Restrict account access to certain countries/IP ranges

Allow a user to set restricted IP ranges that can log into their account. I’m not sure if this is a just a false sense of security though, since an attacker can and most likely will be spoofing their IP through some other route.

GitHub issue: Allow logins from only certain countries · Issue #41 · bitwarden/server · GitHub

Defense in depth. Won’t stop a determined advisory, but will deter or slow someone down with limited knowledge.

original requestor here - These sorts of geo-ip address blocklists actively monitor such things as TOR exit nodes and proxy companies. Realistically, if the code is secure otherwise, I’m not as concerned with some sophisticated adversary then as much as the every day scenarios. If I log in at a hotel while I’m on vacation I can’t terminate that lingering session nor restrict access from that country when I return home.

This is such a low-cost improvement and implementation and help with some of the most common scenarios.

from original request:

I really like Lastpass’ feature to restrict logins to only certain countries on an allowed list.

I see MaxMind free location tables https://www.maxmind.com used a lot for this though I’m sure there are probably others out there.

The only time I allow any other country might be if I’m on vacation and I definitely block all TOR login access.

But you can… Go to web vault -> Settings -> Deauthorize Sessions

1 Like

This combined with an ability to proxy traffic (via SSH or something) would be a game changer.

I would only allow my home IP and an IP of some server that I own and to which I could connect with my phone. It would thus reduce the attack surface to my physical circle, I would no longer have to worry about keyloggers or malware on my pc stealing my passwords because attacker would not be able to login anyway (unless he proxies through my pc).

I don’t know how much I like the idea of totally blocking someone via geo-restrictions or proxy restrictions. At the very least, though, maybe there could be an additional challenge when logging in from either a higher-risk or sufficiently different location (e.g. a different IP, an IP a certain number of miles away from my last recorded IP, etc). This could be as simple as master password and MFA, plus an additional random PIN being sent to an email that needs to be entered to log in.

I agree with this one, it is one more defense to put in place. It would at least force an attacker to come from a country/region that has been allowed by the vault owner before being able to try to brute force credentials.

@kspearrin you could use http://iplists.firehol.org to allow users to optionally block access from IP in some of the lists in addition to GEO IP.
Even if it’s not blocking it could be just sent an alert email, so for someone based in France it could be interesting to know that someone is logging or trying to (fail logs) from china, US or from an IP in some of the block lists (TOR, suspicious IP, etc.)

Some tools here to implement firehol lists
http://firehol.org/
@kspearrin

yes, its not a perfect solution, but a non-meaningless roadblock that can help improve security. as we know security is all about layers, and this is yet another layer.