WEBVTT

00:00.670 --> 00:06.610
Few months back, I got a message from one of my friends saying that his website is getting attacked

00:06.610 --> 00:08.050
by a lot of people.

00:08.410 --> 00:14.920
So we decided to go into the Nginx logs and we went into Splunk to see what exactly is happening.

00:15.160 --> 00:21.310
And we figured out that most of the attacks that are coming on this website were specific to a particular

00:21.310 --> 00:23.740
country, which was Russia.

00:24.100 --> 00:30.910
So attacks ranged from brute force to SQL injection attempts and so many other things, and they were

00:30.910 --> 00:33.340
like 2000, 3000 every hour.

00:34.900 --> 00:41.920
So one of the things that we determined was that his website was specific to clients in India.

00:42.250 --> 00:46.660
So there was no need to open up the website for the whole world.

00:47.500 --> 00:52.600
So then we decided to block the website for specific countries.

00:53.830 --> 00:58.240
Now in Nginx, if we want to do that, then there is a very amazing module.

00:59.220 --> 01:00.960
ngx_http_geoip_module.

01:00.990 --> 01:02.700
HTTP module.

01:04.050 --> 01:08.910
Which basically allows you to block the website based on specific countries.

01:10.260 --> 01:12.990
So if you talk about Linux.

01:12.990 --> 01:17.530
So there are two ways in which you can block a particular IP address.

01:17.550 --> 01:22.770
So let me give you the real world scenario itself of one of my friends.

01:22.800 --> 01:29.310
So basically this is a server and within the server there are multiple websites hosted.

01:30.090 --> 01:32.190
So all of these are the websites.

01:33.920 --> 01:35.180
And this is one.

01:36.140 --> 01:37.070
Linux server.

01:41.820 --> 01:45.000
So there were around five websites which are hosted now.

01:45.000 --> 01:49.680
One of the ways where we could actually block the countries was through the firewall.

01:51.990 --> 01:53.250
So this is a firewall.

01:53.250 --> 01:55.950
And in the firewall layer itself, we could have blocked.

01:56.400 --> 02:04.530
But one of the challenge was that we only wanted to block one website and not all.

02:05.400 --> 02:13.230
So if you just want to block one website based on the server name server name parameter.

02:15.290 --> 02:20.900
Then doing this in Firewall does not become an ideal solution.

02:20.900 --> 02:27.650
So for that, you actually have to use the GeoIP module which Nginx provides, which can block

02:28.680 --> 02:34.050
Countries based on the website which they are trying to access.

02:35.510 --> 02:41.030
So let's see on how we can do that in the Nginx configuration.

02:47.150 --> 02:48.170
So.

02:49.340 --> 02:52.730
There is a module called GeoIP which is available.

02:52.730 --> 02:54.740
So let's do a geoip grep.

02:57.800 --> 03:01.220
And you see there are geoip modules available.

03:01.230 --> 03:07.970
Now you will need these modules if you want to do the country based blocking.

03:07.970 --> 03:13.760
So if you do not have this module, then you can simply install the package, which is geoip,

03:13.940 --> 03:19.610
geoip-devel, and this will actually install both the modules.

03:21.090 --> 03:22.290
For me it is there.

03:22.290 --> 03:25.560
So if you install nginx via yum,

03:25.620 --> 03:28.710
then these modules will be there by default.

03:29.850 --> 03:36.360
So let's open the nginx configuration and let's write our first code.

03:41.520 --> 03:41.940
Okay.

03:42.990 --> 03:44.220
So I'll say.

03:46.560 --> 03:49.200
geoip_country

03:51.880 --> 03:54.340
/usr/share.

03:56.870 --> 04:02.300
I hope this is the GeoIP.dat. I'll explain the code.

04:03.640 --> 04:05.230
Then we map.

04:07.210 --> 04:09.400
So we map the host variable.

04:09.400 --> 04:15.040
Now host is basically the host that it is trying to attach.

04:15.700 --> 04:19.660
A client is trying to connect followed by the.

04:22.880 --> 04:23.400
geoip_

04:23.480 --> 04:24.290
country_code.

04:30.650 --> 04:35.660
And let's say we define a variable, deny_by_country.

04:38.820 --> 04:44.100
So if anything starts from, let's say example.com.

04:47.160 --> 04:50.010
If it is not from.

04:50.890 --> 04:51.460
India.

04:55.570 --> 04:58.720
Then let's give it a value of one.

05:00.050 --> 05:02.120
However, the default value is zero.

05:07.760 --> 05:10.130
Let's save this.

05:10.670 --> 05:11.240
Okay.

05:11.660 --> 05:12.590
It's successful.

