How to block or whitelist specific countries through Plesk?

• 

  Ehud Ziegelman December 07, 2021 12:40 (Edited December 08, 2021 15:17)

  Such feature may be achieved using ModSecurity GeoIP module on Plesk.

  Below is a full guidance:

   

  Updating CRS (i.e., COMODO) which is done a daily basis, moves the *.conf files to a backup and creates a NEW one, thus the Plesk GUI Custom directives should be used.

   

  This is seen afterwards on the file:

  /etc/apache2/plesk.conf.d/modsecurity.conf

   

  SecDefaultAction \
  "phase:1,deny,status:403,log,auditlog"
  SecDefaultAction \
  "phase:2,deny,status:403,log,auditlog"

  SecGeoLookupDB /usr/share/GeoIP/GeoLiteCity.dat

  SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:99999932392,drop,log,msg:'Blocking %{geo.country_name} (%{geo.country_code})',logdata:'{country_code=%{geo.country_code}, country_code3=%{geo.country_code3}, country_name=%{geo.country_name}, country_continent=%{geo.country_continent}, city=%{geo.city}}'"
  SecRule GEO:COUNTRY_CODE "@pm AF AG AI AL AM AO AQ AR AS AW AX AZ BA BB BD BF BG BH BI BJ BL BM BN BO BQ BR BS BT BV BW BY BZ CC CD CF CG CI CK CL CM CN CO CR CU CV CW CX CZ DJ DM DO DZ EC EE EG EH ER ET FJ FK FM FO GA GD GE GF GG GH GI GL GM GN GP GQ GS GT GU GW GY HK HM HN HR HT HU ID IM IN IO IQ IR JE JM JO KE KG KH KI KM KN KP KR KW KY KZ LA LB LC LK LR LS LY MA MD ME MF MG MH MK ML MM MN MO MP MQ MR MS MT MU MV MW MX MY MZ NA NC NE NF NG NI NP NR NU OM PA PE PF PG PH PK PL PM PN PR PS PT PW PY QA RE RO RS RU RW SA SB SC SD SG SH SI SJ SK SL SN SO SR SS ST SV SX SY SZ TC TD TF TG TH TJ TK TL TM TN TO TR TT TV TW TZ UA UG UM UY UZ VA VC VE VG VI VN VU WF WS XK YE YT ZA ZM ZW"

   

   

  If you do NOT update CRS:

   

  ModSecurity Blocking Countries Guidance

   

  1) Download the Geo2ip lite database:

  # curl -Lo /usr/share/GeoIP/GeoLiteCountry.dat.gz https://dl.miyuru.lk/geoip/dbip/country/dbip4.dat.gz

  Or download some other DB files from:

  https://www.miyuru.lk/geoiplegacy

  Or, a paid one from Maxmind.

  Note: 1) The IP Data Base file should be updated once in a month (/a while) as IPs are transferred between ISPs in various countries. The Maxmind file updates about once a month. Note: 2) The Maxmind file FORMAT is expected to be change on May 2022. If not updating to a newer ModSecurity suitable module, the near future (from May 2022) Maxmind file should be converted to the legacy used file format. On December 2021, it downloads as file.dat.gz, so note the two file formats in the file name, before its uncompressed.

   

  2) uncompress the file (Converted the zip *.gz file to a *.dat file):

  # gunzip /usr/share/GeoIP/GeoLiteCountry.dat.gz

  3) Uploaded the COUNTRY file to:

  # /usr/share/GeoIP/GeoLiteCountry.dat

  4) Enable GeoIP in a file according to which ModSecurity Rule set is used:

  For OWASP: # vi /etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk/10-crs-setup.conf un-commented the following line: SecGeoLookupDB /usr/share/GeoIP/GeoLiteCountry.dat   For COMODO:

  # vi /etc/apache2/modsecurity.d/rules/comodo_free/00_Init_Initialization.conf
  
  
  Add the below line at the end of the file:
  
  SecGeoLookupDB /usr/share/GeoIP/GeoLiteCountry.dat
  
  

   

  5) Manually Create a ModSecurity rule

  Using OWASP: # touch /etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk/country_block.conf

  Using COMODO:

  # touch /etc/apache2/modsecurity.d/rules/comodo_free/country_block.conf

   

  Place the rule in the just created file:

  SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:99999932392,drop,log,msg:'Blocking %{geo.country_code}'" SecRule GEO:COUNTRY_CODE "@pm XX XX XX"

   

  Note: "XX" are to be replaced with the actual country codes.
  Also rule id (in the above example - "99999932392") should be unique, otherwise, the apache2 service wouldn't

   

  Country two charts ISO code list is available here: https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2

   

  You may copy country code already set in one line, from the below example, blocking all countries, but not USA, Canada, Russia, most Western European countries, and Israel.

