How to block IP's from some Countries ?

[irigsoft]

Hello, I want to block from my uniGui application all IP addresses from locations (Countries) other than my country.

Is there a way integrated in unigui ?

[Sherzod]

Hello,

As you know, UniServerModule.BlockedIPList

And this post may help you:

 

[irigsoft]

2 hours ago, Sherzod said:

Hello,

As you know, UniServerModule.BlockedIPList

And this post may help you:

 

Thanks,

but this is fine if I know the IP addresses of the attackers, but I want to allow access only to the IP addresses from the location (Country) of my server.

I found some IP location detection APIs, but I think this will block the server in case of strong attacks because it will check the location of each IP.

 

something like that: https://stackoverflow.com/questions/3489460/how-to-get-visitors-location-i-e-country-using-geolocation

function getIPDetails() {
    var ipAddress = document.getElementById("txtIP").value;

    var xhttp = new XMLHttpRequest();
    xhttp.onreadystatechange = function () {
        if (this.readyState == 4 && this.status == 200) {
            console.log(JSON.parse(xhttp.responseText));
        }
    };
    xhttp.open("GET", "http://ip-api.io/json/" + ipAddress, true);
    xhttp.send();
}

<input type="text" id="txtIP" placeholder="Enter the ip address" />
<button onclick="getIPDetails()">Get IP Details</button>

but if is possible on server side : UniGUIServerModuleHTTPCommand

[Sherzod]

46 minutes ago, irigsoft said:

but I want to allow access only to the IP addresses from the location (Country) of my server.

Here you can add logic and modify the code:

 

[irigsoft]

11 minutes ago, Sherzod said:

Here you can add logic and modify the code:

 

Thanks, I have already integrated this.

I have an application in which I want to allow access only to users from the country where the server is located. For example, only consumers from Germany.

I have a procedure that blocks IP addresses when they try some suspicious activity.

But I want to block all addresses that are not from my country.

When an IP address tries to open a session (when connecting to the server), I want to check its Country and block it (add to Blockiplist) if it is not on my Country.

[Sherzod]

Well, you have to store in a list a range of IP addresses of a certain country and check I think...

[irigsoft]

24 minutes ago, Sherzod said:

Well, you have to store in a list a range of IP addresses of a certain country and check I think...

My plan is:

1. Client try to connect - send GET (or POST) command to uniGui

2. On UniGUIServerModuleHTTPCommand I get RemoteIP address

3. Check IP lookup 

with this API (like example)

function getIPDetails() {
    var ipAddress = document.getElementById("txtIP").value;

    var xhttp = new XMLHttpRequest();
    xhttp.onreadystatechange = function () {
        if (this.readyState == 4 && this.status == 200) {
            console.log(JSON.parse(xhttp.responseText));
        }
    };
    xhttp.open("GET", "http://ip-api.io/json/" + ipAddress, true);
    xhttp.send();
}

4. If Country is different from my Country, then add this IP address to BlockedIPList.

 

The Question1 is: Is there some integrated getIPDetails on uniGui ?

The Question2 is:If there is no integrated getIPDetails in uniGui, then how to use this function on UniGUIServerModuleHTTPCommand and return Country name on some variable ?

 

[Sherzod]

I will try to analyze...

[irigsoft]

1 minute ago, Sherzod said:

I will try to analyze...

Thanks

[irigsoft]

38 minutes ago, Sherzod said:

I will try to analyze...

I have done this so far:

function getIPDetails (sRemIP: String): String;
begin
      UniSession.AddJS  ('  new Promise(function(resolve, reject) {' +
                        + ' const xhttp = new XMLHttpRequest();'
                        + ' xhttp.onreadystatechange = function () {'
                        + '   if (this.readyState == 4 && this.status == 200) {'
                        + '        console.log(JSON.parse(xhttp.responseText));'
                        + '    }'
                        + '};'
                        + ' xhttp.open("GET", "http://ip-api.io/json/" + '  + sRemIP + ', true);'
                        + ' xhttp.send();'
                        + '}'
                        );

 Result := ??????
end;
 

usage 

TUniServerModule.UniGUIServerModuleHTTPCommand

begin

     IF AnsiUpperCase (getIPDetails (ARequestInfo.RemoteIP)) <> AnsiUpperCase (MySettings ['AcceptRequestFromCountry']) then begin
    AResponseInfo.ContentText := '<h1>Restricted Country</h1>';
    Handled := True;
    AResponseInfo.CloseSession;
    exit;
end;

end;

 

I didn't try it.

[Frederick]

6 hours ago, irigsoft said:

Hello, I want to block from my uniGui application all IP addresses from locations (Countries) other than my country.

Is there a way integrated in unigui ?

How do you handle users who use a VPN to access the Internet?

