ipset restore hung forever on my test server. Then I further offer:
wget -qO - http://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz | tar zxf -
for i in is ru ps kp ua md nl fi
do /usr/sbin/ipset create -exist $i hash:net
   # feed the whole zone to one ipset restore instead of one ipset add per network
   for j in $(cat $i.zone); do echo "add -exist $i $j"; done | /usr/sbin/ipset restore
done
Which runs faster, thanks @Jerry3716, and doesn't clutter up /etc (don't see the need to restart iptables or fail2ban, nor the use of wait).
grep "INPUT -j IPSPF" /etc/sysconfig/iptables
sed -i 's|-A INPUT -j ASIP|-A INPUT -j IPSPF\n-A INPUT -j ASIP|' /etc/sysconfig/iptables
service iptables restart
service fail2ban restart
/usr/sbin/ipset create -exist badguys hash:net
/usr/sbin/ipset -A badguys 126.96.36.199
/usr/sbin/ipset list badguys
-A IPSPF -m set --match-set badguys src -j DROP
# save the file and then...
service iptables restart
service fail2ban restart
/usr/sbin/ipset create -exist restofworld hash:net
for i in $(cat $(ls *.zone | egrep -v "^(ca|us)\.zone$")); do echo "add -exist restofworld $i"; done | /usr/sbin/ipset restore
We don't bother with per-country sets and keep the iptables rules clean with one single block-most-of-the-world set. At this point I'd probably be better off with a whitelist, but if it ain't broke...
And with all this talk - a general comment just to reiterate - admins need to first be comfortable with their firewall rules without geoblocking present.
Security through obscurity is not real security. Many dismiss it completely, but IMO geoblocking improves the odds, eliminates a ton of junk in the logs and hopefully makes any real problems easier to spot.
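An added example, not code from anyone in this thread, that ties the per-country loop and the block-most-of-the-world set together: it builds one ipset restore batch from ipdeny-style <cc>.zone files, skipping an allow-list of country codes by whole code, and prints the batch so it can be reviewed before anything is loaded into the kernel. The set name restofworld, the allow-list and the sample zone contents are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: build one "ipset restore" batch from
# ipdeny-style <cc>.zone files (one CIDR per line) for every country except
# an allow-list, and print it for review instead of piping it into ipset.
# Set name, allow-list and the sample zone data below are assumptions.

# gen_batch SETNAME "cc cc ..." ZONEDIR : emit create/add lines for ipset restore
gen_batch() {
    set_name=$1; allow=$2; dir=$3
    printf 'create -exist %s hash:net\n' "$set_name"
    for f in "$dir"/*.zone; do
        cc=$(basename "$f" .zone)
        # skip allow-listed codes by whole code (a bracket class like "[ca|us]"
        # would drop every code containing c, a, u or s, e.g. au, cn, es)
        case " $allow " in *" $cc "*) continue ;; esac
        # keep only CIDR-shaped lines; one stray line aborts the whole restore
        grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$' "$f" |
        while read -r net; do
            printf 'add -exist %s %s\n' "$set_name" "$net"
        done
    done
}

# count_adds BATCH : number of add lines in a generated batch
count_adds() { printf '%s\n' "$1" | grep -c '^add '; }

# make_sample_zones : write constructed zone files (documentation networks,
# not real ipdeny data) into a temp dir and print its path
make_sample_zones() {
    d=$(mktemp -d)
    printf '203.0.113.0/24\n198.51.100.0/25\n' > "$d/xx.zone"
    printf '192.0.2.0/24\nnot-a-network\n' > "$d/yy.zone"
    printf '198.51.100.128/25\n' > "$d/ca.zone"
    printf '192.0.2.0/25\n' > "$d/us.zone"
    echo "$d"
}

ZONES=$(make_sample_zones)
gen_batch restofworld "ca us" "$ZONES"
# to load after review:  gen_batch restofworld "ca us" "$ZONES" | /usr/sbin/ipset restore
rm -rf "$ZONES"
```

With the sample data the batch contains the create line plus three add lines: both xx networks and the one valid yy network, while ca, us and the malformed line are left out.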
Using whatever FQDN you’ve chosen for SIP registrations, we’ll add an entry to /etc/asterisk/sip_custom.conf that looks like this: domain=hk76dl34z.yourdomain.com. That will block all SIP registration attempts except from that domain. It will not block SIP invitations! The next step will be to add a new [from-sip-external] context to extensions_override_freepbx.conf. Inside that context, we’ll specify the FQDN used for public SIP URI connections to your server, e.g. sip.yourdomain.com. This will block SIP invitations except SIP URIs containing that domain name.