Quoting Stan Hoeppner stan@hardwarefreak.com:
It's good policy these days to use ipdeny.com cidr tables and ban all countries from your servers that will never need legitimate access to them.
It can be good policy... But not always...
And it is certainly not a cure-all. If the people in those countries use a proxy, or fake/spoof the IP, or use a mobile device where the IP of their mobile device (smart phone, etc) isn't listed as being from their country, they will bypass such checks.
You can try instead to block all spaces, and then allow only from certain IP spaces (say, all US spaces, or all UK space, etc) but this leaves out many legit spaces in that country which ipdeny.com missed, and has the same types of problems as above as far as proxies, spoofing, etc. This sounds good at first, but when you think about it more it may actually be a worse approach (block too much instead of block too little, resource savings aside).
If you're in the US, do you need to allow Chinese or Russian IP space to connect to your IMAP ports?
If you are in Higher Ed, the answer is almost always yes (unless you are a very small school). The use of VPN for students isn't very common, and many faculty/staff hate VPN even though it is available to them. And VPN may not run on their smart-phone, netbook, etc. Or they may want to use it from an internet-cafe, a friend's house, a foreign university they are visiting, airport wireless, etc. (Security questions arising from that aside...)
We _must_ allow access to our e-mail, web, and computation or general purpose machines from all over the world. Even if we provide VPN, HiEd is not like a normal business in that we often can NOT force the users to use the VPN access...
However, even in HiEd, we can still use ipdeny.com rules for our internal-only machines... For example, I use it on my network monitoring machines since an insecure monitoring machine can quickly lead to all the machines you monitor being insecure...
If not, it's pretty simple to add iptables rules on all your servers to ban all the countries where a large amount of unauthorized connection attempts originate.
That can be a lot of rules... As you noted in your post, that can be a performance issue... Plus there is the cost of keeping the rules updated, etc.
I'm sure there are scripts around on the net to convert the ipdeny.com files into iptables rules automatically, but there is still a cost there...
I believe there is also a "geoip" patch for iptables that will do a similar job as the ipdeny.com lists... I've not tried it though...
Once you've got it set up and tuned it can work very well.
It can, in some cases, indeed. But not in all cases...
I think you did a great service by pointing this out on the list, and that many will find this a useful tip. However, I'm not sure I agree with your opening statement that "It's good policy" since that statement is very broad, whereas policies are so site/application specific...
-- Stan
-- Eric Rostetter The Department of Physics The University of Texas at Austin
Go Longhorns!