
Blocking visitors from certain countries

Comments

5 comments

  • linux4me2
    Yes, you can do it with GeoIP lookup. You don't say what platform you're using, but if you are running Apache and mod_security, here's what you can do:
    • Download the latest MaxMind GeoLite2 Country database in legacy format (the binary gzip one).
    • Unzip the file, and upload it to your server. You can put it wherever you like; e.g., /usr/share/GeoIP.
    • Log on to WHM, and go Security Center -> ModSecurity Configuration.
    • Scroll down to the Geolocation Database section, and enter the path to the GeoIP.dat file you uploaded. If you used the file location above, it would be: /usr/share/GeoIP/GeoIP.dat
    • Scroll down and Save your changes.
    That adds an IP-to-country-code database to your server. MaxMind updates their database on the first Tuesday of each month, so you should set a reminder to download the database once a month and update the copy on your server to keep it up-to-date. Next, you need to add a custom ModSecurity rule to block the countries you want to exclude. You should look up their two-character country codes and enter them in the following, replacing the "XX"s with the countries you want to block:
        # Test IP address and block by country code
        SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:1,drop,log,msg:'Blocking %{geo.country_code}'"
        SecRule GEO:COUNTRY_CODE "@pm XX XX XX"
    Note: The "id" must be a unique number, but unless you have added other custom rules, "1" should be available. If not, change it to a number between 1-99,999, the range reserved for local use. The "drop" tells ModSecurity to immediately close the TCP connection when it detects one of the countries you've chosen to block.
    • Go Security Center -> ModSecurity Tools -> Rules List -> Add Rule.
    • Paste your edited rule in the Rule Text box.
    • Check the box for "Deploy and Restart Apache".
    • Click "Save".
    That's it. The rule is written so it will leave a message in your Hits List in ModSecurity when it blocks a country you've chosen.
    0
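An added example, not part of the original post: a small Python script that tallies what the geo rule above has blocked, by country code and by client IP, so you can spot legitimate traffic being dropped. The log lines are constructed, and their layout (modelled on ModSecurity 2.x entries in the Apache error log, IPv4 clients only) is an assumption; `summarize` and `SAMPLE_LOG` are hypothetical names.

```python
import re
from collections import Counter

# Constructed Apache error-log lines (not from a real server). Client IPs are
# documentation ranges; "XX" and "YY" stand in for real two-letter country codes.
SAMPLE_LOG = """\
[Tue Mar 05 10:15:32.101 2024] [:error] [pid 2211] [client 203.0.113.5:54012] ModSecurity: Access denied with connection close (phase 1). Matched phrase "XX" at GEO:COUNTRY_CODE. [id "1"] [msg "Blocking XX"] [hostname "example.com"] [uri "/wp-login.php"]
[Tue Mar 05 10:15:40.377 2024] [:error] [pid 2211] [client 203.0.113.5:54019] ModSecurity: Access denied with connection close (phase 1). Matched phrase "XX" at GEO:COUNTRY_CODE. [id "1"] [msg "Blocking XX"] [hostname "example.com"] [uri "/xmlrpc.php"]
[Tue Mar 05 10:16:02.910 2024] [:error] [pid 2214] [client 198.51.100.7:40110] ModSecurity: Access denied with connection close (phase 1). Matched phrase "YY" at GEO:COUNTRY_CODE. [id "1"] [msg "Blocking YY"] [hostname "example.com"] [uri "/"]
[Tue Mar 05 10:17:11.004 2024] [:error] [pid 2214] [client 192.0.2.44:51500] ModSecurity: Access denied with code 403 (phase 2). [id "949110"] [msg "Inbound Anomaly Score Exceeded"] [hostname "example.com"] [uri "/search"]
[Tue Mar 05 10:18:45.650 2024] [authz_core:error] [pid 2215] [client 192.0.2.9:33001] AH01630: client denied by server configuration: /home/user/public_html/.env
"""

RULE_ID = "1"  # the id used in the rule above; change it if you renumbered the rule
ID_RE = re.compile(r'\[id "(\d+)"\]')
MSG_RE = re.compile(r'\[msg "Blocking ([A-Z]{2})"\]')
CLIENT_RE = re.compile(r'\[client (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\]')  # IPv4 only


def summarize(log_text, rule_id=RULE_ID):
    """Count hits of the geo-block rule per country code and per client IP.

    Lines from other rules, or from Apache itself, are ignored."""
    by_country, by_client = Counter(), Counter()
    for line in log_text.splitlines():
        rid, msg = ID_RE.search(line), MSG_RE.search(line)
        if not rid or rid.group(1) != rule_id or not msg:
            continue
        by_country[msg.group(1)] += 1
        client = CLIENT_RE.search(line)
        by_client[client.group(1) if client else "unknown"] += 1
    return by_country, by_client


if __name__ == "__main__":
    countries, clients = summarize(SAMPLE_LOG)
    for code, hits in countries.most_common():
        print(f"{code}: {hits} blocked connection(s)")
    for ip, hits in clients.most_common():
        print(f"{ip}: {hits} blocked connection(s)")
```

To run it against a real server, pass the contents of the Apache error log to `summarize` instead of `SAMPLE_LOG`.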
  • Mugoma
    I probably phrased the title wrongly. Actually, what we need is to protect against brute force attempts on cPanel, but we realise the instructions provided are for protecting Apache (mod_security). We already have a module for automatically blocking brute force against Apache. To my understanding, Apache and cPanel run differently - different ports, etc. Will the instructions provided also protect against brute force against cPanel?
    0
  • Mugoma
    From the information logged by cpHulk, it's able to identify the country from which a brute force attempt is coming. Can cpHulk be configured to automatically block logins from certain countries? This will save time spent blacklisting IPs from those countries.
    0
  • keat63
    If you have CSF installed, then you can block countries quite easily using the country code. However, bear in mind that this will also block legitimate traffic like DNS, so if you are going to use this method, don't block the USA and Europe; otherwise, you might start to see issues, e.g., GoogleBot.
    0
  • cPanelMichael
    Hello, there are no native features to automatically blacklist countries with cPHulk at this time. Feel free to open a feature request for this via: Submit A Feature Request. In the meantime, the previous suggestion regarding the ability to block countries with CSF is a viable solution. Thank you.
    0
