Block the IP of the selected country in Firewall
Firewall should be able to block the IP of the selected country. I have a lot of traffic from the IP 5.10.*.*

As an alternative option, you can configure GeoIP protection using nginx GeoIP module https://docs.plesk.com/en-US/obsidian/administrator-guide/website-management/websites-and-domains/extended-website-management/plesk-for-linux-setting-up-ip-geolocation-for-a-website.80011/
Please let us know what you think about it.
--AA
-
SpyderZ commented
• Block all traffic to the server using the firewall.
• Enable Cloudflare for your domains/server.
• Firewall Whitelist Cloudflare's IPs for only port 443
-
Larsen commented
nginx would only block HTTP traffic. For one we use Apache and also we want to block every connection, not only HTTP.
-
Frank Mailänder commented
At the moment I solved it with ipset
-
Bryan S. Katz commented
I can't use nginx, so I've completely disabled it. I presume that means I can't use the GeoIP module mentioned?
-
Denis Kondopoulos commented
This does not cater for Windows Server though.
-
Motaz Elshazly commented
This is an important feature.
-
Udo Waigand commented
I think the attacks from certain countries are growing. This would help to make everything safer in an easier way.
-
Anonymous commented
Though some ways to accomplish this seem to now be available - they are too complicated, and/or the steps to implement them are not clear enough for non-experts. The deny-country extension looks like it could address this well - but again - installation is too complicated.
-
EhudZ commented
Hi,
The Plesk FW suffers from a code that converts some IPv4 IPs to their IPv6 transformation, causing it to run for hours if placing lots of IPs in it. If it would not have that issue, you could easily block thousands of IP ranges without any performance issues... related to UPDATING the firewall with new content.
If you are looking to block only one country... this should be doable.
Blocking 5.10.0.0/16 which are all IPs after the prefix 5.10.* should be a piece of cake anyway.. however this is not all the IPs in that country (Russia?).
You may also use ModSecurity to block countries using their ISO 2-letter country code.
You may look at the solution on the below Plesk support ticket, and also read my (not Plesk support) comments:
This is also in the attached file.
-
Peter Bieberich commented
easy handling important!
-
Frank Mailänder commented
Due to iptables limits absolutely necessary
-
EhudZ commented
And, it seems there is an additional way to do so on nginx:
-
EhudZ commented
Updating CRS (i.e., COMODO), which is done on a daily basis, moves the *.conf files to a backup and creates a NEW one, thus the Plesk GUI Custom directives should be used.
This is seen afterwards on the file:
/etc/apache2/plesk.conf.d/modsecurity.conf
SecDefaultAction \
"phase:1,deny,status:403,log,auditlog"
SecDefaultAction \
"phase:2,deny,status:403,log,auditlog"
SecGeoLookupDB /usr/share/GeoIP/GeoLiteCity.dat
SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:99999932392,drop,log,msg:'Blocking %{geo.country_name} (%{geo.country_code})',logdata:'{country_code=%{geo.country_code}, country_code3=%{geo.country_code3}, country_name=%{geo.country_name}, country_continent=%{geo.country_continent}, city=%{geo.city}}'"
SecRule GEO:COUNTRY_CODE "@pm AF AG AI AL AM AO AQ AR AS AW AX AZ BA BB BD BF BG BH BI BJ BL BM BN BO BQ BR BS BT BV BW BY BZ CC CD CF CG CI CK CL CM CN CO CR CU CV CW CX CZ DJ DM DO DZ EC EE EG EH ER ET FJ FK FM FO GA GD GE GF GG GH GI GL GM GN GP GQ GS GT GU GW GY HK HM HN HR HT HU ID IM IN IO IQ IR JE JM JO KE KG KH KI KM KN KP KR KW ** KZ LA LB LC LK LR LS LY MA MD ME MF MG MH MK ML MM MN MO MP MQ MR MS MT MU MV MW MX MY MZ NA NC NE NF NG NI NP NR NU OM PA PE PF PG PH PK PL PM PN PR PS PT PW PY QA RE RO RS RU RW SA SB SC SD SG SH SI SJ SK SL SN SO SR SS ST SV SX SY SZ TC TD TF TG TH TJ TK TL TM TN TO TR TT TV TW TZ UA UG UM UY UZ VA VC VE VG VI VN VU WF WS XK YE YT ZA ZM ZW"
If you do NOT update CRS, you may use the guidance placed above. I recommend you read it all, as there are some important action recommendations in it.
-
EhudZ commented
Such feature may be achieved using ModSecurity GeoIP module on Plesk.
Below is a full guidance:
ModSecurity Blocking Countries Guidance
1) Download the Geo2ip lite database:
# curl -Lo /usr/share/GeoIP/GeoLiteCountry.dat.gz https://dl.miyuru.lk/geoip/dbip/country/dbip4.dat.gz
Or download some other DB files from:
GeoIP Legacy Databases
Or, a paid one from Maxmind.
Note: 1) The IP Data Base file should be updated once in a month (/a while) as IPs are transferred between ISPs in various countries. The Maxmind file updates about once a month.
Note: 2) The Maxmind file FORMAT is expected to change in May 2022. If not updating to a newer ModSecurity suitable module, the near future (from May 2022) Maxmind file should be converted to the legacy used file format. On December 2021, it downloads as file.dat.gz, so note the two file formats in the file name, before it's uncompressed.
2) Uncompress the file (Converted the zip *.gz file to a *.dat file):
# gunzip /usr/share/GeoIP/GeoLiteCountry.dat.gz
3) Uploaded the COUNTRY file to:
# /usr/share/GeoIP/GeoLiteCountry.dat
4) Enable GeoIP in a file according to which ModSecurity Rule set is used:
For OWASP:
# vi /etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk/10-crs-setup.conf
Un-comment the following line:
SecGeoLookupDB /usr/share/GeoIP/GeoLiteCountry.dat
For COMODO:
# vi /etc/apache2/modsecurity.d/rules/comodo_free/00_Init_Initialization.conf
Add the below line at the end of the file:
SecGeoLookupDB /usr/share/GeoIP/GeoLiteCountry.dat
5) Manually Create a ModSecurity rule
Using OWASP:
# touch /etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk/country_block.conf
Using COMODO:
# touch /etc/apache2/modsecurity.d/rules/comodo_free/country_block.conf
Place the rule in the just created file:
SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:99999932392,drop,log,msg:'Blocking %{geo.country_code}'"
SecRule GEO:COUNTRY_CODE "@pm XX XX XX"
Note: "XX" are to be replaced with the actual country codes.
Also rule id (in the above example - "99999932392") should be unique, otherwise, the apache2 service wouldn't
Country two chars ISO code list is available here:
ISO 3166-1 alpha-2 - Wikipedia
You may copy country code already set in one line, from the below example, blocking all countries, but not USA, Canada, Russia, most Western European countries, and Israel.
SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:99999932392,drop,log,msg:'Blocking %{geo.country_code}'"
SecRule GEO:COUNTRY_CODE "@pm AF AG AI AL AM AO AQ AR AS AW AX AZ BA BB BD BF BG BH BI BJ BL BM BN BO BQ BR BS BT BV BW BY BZ CC CD CF CG CI CK CL CM CN CO CR CU CV CW CX CZ DJ DM DO DZ EC EE EG EH ER ET FJ FK FM FO GA GD GE GF GG GH GI GL GM GN GP GQ GS GT GU GW GY HK HM HN HR HT HU ID IE IM IN IO IQ IR JE JM JO KE KG KH KI KM KN KP KR KW KY KZ LA LB LC LK LR LS LY MA MD ME MF MG MH MK ML MM MN MO MP MQ MR MS MT MU MV MW MX MY MZ NA NC NE NF NG NI NP NR NU OM PA PE PF PG PH PK PL PM PN PR PS PT PW PY QA RE RO RS RW SA SB SC SD SG SH SI SJ SK SL SN SO SR SS ST SV SX SY SZ TC TD TF TG TH TJ TK TL TM TN TO TR TT TV TW TZ UA UG UM UY UZ VA VC VE VG VI VN VU WF WS XK YE YT ZA ZM ZW"
6) Test server configuration and fix before restart if needed:
# apachectl configtest
7) Restart the server, to make sure the new configuration takes place:
# systemctl restart apache2
8) Test the blocking happens.
You may use mobile phone Opera browser that has a built-in VPN, allowing to choose Asia/Europe/America as a location.
Choose Asia, which in my case used Singapore IP. Set Opera to also include VPN for search results.
Then, check on the mobile Opera is set for Asia, on Google: “What is my IP?”
And copy the IP to check it’s indeed in Asia, on a service as (replace the 8.8.8.8 IP with the one you got):
8.8.8.8 IP Address Details - IPInfo.io
Now, access your website. You may get on the browser client a ‘502’ error on the browser. Log file will look something like:
2021-mm-dd 12:51:40 Error 77.111.245.12 403 GET / HTTP/1.0 5.00 K Apache SSL/TLS access
2021-mm-dd 12:51:40 Error 77.111.245.12 [client 77.111.245.12] ModSecurity: Access denied with connection close (phase 1). Matched phrase "SG" at GEO:COUNTRY_CODE. [file "/etc/apache2/modsecurity.d/rules/comodo_free/country_block.conf"] [line "1"] [id "99999932392"] [msg "Blocking SG"] [hostname "currenge.com"] [uri "/"] [unique_id "Ya88vB9V-Qu@vxwlDnpcQwAAAAA"] Apache error
2021-mm-dd 12:51:40 Error 77.111.245.12 62778#0: *180 upstream prematurely closed connection while reading response header from upstream nginx error
** See more recommendations in the attached PDF file **
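The rule from step 5 and the log check from step 8 above, as an added example that is not part of the original comment or of Plesk's tooling: it generates the chained rule from a validated list of country codes and counts, per country, the drops that rule wrote to the Apache error log. The function names are hypothetical, the rule id and message format are the ones used in the comment, and the log lines are constructed with documentation addresses.

```sh
#!/bin/sh
# Added example: helper names and the sample log lines are constructed for illustration.

# build_country_rule RULE_ID CODE...  -> prints the chained rule from step 5.
# Fails on a non-numeric id or any token that is not two upper-case letters.
build_country_rule() (
    LC_ALL=C
    [ "$#" -ge 2 ] || { echo "usage: build_country_rule ID CODE..." >&2; exit 1; }
    id=$1; shift
    case $id in
        ''|*[!0-9]*) echo "rule id must be numeric: $id" >&2; exit 1 ;;
    esac
    codes=
    for code in "$@"; do
        case $code in
            [A-Z][A-Z]) ;;
            *) echo "not an ISO 3166-1 alpha-2 code: $code" >&2; exit 1 ;;
        esac
        case " $codes " in
            *" $code "*) ;;                          # skip duplicates
            *) codes="${codes:+$codes }$code" ;;
        esac
    done
    printf '%s\n' "SecRule REMOTE_ADDR \"@geoLookup\" \"phase:1,chain,id:$id,drop,log,msg:'Blocking %{geo.country_code}'\""
    printf '%s\n' "SecRule GEO:COUNTRY_CODE \"@pm $codes\""
)

# blocked_countries RULE_ID < error_log  -> "COUNT CODE" per country dropped by that rule.
# Assumes the step 5 message format: [msg "Blocking XX"].
blocked_countries() {
    sed -n 's/.*\[id "'"$1"'"] \[msg "Blocking \([A-Z][A-Z]\)"].*/\1/p' |
        sort | uniq -c | awk '{ print $1, $2 }'
}

# Constructed log lines modelled on the sample in the comment above.
sample_log() {
    cat <<'EOF'
[client 203.0.113.7] ModSecurity: Access denied with connection close (phase 1). Matched phrase "SG" at GEO:COUNTRY_CODE. [id "99999932392"] [msg "Blocking SG"] [uri "/"]
[client 203.0.113.9] ModSecurity: Access denied with connection close (phase 1). Matched phrase "SG" at GEO:COUNTRY_CODE. [id "99999932392"] [msg "Blocking SG"] [uri "/a"]
[client 198.51.100.4] ModSecurity: Access denied with connection close (phase 1). Matched phrase "CN" at GEO:COUNTRY_CODE. [id "99999932392"] [msg "Blocking CN"] [uri "/"]
[client 198.51.100.5] ModSecurity: Warning. [id "12345"] [msg "Blocking XX"] [uri "/"]
EOF
}

build_country_rule 99999932392 SG CN
sample_log | blocked_countries 99999932392
```

Redirect the first function's output into the country_block.conf file from step 5, then run `apachectl configtest` as in step 6 before restarting.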
-
EhudZ commented
Issue is resolved. This task can be done with Plesk 'as-is'.
Attached is a full guidance, in a PDF file.
-
Plesk Tech Support commented
If we could use ModSecurity to block particular countries by the means of Plesk interface/CLI, that'd be great.
-
Anonymous commented
Yes, I agree with this, it's such an important feature
-
Epictrim commented
+1
-
geetee commented
+1
-
Tomi commented
+1