Applicable to:
- Plesk for Linux
- Plesk for Windows
Question
How to block specific countries in Plesk?
Answer
Such a feature is not implemented in Plesk yet.
Vote for this feature on the UserVoice portal.
The top-ranked suggestions are likely to be included in the next versions of Plesk.
Workaround I
To block/whitelist countries on the webserver level, the Deny-country extension can be used.
Workaround II
Follow these steps to block particular countries via ModSecurity (Plesk for Linux; the rule runs in the Apache ModSecurity 2.x module, whose @geoLookup operator reads the legacy GeoIP .dat format):
- Download a legacy-format GeoIP country database (the file below is a DB-IP country database converted to that format):
# curl -Lo /usr/share/GeoIP/GeoLiteCountry.dat.gz https://dl.miyuru.lk/geoip/dbip/country/dbip4.dat.gz
- Unpack it:
# gunzip /usr/share/GeoIP/GeoLiteCountry.dat.gz
- Navigate to Tools & Settings > Web Application Firewall (ModSecurity) > Settings and add the following Custom directives:
SecGeoLookupDB /usr/share/GeoIP/GeoLiteCountry.dat
SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:99999932392,drop,log,msg:'Blocking %{geo.country_code}'"
SecRule GEO:COUNTRY_CODE "@pm XX XX XX"
Note: "XX XX XX" are to be replaced with the required ISO 3166-1 alpha-2 country codes, separated by spaces. The rule id (99999932392 here) must not collide with any id already present in the active rule set, otherwise Apache refuses to start; run apachectl configtest before applying. Before relying on the rule, confirm that REMOTE_ADDR holds the real client address rather than that of a proxy in front of Apache (nginx in Plesk, or a CDN): compare the client address recorded in the Apache access log with the real source of a test request. The drop action closes the connection without a response; with nginx proxying to Apache the client then sees a 502 from nginx rather than a 403. Use deny,status:403 instead of drop if a clean 403 is wanted. Re-download the database periodically, since IP-to-country assignments change over time.
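The two checks the note asks for, as an added example in Python that is not part of the Plesk article: it assembles the three Custom directives from a list of country codes, validates and de-duplicates each code, and refuses a rule id that already appears in the rule text you hand it (for instance the concatenated contents of the active rule set's .conf files). The database path, the rule id and the sample rule text in the usage at the bottom are assumptions for the example.

```python
"""Generate the ModSecurity country-block directives and check the rule id for collisions.

Added example; not code from the Plesk article. Paths and ids are assumed values.
"""
import re

# id:NNN (optionally quoted) inside a SecRule/SecAction action list.
_ID_RE = re.compile(r"\bid:\s*'?(\d+)'?", re.IGNORECASE)
# ISO 3166-1 alpha-2 country code as @pm expects it.
_ISO_RE = re.compile(r"^[A-Z]{2}$")


def rule_ids(rules_text):
    """Return the set of rule ids declared anywhere in a block of ModSecurity directives."""
    return {int(m.group(1)) for m in _ID_RE.finditer(rules_text)}


def id_is_free(rule_id, existing_rules):
    """True if rule_id does not occur in existing_rules (a duplicate keeps Apache from starting)."""
    return rule_id not in rule_ids(existing_rules)


def build_geo_block(country_codes, rule_id, db_path, existing_rules="", action="drop"):
    """Build the SecGeoLookupDB line plus the chained SecRule pair that blocks country_codes.

    action is the disruptive action of the first rule: "drop" as in the article, or
    "deny,status:403" for a clean 403 response. Raises ValueError for a malformed
    country code, an empty list, or a rule id already used in existing_rules.
    """
    codes = []
    for raw in country_codes:
        code = raw.strip().upper()
        if not _ISO_RE.match(code):
            raise ValueError(f"not an ISO 3166-1 alpha-2 code: {raw!r}")
        if code not in codes:          # keep order, drop repeats
            codes.append(code)
    if not codes:
        raise ValueError("no country codes given")
    if not id_is_free(rule_id, existing_rules):
        raise ValueError(f"rule id {rule_id} is already used in the active rule set")

    geo_rule = (
        'SecRule REMOTE_ADDR "@geoLookup" '
        f'"phase:1,chain,id:{rule_id},{action},log,'
        "msg:'Blocking %{geo.country_code}'\""
    )
    chained = f'SecRule GEO:COUNTRY_CODE "@pm {" ".join(codes)}"'
    return "\n".join([f"SecGeoLookupDB {db_path}", geo_rule, chained])


if __name__ == "__main__":
    # Assumed rule text standing in for the active rule set; the id 1001 is taken.
    active_rules = 'SecRule ARGS "@rx x" "id:1001,phase:2,deny"\n'
    print(build_geo_block(["CN", "RU", "KP"], 99999932392,
                          "/usr/share/GeoIP/GeoLiteCountry.dat", active_rules))
```

Paste the printed three lines into the Custom directives field; if the function raises because of an id collision, pick another id before touching the Plesk settings, since Plesk applies the directives to Apache immediately.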
Comments
Such a feature may be achieved using the ModSecurity GeoIP module on Plesk.
Below is full guidance:
Updating CRS (i.e., COMODO), which is done on a daily basis, moves the *.conf files to a backup and creates a NEW one, thus the Plesk GUI Custom directives should be used.
This is seen afterwards in the file:
SecDefaultAction \
"phase:1,deny,status:403,log,auditlog"
SecDefaultAction \
"phase:2,deny,status:403,log,auditlog"
SecGeoLookupDB /usr/share/GeoIP/GeoLiteCity.dat
SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:99999932392,drop,log,msg:'Blocking %{geo.country_name} (%{geo.country_code})',logdata:'{country_code=%{geo.country_code}, country_code3=%{geo.country_code3}, country_name=%{geo.country_name}, country_continent=%{geo.country_continent}, city=%{geo.city}}'"
SecRule GEO:COUNTRY_CODE "@pm AF AG AI AL AM AO AQ AR AS AW AX AZ BA BB BD BF BG BH BI BJ BL BM BN BO BQ BR BS BT BV BW BY BZ CC CD CF CG CI CK CL CM CN CO CR CU CV CW CX CZ DJ DM DO DZ EC EE EG EH ER ET FJ FK FM FO GA GD GE GF GG GH GI GL GM GN GP GQ GS GT GU GW GY HK HM HN HR HT HU ID IM IN IO IQ IR JE JM JO KE KG KH KI KM KN KP KR KW KY KZ LA LB LC LK LR LS LY MA MD ME MF MG MH MK ML MM MN MO MP MQ MR MS MT MU MV MW MX MY MZ NA NC NE NF NG NI NP NR NU OM PA PE PF PG PH PK PL PM PN PR PS PT PW PY QA RE RO RS RU RW SA SB SC SD SG SH SI SJ SK SL SN SO SR SS ST SV SX SY SZ TC TD TF TG TH TJ TK TL TM TN TO TR TT TV TW TZ UA UG UM UY UZ VA VC VE VG VI VN VU WF WS XK YE YT ZA ZM ZW"
If you do NOT update CRS:
ModSecurity Blocking Countries Guidance
1) Download the Geo2ip lite database:
Or download some other DB files from:
Note: 1) The IP database file should be updated once a month (or so), as IPs are transferred between ISPs in various countries. The MaxMind file updates about once a month.
Note: 2) The MaxMind file FORMAT is expected to change in May 2022. If not updating to a newer ModSecurity-suitable module, the near-future (from May 2022) MaxMind file should be converted to the legacy file format. In December 2021, it downloads as file.dat.gz, so note the two file formats in the file name before it is uncompressed.
2) Uncompress the file (convert the zipped *.gz file to a *.dat file):
3) Upload the COUNTRY file to:
4) Enable GeoIP in a file according to which ModSecurity Rule set is used:
For OWASP:
For COMODO:
5) Manually create a ModSecurity rule
Using OWASP:
Place the rule in the file just created:
Note: "XX" are to be replaced with the actual country codes.
Also, the rule id (in the above example, "99999932392") should be unique, otherwise the apache2 service wouldn't
You may copy the country codes already set on one line from the example below, blocking all countries except the USA, Canada, Russia, most Western European countries, and Israel.
6) Test the server configuration and fix it before restarting, if needed:
7) Restart the server to make sure the new configuration takes effect:
8) Test that the blocking happens.
You may use the mobile-phone Opera browser, which has a built-in VPN allowing you to choose Asia/Europe/America as a location.
Then, check on Google that mobile Opera is set to Asia:
And copy the IP to check that it's indeed in Asia, on a service such as (replace the 8.8.8.8 IP with the one you got):
Now, access your website. You may get a '502' error in the browser. The log file will look something like:
9) You may add a whitelist of your fixed access IP, the server's own public and private fixed IPs, and Plesk support to ModSecurity
For OWASP, it will look something like this:
Note: the rule id number added in the example above is 3. You should make sure the rule IDs for all rules on your server are unique. Also, there are some rule-numbering conventions.
https://wiki.atomicorp.com/wiki/index.php/Mod_security#Creating_custom_rules
10) Sometimes the "Switch off security rules" list in Plesk was reset to null during the process, so make sure to keep the list of such rule numbers aside, paste it back once the process is concluded, and click the Apply button in the Plesk GUI.
11) Sometimes the DEFAULT OWASP ModSecurity, although clicked as "On", is in fact in scoring mode (which does NOT block all identified attacks), so you want to manually configure/change it to 'Blocking' by modifying a script as below:
And, then restart:
12) Also note that, as the OWASP rule set on Plesk currently doesn't have a GUI configuration to update the rules daily, if you want to update the OWASP rule set, this should be done manually, as follows:
1. Connect to the server via SSH
2. Download the archive with the ruleset:
3. Unpack the archive:
4. Move the old directory (to have a copy):
5. Create a new directory:
6. Copy the rules:
7. Copy the main configuration file:
8. Restart Apache:
13) You may add a manual Fail2Ban rule that will block, for a long duration, an IP getting a 403 or 400 error code:
A) Whitelist your fixed IP, server IP, and Plesk Support IP in Fail2Ban:
B) **First file**
create file:
edit file content:
C) **Second file**
Note: Edit logpath according to your logs (logs are originally in one place, and Plesk generates a second copy directory as well)
create file:
edit file content:
D) Test the filter via the special fail2ban testing command:
E) Restart Fail2Ban via the Plesk GUI on the "Service Management" Plesk page:
Or optionally, via the SSH CLI:
F) If you lock yourself out, via SSH:
And it seems there is an additional way to do so on nginx:
https://linuxadmin.io/nginx-geoip-block-countries/
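The whitelist, filter and jail described in step 13 of the comment above, as an added Python dry run that is not the commenter's files: it applies the equivalent of a Fail2Ban failregex for 400/403 responses to constructed Apache access-log lines, honours an ignoreip list and a findtime window, and reports which addresses would reach maxretry. The addresses (documentation ranges), the log lines and the thresholds are invented for the example.

```python
"""Dry run of a Fail2Ban-style 400/403 filter over sample Apache access-log lines.

Added example; not the commenter's Fail2Ban files. All data below is constructed.
"""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed combined-format access log (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Jan/2022:10:00:01 +0000] "POST /contact.php HTTP/1.1" 403 199 "-" "curl/7.68.0"
198.51.100.7 - - [12/Jan/2022:10:00:02 +0000] "POST /contact.php HTTP/1.1" 403 199 "-" "curl/7.68.0"
203.0.113.5 - - [12/Jan/2022:10:00:03 +0000] "GET / HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Jan/2022:10:00:04 +0000] "GET / HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Jan/2022:10:00:05 +0000] "GET / HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jan/2022:10:00:06 +0000] "GET /wp-login.php HTTP/1.1" 400 0 "-" "python-requests/2.25"
192.0.2.9 - - [12/Jan/2022:10:00:07 +0000] "GET /admin HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Jan/2022:10:00:08 +0000] "GET /admin HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Jan/2022:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Jan/2022:11:30:00 +0000] "GET /admin HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

# Equivalent Fail2Ban failregex would be:
#   ^<HOST> \S+ \S+ \[[^\]]+\] "[^"]*" (?:400|403)
# <HOST> is Fail2Ban's placeholder; a plain IPv4 group stands in for it here so the
# script runs without Fail2Ban. The status is captured so the caller chooses which codes count.
LINE_RE = re.compile(
    r'^(?P<host>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed "ignoreip" entries: the admin's fixed address range and localhost.
IGNOREIP = [ip_network("203.0.113.0/24"), ip_network("127.0.0.1/32")]


def offenders(log_text, ignoreip=IGNOREIP, maxretry=3, findtime=600, statuses=("400", "403")):
    """Return the sorted list of hosts that produced >= maxretry matching lines within findtime seconds.

    Mirrors the jail semantics: ignoreip entries are never banned, and only hits inside a
    sliding window of findtime seconds count towards maxretry.
    """
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("status") not in statuses:
            continue
        host = m.group("host")
        if any(ip_address(host) in net for net in ignoreip):
            continue
        hits.setdefault(host, []).append(datetime.strptime(m.group("ts"), TS_FMT))

    window = timedelta(seconds=findtime)
    banned = []
    for host, times in hits.items():
        times.sort()
        # Ban if any run of maxretry consecutive hits fits inside the window.
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= window:
                banned.append(host)
                break
    return sorted(banned)


if __name__ == "__main__":
    print("would ban:", offenders(SAMPLE_LOG))
```

With the defaults, 198.51.100.7 is banned (two 403s and a 400 within seconds), 203.0.113.5 is protected by ignoreip, and 192.0.2.9 is not banned because its third 403 falls outside the 10-minute findtime; raising findtime to two hours bans it as well. Run the real filter against the real log with fail2ban-regex before enabling the jail, as step D above says.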
It's installed. I can't see how to use it. It's not obvious where to make changes.
Hello, @Xyonet Hosting
Once the extension is installed in Plesk, you also need to perform the backend installation following the guide:
https://pleskext.configbox.com/en/deny-country/
Once done, you will be redirected to the extension's configuration interface.
I host a website in the U.S., with a client who has a form. For the past week or so, the form has been bombarded with spam submissions that have IP addresses of mostly non-U.S. origin. Most appear to be originating from China and Russia, but with proxy servers, we can't really know for sure where they originate. Because my client is U.S. based, with no international interests, I chose to block access to this website from all countries except for the U.S. today, until this blows over, using the htaccess file. Here are the steps:
Visit this site: https://www.countryipblocks.net/acl.php
Select the U.S., and then Apache htaccess allow. Generate your list.
Open your htaccess file and paste the generated list into it.
Precede the list with deny from all
upload it to the public directory - (usually httpdocs)
Hi Frank,
Note: I'm not a Plesk team member, but a user.
I'm afraid the size of the list would break your client's server.
I recommend the ModSecurity blocking.
Or you may add to the Plesk FW the x.x.0.0/16 ranges of main attackers.
Thank you for the suggestion, Ehud. The Mod Security option seems way too complicated for my current skillset.
To my surprise, even though the IP list that I generated is about 76,000 lines, it seems to be working fine in the htaccess file, blocking all countries but the U.S. A handful of spam submissions are still coming in from the U.S., and I have seen a couple from some other countries that must have IP addresses that weren't covered by what was generated by https://www.countryipblocks.net/acl.php But three or four spam submissions per day is better than dozens. I don't understand the motives of an attacker of this nature. This is a rhetorical question, but what could an attacker hope to gain by these nuisance submissions? I don't understand why he (or his automation) persists.
Hi Frank Palaia,
I'm happy to hear it didn't break the website.
May I ask, if you have checked website upload time influence?
Also, you may choose to block the ASNs (Internet providers) that attacks come from, identifying them by IP check, as in:
https://ipinfo.io/8.8.8.8
And then fetching the entire IP range list by putting the numeric ASN found above at the end of a link like the one below, instead of 'AS12975', where the third button from the bottom would fetch such a list:
https://asn.ipinfo.app/downloads/AS12975
I appreciate your thoughts, Ehud.
"May I ask, if you have checked website upload time influence?" I'm afraid I am confused by this question. Would updating an htaccess file impact my file upload speed? Or - did you mean to say download?
Let's look at a specific example. An attacker IP address from today was 5.59.133.26. (It managed to get past my htaccess update that should be blocking most non-U.S. countries from accessing the site - and I'm not sure how).
So I can visit https://ipinfo.io/5.59.133.26. From this, I would get AS47626, am I right?
With this, you're suggesting that I go here: https://asn.ipinfo.app/downloads/AS47626 ?
If I'm following you up until this point, why not go to the htaccess text link, and grab the ten lines there to add to my htaccess file? It looks like this:
Are you saying that this will block all requests from this questionable internet service provider?