Allow to protect a folder by country-based access via .htaccess
-
EhudZ commented
This is optional via ModSecurity (blocking the folder for some countries?)
Just adjust the below example for a specific folder:
Below is a full guidance:
ModSecurity Blocking Countries Guidance
1) Download the GeoIP lite database:
# curl -Lo /usr/share/GeoIP/GeoLiteCountry.dat.gz https://dl.miyuru.lk/geoip/dbip/country/dbip4.dat.gz
Or download some other DB files from:
GeoIP Legacy Databases
Or, a paid one from Maxmind.
Note 1: The IP database file should be updated about once a month (or so), as IPs are transferred between ISPs in various countries. The Maxmind file updates about once a month.
Note 2: The Maxmind file FORMAT is expected to change in May 2022. If not updating to a newer ModSecurity-compatible module, the Maxmind file from May 2022 onwards should be converted to the legacy file format used here. As of December 2021, it downloads as file.dat.gz, so note the two file formats in the file name before it is uncompressed.
2) Uncompress the file (convert the zipped *.gz file to a *.dat file):
# gunzip /usr/share/GeoIP/GeoLiteCountry.dat.gz
3) Upload the COUNTRY file to:
# /usr/share/GeoIP/GeoLiteCountry.dat
4) Enable GeoIP in a file according to which ModSecurity Rule set is used:
For OWASP:
# vi /etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk/10-crs-setup.conf
Un-comment the following line:
SecGeoLookupDB /usr/share/GeoIP/GeoLiteCountry.dat
For COMODO:
# vi /etc/apache2/modsecurity.d/rules/comodo_free/00_Init_Initialization.conf
Add the below line at the end of the file:
SecGeoLookupDB /usr/share/GeoIP/GeoLiteCountry.dat
5) Manually create a ModSecurity rule
Using OWASP:
# touch /etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk/country_block.conf
Using COMODO:
# touch /etc/apache2/modsecurity.d/rules/comodo_free/country_block.conf
Place the rule in the just-created file:
SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:99999932392,drop,log,msg:'Blocking %{geo.country_code}'"
SecRule GEO:COUNTRY_CODE "@pm XX XX XX"
Note: "XX" are to be replaced with the actual country codes.
Also, the rule id (in the above example - "99999932392") should be unique, otherwise the apache2 service wouldn't
Country two-character ISO code list is available here:
ISO 3166-1 alpha-2 - Wikipedia
You may copy the country codes already set in one line from the below example, which blocks all countries except the USA, Canada, Russia, most Western European countries, and Israel.
SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:99999932392,drop,log,msg:'Blocking %{geo.country_code}'"
SecRule GEO:COUNTRY_CODE "@pm AF AG AI AL AM AO AQ AR AS AW AX AZ BA BB BD BF BG BH BI BJ BL BM BN BO BQ BR BS BT BV BW BY BZ CC CD CF CG CI CK CL CM CN CO CR CU CV CW CX CZ DJ DM DO DZ EC EE EG EH ER ET FJ FK FM FO GA GD GE GF GG GH GI GL GM GN GP GQ GS GT GU GW GY HK HM HN HR HT HU ID IE IM IN IO IQ IR JE JM JO KE KG KH KI KM KN KP KR KW KZ LA LB LC LK LR LS LY MA MD ME MF MG MH MK ML MM MN MO MP MQ MR MS MT MU MV MW MX MY MZ NA NC NE NF NG NI NP NR NU OM PA PE PF PG PH PK PL PM PN PR PS PT PW PY QA RE RO RS RW SA SB SC SD SG SH SI SJ SK SL SN SO SR SS ST SV SX SY SZ TC TD TF TG TH TJ TK TL TM TN TO TR TT TV TW TZ UA UG UM UY UZ VA VC VE VG VI VN VU WF WS XK YE YT ZA ZM ZW"
6) Test server configuration and fix before restart if needed:
# apachectl configtest
7) Restart the server to make sure the new configuration takes effect:
# systemctl restart apache2
8) Test the blocking happens.
You may use the mobile Opera browser, which has a built-in VPN allowing you to choose Asia/Europe/America as a location.
Choose Asia, which in my case used a Singapore IP. Set Opera to also include VPN for search results.
Then, with mobile Opera set to Asia, check on Google: “What is my IP?”
And copy the IP to check it’s indeed in Asia, on a service such as (replace the 8.8.8.8 IP with the one you got):
8.8.8.8 IP Address Details - IPInfo.io
Now, access your website. You may get a ‘502’ error in the browser. The log file will look something like:
2021-mm-dd 12:51:40 Error 77.111.245.12 403 GET / HTTP/1.0 5.00 K Apache SSL/TLS access
2021-mm-dd 12:51:40 Error 77.111.245.12 [client 77.111.245.12] ModSecurity: Access denied with connection close (phase 1). Matched phrase "SG" at GEO:COUNTRY_CODE. [file "/etc/apache2/modsecurity.d/rules/comodo_free/country_block.conf"] [line "1"] [id "99999932392"] [msg "Blocking SG"] [hostname "currenge.com"] [uri "/"] [unique_id "Ya88vB9V-Qu@vxwlDnpcQwAAAAA"] Apache error
2021-mm-dd 12:51:40 Error 77.111.245.12 62778#0: *180 upstream prematurely closed connection while reading response header from upstream nginx error
See more recommendations in the attached PDF file
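As an added example (not code from the original post), this POSIX shell script automates steps 4 to 7 above: it writes the two-line chained rule into country_block.conf from a list of country codes, refuses invalid codes and a rule id already used by another .conf in the same directory, warns when no SecGeoLookupDB line is present, and runs apachectl configtest when it is installed. The script name country_block.sh, and the RULES_DIR, RULE_ID and GEO_DB defaults, are assumptions to adjust for the OWASP or COMODO rule set in use.

```shell
#!/bin/sh
# Added example, not from the original post: build the country_block.conf from steps 4-7 out of
# a list of ISO 3166-1 alpha-2 codes, checking each code's format and that the rule id is not
# already used by another .conf in the same directory, then run apachectl configtest if present.
# RULES_DIR, RULE_ID and GEO_DB are assumptions; point RULES_DIR at the OWASP or COMODO directory.
RULES_DIR="${RULES_DIR:-/etc/apache2/modsecurity.d/rules/comodo_free}"
RULE_ID="${RULE_ID:-99999932392}"
GEO_DB="${GEO_DB:-/usr/share/GeoIP/GeoLiteCountry.dat}"
# Return 0 if every argument is a two-letter upper-case country code.
valid_codes() {
    for c in "$@"; do
        case "$c" in
            [[:upper:]][[:upper:]]) ;;
            *) echo "invalid country code: $c" >&2; return 1 ;;
        esac
    done
    return 0
}
# Return 0 if no .conf file in directory $1, other than $3, already declares id:$2.
id_unused() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] && [ "$f" != "$3" ] || continue
        if grep -q "id:$2[,\"]" "$f"; then
            echo "rule id $2 already used in $f" >&2
            return 1
        fi
    done
    return 0
}
# Return 0 if some .conf file in directory $1 already sets SecGeoLookupDB to the database.
geo_db_configured() {
    grep -qs "^SecGeoLookupDB[[:space:]]\{1,\}$GEO_DB" "$1"/*.conf
}
# Write the post's two-line chained rule into file $1, blocking the codes given as $2...
write_block_rule() {
    out=$1; shift
    valid_codes "$@" || return 1
    id_unused "$(dirname "$out")" "$RULE_ID" "$out" || return 1
    printf '%s\n' \
        "SecRule REMOTE_ADDR \"@geoLookup\" \"phase:1,chain,id:$RULE_ID,drop,log,msg:'Blocking %{geo.country_code}'\"" \
        "SecRule GEO:COUNTRY_CODE \"@pm $*\"" > "$out"
}
# Usage: sh country_block.sh CODE [CODE ...]  (writes RULES_DIR/country_block.conf)
if [ $# -gt 0 ]; then
    geo_db_configured "$RULES_DIR" || echo "warning: no SecGeoLookupDB line in $RULES_DIR" >&2
    write_block_rule "$RULES_DIR/country_block.conf" "$@" || exit 1
    if command -v apachectl >/dev/null 2>&1; then apachectl configtest; fi
fi
```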
-
Thank you, it is a good solution, but we are closing this request since the initial request does not contain any feature suggestions. If you have additional information about this issue or want to get advice from the community, please go to our forum at http://talk.plesk.com. Thank you.
--
IG -
Marco Marsala commented
You're right. What about .ftpaccess for country-based limiting of FTP logins? Currently I'm doing it via the following .ftpaccess in my root folder:
<Limit ALL>
AllowClass italy
DenyAll
</Limit>
italy is defined as a list of IPs/ranges in a separate file under /etc/proftp.d/italy.conf