Difference between revisions of "Blocked Countries"

From Kolmisoft Wiki
(Created page with '=Description= '''Blocked Countries''' is a security abstraction over the [https://linux.die.net/man/8/iptables iptables]. The functionality is used to block entire countries from…')
 
 
(7 intermediate revisions by 3 users not shown)
Line 1: Line 1:
=Description=
=Description=
'''Blocked Countries''' is a security abstraction over the [https://linux.die.net/man/8/iptables iptables]. The functionality is used to block entire countries from accessing your Servers.
'''Blocked Countries''' is a security abstraction over the [https://linux.die.net/man/8/iptables iptables]. The functionality is used to block entire countries from accessing your Servers.
<br>
 
<br><br>
=Usage=
=Usage=
'''Blocked Countries''' is only available to the System Admin and only from '''MOR X9'''.<br><br>
'''Blocked Countries''' is only available to the System Admin.<br><br>
In the System Admin Menu go to ADDONS section and expand the Monitorings sub-menu. Click on the '''Blocked Counties''' icon ('''NOTE:''' This functionality can be used without having a Monitorings Addon enabled, as it is considered to be a general security feature).<br>
In the System Admin Menu go to the Security section and expand the sub-menu. Click on the '''Blocked Counties''' icon ('''NOTE:''' This functionality can be used without having a Monitorings Addon enabled, as it is considered to be a general security feature).<br>


[[File:MOR_Blocked_Countries_Menu.png]]<br>
[[File:MOR_Blocked_Countries_Menu.png]]<br>


In the newly opened page a list of Country names is present along with their [http://www.iso.org/iso/home/standards/country_codes.htm ISO 3166] Codes.<br>
In the newly opened page, a list of Country names is present along with their [http://www.iso.org/iso/home/standards/country_codes.htm ISO 3166] Codes.<br>


[[File:MOR_Blocked_Countries.png]]<br>
[[File:MOR_Blocked_Countries.png]]<br>


The to-be-blocked Countries can be checked and after clicking the '''Save''' button at the bottom of the list they will be '''blocked'''.<br>'''NOTE: Depending on the number of Countries checked the process might take up to 4-5 minutes of time.'''<br>
The to-be-blocked Countries can be checked and after clicking the '''Save''' button at the bottom of the list they will be '''blocked'''.<br>'''NOTE: Depending on the number of Countries checked the process might take up to 4-5 minutes of time.'''<br>
<br><br>


=How it works=
=How it works=
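Review bot: The rewritten navigation sentence in the Usage section still spells the icon name "Blocked Counties"; it should read "Blocked Countries" to match the page title. The parenthetical NOTE about the Monitorings Addon was carried over unchanged although the path now goes through the Security section instead of the Monitorings sub-menu, so it reads as a leftover and could be reworded or dropped. The "only from MOR X9" qualifier is removed without a replacement; if the feature is still absent from older versions, keep a version note.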
Line 23: Line 26:
'''NOTE: Each country Blacklist has a default Whitelist for misconfiguration and emergency cases.''' This list includes the Server IP, Kolmisoft Support access, the Server DNS Servers, the ipdeny.com API, the MOR Servers, and the ACCEPT rule for all the SSH traffic on '''port 22'''.
'''NOTE: Each country Blacklist has a default Whitelist for misconfiguration and emergency cases.''' This list includes the Server IP, Kolmisoft Support access, the Server DNS Servers, the ipdeny.com API, the MOR Servers, and the ACCEPT rule for all the SSH traffic on '''port 22'''.


<br><br>
=Scope and Limitations=
=Scope and Limitations=
There is a chance that on some Servers the functionality '''may not''' be installed because of Kernel's '''incompatibility''' to support the [http://ipset.netfilter.org/ IPSet].<br>
There is a chance that on some Servers the functionality '''may not''' be installed because of Kernel's '''incompatibility''' to support the [http://ipset.netfilter.org/ IPSet].<br>
Line 31: Line 35:


Also, the Servers '''must''' allow the http connections which are needed for file download.
Also, the Servers '''must''' allow the http connections which are needed for file download.
[http://www.ipdeny.com/ipblocks/ ipdeny.com] lists are not 100% accurate. If you are having interconnection problems with new IP addresses while the Country block is in use, make sure that those IPs are not within blocked countries [http://www.ipdeny.com/ipblocks/ ipdeny.com] subnets list.
<br><br>
== See also ==
* [[Blocked Countries installation problem. Please contact Support in order to solve it]]
* [[Blocked Countries blocks email server]]
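Review bot: The added ipdeny.com sentence tells the admin to make sure the affected IPs are not within a blocked country's subnet list, but it does not say what to do when they are. Pointing to the default Whitelist described under "How it works", or stating whether the admin can add an exception, would complete the troubleshooting step. Since the same paragraph says the lists are fetched over http and are "not 100% accurate", it is also worth stating that the monthly renewal can change which addresses are blocked.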

Latest revision as of 11:13, 15 February 2024

Description

Blocked Countries is a security abstraction over iptables. The functionality is used to block entire countries from accessing your Servers.



Usage

Blocked Countries is only available to the System Admin.

In the System Admin Menu, go to the Security section and expand the sub-menu. Click on the Blocked Countries icon (NOTE: This functionality can be used without having a Monitorings Addon enabled, as it is considered to be a general security feature).


In the newly opened page, a list of Country names is present along with their ISO 3166 Codes.


The Countries to be blocked can be checked; after clicking the Save button at the bottom of the list, they will be blocked.
NOTE: Depending on the number of Countries checked, the process might take up to 4-5 minutes.



How it works

The list of the to-be-blocked Countries is stored in the Database which is shared among the Servers. Each Server will use the Database to update its iptables.

The aggregated IP addresses for each Country are downloaded from ipdeny.com and added to the IPSets, which are then included in the iptables.

Every month the Servers will renew their IP address Database to have the latest data.

NOTE: Each country Blacklist has a default Whitelist for misconfiguration and emergency cases. This list includes the Server IP, Kolmisoft Support access, the Server DNS Servers, the ipdeny.com API, the MOR Servers, and the ACCEPT rule for all the SSH traffic on port 22.
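
The flow described above (zone list into an IPSet, whitelist and SSH rules ahead of the country DROP), as an added example that is not MOR's own code. The set name `blocked_xx`, the chain name `COUNTRY_BLOCK`, the country code `xx` and the sample addresses are assumptions; the script only prints the commands and applies nothing.

```shell
#!/bin/sh
# Added example: set, chain and sample values are hypothetical, not MOR's own.

# Constructed sample of a downloaded zone file: two valid CIDRs, one HTML
# error line and one impossible prefix length.
SAMPLE_ZONE='192.0.2.0/24
<html>503 Service Unavailable</html>
203.0.113.0/33
198.51.100.0/25'

# Read zone text on stdin and print input for `ipset -exist restore`.
# Only lines shaped like an IPv4 CIDR pass, so a damaged or tampered
# download over plain http cannot add arbitrary ipset commands.
build_ipset_restore() {
    set_name="blocked_$1"
    echo "create ${set_name} hash:net family inet"
    echo "create ${set_name}_new hash:net family inet"
    echo "flush ${set_name}_new"
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' |
        while read -r cidr; do
            echo "add ${set_name}_new ${cidr}"
        done
    # Swap atomically so the live set is never empty during the refresh.
    echo "swap ${set_name}_new ${set_name}"
    echo "destroy ${set_name}_new"
}

# Print iptables rules: whitelist entries and SSH come before the DROP,
# so a bad list cannot lock the administrator out.
# $1 = country code, remaining arguments = whitelisted source addresses.
emit_iptables_rules() {
    cc=$1; shift
    echo "iptables -N COUNTRY_BLOCK"
    for src in "$@"; do
        echo "iptables -A COUNTRY_BLOCK -s ${src} -j ACCEPT"
    done
    echo "iptables -A COUNTRY_BLOCK -p tcp --dport 22 -j ACCEPT"
    echo "iptables -A COUNTRY_BLOCK -m set --match-set blocked_${cc} src -j DROP"
    echo "iptables -I INPUT -j COUNTRY_BLOCK"
}

# Demo: print what would be fed to ipset and iptables (nothing is applied).
printf '%s\n' "$SAMPLE_ZONE" | build_ipset_restore xx
emit_iptables_rules xx 192.0.2.10
```

The whitelisted address 192.0.2.10 lies inside a listed subnet on purpose: because its ACCEPT rule precedes the set match, it stays reachable.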



Scope and Limitations

There is a chance that on some Servers the functionality may not be installed because the Kernel does not support IPSet.

For this to work, your Kernel version must be greater than or equal to 2.6.32 and must support the ip_set and ip_set_hash_netport modules.

If the Blocked Countries functionality is not installed on any of the Servers, the GUI will show a warning (this means that the Kernel does not support IPSet).

Also, the Servers must allow the HTTP connections that are needed for the file download.

The ipdeny.com lists are not 100% accurate. If you are having interconnection problems with new IP addresses while the Country block is in use, make sure that those IPs are not within the ipdeny.com subnet lists of the blocked countries.
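
One way to run the check described above against a downloaded zone list, as an added example that is not part of MOR. The function names and the sample zone data are assumptions; the input is one IPv4 CIDR per line on stdin.

```shell
#!/bin/sh
# Added example: sample zone data is constructed, not real ipdeny.com output.
SAMPLE_ZONE='192.0.2.0/24
198.51.100.64/26'

# Convert a dotted IPv4 address to an integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1            # split the address into its four octets
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Read a zone list (one CIDR per line) on stdin and print the first subnet
# that contains address $1. Returns 1 when no subnet matches.
find_blocking_cidr() {
    ip_int=$(ip_to_int "$1")
    match=$(grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' |
        while read -r cidr; do
            bits=${cidr#*/}
            mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
            net_int=$(ip_to_int "${cidr%/*}")
            if [ $(( ip_int & mask )) -eq $(( net_int & mask )) ]; then
                echo "$cidr"
                break
            fi
        done)
    [ -n "$match" ] || return 1
    echo "$match"
}

# Demo: report the subnet that covers a peer address, if any.
printf '%s\n' "$SAMPLE_ZONE" | find_blocking_cidr 198.51.100.77 || echo "not listed"
```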



See also