• Block all traffic to the server using the firewall.
• Enable Cloudflare for your domains/server.
• Firewall Whitelist Cloudflare's IPs for only port 443

nginx would only block HTTP traffic. For one we use Apache and also we want to block every connection, not only HTTP.

At the moment I solved it with ipset

I can't use nginx, so I've completely disabled it. I presume that means I can't use the GeoIP module mentioned?

This does not cater for Windows Server though.

This is an important feature.

I think the attacks from certain countrys is growing. This would help to make all more safty in an easier way.

Though some ways to accomplish this seem to now be available - they are too complicated, and/or the steps to implement them are not clear enough for non-experts. The deny-country extension looks like it could address this well - but again - installation is too complicated.

Hi,

The Plesk FW suffers from a code that converts some IpV4 IPs to their IpV6 transformation, causing it to run for hours if placing lots of IPs in it. If it would not have that issue, you could easily block thousands of IP ranges without any performance issues... related to UPDATING the firewall with new content.

If you are looking to block only one country... this should be doable.

Blocking 5.10.0.0/16 which are all IPs after the prefix 5.10.* should be a piece of cake anyway.. however this is not all the IPs in that country (Russia?).

You may also use ModSecurity to block countries using their iso 2 letters country code.

You may look at the solution on the below Plesk support ticket, and also read my (not Plesk support) comments:

https://support.plesk.com/hc/en-us/articles/115004928714-How-to-block-or-whitelist-specific-countries-through-Plesk-

This is also in the attached file.

easy handling important!

Due to iptables limits absolutely necessary

And, it seems there is an additional way to do so on nginx:

https://linuxadmin.io/nginx-geoip-block-countries/

Updating CRS (i.e., COMODO) which is done a daily basis, moves the *.conf files to a backup and creates a NEW one, thus the Plesk GUI Custom directives should be used.

This is seen afterwards on the file:

/etc/apache2/plesk.conf.d/modsecurity.conf

SecDefaultAction \
"phase:1,deny,status:403,log,auditlog"
SecDefaultAction \
"phase:2,deny,status:403,log,auditlog"

SecGeoLookupDB /usr/share/GeoIP/GeoLiteCity.dat

SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:99999932392,drop,log,msg:'Blocking %{geo.country_name} (%{geo.country_code})',logdata:'{country_code=%{geo.country_code}, country_code3=%{geo.country_code3}, country_name=%{geo.country_name}, country_continent=%{geo.country_continent}, city=%{geo.city}}'"
SecRule GEO:COUNTRY_CODE "@pm AF AG AI AL AM AO AQ AR AS AW AX AZ BA BB BD BF BG BH BI BJ BL BM BN BO BQ BR BS BT BV BW BY BZ CC CD CF CG CI CK CL CM CN CO CR CU CV CW CX CZ DJ DM DO DZ EC EE EG EH ER ET FJ FK FM FO GA GD GE GF GG GH GI GL GM GN GP GQ GS GT GU GW GY HK HM HN HR HT HU ID IM IN IO IQ IR JE JM JO KE KG KH KI KM KN KP KR KW ** KZ LA LB LC LK LR LS LY MA MD ME MF MG MH MK ML MM MN MO MP MQ MR MS MT MU MV MW MX MY MZ NA NC NE NF NG NI NP NR NU OM PA PE PF PG PH PK PL PM PN PR PS PT PW PY QA RE RO RS RU RW SA SB SC SD SG SH SI SJ SK SL SN SO SR SS ST SV SX SY SZ TC TD TF TG TH TJ TK TL TM TN TO TR TT TV TW TZ UA UG UM UY UZ VA VC VE VG VI VN VU WF WS XK YE YT ZA ZM ZW"

If you do NOT update CRS, you may use the guidance placed above. I recommend you read it all, as there are some important action recommendations in it.

Such feature may be achieved using ModSecurity GeoIP module on Plesk.

Below is a full guidance:

ModSecurity Blocking Countries Guidance

1) Download the Geo2ip lite database:

# curl -Lo /usr/share/GeoIP/GeoLiteCountry.dat.gz https://dl.miyuru.lk/geoip/dbip/country/dbip4.dat.gz

Or download some other DB files from:

GeoIP Legacy Databases

Or, a paid one from Maxmind.

Note: 1) The IP Data Base file should be updated once in a month (/a while) as IPs are transferred between ISPs in various countries. The Maxmind file updates about once a month.
Note: 2) The Maxmind file FORMAT is expected to be change on May 2022. If not updating to a newer ModSecurity suitable module, the near future (from May 2022) Maxmind file should be converted to the legacy used file format. On December 2021, it downloads as file.dat.gz, so note the two file formats in the file name, before its uncompressed.

