Hi,

The Plesk FW suffers from a code that converts some IpV4 IPs to their IpV6 transformation, causing it to run for hours if placing lots of IPs in it. If it would not have that issue, you could easily block thousands of IP ranges without any performance issues... related to UPDATING the firewall with new content.

If you are looking to block only one country... this should be doable.

Blocking 5.10.0.0/16 which are all IPs after the prefix 5.10.* should be a piece of cake anyway.. however this is not all the IPs in that country (Russia?).

You may also use ModSecurity to block countries using their iso 2 letters country code.

You may look at the solution on the below Plesk support ticket, and also read my (not Plesk support) comments:

https://support.plesk.com/hc/en-us/articles/115004928714-How-to-block-or-whitelist-specific-countries-through-Plesk-

This is also in the attached file.

easy handling important!

Due to iptables limits absolutely necessary

And, it seems there is an additional way to do so on nginx:

https://linuxadmin.io/nginx-geoip-block-countries/

Updating CRS (i.e., COMODO) which is done a daily basis, moves the *.conf files to a backup and creates a NEW one, thus the Plesk GUI Custom directives should be used.

This is seen afterwards on the file:

/etc/apache2/plesk.conf.d/modsecurity.conf

SecDefaultAction \
"phase:1,deny,status:403,log,auditlog"
SecDefaultAction \
"phase:2,deny,status:403,log,auditlog"

SecGeoLookupDB /usr/share/GeoIP/GeoLiteCity.dat

SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:99999932392,drop,log,msg:'Blocking %{geo.country_name} (%{geo.country_code})',logdata:'{country_code=%{geo.country_code}, country_code3=%{geo.country_code3}, country_name=%{geo.country_name}, country_continent=%{geo.country_continent}, city=%{geo.city}}'"
SecRule GEO:COUNTRY_CODE "@pm AF AG AI AL AM AO AQ AR AS AW AX AZ BA BB BD BF BG BH BI BJ BL BM BN BO BQ BR BS BT BV BW BY BZ CC CD CF CG CI CK CL CM CN CO CR CU CV CW CX CZ DJ DM DO DZ EC EE EG EH ER ET FJ FK FM FO GA GD GE GF GG GH GI GL GM GN GP GQ GS GT GU GW GY HK HM HN HR HT HU ID IM IN IO IQ IR JE JM JO KE KG KH KI KM KN KP KR KW ** KZ LA LB LC LK LR LS LY MA MD ME MF MG MH MK ML MM MN MO MP MQ MR MS MT MU MV MW MX MY MZ NA NC NE NF NG NI NP NR NU OM PA PE PF PG PH PK PL PM PN PR PS PT PW PY QA RE RO RS RU RW SA SB SC SD SG SH SI SJ SK SL SN SO SR SS ST SV SX SY SZ TC TD TF TG TH TJ TK TL TM TN TO TR TT TV TW TZ UA UG UM UY UZ VA VC VE VG VI VN VU WF WS XK YE YT ZA ZM ZW"

If you do NOT update CRS, you may use the guidance placed above. I recommend you read it all, as there are some important action recommendations in it.

Such feature may be achieved using ModSecurity GeoIP module on Plesk.

Below is a full guidance:

ModSecurity Blocking Countries Guidance

1) Download the Geo2ip lite database:

# curl -Lo /usr/share/GeoIP/GeoLiteCountry.dat.gz https://dl.miyuru.lk/geoip/dbip/country/dbip4.dat.gz

Or download some other DB files from:

GeoIP Legacy Databases

Or, a paid one from Maxmind.

Note: 1) The IP Data Base file should be updated once in a month (/a while) as IPs are transferred between ISPs in various countries. The Maxmind file updates about once a month.
Note: 2) The Maxmind file FORMAT is expected to be change on May 2022. If not updating to a newer ModSecurity suitable module, the near future (from May 2022) Maxmind file should be converted to the legacy used file format. On December 2021, it downloads as file.dat.gz, so note the two file formats in the file name, before its uncompressed.

