Standard User Rich44
(eat-sleep-adslguide) Tue 18-Jun-19 10:40:10

Block SMTP access outside the UK?


 
Hi

Just wondering if anyone has suggestions if the above is possible at all. My thinking is most "attacks" come from outside the UK & all the users concerned (family & friends) are all sending from inside the UK.

So I was wondering if it's possible to geo block access to SMTP from abroad (does that sound xenophobic? Lol)? It's a hosted domain, not something running on my PC at home.

Yes, regularly changing the password is effective etc., but I had the idea & wondered how feasible it is. I've blocked access to a website before now internationally, so I've fiddled with it before.

I suppose if it were just me & I had a dedicated IP I could set it up so I could only send mail from that IP address....

Any thoughts? Cheers
Standard User camieabz
(sensei) Wed 19-Jun-19 03:15:42

Re: Block SMTP access outside the UK?


[re: Rich44]
 
A while back I went down the route of messing with geo-location stuff, and to be honest it's a day to day management thing that's not really worth it. For me it was easier to block pretty much everything outside of UK ISPs. Then you have to consider search engines, security review sites (e.g. "Is this site safe?"), and any other site you might not want to block. I didn't care for indexing, so for me, that wasn't a problem. Here's an excerpt from the .htaccess file.

<Limit POST PUT DELETE OPTIONS CONNECT TRACK DEBUG>
order deny,allow
deny from all
allow from [IP Addresses or IP ranges to allow]
</Limit>
<Limit GET HEAD>
order allow,deny
allow from all
deny from 0.0.0.0/7 2.0.0.0/12 3 4.0.0.0/6 8.0.0.0/5 16.0.0.0/6 20.0.0.0/7 24.0.0.0/5 32.0.0.0/5 41 42.0.0.0/7 44.0.0.0/7 46.0.0.0/12 46.96.0.0/11 46.224.0.0/13 47 48.0.0.0/7 52.0.0.0/7 55 56.0.0.0/6 60.0.0.0/7
deny from 82.92.0.0/14 93.112.0.0/13 100.0.0.0/6 104.0.0.0/7 106 110.0.0.0/7 112.0.0.0/4
deny from 175 177 178.210.64.0/19 179 180.0.0.0/6 185 186.0.0.0/7 189 190.0.0.0/7
deny from 196.0.0.0/7 200.0.0.0/6 211 218.0.0.0/7 220.0.0.0/6 224.0.0.0/3
</Limit>


In addition to this, I had to manage the smaller IP blocks within the ones not covered above (said list is 2-3 years old, so treat with caution). This was for a WordPress website setup, and it seemed to work well enough. It served as a content site for adding to a forum's chatter, so people on one site would visit mine. I'd get the occasional "I can't access your site", as some site members were based abroad, or on holiday. It's not a great way to go, unless you want belt and braces.

The smaller IP blocks were managed via the site's iptables rules, and in addition to IP filtering, there were rules for allowing SSH from specific IPs (e.g. my home), and blocking a few common nasties, such as 'w00tw00t blackhats' and so on.

You can google for how to block specific ports via .htaccess, or you can re-direct instead to port 80, or whatever you want to do. Or you could do it at the iptables level if that's what you want. Here's an iptables example (not tested it, but it will be something like this):

-A INPUT -s 1.2.3.4 -p tcp -m tcp --dport 25 -m comment --comment "Allow SMTP from 1.2.3.4" -j ACCEPT

Presumably that's assuming your webserver handles SMTP requests. If not, probably best to set it up at the .htaccess level.

Another example:

-A INPUT -s 0.0.0.0/0 -p tcp -m tcp --dport 80 -m comment --comment "Allow HTTP from anywhere" -j ACCEPT

(the only thing changing is the IP CIDR (0.0.0.0/0) and the port (80), and obviously the comment)

Note the "ACCEPT" at the end of each. If creating tables to prevent access, you might use "DROP" or "REJECT". The first basically doesn't respond and black holes requests, while reject responds and acts as a closed port. Some argue that drop is safer, as it acts as if nothing is there to attack, while reject shows a response. Others argue that drop ports can be detected anyway.

Do your own research, and if you write an allow statement, write another to block everything else. And be sure to have one or two remote, trusted testers. You can use a few website testing sites to see if access is working or not. Pick a site, such as GT Metrix, throw your site into its query, and see if it gets a hit. It's an easy way to test access rules, assuming you know the site's server IP. Once you get the rule working, tweak the IPs/ports to suit.


It's probably very easy to whitelist your IP on SMTP via the .htaccess, but the syntax will have to be spot on, and I'm not in the know. In addition, as it's a remote site, you'll be at the mercy of 3rd party policies and practices, so some things might not be possible.
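
Added example, not part of either post: a simplified Python model of how an iptables chain is evaluated (first matching rule wins, otherwise the chain policy applies), showing why an allow rule for SMTP does nothing on its own until a block rule follows it. It only understands -s, --dport and -j, and the addresses are constructed documentation values standing in for a real static IP.

```python
import ipaddress
import shlex

# Constructed ruleset in iptables-save syntax, modelled on the rules in the post.
# 192.0.2.10 is a documentation address used as a stand-in for a sender's fixed IP.
RULES_ALLOW_ONLY = [
    '-A INPUT -s 192.0.2.10 -p tcp -m tcp --dport 25 -m comment --comment "Allow SMTP from home" -j ACCEPT',
    '-A INPUT -s 0.0.0.0/0 -p tcp -m tcp --dport 80 -m comment --comment "Allow HTTP from anywhere" -j ACCEPT',
]
RULES_WITH_BLOCK = RULES_ALLOW_ONLY + [
    '-A INPUT -p tcp -m tcp --dport 25 -m comment --comment "Block all other SMTP" -j DROP',
]


def opt(tokens, flag, default=None):
    """Return the value following `flag`, or `default` if the flag is absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else default


def parse_rule(line):
    """Extract source network, destination port and target from one rule line."""
    tokens = shlex.split(line)  # keeps the quoted --comment text as one token
    dport = opt(tokens, "--dport")
    return {
        "src": ipaddress.ip_network(opt(tokens, "-s", "0.0.0.0/0"), strict=False),
        "dport": int(dport) if dport is not None else None,
        "target": opt(tokens, "-j"),
    }


def verdict(rules, src_ip, dport, policy="ACCEPT"):
    """Walk the chain in order; the first rule matching source and port decides."""
    addr = ipaddress.ip_address(src_ip)
    for line in rules:
        rule = parse_rule(line)
        if addr in rule["src"] and rule["dport"] in (None, dport):
            return rule["target"]
    return policy  # nothing matched: the chain's default policy applies


if __name__ == "__main__":
    # 203.0.113.7 is a constructed "somewhere else" address.
    for name, rules in (("allow only", RULES_ALLOW_ONLY), ("allow + block", RULES_WITH_BLOCK)):
        for src, port in (("192.0.2.10", 25), ("203.0.113.7", 25), ("203.0.113.7", 80)):
            print(f"{name:14} {src:12} port {port:<3} -> {verdict(rules, src, port)}")
```

The block rule has to come after the allow rule, since the chain stops at the first match.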