"yes, sir, we block ftp and ssh connections from outside the benelux (shortcut for: belgium/netherlands/luxembourg, didn't say this part but it's a very widely known term here)"

"if you allow connections from INSIDE the benelux, why can't I connect from Germany, eh?!?!"


  • 27
    But- but- the "GER" in BENELUX obviously stands for Germany! m)
  • 4
    Why (and how...) restrict access to a region? Its not as if the physical implementation of the internet follows such things as country borders.
  • 6
    @TobyAsE that filters out shit amounts of attacks.

    How? Csf with geoip country block :)
  • 4
    I digress, but generally I prefer hiding sensitive services within a VPN over resorting to country-level blocks. I find it more elegant than cluttering files with thousands of IP ranges that your firewall has to sift through.. but that's just me of course.

    That being said, where do you get stupid clients like that? I mean, who doesn't know that the Benelux isn't Germany? Fucking idiots. Such people would only fuck up the SSH and FTP servers anyway. They've gotta be the people that see "rm -rf /*" on the internet and go like "oh, I should totally copy-paste and run this!!!"
  • 6
    @TobyAsE Usually attacks come from certain countries like e.g. China and Russia, so when you don't do any business there, it's okay-ish to just block all of their networks and call it a day. But personally I don't endorse it, because it's difficult to maintain such a huge, messy block list and it strains the firewall (and consequently the system) significantly.
  • 2
    @linuxx @Condor I know that, but still the risk of locking out legitimate users is high.
    As I said the way the cables are laid in the ground doesn't necessarily coincide with national borders. I could easily sit in one country and the end of my provider's tunnel or even the end of the physical cable I am connected to is in the neighbouring country.
    When I do geoip for myself the location is not even near to where I actually am (still in the same country though, but it's about the principle).
  • 4
    @TobyAsE For the record, we don't block the countries entirely, just as for ftp/ssh access.
  • 1
    Why would you do that, except if you only allow registrations from those countries exclusively? since a client would obviously want to access his server? (or youre blocking only default ports?)

    I've seen systems that auto whitelist the first connecting IP and then having to allow further logins with some sort of auth, but by default blocking out everybody, with an international client reach?...
  • 4
    @JoshBent We mostly do managed vps's and most clients don't use ssh. Every vps has a custom sla agreement so we have custom agreements with every customer. Try are well aware of our security practices so they definitely know what they're walking into!
  • 1
    @linuxxx oh so it is managed, do they have a cpanel of some sorts?
  • 2
  • 5
    @rfc7168 You, I like you, but then again, consider the DACH region (Deutschland Östereich Schweiz) I mean it's clear as glass, that Germany (abbreviated by D) is inside BeNeLux!!!111!!!111!!!!1
  • 5
    @TobyAsE there's a high risk of blocking legitimate users, especially, as until recently (if I recall it cirrectly) vietnam had just two public ips (and then some NAT magic, plus since BGP has no security built in, you can as an AS anounce anything you like (the most famouse example is probably Pakistan taking youtube offline...), One of the bigger problem is, that there are a few (not yet used) subnets (but still allocated) that spammers use... Or simply sold subnets (former udssr countries). Shit fucks with Geoip...

    However when you simply run a country based service there are pretty good lists.

    If you look for more than country based, nowadays you're pretty much fucked as mobile devices can be anywhere and unlike old systems won't get allocated per region (providers used to allocated ips by region to have better ip prefixes, if you're interested, take a look at BGP for inter domain and things like RIP (not that it's really used, but it's a good example!) For intra domain routing!)

    For folks interested in the future, the most promissing project (in my opinion!) Is https://www.scion-architecture.net/ (however I probably am biased as one of my professors is one of the peole developing it, so... Take it with a grain of salt, but BGP is fucked if we're honest...)
  • 3
    @Santaclauze that would destroy a lot of German jokes, like "how do you call a speed bump?"
Add Comment