0

I am using Secast for intrusion protection on my Asterisk PBX. It’s working great, and I now want to start blocking specific geographic regions. My system is getting hammered from Ramallah, Palestine, and I want to block them. Is this right?

I have set (in the [geoip] section of secast.conf):

ruledefault=allow
ruleexceptions=::Ramallah:
Chris S
  • Unless someone here has that particular software you'll be hard-pressed to find an answer. I'd contact your vendor for assistance. – Nathan C May 20 '14 at 16:19

2 Answers

1

A bit off topic, but consider how you are using your geofencing rules. Are your users really travelling the world?

If not, switch the default rule to deny, and then allow in only the country(ies)/continent(s) where your PBX users actually visit.

So for the example above, if you have valid users in other parts of Palestine but none in Ramallah, then don't deny all of Palestine.

TSG
-1

Your setting will work - but may not do exactly what you want. If there is a city in the USA called Ramallah, one in Palestine, and one in Iraq, then

ruleexceptions=::Ramallah:

will block all three cities with the same name. What might be more effective is to block based on the continent, then country, then city:

ruleexceptions=AS:PS:Ramallah:

so that rule would block the city of Ramallah, in Palestine, in Asia. If it turns out that Palestine in general is a hotspot for attacks, you could more broadly block the whole country with:

ruleexceptions=AS:PS::
TSG