2) uncompress the file (Converted the zip *.gz file to a *.dat file):

# gunzip /usr/share/GeoIP/GeoLiteCountry.dat.gz

3) Uploaded the COUNTRY file to:

# /usr/share/GeoIP/GeoLiteCountry.dat

4) Enable GeoIP in a file according to which ModSecurity Rule set is used:

For OWASP:
# vi /etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk/10-crs-setup.conf

un-commented the following line:
SecGeoLookupDB /usr/share/GeoIP/GeoLiteCountry.dat

For COMODO:
# vi /etc/apache2/modsecurity.d/rules/comodo_free/00_Init_Initialization.conf

Add the below line at the end of the file:
SecGeoLookupDB /usr/share/GeoIP/GeoLiteCountry.dat

5) Manually Create a ModSecurity rule

Using OWASP:
# touch /etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk/country_block.conf
Using COMODO:
# touch /etc/apache2/modsecurity.d/rules/comodo_free/country_block.conf

Place the rule in the just created file:

SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:99999932392,drop,log,msg:'Blocking %{geo.country_code}'"

SecRule GEO:COUNTRY_CODE "@pm XX XX XX"

Note: "XX" are to be replaced with the actual country codes.
Also rule id (in the above example - "99999932392") should be unique, otherwise, the apache2 service wouldn't

Country two charts ISO code list is available here:

ISO 3166-1 alpha-2 - Wikipedia

You may copy country code already set in one line, from the below example, blocking all countries, but not USA, Canada, Russia, most Western European countries, and Israel.

SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:99999932392,drop,log,msg:'Blocking %{geo.country_code}'"

SecRule GEO:COUNTRY_CODE " @pm AF AG AI AL AM AO AQ AR AS AW AX AZ BA BB BD BF BG BH BI BJ BL BM BN BO BQ BR BS BT BV BW BY BZ CC CD CF CG CI CK CL CM CN CO CR CU CV CW CX CZ DJ DM DO DZ EC EE EG EH ER ET FJ FK FM FO GA GD GE GF GG GH GI GL GM GN GP GQ GS GT GU GW GY HK HM HN HR HT HU ID IE IM IN IO IQ IR JE JM JO KE KG KH KI KM KN KP KR KW KY KZ LA LB LC LK LR LS LY MA MD ME MF MG MH MK ML MM MN MO MP MQ MR MS MT MU MV MW MX MY MZ NA NC NE NF NG NI NP NR NU OM PA PE PF PG PH PK PL PM PN PR PS PT PW PY QA RE RO RS RW SA SB SC SD SG SH SI SJ SK SL SN SO SR SS ST SV SX SY SZ TC TD TF TG TH TJ TK TL TM TN TO TR TT TV TW TZ UA UG UM UY UZ VA VC VE VG VI VN VU WF WS XK YE YT ZA ZM ZW"

6) Test server configuration and fix before restart if needed:

# apachectl configtest

7) Restart the server, to make sure the new configuration takes place:

# systemctl restart apache2

8) Test the blocking happens.

You may use mobile phone Opera browser that has a built-in VPN, allowing to choose Asia/Europe/America as a location.

Choose Asia, which in my case used Singapore IP. Set Opera to also include VPN for search results.
Then, check on the mobile Opera is set for Asia, on Google:

“What is my IP?”

And copy the IP to check it’s indeed in Asia, on a service as (replace the 8.8.8.8 IP with the one you got):

8.8.8.8 IP Address Details - IPInfo.io

Now, access your website. You may get on the browser client a ‘502’ error on the browser. Log file will look something like:

2021-mm-dd 12:51:40 Error 77.111.245.12 403 GET / HTTP/1.0 5.00 K Apache SSL/TLS access
2021-mm-dd 12:51:40 Error 77.111.245.12 [client 77.111.245.12] ModSecurity: Access denied with connection close (phase 1). Matched phrase "SG" at GEO:COUNTRY_CODE. [file "/etc/apache2/modsecurity.d/rules/comodo_free/country_block.conf"] [line "1"] [id "99999932392"] [msg "Blocking SG"] [hostname "currenge.com"] [uri "/"] [unique_id "Ya88vB9V-Qu@vxwlDnpcQwAAAAA"] Apache error
2021-mm-dd 12:51:40 Error 77.111.245.12 62778#0: *180 upstream prematurely closed connection while reading response header from upstream nginx error

** See more recommendations in the attached PDF file **

Issue is resolved. This task can be done with Plesk 'as-is'.

Attached is a full guidance, in a PDF file.

If we could use ModSecurity to block particular countries by the means of Plesk interface/CLI, that'd be great.

Yes I agree with this, its such an important feature

+1

+1

+1