   

  SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:99999932392,drop,log,msg:'Blocking %{geo.country_code}'" SecRule GEO:COUNTRY_CODE " @pm AF AG AI AL AM AO AQ AR AS AW AX AZ BA BB BD BF BG BH BI BJ BL BM BN BO BQ BR BS BT BV BW BY BZ CC CD CF CG CI CK CL CM CN CO CR CU CV CW CX CZ DJ DM DO DZ EC EE EG EH ER ET FJ FK FM FO GA GD GE GF GG GH GI GL GM GN GP GQ GS GT GU GW GY HK HM HN HR HT HU ID IE IM IN IO IQ IR JE JM JO KE KG KH KI KM KN KP KR KW KY KZ LA LB LC LK LR LS LY MA MD ME MF MG MH MK ML MM MN MO MP MQ MR MS MT MU MV MW MX MY MZ NA NC NE NF NG NI NP NR NU OM PA PE PF PG PH PK PL PM PN PR PS PT PW PY QA RE RO RS RW SA SB SC SD SG SH SI SJ SK SL SN SO SR SS ST SV SX SY SZ TC TD TF TG TH TJ TK TL TM TN TO TR TT TV TW TZ UA UG UM UY UZ VA VC VE VG VI VN VU WF WS XK YE YT ZA ZM ZW"

   

  6) Test server configuration and fix before restart if needed:

  # apachectl configtest

  7) Restart the server, to make sure the new configuration takes place:

  # systemctl restart apache2

  8) Test the blocking happens.

  You may use mobile phone Opera browser that has a built-in VPN, allowing to choose Asia/Europe/America as a location. 

  Choose Asia, which in my case used Singapore IP. Set Opera to also include VPN for search results.

  Then, check on the mobile Opera is set for Asia, on Google:

  “What is my IP?”

  And copy the IP to check it’s indeed in Asia, on a service as (replace the 8.8.8.8 IP with the one you got):

  https://ipinfo.io/8.8.8.8

   

  Now, access your website. You may get on the browser client a ‘502’ error on the browser. Log file will look something like:

   

  2021-mm-dd 12:51:40	Error	77.111.245.12	403	GET / HTTP/1.0			5.00 K	Apache SSL/TLS access
  2021-mm-dd 12:51:40	Error	77.111.245.12		[client 77.111.245.12] ModSecurity: Access denied with connection close (phase 1). Matched phrase "SG" at GEO:COUNTRY_CODE. [file "/etc/apache2/modsecurity.d/rules/comodo_free/country_block.conf"] [line "1"] [id "99999932392"] [msg "Blocking SG"] [hostname "currenge.com"] [uri "/"] [unique_id "Ya88vB9V-Qu@vxwlDnpcQwAAAAA"]				Apache error
  2021-mm-dd 12:51:40	Error	77.111.245.12		62778#0: *180 upstream prematurely closed connection while reading response header from upstream				nginx error

   

  9) You may add a Whitelisting of your accessing fixed IP, Server own public and private fixed IP, and Plesk support to ModSecurity

  For OWASP, it will look something like this:

  # vi /etc/apache2/modsecurity.d/000ipwhitelist.conf 
  
  SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,fixed-ip,cidr-fixed-ip, another-fixed-ip" "id:3,phase:1,nolog,allow,ctl:ruleEngine=Off"

  Note: rule id number added in the example above, is: 3. You should make sure rules ID for all rules on your server is unique. Also, there are some rules numbering conventions.

  https://wiki.atomicorp.com/wiki/index.php/Mod_security#Creating_custom_rules

  10) As sometimes, “Switch off security rules” list on Plesk was reset to null during the process, so make sure to keep the list of such rules numbers aside, and paste it once process is concluded, and click the Apply button on the Plesk GUI.

