
Banning a Country in KeyHelp

Posted: Tue 12. Mar 2024, 02:04
by Chalipa
Hi,

I'd like to add Russia to the ban list in the KeyHelp firewall.

Is there any tutorial/guide on how to ban a country in KeyHelp?


Thanks in advance.

Re: Banning a Country in KeyHelp

Posted: Tue 12. Mar 2024, 09:45
by Alexander
Hello,

out of the box, there is no efficient way to do this, besides manual configuration. Using "ipset" and so on...


For the sake of completeness, you could do the following. Warning: this may be highly inefficient and will not update automatically if the Russian IP space changes:

1) Get a list of Russian IP address masks
2) Within the KeyHelp-Firewall, put a new rule at the first position
2.1) Direction: "Incoming traffic"
2.2) Action: "Deny / Reject"
2.3) Sources: Put your list of IP address masks here.
(the list may be too long for the input field; after saving, check if it was truncated, and maybe add a second (third, ...) rule to be able to put all address masks there)
3) Apply the rules and check the server load

Like I said, this may be inefficient; however, as I blocked China for testing purposes some years ago, I did not notice any issues.
It depends on how much computing power your server has and how busy it is in general.

Re: Banning a Country in KeyHelp

Posted: Wed 13. Mar 2024, 14:38
by Chalipa
Hi,

Thank you for answering. If I want to block a /24, will this work as well?

https://imgur.com/a/o7u45DL

Re: Banning a Country in KeyHelp

Posted: Wed 13. Mar 2024, 14:52
by Alexander
Yes, this is a network mask notation, and it will work (like it is indicated in the text above the input field).

Re: Banning a Country in KeyHelp

Posted: Wed 13. Mar 2024, 16:26
by Chalipa
Do I need to put something in ports as well?

Or leave it as it is (blank)?

https://imgur.com/a/bGuPqEt

Re: Banning a Country in KeyHelp

Posted: Wed 13. Mar 2024, 16:32
by Alexander
It depends what you want to achieve:

1) You can leave it blank and everything (access to SSH, Websites, FTP, Mail, ...) on your server will be blocked for those IP addresses.

2) If you put in a port - for example 22 (= SSH) - then only the services listening on the specified port(s) will be blocked for the IP addresses.
In this example (Port 22), the specified IP addresses will not be able to connect via SSH, but they still can see your websites etc.


To help you out and if you are unsure: You may want to post a screenshot of all firewall rules after you have applied them. So that the community can check whether you have set up your rules correctly, because the order of the rules also matters.

Re: Banning a Country in KeyHelp

Posted: Sun 12. Jan 2025, 00:24
by Chalipa
Apologies for bumping my old topic, just want to confirm if I have these settings set correctly.

Here are the custom rules I added:

https://imgur.com/a/wOnFdrr

https://imgur.com/a/t5h8hU8

And Firewall:

https://imgur.com/a/3FfHzWx

Hopefully, I have it set up properly.

Re: Banning a Country in KeyHelp

Posted: Sun 12. Jan 2025, 01:08
by 24unix
You can (and should) add images as attachments.

a) They will exist as long as this board exists (so, for sure longer than any images at free hosters).
b) People are annoyed by watching the ads for no reason besides you are not using the options of this board.

Re: Banning a Country in KeyHelp

Posted: Sun 12. Jan 2025, 01:47
by Chalipa
I have added the images here now.

Re: Banning a Country in KeyHelp

Posted: Sun 12. Jan 2025, 02:08
by 24unix
Thank you, Chalipa, that looks much nicer and we don't have to click each link.

In my opinion, that IP-filter setting looks good.

Re: Banning a Country in KeyHelp

Posted: Thu 16. Jan 2025, 23:40
by Grissom
This could become handy here:

https://www.ip2location.com/free/visitor-blocker

Select e.g. "Russia" and "CIDR" as Output Format and you can simply Copy/Paste the subnets to be blocked.

Re: Banning a Country in KeyHelp

Posted: Fri 17. Jan 2025, 12:34
by Ralph
https://www.ipdeny.com/ipblocks/
RUSSIAN FEDERATION (RU) [download ru.zone] Size: 166.83 KB (10930 IP blocks)

This should be used with different (separate) ipset blacklists (too much stuff for IP blocking via KH Firewall)

However, this will not have a major impact as attackers are increasingly using compromised or rented western servers to attack other internal networks from within ...

Re: Banning a Country in KeyHelp

Posted: Fri 17. Jan 2025, 15:03
by Chalipa
Ralph wrote: Fri 17. Jan 2025, 12:34 https://www.ipdeny.com/ipblocks/
RUSSIAN FEDERATION (RU) [download ru.zone] Size: 166.83 KB (10930 IP blocks)

This should be used with different (separate) ipset blacklists (too much stuff for IP blocking via KH Firewall)

However, this will not have a major impact as attackers are increasingly using compromised or rented western servers to attack other internal networks from within ...
How many different sets do you think they should be divided into?

Re: Banning a Country in KeyHelp

Posted: Fri 17. Jan 2025, 15:34
by Ralph
Chalipa wrote: Fri 17. Jan 2025, 15:03 How many different sets do you think they should be divided into?
I am blocking about > 200,000 IP addresses ... so ipset chains w/ optimized hashsize & maxelem
use a separate chain for each country (e.g. max. 50000-60000 per chain).
there are a few scripts available on github (untested)
https://github.com/mkorthof/ipset-country
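
The following is an added example, not part of any post in this thread and not code from KeyHelp or the linked script. It validates and merges a CIDR list, builds `ipset restore` input with explicit `hashsize` and `maxelem`, and covers the chunking and truncation check mentioned earlier for firewall rule input fields. The set name `geo-ru`, the sizing rule of thumb and the `per_rule` limit are assumptions.

```python
import ipaddress
import re

# Constructed sample in the one-CIDR-per-line layout of a country zone file;
# RFC 5737 documentation ranges stand in for real country data.
SAMPLE_ZONE = """\
192.0.2.0/25
192.0.2.128/25
198.51.100.0/24
198.51.100.64/26
203.0.113.7
not-a-network
"""

def parse_zone(text):
    """Return (collapsed IPv4 networks, rejected lines)."""
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=True rejects entries with host bits set, e.g. 192.0.2.1/24
            nets.append(ipaddress.IPv4Network(line, strict=True))
        except ValueError:
            rejected.append(line)
    # Merging adjacent and overlapping blocks shrinks the list before loading.
    return list(ipaddress.collapse_addresses(nets)), rejected

def ipset_restore(name, nets):
    """Build `ipset restore` input for one hash:net set sized to the list."""
    # Assumed rule of thumb: maxelem is twice the entry count, hashsize the
    # smallest power of two >= the entry count, both at least 1024.
    maxelem = max(2 * len(nets), 1024)
    hashsize = max(1 << max(len(nets) - 1, 0).bit_length(), 1024)
    head = f"create {name} hash:net family inet hashsize {hashsize} maxelem {maxelem}"
    return "\n".join([head] + [f"add {name} {n}" for n in nets]) + "\n"

def split_for_rules(nets, per_rule):
    """Split the list into per-rule chunks; per_rule is an assumed field limit."""
    return [[str(n) for n in nets[i:i + per_rule]] for i in range(0, len(nets), per_rule)]

def missing_after_save(nets, saved_field):
    """Networks absent from the text a rule actually stored (truncation check)."""
    saved = set(filter(None, re.split(r"[,\s]+", saved_field)))
    return [str(n) for n in nets if str(n) not in saved]

if __name__ == "__main__":
    networks, bad = parse_zone(SAMPLE_ZONE)
    print(ipset_restore("geo-ru", networks), "rejected:", bad)
```

The generated text can be loaded with `ipset -exist restore < file`, and a netfilter rule can then match the set with `-m set --match-set geo-ru src`.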

Re: Banning a Country in KeyHelp

Posted: Sat 18. Jan 2025, 01:47
by Chalipa
Maybe Alexander or someone from KeyHelp can explain a little how many IPs (MAX) can be put in ONE rule?