After seeing in Wordfence how many attempted WordPress logins there were for invalid accounts, I decided to look into blocking the offending countries that were routinely in the list. I started by trying to use TCP wrappers and adding country IP ranges to the /etc/hosts.deny file. This seemed to be an exercise in futility and not very effective. While the IP ranges are available in lots of places on the Net, there were none already formatted in the required hosts.deny syntax. After a couple of weeks, I gave up on the hosts.deny idea and started looking into doing it on my firewall (OpenWrt). That resulted in a crash and burn, as the router puked when trying to add 3,000 ranges to the custom firewall rules.

A little more research turned up two helpful sites on enabling the Apache GeoIP module and using it to block by country using a GeoIP database. The first version I went with was from Drew Scogin (http://scog.gump.in/post/45108381598/how-to-block-foreign-countries-in-apache) and I think it worked, but my testing did not seem to be getting the country code correctly, or at least that’s what I thought. So my second effort used the methods posted by Shadowbringer (http://shadowbringer.com/guide-how-to-set-up-apache-geoip/) and is pretty much exactly the same, other than Drew’s implementation allows countries and Shadowbringer blocks countries. The other difference is where they place the config for the GeoIP module. One does it in the vhost file and the other in a stand-alone file that is included in the vhost file. Shadowbringer also shows how to use the rewrite module to send blocked visitors to a specific site or page instead of just letting Apache respond with a 403 Forbidden status code. So far the number of failed logins from blocked countries is zero.
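For readers who want to see what the two approaches described above boil down to, here is an added example Apache configuration (written for this post, not copied from Drew Scogin’s or Shadowbringer’s guides) that blocks a list of countries with MaxMind’s mod_geoip and, optionally, redirects blocked visitors with mod_rewrite instead of returning 403. The country codes `XX` and `YY`, the database path, and the redirect URL are placeholders; substitute the ISO country codes that keep showing up in your Wordfence log and the path where your GeoIP.dat is installed.

```apache
# Added example: country blocking with mod_geoip, placed in a stand-alone
# file (e.g. geoip-block.conf) that is pulled into the vhost with
# "Include" so the country list lives in one place.
#
# Assumes mod_geoip, mod_setenvif, mod_authz_core and mod_rewrite are
# loaded and that a GeoIP country database is installed (path is a placeholder).
GeoIPEnable On
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat

# mod_geoip exports the lookup result as the GEOIP_COUNTRY_CODE environment
# variable; tag each request from a listed country with "BlockCountry".
# XX and YY are placeholders for the offending ISO 3166 country codes.
SetEnvIf GEOIP_COUNTRY_CODE XX BlockCountry
SetEnvIf GEOIP_COUNTRY_CODE YY BlockCountry

<Location "/">
    # Apache 2.4 form: allow everyone except tagged requests (403 Forbidden).
    # On Apache 2.2 the equivalent is:
    #     Order Allow,Deny
    #     Allow from all
    #     Deny from env=BlockCountry
    <RequireAll>
        Require all granted
        Require not env BlockCountry
    </RequireAll>
</Location>

# Optional: instead of the bare 403, send blocked visitors elsewhere.
# Remove the <Location> block above if you use this variant, otherwise the
# 403 is returned before the rewrite runs. The target URL is a placeholder.
RewriteEngine On
RewriteCond %{ENV:GEOIP_COUNTRY_CODE} ^(XX|YY)$
RewriteRule ^.*$ https://example.invalid/blocked.html [R=302,L]
```

To test without locking yourself out, tag a single test country first and watch the access log for 403 (or 302) responses from addresses in that range; an entry that still shows 200 usually means the database path is wrong or the module is not loaded, which produces exactly the “not getting the country code” symptom described above. Because the whole scheme rests on the GeoIP database being current, schedule a regular refresh of the .dat file alongside the rule.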
Now I realize this is a little bit of security through obscurity and I am dependent on up-to-date GeoIP data, and that’s okay with me. I know that a persistent hacker is going to locate hop points in a country that is not blocked and recon and attack from there; and there is not much I can do about that other than the security controls I already have in place like Wordfence. GeoIP is a viable first line of defense (https://blog.damballa.com/archives/1131).
It’s sad that I have to implement such Draconian measures for such a simple web site as this one. I guess between hackers and some cyber spies, there is no longer a safe harbor anywhere on the Internet.