   

  11) As sometimes, that DEFAULT OWASP ModSecurity although clicked as “On” is in face in scoring mode (which does NOT block all identified attacks), you want to manually configure/change it to be set ‘Blocking’, by modifying a script as below:

  the following parameters are specified within:
  
  # vi /etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk/10-crs-setup.conf
  
  Change from (comment out to make the below two lines inactive):
  
  # SecDefaultAction "phase:1,log,auditlog,pass"
  # SecDefaultAction "phase:2,log,auditlog,pass"
  
  
  And place below them the following:
  
  SecDefaultAction "phase:1,log,auditlog,deny,status:403"
  SecDefaultAction "phase:2,log,auditlog,deny,status:403"

   

  And, then restart:

  # systemctl restart apache2

   

  12) Also note, that as on Plesk the OWASP currently doesn’t have a GUI configuration to update rules set daily, if you want to update the OWASP rule set, this should be done manually, as follow:

  1. Connect to the server via SSH 2. Download the archive with the ruleset: # wget https://github.com/coreruleset/coreruleset/archive/v3.3.0.tar.gz 3. Unpack the archive: # tar -xzvf v3.3.0.tar.gz  4. Move the old directory (to have a copy): # mv /etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk{,_bak_`date +%F`} 5. Create a new directory: # mkdir /etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk 6. Copy the rules: # cp -a coreruleset-3.3.0/rules/* /etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk/ 7. Copy the main configuration file: # cp -a /etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk_bak_`date +%F`/10-crs-setup.conf /etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk/10-crs-setup.conf 8. Restart Apache: # systemctl restart apache2

  13) You may add a manual Fail2Ban rule, that will block for a long duration and IP getting a 403 and 400 Error code:

   

  A) Whitelist your fixed IP, server IP, and Plesk Support IP on  Faile2Ban:

  Via Plesk GUI (interface) add IPs to be Fail2Ban whitelisted.

   

  B) **First file**

  # cd /etc/fail2ban/filter.d/   create file: # touch httpd-forbidden.conf   edit file content: # vi httpd-forbidden.conf     [Definition] failregex = ^<HOST> - - .*HTTP/[0-9]+(.[0-9]+)?" 403             ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*"/[0-9]+(.[0-9]+)?" 403             ^<HOST> - - .*HTTP/[0-9]+(.[0-9]+)?" 400             ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*"/[0-9]+(.[0-9]+)?" 400

  C) **Second file**

  Note: Edit logpath according to your logs (logs are originally in one place, and Plesk generates a second copy directory as well)

  # cd /etc/fail2ban/jail.d   create file: # touch httpd-forbidden.conf   edit file content: # vi httpd-forbidden.conf   [httpd-forbidden] enabled = true filter = httpd-forbidden backend = polling logpath = /var/log/apache2/*error.log           /var/log/apache2/*access.log           /var/log/auth.log           /var/log/maillog           /var/log/modsec_audit.log           /var/www/vhosts/system/*/logs/*access*log           /var/www/vhosts/system/*/logs/error_log           /var/www/vhosts/system/*/logs/access_ssl_log.processed           /var/www/vhosts/system/*/logs/proxy_access_ssl_log bantime  = 120h maxretry = 1 findtime = 9600 port = http,https,7080,7081 banaction = iptables-multiport action = iptables-multiport[name=httpd-forbidden, port="http,https,7080,7081"]

  D) test tool via special fail2ban testing command:

  # fail2ban-regex /var/www/vhosts/system/currenge.com/logs/access_ssl_log httpd-forbidden.conf --print-all-matched

  E) Restart Fail2Ban Via Plesk GUI on “Service Management” Plesk page:

  restart Fail2Ban

   

  Or optional, cia SSH CLI:

  # service fail2ban restart

  F) If you lock yourself out, via SSH:

  # fail2ban-client set httpd-forbidden unbanip your-ip-address-here

   

  0

  Comment actions Permalink
• 

  Ehud Ziegelman December 13, 2021 23:06

  And, it seems there is an additional way to do so on nginx:

  https://linuxadmin.io/nginx-geoip-block-countries/

  0

  Comment actions Permalink
• 

  Xyonet Hosting August 17, 2022 15:45

  It's installed.  Can't see how to use it.  It's not obvious where to make changes

   

  0

  Comment actions Permalink
• 

  Stefan Yakubov September 05, 2022 09:58

  Hello, @Xyonet Hosting

  Once the extension is installed in Plesk, it is also needed to perform the backend installation following the guide:

  https://pleskext.configbox.com/en/deny-country/

  Once done, you will be redirected to the extension's configuration interface.

