
How to block IP's from some Countries ?


irigsoft


Just to respond to this question:

"Can't figure out how you can connect from your VPN client (with a changed country) to my site in my country without having a VPN server in my country?
As far as I understand, the only thing that happens is that your VPN Client receives some "external" IP (fake), which will be presented to my site as if it were from my country, because you know which is my country."

How it works is that the VPN app on my machine will intercept the football URL I typed and replace it with the address of their server in the UK and pass my original URL as a parameter to their server so it knows what target site I want. I have simplified this a bit to try and convey the idea.


21 minutes ago, Norm said:

How it works is that the VPN app on my machine will intercept the football URL I typed and replace it with the address of their server in the UK and pass my original URL as a parameter to their server so it knows what target site I want. I have simplified this a bit to try and convey the idea.

Ok, I understand. So if I place my site with a UK hosting company but accept IPs only from Germany, I will confuse you about which country you must select in the VPN (you will select UK, but I will block you)?

@Frederick how about this, am I right?


I found that some routers can create a rule to block by destination, so this is a good way to protect.

"This tool will help you create some basic firewalls for Your routers as well as a stand alone address list that you can use with your own custom rules to block certain countries. "

In addition, some Internet security software uses GEO location policy protection

IP Spoofing:

https://www.keyfactor.com/blog/what-it-is-ip-spoofing-how-to-protect-against-it/


2 hours ago, irigsoft said:

Ok, I understand. So if I place my site with a UK hosting company but accept IPs only from Germany, I will confuse you about which country you must select in the VPN (you will select UK, but I will block you)?

That is correct.


4 hours ago, irigsoft said:

Ok, I understand. So if I place my site with a UK hosting company but accept IPs only from Germany, I will confuse you about which country you must select in the VPN (you will select UK, but I will block you)?

@Frederick how about this, am I right?

Correct. Since you only accept IPs from Germany, someone who actually stays in Germany will not be blocked. However, Norm, who is in New Zealand, can simply get the VPN client to point to a VPN server in Germany and your site can be accessed.

That was the question in my initial post. How can you block a VPN user?


11 minutes ago, Frederick said:

How can you block a VPN user?

I didn't know about this Site-To-Site VPN and IP spoofing option.

Now I have received more information about this and I will look for solutions from another manufacturer with knowledge of security.

However, I have integrated the solution described above


But the bad kind of spoofing can be controlled. There are five things, among others, that you can do to help prevent IP spoofing and its related attacks from affecting your network:

  1. Use authentication based on key exchange between the machines on your network; something like IPsec will significantly cut down on the risk of spoofing.

  2. Use an access control list to deny private IP addresses on your downstream interface.

  3. Implement filtering of both inbound and outbound traffic.

  4. Configure your routers and switches if they support such configuration, to reject packets originating from outside your local network that claim to originate from within.

  5. Enable encryption sessions on your router so that trusted hosts that are outside your network can securely communicate with your local hosts.

So, when unigui Framework will enable

 


16 minutes ago, irigsoft said:

@Frederick, I try to control every user that connects to my unigui server.

If they try some action that I don't allow, then this user is blocked.

That's a great practice but you have to take into account that there are legitimate users who may be outside Germany but want to access your site via VPN because of security or some other reasons.


20 hours ago, Frederick said:

That's a great practice but you have to take into account that there are legitimate users who may be outside Germany but want to access your site via VPN because of security or some other reasons.

A user who connects to the unigui server and does not try to hack or do other such things has no problem working if they are on the WhiteIPList.

You are right, this control stops some legitimate users, but these are just settings, so the owner of the server will select them as they want.

This reminds me that the unigui app can check if the user is in the WhiteIPList and not block them, even if they are outside Germany.

I fixed my code.


On 1/14/2022 at 5:09 PM, Frederick said:

you have to take into account that there are legitimate users who may be outside Germany but want to access your site via VPN

@Frederick

In this situation, there are some limitations that the user will encounter:

1. My application is not a website, this is a web application, REST server, etc. and it will need access data.

2. If the user wants to connect to this web application, then he will need:

2.1 full URL of the application (there is some data that you will receive from the owner of the server to connect to the application)

2.2 user and password

3. If they know this information and want to use a Site-to-Site VPN, then they will receive information about which country they will need to use to connect to the web application.

4. A certain IP address can always be added to the list of trusted addresses and blocking by country will not be affected

I think that the combination of all these parameters will allow the normal operation of even such users.
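
The order of checks described in the two posts above (trusted list first, country rule second), as an added example that is not part of the original thread and not the poster's uniGUI code. It is written in Python; the names `WHITE_IP_LIST`, `COUNTRY_RANGES` and `decide` are hypothetical, and the address ranges are constructed from the RFC 5737 documentation blocks.

```python
import ipaddress

# Constructed sample data: RFC 5737 documentation ranges stand in for a
# real country-to-CIDR list (for example one exported from a GeoIP database).
COUNTRY_RANGES = {
    "DE": ["192.0.2.0/24"],
    "GB": ["198.51.100.0/24"],
    "NZ": ["203.0.113.0/24"],
}
ALLOWED_COUNTRIES = {"DE"}
# Hypothetical stand-in for the thread's WhiteIPList: trusted addresses that
# bypass the country rule.
WHITE_IP_LIST = ["203.0.113.25/32"]


def _networks(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


def country_of(addr):
    """Return the country code whose range contains addr, or None."""
    for code, cidrs in COUNTRY_RANGES.items():
        if any(addr in net for net in _networks(cidrs)):
            return code
    return None


def decide(remote_ip):
    """Return (allowed, reason) for the address the server sees on the socket."""
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False, "malformed address"
    # Normalise IPv4-mapped IPv6 (::ffff:a.b.c.d) so it is matched by IPv4 rules.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    # Allowlist first: a trusted address is never subject to the country rule.
    if any(addr in net for net in _networks(WHITE_IP_LIST)):
        return True, "allowlisted"
    country = country_of(addr)
    if country in ALLOWED_COUNTRIES:
        return True, f"country {country}"
    return False, f"country {country or 'unknown'} not allowed"
```

The decision uses only the address on the connection, so a client arriving through a VPN server inside an allowed range gets the same result as a local user, which is the limit Frederick raises earlier in the thread.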


7 minutes ago, Frederick said:

If you have all these practices in place and they are deemed to be effective, why would you want to block users from certain countries in the first place?

I'm just trying to add more security options to my app.

I have created a main topic in this forum and I am trying to fill it with some security methods and discuss their effectiveness.
This is just another line on my security list.

I am not a security expert and more information from colleagues like you is useful to me.

I hope we can all work together to make our applications more secure.
