Alex Buckland

asked on

Geo IP filtering for Server 2019 AWS

Hi. I have a Server2019 instance running on AWS it provides VPN authentication and I want to install a GEO-IP filter to avoid logon attempts from unauthorized countries. Anyone have a good, reliable way of doing this? Either with AWS or 3rd party software?
David Favor

You asked, "Anyone have a good, reliable way of doing this?"

No. Zero chance.

Geo Filtering only works for server to server checking.

Never for client to server checking.

There's a reason Google has you set your Geo/Zipcode, because it's highly unlikely you'll correctly guess a client's Geo.

Too many VPNs + other NAT'ted tech (like cell networks) rotate IPs across Geos + also share many clients on one IP, so any type of IP... authentication will fail.

Because of the shared IP situation, you'll have to authenticate sessions using cookies.

Study how WordPress does this as a great example.

One of the reasons, to me, why WordPress has surpassed other competing products is its rock-solid session management, which is already tooled to work with multi-instance, multi-master, database replication.

If you clone the WordPress session management system, you'll have a highly functional solution to your authentication requirements.
Alex Buckland

ASKER

All I am trying to do is negate some of the risk. I realize no solution is 100%, but Syspeace does an excellent job for RDP servers, and I was just wondering if there was a solution without me downloading public IP lists and importing them with PowerShell into the firewall...
See above.

Tip: If Google has determined there's no way to guess at a client Geo to attempt "negating some risk", it's a good bet your budget for this project will be less than Google spent, so unlikely you'll make better progress than Google.

My rule of thumb is, generally, watching what Google implements + following their lead can save a massive amount of lost budget.

You can use RBLs which publish some residential IP lists, like Google Fiber + Comcast + Spectrum, which will be fairly useless.

All ISPs like this already track their clients' outgoing packet flow.

Say for example you have a Google Fiber connection at a residence. If you then attack other machines - SMTP all the way to UDP 443 attacks - Google will sense this + block the attack.
Suggestion: Describe what specific problem you're targeting to resolve by having this data.

Likely someone has a solution.

For example, mitigating DOS/DDOS attacks is trivial + requires no IP lists.
Ok,

I am seeing a lot of attempts to log on from Russian, Chinese, and Korean IP addresses.
I want to block these from even seeing the server to negate the risk.

Thanks,
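The approach the asker mentions above (importing a public IP range list into the Windows Firewall with PowerShell), written out as an added example that is not part of this thread. It assumes an RRAS/IKEv2 VPN listening on UDP 500/4500 and TCP 443 (SSTP) and a hypothetical list file path; the CIDRs it creates are constructed placeholders, not a real country allocation list.

```powershell
# Added example: build inbound block rules on Windows Server 2019 for every CIDR in a
# list file, scoped to the VPN ports only, so a stale or oversized list cannot lock
# out other services. Assumed ports: UDP 500/4500 (IKEv2) and TCP 443 (SSTP).
$BlockListPath = 'C:\geoip\blocked-ranges.txt'   # hypothetical path, one CIDR per line
$RuleName      = 'GeoIP-Block-VPN-Inbound'
$VpnPorts      = @{ UDP = @('500','4500'); TCP = @('443') }

# Constructed sample list (RFC 5737 documentation ranges) so the script runs without a download.
if (-not (Test-Path $BlockListPath)) {
    New-Item -ItemType Directory -Path (Split-Path $BlockListPath) -Force | Out-Null
    @('192.0.2.0/24','198.51.100.0/24','203.0.113.0/24') | Set-Content $BlockListPath
}

# Keep only syntactically valid IPv4 CIDRs; one malformed line must not abort the whole build.
$Ranges = @(Get-Content $BlockListPath |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -match '^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$' })

if ($Ranges.Count -eq 0) {
    throw "No valid ranges in $BlockListPath; refusing to create an empty rule."
}

# Windows Firewall limits the number of addresses per rule, so split large lists into chunks.
$ChunkSize = 1000
$Chunks = for ($i = 0; $i -lt $Ranges.Count; $i += $ChunkSize) {
    ,($Ranges[$i..([Math]::Min($i + $ChunkSize, $Ranges.Count) - 1)])
}

# Remove earlier generations of the rule so re-running replaces rather than accumulates.
Get-NetFirewallRule -DisplayName "$RuleName*" -ErrorAction SilentlyContinue | Remove-NetFirewallRule

$n = 0
foreach ($chunk in $Chunks) {
    foreach ($proto in $VpnPorts.Keys) {
        New-NetFirewallRule -DisplayName "$RuleName-$proto-$n" -Direction Inbound -Action Block `
            -Protocol $proto -LocalPort $VpnPorts[$proto] -RemoteAddress $chunk -Profile Any | Out-Null
    }
    $n++
}
# Block rules win over allow rules in Windows Firewall, so existing VPN allow rules keep
# working for clients outside the listed ranges; re-run after each list refresh.
```

As the thread notes, this only filters by source address, so clients behind shared or rotating IPs are still classified by whichever range they currently appear from.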