GeoIP database have the records of Geographical location-based on IP address. Using this database we can search any ip belongs to which country using Linux command line. This article will help you to allow SSH or FTP (vsftpd) access based on users country. This examples uses TCP wrappers to secure your services.
Install GeoIP and GeoIP Database
First install GeoIP binary for Linux and their database based on your operating system. For CentOS and RedHat users GeoIP binary and database are combined in single package.
On CentOS and RedHat:
# yum install GeoIP
On Ubuntu and Debian:
$ sudo apt-get install geoip-bin geoip-database
Create the SSH/FTP Filter Script
Now create a shell script which checks for all incoming connection ip addresses and search their corresponding country using GeoIP database and allowed only those countries which code is defined in ALLOW_COUNTRIES variable in script.
# vim /usr/local/bin/ipfilter.sh
#!/bin/bash # License: WTFPL # UPPERCASE space-separated country codes to ACCEPT ALLOW_COUNTRIES="IN US" LOGDENY_FACILITY="authpriv.notice" if [ $# -ne 1 ]; then echo "Usage: `basename $0`" 1>&2 exit 0 # return true in case of config issue fi if [[ "`echo $1 | grep ':'`" != "" ]] ; then COUNTRY=`/usr/bin/geoiplookup6 "$1" | awk -F ": " '{ print $2 }' | awk -F "," '{ print $1 }' | head -n 1` else COUNTRY=`/usr/bin/geoiplookup "$1" | awk -F ": " '{ print $2 }' | awk -F "," '{ print $1 }' | head -n 1` fi [[ $COUNTRY = "IP Address not found" || $ALLOW_COUNTRIES =~ $COUNTRY ]] && RESPONSE="ALLOW" || RESPONSE="DENY" if [[ "$RESPONSE" == "ALLOW" ]] ; then logger -p $LOGDENY_FACILITY "$RESPONSE sshd connection from $1 ($COUNTRY)" exit 0 else logger -p $LOGDENY_FACILITY "$RESPONSE sshd connection from $1 ($COUNTRY)" exit 1 fi
Script srouce: https://gist.github.com/jokey2k/a74f56955124880749e7
Make this script executable
# chmod +x /usr/local/bin/ipfilter.sh
Restrict SSH/FTP Connections
Now apply SSH and FTP restrictions using TCP wrappers. First we need to deny everyone by adding below line in /etc/hosts.deny.
sshd: ALL vsftpd: ALL
Now edit /etc/hosts.allow and allow only those ips which is allowed by your ip filter script.
sshd: ALL: spawn /usr/local/bin/ipfilter.sh %a vsftp: ALL: spawn /usr/local/bin/ipfilter.sh %a
Above FTP restrictions are for vsftpd only. Also make sure you have enabled (tcp_wrappers=YES) in your vsftpd configuration. You can also create similar rules for any other services supported TCP wrapper.
Testing
Finally test your server by login using SSH or FTP from different-2 locations and analyse access log file. Below is the some demo logs created by ipfilter.sh.
Feb 27 13:03:29 TecAdmin root: DENY sshd connection from 212.191.246.202 (PL) Feb 27 13:34:28 TecAdmin root: DENY sshd connection from 212.181.246.202 (SE) Feb 27 13:34:36 TecAdmin root: DENY sshd connection from 211.181.246.203 (KR) Feb 27 13:35:00 TecAdmin root: DENY sshd connection from 221.191.146.204 (JP) Feb 27 15:11:04 TecAdmin root: ALLOW sshd connection from 49.15.212.12 (IN) Feb 27 15:11:09 TecAdmin root: ALLOW sshd connection from 149.15.212.12 (US) Feb 27 15:11:22 TecAdmin root: ALLOW sshd connection from 49.15.156.123 (IN) Feb 27 15:11:32 TecAdmin root: ALLOW sshd connection from 231.15.156.123 (IP Address not found) Feb 27 15:14:04 TecAdmin root: DENY sshd connection from 111.15.15.123 (CN) Feb 27 15:14:56 TecAdmin root: ALLOW sshd connection from 49.15.110.123 (IN)
In logs you can say that all ips belongs to US (United States) and IN (India) are allowed. Also if any ip do not matches in GeoIP database will be allowed by default. Rest of matching other countries ips are denied.
Hi to every body, it’s my first pay a visit of this webpage; this web site contains
amazing and truly fine information designed for visitors.
i have red all your comments all that stuff doesn’t work properly with my centos 7
Hello.
how can I use it for smtp? smtpd .. allow connection to send mail from a defined country.
thanks, Andres.