2) uncompress the file (Converted the zip *.gz file to a *.dat file):

# gunzip /usr/share/GeoIP/GeoLiteCountry.dat.gz

3) Uploaded the COUNTRY file to:

# /usr/share/GeoIP/GeoLiteCountry.dat

4) Enable GeoIP in a file according to which ModSecurity Rule set is used:

For OWASP:
# vi /etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk/10-crs-setup.conf

un-commented the following line:
SecGeoLookupDB /usr/share/GeoIP/GeoLiteCountry.dat

For COMODO:
# vi /etc/apache2/modsecurity.d/rules/comodo_free/00_Init_Initialization.conf

Add the below line at the end of the file:
SecGeoLookupDB /usr/share/GeoIP/GeoLiteCountry.dat

5) Manually Create a ModSecurity rule

Using OWASP:
# touch /etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk/country_block.conf
Using COMODO:
# touch /etc/apache2/modsecurity.d/rules/comodo_free/country_block.conf

Place the rule in the just created file:

SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:99999932392,drop,log,msg:'Blocking %{geo.country_code}'"

SecRule GEO:COUNTRY_CODE "@pm XX XX XX"

Note: "XX" are to be replaced with the actual country codes.
Also rule id (in the above example - "99999932392") should be unique, otherwise, the apache2 service wouldn't

Country two charts ISO code list is available here:

ISO 3166-1 alpha-2 - Wikipedia

You may copy country code already set in one line, from the below example, blocking all countries, but not USA, Canada, Russia, most Western European countries, and Israel.

SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:99999932392,drop,log,msg:'Blocking %{geo.country_code}'"

SecRule GEO:COUNTRY_CODE " @pm AF AG AI AL AM AO AQ AR AS AW AX AZ BA BB BD BF BG BH BI BJ BL BM BN BO BQ BR BS BT BV BW BY BZ CC CD CF CG CI CK CL CM CN CO CR CU CV CW CX CZ DJ DM DO DZ EC EE EG EH ER ET FJ FK FM FO GA GD GE GF GG GH GI GL GM GN GP GQ GS GT GU GW GY HK HM HN HR HT HU ID IE IM IN IO IQ IR JE JM JO KE KG KH KI KM KN KP KR KW KY KZ LA LB LC LK LR LS LY MA MD ME MF MG MH MK ML MM MN MO MP MQ MR MS MT MU MV MW MX MY MZ NA NC NE NF NG NI NP NR NU OM PA PE PF PG PH PK PL PM PN PR PS PT PW PY QA RE RO RS RW SA SB SC SD SG SH SI SJ SK SL SN SO SR SS ST SV SX SY SZ TC TD TF TG TH TJ TK TL TM TN TO TR TT TV TW TZ UA UG UM UY UZ VA VC VE VG VI VN VU WF WS XK YE YT ZA ZM ZW"

6) Test server configuration and fix before restart if needed:

# apachectl configtest

7) Restart the server, to make sure the new configuration takes place:

# systemctl restart apache2

8) Test the blocking happens.

You may use mobile phone Opera browser that has a built-in VPN, allowing to choose Asia/Europe/America as a location.

Choose Asia, which in my case used Singapore IP. Set Opera to also include VPN for search results.
Then, check on the mobile Opera is set for Asia, on Google:

“What is my IP?”

And copy the IP to check it’s indeed in Asia, on a service as (replace the 8.8.8.8 IP with the one you got):

8.8.8.8 IP Address Details - IPInfo.io

Now, access your website. You may get on the browser client a ‘502’ error on the browser. Log file will look something like:

2021-mm-dd 12:51:40 Error 77.111.245.12 403 GET / HTTP/1.0 5.00 K Apache SSL/TLS access
2021-mm-dd 12:51:40 Error 77.111.245.12 [client 77.111.245.12] ModSecurity: Access denied with connection close (phase 1). Matched phrase "SG" at GEO:COUNTRY_CODE. [file "/etc/apache2/modsecurity.d/rules/comodo_free/country_block.conf"] [line "1"] [id "99999932392"] [msg "Blocking SG"] [hostname "currenge.com"] [uri "/"] [unique_id "Ya88vB9V-Qu@vxwlDnpcQwAAAAA"] Apache error
2021-mm-dd 12:51:40 Error 77.111.245.12 62778#0: *180 upstream prematurely closed connection while reading response header from upstream nginx error

** See more recommendations in the attached PDF file **

Yes I agree with this, its such an important feature

+1

+1

+1

It would be a nice extension allowing to block selected countries as needed (especially US where a lot of sniffing Proxies/VPNs seems to be located).

Yes me too, the answer is Geo blocking, I've just requested this an extension

I'd like to block Russia and China from visiting my site, I believe Geo blocking is the solution, unable to find a Geo blocking extension in the list

This is a must now, getting lots of spam from certain countries

I agree… this is very much needed.

Plesk, IMHO, it's about time... Security, is more and more important every day that passes.

The strong proliferation of attacks to my (and others) servers needs an immediate answer - please provide this feature.

On linux just switched to Juggernaut extension and I m very happy with it !

This feature is a necessity.

Thanks @IgorG for the link in Plesk forum and @Rafal for the great idea.
Wow, so many supporters.
When do think it will be realized (not exactly, only in months or seasons)?