. Or at least on well-configured servers.
So here Apache pops in and throws us a solution for the issue: the mod_rewrite engine, again. You will have to have mod_rewrite bundled into Apache and working correctly.
As always, here’s the code for those who just want to copy&paste and then the explanation for all the lines.
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.example\.com [NC]
RewriteRule ^(.*)$ http://example.com/$1 [R=301,L]
That’s it. Placed in a .htaccess file, it will redirect with code [301: Moved Permanently] all the requests sent to www.example.com to example.com. (In a .htaccess the rule pattern is matched against the path with the leading slash already stripped, which is why it is ^(.*)$ and not ^/(.*).) Now let’s explain it line by line:
- We switch On the mod_rewrite module, thus telling Apache we want to work with it.
- If the hostname begins with www.example.com, apply the rule, so this is a condition
- The last line is the rule which is executed if the condition matches the HTTP request. In our case, do a 301 redirect to the non-www version of the site
That was all. Search engines are now happy, World saved again.
As always, if something is unclear, drop a comment and I’ll answer as soon as possible.
Hotlink Protection using .htaccess made easy
July 18, 2008 by Gary Illyes
Filed under .htaccess, Apache, Server Management
This is one of the most used tricks by webmasters who care about their allocated bandwidth. The code which controls on which domains your images are allowed to show up is very short: four lines, that is.
As always, I provide the full code, then below it I explain everything.
To use this code, you have to have an Apache web-server with mod_rewrite correctly installed.
So, let’s see the code for those who don’t want the explanations:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?example\.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
Now some explanations:
The first line,
RewriteEngine on
practically tells Apache we will do something with mod_rewrite, so turn it on. This line is optional if you already turned it on earlier in the same .htaccess you put the above code in.
The second line,
RewriteCond %{HTTP_REFERER} !^$
this is nastier. Basically, if there is no referrer, let the image be displayed. I guess this needs a bit of explanation. When you navigate on the internet from one site to another, the browser always sends a “referrer” header (spelled Referer in HTTP) to the host you are accessing. So, for example, if you are currently on http://www.google.com and you navigate to http://yahoo.com, the browser will send Yahoo the following: “Referer: http://www.google.com”. This header is what we use in our .htaccess to prevent hotlinking, BUT! Some antivirus products and firewalls clear this header on the client side, so there is no referrer at all, and we can’t tell whether the user is browsing our site or hotlinking our image on another site. Thus we just let the image be displayed if there is no referrer.
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?example\.com [NC]
If the referrer is our own domain, display the image. We set http(s)?://(www\.)?example\.com, so our condition will work on HTTP and HTTPS and on both our www and non-www hostname.
And the last step is to tell Apache which files to protect:
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
In the above case the jpg, jpeg, png and gif images will be protected. If you want to protect your Flash-files as well, put swf in the list and your movies will not display embedded in remote sites.
On our domain the PHP files are also protected, because the Imagick examples are generated by PHP code.
I hope the above example was somewhat useful; if you need help with it, just describe your problem below and I’ll answer as soon as possible.