05:13.310 --> 05:17.090
Now, second thing that you have to do is go to the.

05:23.730 --> 05:25.280
Next 50.

05:26.190 --> 05:32.340
Stay with me on this and I'll just explain to you, and inside the server directive

05:38.490 --> 05:40.020
we add an include.

05:47.980 --> 05:50.860
If deny_by_country, then return

05:51.850 --> 05:52.690
403.

05:57.700 --> 06:01.330
Let's check if the tests are successful.

06:02.770 --> 06:03.340
Okay.

06:03.340 --> 06:04.980
And let's reload Nginx.

06:08.580 --> 06:08.870
Okay.

06:09.570 --> 06:13.260
So let's see on what exactly you have written.

06:15.220 --> 06:20.780
So the first directive over here is geoip_country.

06:20.800 --> 06:25.600
So this basically means that this is the location of the database file.

06:25.630 --> 06:33.580
Now, this database file basically contains IP to country mapping.

06:33.940 --> 06:42.580
Now, if we look into the Internet or if we look into the IP address based schemes, each country is

06:42.580 --> 06:45.580
given a specific set of IP addresses.

06:45.730 --> 06:48.940
So let me open Firefox.

06:50.390 --> 06:53.840
And if we look over here, this is one of the websites.

06:53.840 --> 06:56.430
I'll be posting it on the forum itself.

06:56.450 --> 07:02.600
So this basically gives IP address corresponding to particular country.

07:02.600 --> 07:05.570
So if I say India, then.

07:10.070 --> 07:13.580
There are IP address blocks which are assigned to.

07:15.170 --> 07:18.800
Indian ISPs, and there are a lot of them.

07:20.070 --> 07:26.960
So specifying each and every IP addresses based on country is a very difficult task.

07:26.970 --> 07:34.170
So there is an organization called MaxMind, which has already done that for us.

07:34.170 --> 07:39.390
And that mapping, country-to-IP mapping, is stored in the GeoIP

07:39.630 --> 07:40.770
.dat file.

07:41.250 --> 07:47.010
So the first thing that we are doing over here is we are including this GeoIP.dat file.

07:49.940 --> 07:53.150
In the second directive we are mapping the host.

07:53.150 --> 07:55.070
So host is a variable.

07:55.070 --> 08:00.230
So we have already looked into the Http header where we have a host header.

08:01.710 --> 08:09.240
So $host with the $geoip_country_code, and deny_by_country is a variable.

08:09.480 --> 08:13.020
So the default value for deny_by_country is zero.

08:13.320 --> 08:17.070
And if any host variable.

08:17.070 --> 08:18.570
So this is host.

08:19.970 --> 08:21.950
If any host variable

08:23.640 --> 08:25.530
Comes with Indian IP.

08:26.140 --> 08:29.010
Then the value is one.

08:29.610 --> 08:32.280
So let me explain you on how this works.

08:32.880 --> 08:35.190
Let's use our favorite, OneNote.

08:38.220 --> 08:41.250
So the first.

08:44.400 --> 08:48.750
We are doing a mapping and we have a host variable over here.

08:50.870 --> 08:51.620
And.

08:56.420 --> 08:57.740
geoip.

08:58.800 --> 09:00.540
And geoip_country.

09:03.510 --> 09:04.530
And the country code.

09:07.240 --> 09:12.940
So let's say if a host is example.com, so it will be example.com.

09:15.690 --> 09:17.670
And its GeoIP code is India.

09:20.680 --> 09:24.400
So this will become a mapping to this.

09:25.060 --> 09:33.820
So if any visitor so if, say, if any user tries to come and opens example.com.

09:35.240 --> 09:40.250
And if he's not from India, then block him.

09:41.330 --> 09:44.420
So this is what we are actually specifying over here.

09:46.670 --> 09:48.410
So I just had.

09:52.790 --> 09:53.750
To add over here.

09:54.970 --> 09:55.360
I see.

09:56.020 --> 09:57.820
So this corresponds to.

09:58.450 --> 09:59.350
This semicolon.

09:59.830 --> 10:11.260
So again, let's revise: map the host variable to the geoip country code, and if anything comes in, any

10:12.530 --> 10:16.850
Visit comes to example.com and if it is not from India.

10:16.850 --> 10:18.320
So here we have specified.

10:18.320 --> 10:24.440
If it is not from India, then the value is one by default, value is zero.

10:25.830 --> 10:27.030
And.

10:29.640 --> 10:30.960
Within the.

10:32.500 --> 10:33.540
Web.config.

10:33.740 --> 10:38.710
If, say, the deny_by_country value is one, then return 403.

