Open in app

Sign in

Write

Sign in

Hiding your website from hackers & spammers

Brandon Osborne
4 min readMar 29, 2021
Network Perimiter

Every day, we have a finite time to accomplish the many tasks that each of us has on our plates. I own a software development company, and I field dozens of calls and countless emails per week from people (usually vastly under-qualified) begging me to pay them to cause me even more headaches. The vast majority of these unsolicited calls and messages can be isolated to specific countries throughout the world. So, how can I nip this problem in the bud? Enter the geo-fence. A geofence is a virtual perimeter for a real-world geographic area. By constructing a geo-fence, I have virtually eliminated my unwanted calls and spam. I have also significantly lowered the number of attempted security breaches that I have to deal with every month. This article will discuss two methods for restricting access to your website based on the user’s geographic location.

Simple IP Based ACL for Apache

If you’re using Apache, then you’re in luck! 😁 It is just as simple as 1…2…3!

  1. Head on over to https://www.countryipblocks.net/acl.php, select the countries you would like to deny access to, and click ‘Create ACL.’
  2. Create or open your existing .htaccess file in your website’s root directory and append the IP addresses from step 1.
  3. FTP the updated .htaccess file to your server.

Voila! It’s just as simple as that.

Unfortunately, I have never found such a simple solution for IIS, but we’ll delve into that in the next section. It is also important to note that these IP addresses will eventually grow stale, and you will need to head on over to Country IP Blocks and select the countries to either white-list or black-list and copy/paste the IP addresses again.

Geo-Fencing in Internet Information Services with MaxMind & ASP.net Core

This task was considerably more straightforward in the .Net Standard Framework (not core). Back then, you just needed to update the global.asax.cs file. Feel free to contact us if you need help doing this on an older or legacy website. Now we have to create middleware and inject ourselves into the pipeline to receive the HTTP request & abort the connection from users coming from our black-listed countries.

The first thing you’re going to want to do is to fire up Visual Studio and open the project you wish to lockdown.

Now you’re going to want to download MaxMind’s GeoIP2 Country Database. I always save the mmdb file to the ~/AppData folder.

Next, you’ll want to add the MaxMind.Db wrapper NuGet package to your project by entering the following command into the Package Manager Console:

PM> dotnet add CoderPro.BuyCoders.Web.UI package MaxMind.Db

I always put my middleware and extension classes into their own directory, so create two new directories off of your root project directory:

  1. Extensions
  2. Middleware

First, we’ll tackle the middleware. Go ahead and create a new class called RequestCountryMiddleware in your root directory.

Then you’ll want to add the following code:

The above code gets the user’s IP address and queries the MaxMind database that you just downloaded to determine what country from which the request originates. As you can see from my code, I reject users from Russia, China, India, and Pakistan. If you want to restrict access to other countries, add their two-character country code to the list.

Next, we “need” to register our extension method to call it in our Startup.cs file eventually. To do that, create a class called RequestCountryMiddlewareExtensions.cs in your ~/Extensions directory and paste the following code:

Now, all you have to do is call your new middleware is add the following line of code to your Startup.cs file within the Configure method.

app.UseRequestCountry();

That’s all she wrote! Users in countries from within your black-listed countries will no longer be able to view your site. Instead, they will see the following:

Connection Reset

You could also redirect them to another page or even use this method to serve up content specifically for specific geographic regions or perhaps even inject JavaScript into your pipeline to better handle or track international users.

Summation

Today we covered two methods for hiding your websites from people in other countries. It is important to note that this method is not foolproof. For instance, if the browser uses a VPN to mask his location, it will let him right in the door. There are, of course, some ways of blocking this sort of traffic. If you need help with that or more geofencing methods, please don’t hesitate to contact us!

As always, you can find a sample project for this code on GitHub.

Coming Up Next Time

In my next article, I will finally discuss utilizing Identity Server 4 for single sign-on for all of your applications. Until then: Happy Coding!

Happy Coding!
Information Security
Aspnetcore
Infosec
C Sharp Programming
Web Security

--

--

Brandon Osborne

Written by Brandon Osborne

62 Followers

I’m the Chief Software Architect of coderPro.net. I’ve been developing software on the Microsoft stack for 20 years & have been traveling the world for over 10!

Help

Status

About

Careers

Blog

Privacy

Terms

Text to speech

Teams