[Norm]

I use the following trick to achieve what you are trying to do:

I extract the country from the javascript Date function and include this as part of the ajaxRequest login script. I check this in Delphi as part of the login verification and reject if the country is not what I expect.

my javascript login function :

function doLogin(){
  let date = (new Date()).toString().toUpperCase();
  countryName = date.substring(date.indexOf("(") + 1, date.lastIndexOf(")"));
  let loginName = $('#login_username').val();
  let loginPsw = $('#login_password').val();
  let remember = $('#login_remember').prop('checked');
  if(remember){
    rememberLogin = 'Y'
  } else {
    rememberLogin = 'N'
  }

  let params = {loginname : loginName, loginpsw : loginPsw, loginremember : rememberLogin, country : countryName};
  params= JSON.stringify(params);
  top.ajaxRequest(top.frmLogin.htmlFrame, 'login',['json_param='+ params])
}

[irigsoft]

6 hours ago, Frederick said:

How do you handle users who use a VPN to access the Internet?

Good question, but if it uses a VPN, it means that this user has default connectivity rights. (VPN connection to the server is activated)

[irigsoft]

5 hours ago, Norm said:

I use the following trick to achieve what you are trying to do:

I extract the country from the javascript Date function and include this as part of the ajaxRequest login script. I check this in Delphi as part of the login verification and reject if the country is not what I expect.

my javascript login function :

function doLogin(){
  let date = (new Date()).toString().toUpperCase();
  countryName = date.substring(date.indexOf("(") + 1, date.lastIndexOf(")"));
  let loginName = $('#login_username').val();
  let loginPsw = $('#login_password').val();
  let remember = $('#login_remember').prop('checked');
  if(remember){
    rememberLogin = 'Y'
  } else {
    rememberLogin = 'N'
  }

  let params = {loginname : loginName, loginpsw : loginPsw, loginremember : rememberLogin, country : countryName};
  params= JSON.stringify(params);
  top.ajaxRequest(top.frmLogin.htmlFrame, 'login',['json_param='+ params])
}

Thanks, this is a good way to get a "state" by date, but what if the user's regional settings are wrong?

my goal is to protect myself from attacks from foreign countries, so it is assumed that they will try to circumvent the proper login 

[Norm]

You can avoid regional setting hack by using the free ip lookup service (ipapi.co).

In my example above replace the country from date function with:

  $.get('https://ipapi.co/json/', function(data) {
    countryName = data.country_name;
  })

You obviously need to use a promise to retrieve the value.

I am aware that you are wanting to completely block connections outside your country. In my case I simply want to disallow logins from foreign countries.

[irigsoft]

12 minutes ago, Norm said:

You can avoid regional setting hack by using the free ip lookup service (ipapi.co).

In my example above replace the country from date function with:

  $.get('https://ipapi.co/json/', function(data) {
    countryName = data.country_name;
  })

You obviously need to use a promise to retrieve the value.

I am aware that you are wanting to completely block connections outside your country. In my case I simply want to disallow logins from foreign countries.

Thank You.

How to get country_name in global variable on uniMainmodule ?

[Frederick]

1 hour ago, irigsoft said:

Good question, but if it uses a VPN, it means that this user has default connectivity rights. (VPN connection to the server is activated)

Let's say that I am from ABC country and you are located in XYZ country. Using a VPN, I can set it such that I am from XYZ country. How do you block me since my IP address would show that I am from your home country?

[irigsoft]

2 minutes ago, Frederick said:

Let's say that I am from ABC country and you are located in XYZ country. Using a VPN, I can set it such that I am from XYZ country. How do you block me since my IP address would show that I am from your home country?

OK, how You will connect to my VPN server, without knowing user and password ?

I think if you know the VPN user and password for the VPN server, then you have every right to connect.

[Frederick]

Just now, irigsoft said:

OK, how You will connect to my VPN server ?

You have a VPN server that users must connect to?

[irigsoft]

Just now, Frederick said:

You have a VPN server that users must connect to?

At this moment no.

[Norm]

As far as I know there is no way of circumventing VPN use. I would be very interested to know if I'm wrong.

[irigsoft]

1 minute ago, Norm said:

As far as I know there is no way of circumventing VPN use. I would be very interested to know if I'm wrong.

If this question was to me.

I dont use VPN, i have StandAloneApplication, and I see in my log files some trys to hack from different IP's from different countries.

This makes me look for ways to block access to the server from certain destinations (Countries)

[Norm]

I was responding to Frederick's question regarding VPN hacks. He is making a valid point that hackers can break through your IP lookup solution by connecting to your server using their own VPNs to pretend they are in your country.

The only way to avoid VPN hacks is to gradually build up a list of allowed IP's.

[Frederick]

18 minutes ago, Norm said:

As far as I know there is no way of circumventing VPN use. I would be very interested to know if I'm wrong.

I feel that it would not be possible to block a user from a different country once they use a VPN because you are trying to block them by their IP address, which can be spoofed.

[Frederick]

15 minutes ago, Norm said:

The only way to avoid VPN hacks is to gradually build up a list of allowed IP's.

Even this would be difficult because it is possible that the user has a dynamic IP address. Imagine your workload to build up an unending list.