I am in a bit of a pickle. I am setting up an SFTP server and had wanted to use a method I was using quite some time ago: the TCP Wrappers method, using aclexec in hosts.allow to run a script that uses geoiplookup to tell where the connection is coming from and block IPs in certain countries. I am reading now, though, that TCP Wrappers is deprecated and no longer available. I am not sure how to do this now. Does anyone have any ideas for an elegant solution?
I used to do something similar until MaxMind changed things, but I believe you can still get the free stuff here: MaxMind Server IP Addresses
Previously I used this with iptables and ipset for the countries I wished to block, but you can also do it with FirewallD easily enough. You could then parse the GeoLite database to get the countries you wish to block and put them in a FirewallD zone. This will stop them connecting even before they get to SSH/SFTP, which means all services on your server will be blocked for those addresses.
Great, thanks for your reply. I ended up doing something similar. I grabbed the IP address blocks of the countries I wanted to whitelist and used the ipset feature in a rich rule in firewalld to allow only those IPs.
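As an added example (not code posted by anyone in this thread), here is a POSIX shell script that does what the last two replies describe: it pulls the networks for an allow list of countries out of the GeoLite2 country CSVs, writes them to an entries file, and emits the firewall-cmd invocations that create a firewalld ipset from that file and a rich rule allowing SSH/SFTP only from it. The GeoLite2-Country CSV column layout is assumed from MaxMind's documentation, the sample rows are constructed (documentation ranges only), and the ipset name `allow_countries` and zone `public` are assumptions you would change for your host. The script also handles a GeoLite2 edge case the thread does not mention: blocks whose `geoname_id` is empty, where the `registered_country_geoname_id` is used instead.

```shell
#!/bin/sh
# Added example: build a firewalld ipset allow list from GeoLite2 country CSVs.
# Not from the thread. GeoLite2 column layout assumed; sample rows constructed.
set -eu

# Constructed sample of GeoLite2-Country-Locations-en.csv (assumed layout).
LOCATIONS_CSV='geoname_id,locale_code,continent_code,continent_name,country_iso_code,country_name,is_in_european_union
2077456,en,OC,Oceania,AU,Australia,0
6251999,en,NA,North America,CA,Canada,0
2635167,en,EU,Europe,GB,United Kingdom,0'

# Constructed sample of GeoLite2-Country-Blocks-IPv4.csv (assumed layout).
# Third row has an empty geoname_id: only registered_country_geoname_id is set.
BLOCKS_CSV='network,geoname_id,registered_country_geoname_id,represented_country_geoname_id,is_anonymous_proxy,is_satellite_provider
203.0.113.0/24,2077456,2077456,,0,0
198.51.100.0/25,6251999,6251999,,0,0
198.51.100.128/25,,6251999,,0,0
192.0.2.0/24,2635167,2635167,,0,0'

# geoname_ids_for "AU CA": print the geoname ids of the given ISO country
# codes, one per line (column 5 of the locations file is country_iso_code).
geoname_ids_for() {
  printf '%s\n' "$LOCATIONS_CSV" | awk -F, -v codes="$1" '
    BEGIN { n = split(codes, a, " "); for (i = 1; i <= n; i++) if (a[i] != "") want[a[i]] = 1 }
    NR > 1 && ($5 in want) { print $1 }'
}

# cidrs_for_countries "AU CA": print every network whose geoname_id belongs to
# the listed countries; when geoname_id is empty, fall back to the
# registered_country_geoname_id so those blocks are not silently dropped.
cidrs_for_countries() {
  ids=$(geoname_ids_for "$1" | tr '\n' ' ')
  printf '%s\n' "$BLOCKS_CSV" | awk -F, -v ids="$ids" '
    BEGIN { n = split(ids, a, " "); for (i = 1; i <= n; i++) if (a[i] != "") want[a[i]] = 1 }
    NR > 1 { id = ($2 != "") ? $2 : $3; if (id in want) print $1 }'
}

# firewalld_commands SETNAME ENTRIES_FILE: print (do not run) the firewall-cmd
# calls that create a hash:net ipset, load the CIDRs from the entries file,
# drop the generic ssh service from the zone, and allow ssh only from the set.
firewalld_commands() {
  set_name=$1
  entries=$2
  cat <<EOF
firewall-cmd --permanent --new-ipset=$set_name --type=hash:net --option=family=inet
firewall-cmd --permanent --ipset=$set_name --add-entries-from-file=$entries
# Remove the blanket ssh allowance so the rich rule below is the only path in.
firewall-cmd --permanent --zone=public --remove-service=ssh
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source ipset="$set_name" service name="ssh" accept'
firewall-cmd --reload
EOF
}

main() {
  countries=${1:-"AU CA"}          # assumed default allow list for the demo
  entries_file=$(mktemp)
  cidrs_for_countries "$countries" > "$entries_file"
  echo "# $(wc -l < "$entries_file" | tr -d ' ') networks selected for: $countries"
  firewalld_commands allow_countries "$entries_file"
}

main "$@"
```

The script only prints the firewall-cmd lines so you can review them (and add your own management address to the entries file first) before piping them into a shell on the server; removing the `ssh` service from the zone is what turns the rich rule into an exclusive allow list rather than a redundant one. With the real CSVs, replace the two embedded samples by reading the downloaded files.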