Domain Validation and GeoIP restrictions

Hi there and thanks for your effort. We've seen an increase in attacks to our web servers since the war started by Russia. We have several meassures in place and so far we're doing fine. Our web sites contents are destined to local audiences so we're considering geoblocking as a plus. We're planning to block access to port 80 and 443 to all countries but some in Hispanic America and Spain. However, I don't want to block LE Domain Validation. What's the best course of action you think we should follow ?

TIA,

IG

I don't know if Let's Encrypt validates from South/Central America or Spain, but it might.

To be on the safe side, use dns-01 validation. Or just configure fail2ban instead of blanket geofiltering.

Hi and thanks for your quick reply. Indeed fail2ban is our most helpful tool against those attacks, along with other tools running at the web proxy and web server. I'll check dns-01validation for sure.

Thanks

Just be aware that when using dns-01 your authoritative nameservers must be world-reachable.

It won't work if you geofilter them as well.

If applicable, you can also use a service like Cloudflare to handle this. You could then block all traffic into your system except (i) those from Cloudflare and, (ii) an allowlist of office/employee ips.

I don't know about your business or traffic, but the costs of utilizing a proxy system like Cloudflare are still likely to be much cheaper than the increasing financial costs and the frustration/burden placed on your dev/ops team by mitigating the attacks in-house.

(I got this backwards, I thought they wanted to block Spain and Latin America)

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.