I am trying to block a list of IP blocks to block a country. Did anyone succeed without changing the ISP's native settings? I'm researching the possibilities, I'm in doubt if I do it through Apache, fail2ban or through the firewall. Some form that is as light as possible and easy to manage.
Do you have a firewall that supports that? That would definitely be easiest. None of the three (apache/fail2ban/ufw) supports blocking by countries without some work; probably apache or iptables would be the most likely of the those to get the job done, but unless you can find something already put together for it (and other folks may reply here with exactly that), you'll have to setup a download of geoip data source (update weekly or monthly maybe?) and pull the data from there to rig up your rules. As a suggestion, I'm a happy pfsense user, which is a firewall platform you could use for that among (many) other things.
We have a good firewall before the webserver. But the security sector does not find it a good method to block a country in this way. But I did an analysis and saw that 99% of the access in a certain country is accessed by scanning the websites. I saw solutions like this: https://www.howtoforge.com/community/threads/debian-9-apache-2-using-mod_maxminddb.79515/ Researching a lighter way to block these IPs
If 1% of access from that country is visitors you want to serve, blocking the whole country causes problems. Something like this may be better: https://zeltser.com/malicious-ip-blocklists/
I made pretty good experience with ipset blacklist: https://github.com/trick77/ipset-blacklist It is fast and supports different blacklists. You can activate a country blacklist to block a country. Use the firewall, it's orders of magnitude faster (less power consuming)!
