
Country Blocking & IP Geolocation for Server Security

Learn when and how to use country-based IP blocking for server security. Configure CC_DENY, CC_ALLOW, and geolocation filtering with VistoShield.

Introduction: Geographic Access Control

Not all traffic to your server is created equal. If you operate a business that serves customers exclusively in the United States, there is little legitimate reason for connections to your SSH port from IP addresses registered in countries thousands of miles away. If your e-commerce store only ships within the European Union, HTTP traffic from regions you do not serve is overwhelmingly composed of automated scans, brute-force attempts, and exploit probes.

Country blocking — also known as geographic IP filtering or geolocation-based access control — uses IP-to-country databases to restrict access to your server based on the geographic origin of incoming connections. It is one of the most effective methods for reducing your server’s attack surface without impacting legitimate users.

VistoShield’s Server Edition provides robust country blocking capabilities integrated directly into the iptables/nftables firewall, ensuring that blocked traffic is dropped at the kernel level with minimal resource consumption. This article covers the principles, configuration, and best practices for implementing country blocking effectively.

How IP Geolocation Works

Every IP address on the internet is allocated to a Regional Internet Registry (RIR), which assigns blocks to Internet Service Providers (ISPs) and organizations within specific geographic regions. IP geolocation databases map these allocations to countries, providing a lookup table that can determine the country of origin for any given IP address.

Geolocation Database Providers

Several organizations maintain IP geolocation databases:

  • MaxMind GeoLite2: Free tier with country-level accuracy, widely used in open-source security tools
  • MaxMind GeoIP2: Commercial tier with city-level accuracy and higher update frequency
  • DB-IP: Alternative geolocation provider with free and commercial tiers
  • IP2Location: Another established provider with various accuracy levels

VistoShield uses the MaxMind GeoLite2 database by default, which provides country-level accuracy exceeding 99% for most regions. The database is automatically updated on a regular schedule to reflect changes in IP allocations.

Accuracy Considerations

No IP geolocation database is 100% accurate. Some factors that can affect accuracy include:

  • VPN and proxy usage: Users connecting through VPNs appear to come from the VPN server’s country, not their actual location
  • CDN and cloud services: Traffic routed through CDNs like Cloudflare may appear to originate from the CDN’s edge server location
  • Mobile carriers: Mobile IP allocations can be less accurately geolocated, especially in regions with shared IP pools
  • Recently reallocated IP blocks: IP ranges that have been transferred between organizations or regions may have stale geolocation data until the database is updated

These edge cases are important to understand but do not diminish the value of country blocking as a security measure. The vast majority of automated attack traffic originates from easily identifiable IP ranges, and country blocking remains highly effective against these threats.

When to Use Country Blocking

Country blocking is most effective in the following scenarios:

Restricting Administrative Access

The most common and least controversial use of country blocking is restricting access to administrative services. If your system administrators are all located in one or two countries, there is no reason for SSH (port 22), control panel (ports 2082-2087, 10000), or database (port 3306) access to be available from the entire internet.

Example: A hosting company based in the Netherlands with all administrators in the Netherlands and Germany can restrict SSH and Webmin access to only those two countries, immediately eliminating 99%+ of SSH brute-force attacks.

Reducing Attack Surface for Web Services

If your website serves a specific geographic audience, blocking countries that generate significant attack traffic but zero legitimate visitors can dramatically reduce the volume of attacks your WAF and application must process.

Important caveat: Be cautious about blocking HTTP/HTTPS traffic too aggressively. Search engine crawlers (Googlebot, Bingbot) operate from various countries, and blocking them can harm your SEO. VistoShield allows you to whitelist known crawler IP ranges even when their source country is blocked.

Compliance with Trade Restrictions

Some businesses are legally required to restrict access from sanctioned countries. Country blocking provides a technical control that helps demonstrate compliance with trade regulations and export controls.

Reducing DDoS Impact

During a DDoS attack, if the attack traffic is concentrated from specific regions that are not part of your customer base, temporarily enabling country blocking can significantly reduce the attack volume while maintaining service for your actual users.

CC_DENY vs CC_ALLOW: Two Approaches

VistoShield provides two complementary modes for country-based access control:

CC_DENY (Blacklist Mode)

CC_DENY blocks traffic from specific countries while allowing everything else. This is the more common approach and is suitable when:

  • You want to block a relatively small number of high-risk countries
  • Your audience is global but you want to exclude specific regions
  • You want a less disruptive approach that only blocks known problem areas

# Block traffic from specific countries (use ISO 3166-1 alpha-2 codes)
CC_DENY = "CN,RU,KP,IR"

CC_ALLOW (Whitelist Mode)

CC_ALLOW only allows traffic from specific countries, blocking everything else. This is the stricter approach and is suitable when:

  • You serve a well-defined geographic market
  • Maximum security is more important than global accessibility
  • You want the simplest possible configuration with the smallest attack surface

# Only allow traffic from specific countries
CC_ALLOW = "US,CA,GB,DE,FR,NL"

Which Mode to Choose?

| Criteria | CC_DENY | CC_ALLOW |
|---|---|---|
| Default posture | Allow (block exceptions) | Deny (allow exceptions) |
| Best for | Global sites reducing risk | Regional services, admin access |
| Attack surface reduction | Moderate | Maximum |
| Risk of blocking legitimate users | Low | Higher (travelers, VPN users) |
| Maintenance | Add countries as threats emerge | Add countries as you expand markets |

VistoShield Country Blocking Configuration

VistoShield’s country blocking is configured through the main configuration file or via the hosting control panel module (cPanel, DirectAdmin, or Webmin).

Basic Configuration

# Enable country blocking
CC_DENY = "CN,RU,KP,IR,VN,IN,BR,PK"

# Apply country blocking to specific ports only (optional)
# Leave empty to apply to all ports
CC_DENY_PORTS = ""

# Country allow list (whitelist mode - overrides CC_DENY)
CC_ALLOW = ""

# Allow specific ports even from denied countries
CC_ALLOW_PORTS = "80,443"

# GeoIP database update interval (hours)
CC_LOOKUPS = 12

Port-Specific Country Blocking

One of VistoShield’s most powerful features is the ability to apply different country policies to different ports. This allows you to:

  • Keep HTTP/HTTPS open to the world (for your website and search engines)
  • Restrict SSH to your home country only
  • Restrict email ports to countries where your users are located
  • Restrict database ports to localhost only (no country blocking needed — just close the port)

# Example: Restrict SSH and control panels to NL and DE only
CC_ALLOW_FILTER = "NL,DE"
CC_ALLOW_PORTS = "22,2082,2083,2086,2087,10000"

# Block known high-risk countries from all ports
CC_DENY = "CN,RU,KP"
CC_DENY_PORTS = ""

This layered approach provides maximum security for sensitive services while maintaining global accessibility for your web content.

Whitelisting Known Services

Some IP addresses should never be blocked by country filtering, regardless of their geographic origin. VistoShield’s allow list (/etc/vistoshield/csf.allow) takes precedence over country blocking:

# Google crawlers (various countries)
66.249.64.0/19  # Googlebot

# Cloudflare IP ranges (if using CF proxy)
173.245.48.0/20
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22

# Payment processors
# Stripe webhook IPs
54.187.174.169
54.187.205.235

# Your monitoring service
198.51.100.10  # UptimeRobot

Understanding the Attack Landscape by Country

To make informed decisions about which countries to block, it helps to understand the global distribution of cyber attacks. Multiple threat intelligence sources consistently identify the following patterns:

Top Sources of Automated Attacks

The countries that generate the highest volume of automated attacks (SSH brute-force, web scanning, exploit attempts) tend to have large populations of compromised servers and consumer devices forming botnets. It is important to note that the geographic origin of an attack does not mean the attacker is physically located there — botnets operate globally by compromising machines in every country.

Attack origin data from multiple sources, including Spamhaus, AbuseIPDB, and SANS DShield, consistently shows high volumes from certain regions. However, these regions also contain legitimate users and businesses, so blocking decisions should be made based on your specific audience and risk tolerance, not generalizations.

Data-Driven Decision Making

Rather than relying on generic recommendations, use your own server logs to identify where attacks against your specific server originate. VistoShield provides several tools for this:

# View top attacking countries from LFD blocks
vistoshield --top-countries

# View country distribution of current blocks
vistoshield --deny-list --by-country

# View country statistics for the last 30 days
vistoshield --stats --period 30d --group-by country

If 80% of your blocked IPs originate from countries where you have zero legitimate users, country blocking is a natural and effective defense. For further analysis, the Commands reference documents all available CLI tools.
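The following added example (not VistoShield code and not from the original article) works through the 80% rule above on raw sshd logs. The log lines, the CIDR-to-country table, the placeholder country codes XA/XB/XC, and the function names are all constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed CIDR-to-country table: documentation ranges mapped to
# placeholder user-assigned codes. A real run would query a GeoIP database.
GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "XA"),
    (ipaddress.ip_network("198.51.100.0/24"), "XB"),
    (ipaddress.ip_network("203.0.113.0/24"), "XC"),
]

# Constructed sshd log lines (not taken from a real server).
SAMPLE_LOG = """\
Jan 10 03:14:01 host sshd[811]: Failed password for root from 198.51.100.7 port 40022 ssh2
Jan 10 03:14:03 host sshd[811]: Failed password for root from 198.51.100.7 port 40024 ssh2
Jan 10 03:15:10 host sshd[812]: Failed password for invalid user admin from 203.0.113.45 port 51811 ssh2
Jan 10 03:16:42 host sshd[813]: Failed password for invalid user test from 198.51.100.99 port 33010 ssh2
Jan 10 08:02:17 host sshd[901]: Failed password for alice from 192.0.2.20 port 50122 ssh2
Jan 10 09:40:05 host sshd[950]: Failed password for root from 203.0.113.46 port 41000 ssh2
"""

FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port")

def country_of(ip):
    """Map an address to a country code; 'ZZ' means unknown or unparsable."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "ZZ"
    return next((cc for net, cc in GEO_TABLE if addr in net), "ZZ")

def attackers_by_country(log_text):
    """Count distinct source IPs with failed logins, grouped by country."""
    ips = {m.group(1) for m in FAILED.finditer(log_text)}
    return Counter(country_of(ip) for ip in ips)

def deny_candidates(log_text, served, min_share=0.8):
    """Return (share of attackers outside served countries, CC_DENY value)."""
    counts = attackers_by_country(log_text)
    total = sum(counts.values())
    outside = {cc: n for cc, n in counts.items()
               if cc not in served and cc != "ZZ"}
    share = sum(outside.values()) / total if total else 0.0
    codes = sorted(outside, key=lambda cc: (-outside[cc], cc))
    return share, (",".join(codes) if share >= min_share else "")
```

Counting distinct source IPs rather than log lines keeps one noisy host from dominating the result, and addresses that cannot be geolocated never end up in the suggested deny list.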

Performance Impact of Country Blocking

One concern administrators often have about country blocking is performance. The answer depends on the implementation.

VistoShield’s Implementation: iptables ipset

VistoShield uses iptables with the ipset module for country blocking. Instead of creating individual iptables rules for each IP range (which would result in thousands of rules and slow lookups), all IP ranges for blocked countries are loaded into an ipset — a kernel-level hash table optimized for fast IP lookups.

The performance characteristics of ipset-based country blocking:

| Metric | Value |
|---|---|
| Lookup time per packet | O(1) — constant time regardless of set size |
| Memory usage (all countries loaded) | ~10–20 MB |
| Rule evaluation overhead | Negligible (<1 microsecond per packet) |
| Impact on legitimate traffic latency | None measurable |

This means you can block millions of IP addresses across multiple countries with no perceptible impact on server performance or response times for legitimate users.
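To make the ipset approach concrete, this added example (not VistoShield's own code and not from the original article) turns a country's CIDR list into `ipset restore` input that replaces a live set atomically. The set name `cc_deny`, the file name in the comments, and the sample CIDRs are assumptions made for illustration.

```python
import ipaddress

# Constructed input: CIDRs as a country zone file might list them
# (documentation ranges only).
SAMPLE_CIDRS = [
    "192.0.2.0/25",
    "192.0.2.128/25   # adjacent to the line above, merges into a /24",
    "198.51.100.0/24",
    "not-a-cidr",
    "2001:db8::/32    # IPv6 needs its own 'family inet6' set",
]

def build_restore(set_name, cidr_lines, maxelem=262144):
    """Return `ipset restore` input that atomically replaces set_name.

    set_name is a hypothetical name chosen for this example.
    """
    nets = []
    for line in cidr_lines:
        text = line.split("#", 1)[0].strip()
        if not text:
            continue
        try:
            net = ipaddress.ip_network(text, strict=False)
        except ValueError:
            continue  # skip malformed entries rather than abort the update
        if net.version == 4:
            nets.append(net)
    # Merging adjacent and overlapping ranges keeps the set small.
    merged = list(ipaddress.collapse_addresses(nets))
    if len(merged) > maxelem:
        raise ValueError("more networks than maxelem allows")
    tmp = f"{set_name}_new"
    opts = f"hash:net family inet maxelem {maxelem}"
    lines = [f"create {set_name} {opts}", f"create {tmp} {opts}", f"flush {tmp}"]
    lines += [f"add {tmp} {net}" for net in merged]
    # swap exchanges the two sets in one step, so the firewall rule never
    # sees a half-loaded set; the old contents are then destroyed.
    lines += [f"swap {tmp} {set_name}", f"destroy {tmp}"]
    return "\n".join(lines) + "\n"

# Load:  ipset -exist restore < cc_deny.restore
# Match: iptables -I INPUT -m set --match-set cc_deny src -j DROP
```

A single iptables rule matches the whole set, so the rule count stays constant no matter how many ranges a country contributes.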

Common Country Blocking Strategies

Strategy 1: Block High-Risk, Keep Web Open

The most balanced approach. Block known high-attack countries from all ports, but keep HTTP/HTTPS accessible globally.

CC_DENY = "CN,RU,KP,IR"
CC_ALLOW_PORTS = "80,443"

This dramatically reduces SSH, FTP, and email brute-force attacks while maintaining full web accessibility.

Strategy 2: Whitelist Admin, Open Web

Allow administrative access only from your country, but leave web ports unrestricted.

CC_ALLOW_FILTER = "US"
CC_ALLOW_PORTS = "22,2082,2083,2086,2087,10000"

Strategy 3: Full Whitelist

Only allow traffic from countries where your customers are. Strictest approach, maximum security.

CC_ALLOW = "US,CA,GB"

Strategy 4: Dynamic During Attack

During an active DDoS or sustained attack, temporarily enable aggressive country blocking to reduce volume while you implement additional mitigations.

# Temporary: allow only US during attack
vistoshield --cc-allow "US" --temporary 3600

Country Blocking and CDN/Proxy Considerations

If your server sits behind a CDN or reverse proxy (Cloudflare, Fastly, AWS CloudFront), country blocking at the server level requires special consideration. All web traffic arrives from the CDN’s IP addresses, not the original visitor’s IP. In this case:

  • Whitelist CDN IPs: Add all CDN IP ranges to the VistoShield allow list to prevent accidental blocking
  • Use the CDN’s country blocking: Most CDNs offer their own country-based filtering at the edge, which is more appropriate for HTTP traffic when using a proxy
  • Apply server-level country blocking to non-proxied ports only: SSH, FTP, and email traffic does not pass through the CDN and can still benefit from server-level country blocking

VistoShield’s configuration supports this scenario natively by allowing you to apply country blocking only to specific ports, leaving CDN-proxied ports unaffected.

Legal and Ethical Considerations

Country blocking raises legitimate questions about fairness and accessibility. Some considerations:

  • Discrimination concerns: Blocking access based on geographic origin can be seen as discriminatory. Ensure your blocking policy is based on data-driven security needs, not prejudice.
  • Business impact: Before blocking a country, verify through your analytics that you have zero legitimate traffic from that region. Blocking potential customers is a business cost.
  • VPN users: Legitimate users who use VPNs for privacy may appear to come from blocked countries. Consider this in your support processes.
  • Regulatory requirements: Some jurisdictions require that certain online services be accessible to all. Check whether your service has legal accessibility requirements before implementing country blocking.

Monitoring and Maintaining Country Blocks

Country blocking is not a set-and-forget configuration. Regular review ensures it remains effective and does not block legitimate traffic.

  • Review block statistics monthly: Are your blocked countries still the top attack sources? Has the attack landscape shifted?
  • Check for legitimate traffic from blocked countries: Use your web analytics to verify no significant legitimate traffic is being blocked
  • Keep GeoIP databases updated: IP allocations change. VistoShield automatically updates the GeoIP database, but verify updates are running successfully
  • Test from blocked regions: Use a VPN to periodically verify that blocking is working as expected from the blocked country’s perspective

Key Takeaways

  • Country blocking is a powerful tool for reducing your server’s attack surface, especially for administrative services like SSH, FTP, and control panels.
  • Use CC_DENY for blacklisting specific high-risk countries or CC_ALLOW for whitelisting only the countries your users are in.
  • Port-specific blocking provides the best balance: restrict admin services to your country while keeping web ports open globally.
  • VistoShield uses ipset for O(1) lookup performance, meaning country blocking adds zero measurable latency to your server.
  • Data-driven decisions are essential. Use your actual server logs, not assumptions, to determine which countries to block.
  • Always whitelist CDN IPs, monitoring services, payment processors, and search engine crawlers.
  • See the Configuration documentation for the complete list of country blocking settings and the Webmin guide for GUI-based configuration.