10:38.860 --> 10:48.310
So that means if any visitor tries to access example.com from any other country other than India, then

10:48.310 --> 10:51.490
the value of this deny_by_country becomes one.

10:51.700 --> 10:53.230
Otherwise it is zero.

10:53.830 --> 10:57.310
And if the value becomes one, return a 403.

10:59.780 --> 11:04.310
So this is how the blocking happens.

11:04.310 --> 11:09.770
So as I'm from India, let's not include India in the list.

11:10.040 --> 11:13.880
So I'll put, let's say, US.

11:14.450 --> 11:17.930
So before we do that, I'll just show you that a website is working.

11:18.290 --> 11:19.850
Let's say example.com.

11:22.610 --> 11:24.500
Ah, it is showing forbidden.

11:26.170 --> 11:29.530
It looks like, or it seems, cache.

11:31.960 --> 11:32.470
Okay.

11:34.200 --> 11:35.670
Let's see what happened.

11:42.430 --> 11:44.310
The code seems good.

11:44.320 --> 11:46.090
Let's restart Nginx.

11:48.050 --> 11:49.340
And let's do a tail.

11:50.600 --> 11:53.840
Tail always helps on what exactly is the issue.

11:58.900 --> 12:00.850
So let's refresh this.

12:02.840 --> 12:04.850
And this is working now.

12:05.390 --> 12:06.470
So.

12:09.440 --> 12:15.290
So those things were because of the old testing and the cache in my browser.

12:16.490 --> 12:19.540
So now example.com is working.

12:19.550 --> 12:23.780
So now let's block example.com from India.

12:24.620 --> 12:28.430
So I'll open the nginx.conf.

12:28.580 --> 12:34.910
And so by default it is allowing only India and no other country.

12:35.090 --> 12:40.960
So let's remove India and say, let's allow US.

12:41.000 --> 12:46.080
So now only client IP addresses from US will be allowed, and the rest,

12:46.100 --> 12:47.420
everyone will be blocked.

12:48.280 --> 12:49.810
So if I reload this.

12:50.520 --> 12:51.960
And try to open.

12:54.720 --> 12:57.900
Basically it will give me a 403 Forbidden, which means

12:58.750 --> 13:02.650
the IP address is not allowed.

13:03.360 --> 13:05.340
So this is very useful.

13:05.340 --> 13:15.690
If specific website is only targeting customers based on a specific country or a specific city.

13:15.930 --> 13:21.840
So even if you look into security wise, so if your website is specific to a particular country, let's

13:21.840 --> 13:26.640
say India, then why do you want that website to be accessible throughout the world?

13:26.670 --> 13:35.040
You can actually block countries where a lot of attacks come from, specifically Russia; a lot

13:35.040 --> 13:36.720
of attacks come from there.

13:36.720 --> 13:38.610
So you can actually do that.

13:39.580 --> 13:47.110
Now, one more interesting question that comes is how will we know the code for each and every country?

13:47.110 --> 13:50.440
So IN, US and so many other things.

13:50.440 --> 13:57.580
So there is a database from Maxmind itself which has country code mapping.

13:57.580 --> 14:00.610
So AU stands for Australia; for India

14:00.610 --> 14:05.860
it is IN, and for each country they have given a specific country code.

14:05.860 --> 14:08.680
So this is something that you can use to.

14:09.480 --> 14:11.610
Enhance your blocking capabilities.

14:11.610 --> 14:15.450
So I'll be posting this on the website itself so that you can refer to it.

14:17.430 --> 14:22.170
Now this is the basics about how you can block the.

14:22.980 --> 14:27.500
Two countries from your whole website.

14:27.510 --> 14:34.680
So we have looked into GeoIP-based country mapping, so you can do a lot of things with the HTTP module.

14:34.710 --> 14:37.560
You can even use city-based blocking.

14:37.560 --> 14:41.000
You can use longitude as well as organization-based.

14:41.010 --> 14:49.980
So organization based means that some organizations are being given a specific set of IP addresses.

14:49.980 --> 14:52.320
So specifically if you see universities.

14:52.440 --> 15:02.610
So if I say University of California, so this University of California, many times they are given

15:02.610 --> 15:04.950
a specific range of IP addresses.

15:04.950 --> 15:14.070
So you can actually use the GeoIP module based on the university names instead of the country code.

15:14.430 --> 15:20.940
So there are a lot of things that you can do; you can always do trial and error, test many things depending upon

15:20.940 --> 15:22.770
the requirements.

15:22.770 --> 15:30.180
So this is it about the basic GeoIP module and how to block countries based upon the GeoIP block.

15:30.510 --> 15:34.890
So I hope this video has been informative for you, and I'd like to thank you for viewing.
