Fail2ban/iptables - Allow selected countries only

Posted on December 13, 2014

Hello,

On Ubuntu, is it possible to add location-based rules to Fail2ban and/or iptables? I’d like to block all SSH, SMTP, IMAP, etc. connection attempts except those incoming from selected countries.

For example, I know the countries where the few people I need to allow SSH for are located.

Thanks!


Here is a great walkthrough of some simple SSH security:

http://bodhizazen.net/Tutorials/SSH_security

In your case, of note is the TCP Wrapper section: http://bodhizazen.net/Tutorials/SSH_security#TCP

From what I have read you can just set hosts.deny to:

    ALL: PARANOID

and then add the IPs of the users you want to allow…

I would be keen to hear other ideas on this as well.
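The iptables side of what the question asks for, as an added example that is not part of the original thread: an ipset-backed allowlist that admits SSH/SMTP/IMAP only from chosen country codes, plus a dry-run check of which source addresses it would admit. The per-country CIDR lists, the set name `allowed-countries` and the helper names are assumptions; real zone data comes from a GeoIP or RIR country zone file.

```shell
# Added example, not from the original thread: allow SSH/SMTP/IMAP only from
# chosen countries with an ipset-backed iptables allowlist. The per-country
# CIDR lists below are constructed sample data; real ones come from a GeoIP
# or RIR zone file for each country code.

# Constructed zone data, one "CC CIDR" per line (IPv4, documentation ranges).
ZONES='DE 192.0.2.0/25
DE 198.51.100.0/24
FR 203.0.113.0/24
US 192.0.2.128/25'

PORTS="22,25,143,993"   # SSH, SMTP, IMAP, IMAPS

# Print (not apply) the ipset and iptables commands for the countries in $1,
# e.g. gen_rules "DE FR". Review the output, then pipe it into "sudo sh".
gen_rules() {
    echo "ipset create allowed-countries hash:net -exist"
    echo "ipset flush allowed-countries"
    printf '%s\n' "$ZONES" | while read -r cc cidr; do
        case " $1 " in *" $cc "*) echo "ipset add allowed-countries $cidr -exist" ;; esac
    done
    # Existing sessions first, so the admin's current SSH session survives.
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -p tcp -m multiport --dports $PORTS -m set --match-set allowed-countries src -j ACCEPT"
    echo "iptables -A INPUT -p tcp -m multiport --dports $PORTS -j DROP"
}

# Dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Dry-run check before applying: would address $2 be admitted by the
# allowlist for countries $1? Returns 0 (allowed) or 1 (dropped).
ip_allowed() {
    ip=$(ip2int "$2")
    printf '%s\n' "$ZONES" | {
        while read -r cc cidr; do
            case " $1 " in *" $cc "*) ;; *) continue ;; esac
            net=$(ip2int "${cidr%/*}")
            mask=$(( (4294967295 << (32 - ${cidr#*/})) & 4294967295 ))
            [ $(( ip & mask )) -eq $(( net & mask )) ] && exit 0
        done
        exit 1
    }
}
```

Run `ip_allowed "DE FR" <your own public IP>` before applying the rules so an allowlist mistake cannot lock you out of SSH.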

Hello there,

You can also use CSF (ConfigServer Security & Firewall) to block selected countries. If you’re not familiar with CSF or you want to install it on a CentOS or Ubuntu droplet, check out these mini tutorials:

For CentOS:

https://www.digitalocean.com/community/questions/how-to-install-and-configure-config-server-firewall-csf-on-centos

For Ubuntu:

https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-config-server-firewall-csf-on-ubuntu

You can also use third-party providers like CloudFlare, which provide firewall features that allow blocking single IP addresses or whole IP ranges.

Just enter an IP address, an IP range, or a two-letter country code you wish to block. You can check more here:

https://serverpilot.io/docs/how-to-block-ips-with-cloudflare/

Hope that this helps!
