2

I host a forum where the target audience is ONLY U.S., Australia, and Oceania. I would like to know how I could ban all other countries from access to my forum except the three above. I've been having a problem with bots signing up and they are all coming from IPs from other countries, so I think this would fix the problem and would not bother my target audience.

Is there an easy way to do this? Advice would be appreciated.

Jared
  • 1
    Your target audience never travels? – DA. Nov 04 '11 at 23:04
  • 1
    I thought about doing a `tracert` on any incoming request and then crosschecking the hops...but an IP can be through a proxy. I would be interested to know the answer to this as well. May want to cross-post this at http://serverfault.com/ – Yzmir Ramirez Nov 04 '11 at 23:05
  • @DA. It is a 'fansite' for a game hosted in the United States and only allows access from those 3 countries. Other countries have their own version of the game they can play. – Jared Nov 04 '11 at 23:06
  • If the problem is automated sign-ups via bots, I'd suggest looking at other solutions first...namely make sure there is some form of email validation confirmation or the like. – DA. Nov 04 '11 at 23:09
  • @DA: Email validation (and Captcha) have been broken by bots for some time. – Eric J. Nov 04 '11 at 23:14
  • Well, so has IP detection. But all options offer some relief. I'd suggest starting with ones that are a little easier to pull off. (Another option I suggest is to moderate all new-user posts.) – DA. Nov 04 '11 at 23:17

4 Answers

3

Bots use proxy servers all around the world. People running bots know how to get around IP blocking.

Using GeoIP to prevent bots from signing up on your system will not really solve the core problem.

Captcha can help to some extent; however, it's actually been broken (in the sense that well-programmed bots can solve Captcha challenges) for several years.

The StackOverflow model is actually very good... don't let a new user do very much until they get a little bit of reputation (e.g. post something that gets upvoted by other users, or require the first few posts to receive moderator approval).

Eric J.
  • I figured as much. I don't feel like paying just to keep some visitors out (GeoLite City, does not say FREE for me [free trial != free]!), and your answer is mostly what I was expecting. Thanks. – Jared Nov 05 '11 at 14:45
  • @Jared: My company makes heavy use of geolocation - much finer grained than per-country, with much better data sets than MaxMind's. Geolocation just doesn't work for access restrictions of any kind. The data's too flawed, and it's too easy for someone to just use a proxy. – Eric J. Nov 05 '11 at 15:21
1

With this PHP code you may allow selected countries to view your site. All other users will be shown a blank page with a message that they can't access the site.

You may set any number of countries by adding `&& $country != "XY"`, where XY is the code of a country which you allow to view your site.

In the example below, Korea and the US may view the site while others may not. With a little modification, you may also block or allow selected IPs if you want.

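```php
<?php
// Resolve the visitor's IP as a dotted string (false = skip the ip2long conversion).
$userIP = get_ipxx(false);
// Ask hostip.info for the two-letter country code; a failed lookup yields "" and is denied below.
$country = trim((string) file_get_contents('http://api.hostip.info/country.php?ip=' . urlencode($userIP)));

// Only Korea and the US pass; every other result ends the request.
if ($country != "KR" && $country != "US") {
    die ('ERROR : SITE IS UNAVAILABLE');
}

function get_ipxx($ip2long = true) {
    // HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR are request headers, so their values
    // are whatever the client or an intermediate proxy sent; REMOTE_ADDR is the TCP peer.
    // !empty() avoids "undefined index" notices when a header is absent.
    if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
        $ip = $_SERVER['HTTP_CLIENT_IP'];
    } else if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        // The header can hold a comma-separated chain; use its first entry.
        $ip = trim(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'])[0]);
    } else {
        $ip = $_SERVER['REMOTE_ADDR'];
    }
    if ($ip2long) {
        // Convert the dotted IPv4 string to its integer form.
        $ip = ip2long($ip);
    }
    return $ip;
}
```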
Mihai Iorga
nonamehere
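
The code in this answer reads `HTTP_CLIENT_IP` and `HTTP_X_FORWARDED_FOR` before `REMOTE_ADDR`; both are request headers, so the country lookup runs on whatever address the request supplies. The following is an added example, not part of the original answer, that honours `X-Forwarded-For` only when the connection comes from a known reverse proxy. `client_ip()` and the `TRUSTED_PROXIES` addresses are hypothetical, and the sample requests are constructed.

```php
<?php
// Added example. TRUSTED_PROXIES is an assumed deployment value: the addresses
// of reverse proxies you operate yourself (constructed here).
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

// Hypothetical helper: returns the address the geo lookup should use.
function client_ip(array $server, array $trustedProxies = TRUSTED_PROXIES): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';

    // Peer is not one of our proxies: forwarding headers are plain client
    // input, so ignore them and use the TCP peer address.
    if (!in_array($peer, $trustedProxies, true)) {
        return $peer;
    }

    // Peer is our proxy: walk X-Forwarded-For from right to left. The
    // rightmost entries were appended by our own proxies; the first entry
    // that is not one of them is the address that connected to our edge.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $peer; // missing or malformed chain: fall back to the peer
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $peer; // chain contained only our own proxies
}

// Constructed requests (documentation address ranges).
$direct  = ['REMOTE_ADDR' => '203.0.113.7',               // direct visitor
            'HTTP_CLIENT_IP' => '198.51.100.1',           // headers set by the client
            'HTTP_X_FORWARDED_FOR' => '198.51.100.1'];
$proxied = ['REMOTE_ADDR' => '10.0.0.5',                  // arrived via our proxy
            'HTTP_X_FORWARDED_FOR' => '198.51.100.1, 192.0.2.44'];

echo client_ip($direct), PHP_EOL;   // headers ignored, peer address used
echo client_ip($proxied), PHP_EOL;  // entry our proxy appended, not the leftmost one
```

The leftmost `X-Forwarded-For` entry is the one the client can choose freely, which is why the walk starts from the right.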
1

MaxMind's GeoLite City free database can be easily downloaded, updated, and processed to localize IP addresses.

David Schwartz
0

The easiest, but rather brute-force, way would be to get a list of IPs per country (they are normally allocated roughly by country, http://www.countryipblocks.net/). This has the possibility of accidentally blocking people who are legitimate customers, and still allowing people who are not legitimate into the site, but it should handle 95-99% of the cases. You'll then just set up the firewall or webserver or whatever tech you choose to block any of those IPs.

Zipper