  0

  Comment actions Permalink
• 

  Frank Palaia October 12, 2022 16:45

  I host a website in the U.S., with a client who has a form.   For the past week or so, the form is being bombarded with spam submissions that have IP addresses from mostly non U.S. origin.  Most appear to be originating from China and Russia, but with proxy servers, we can't really know for sure where they originate.  Because my client is U.S. based, with no international interests, I chose to block access to this website from all countries except for the U.S. today, until this blows over, using the htaccess file.  Here are the steps:

  Visit this site:  https://www.countryipblocks.net/acl.php  
  Select the U.S., and then Apache htaccess allow.  Generate your list.

  Open your htaccess file and paste the generated list into it.
  Preceed the list with deny from all
  upload it to the public directory - (usually httpdocs)

  0

  Comment actions Permalink
• 

  Ehud Ziegelman October 13, 2022 16:40

  Hi Frank,

   

  Note: I'm not a Plesk team member, but a user.

  I'm afraid the size of the list would break your clients server.

  I recommend the ModSecurity blocking.

  Or you may add to the Plesk FW the x.x.0.0/16 ranges of main attackers.

   

   

  0

  Comment actions Permalink
• 

  Frank Palaia October 18, 2022 03:40

  Thank you for the suggestion, Ehud.  The Mod Security option seems way too complicated for my current skillset. 

  To my surprise, even though the IP list that I generated is about 76,000 lines, it seems to be working fine in the htaccess file, in blocking all counties but the U.S.   A handful of spam submissions are still coming in from the U.S., and I have seen a couple from some other countries that must have I.P addresses that weren't covered by what was generated by https://www.countryipblocks.net/acl.php    But three or four spam submissions per day is better than dozens.  I don't understand the motives of an attacker of this nature.   This is a rhetorical question, but what could an attacker hope to gain by these nuisance submissions?  I don't understand why he (or his automation) persists.

  0

  Comment actions Permalink
• 

  Ehud Ziegelman October 18, 2022 10:41 (Edited October 18, 2022 10:41)

  Hi Frank Palaia,

   

  I'm happy to hear it didn't break the website.

  May I ask, if you have checked website upload time influence?

   

  Also, you may choose to block ASN (Internet providers) that attacks come from, identifying them, by IP check, as in:

  https://ipinfo.io/8.8.8.8

  And then, fetching the entire IP range list, by posting the numeric ASN found above at the end of a link as below instead of 'AS12975', where the third bottom from the button would fetch such list:

  https://asn.ipinfo.app/downloads/AS12975

   

  0

  Comment actions Permalink
• 

  Frank Palaia October 19, 2022 01:24

  I appreciate your thoughts, Ehud.

  "May I ask, if you have checked website upload time influence?"   I'm afraid I am confused by this question.   Would updating an htaccess file impact my file upload speed?  Or - did you mean to say download?

  Let's look at a specific example.   An attacker IP address from today was 5.59.133.26.  (It managed to get past my htaccess update that should be blocking most non-U.S. countries from accessing the site - and I'm not sure how).

  So I can visit https://ipinfo.io/5.59.133.26.  From this, I would get AS47626, am I right? 

  With this, you're suggesting that I go here:   https://asn.ipinfo.app/downloads/AS47626  ?

  If I'm following you up until this point, why not go to the htaccess text link, and grab the ten lines there to add to my htaccess file?   It looks like this: 

  Order Deny,Allow
  Deny from 5.59.128.0/19
  Deny from 193.7.216.0/22
  Deny from 2a05:9c00::/29
  Deny from 91.205.190.0/23
  Deny from 78.24.100.0/22
  Deny from 5.180.240.0/22
  Deny from 193.35.48.0/22
  Deny from 91.208.35.0/24
  Deny from 213.241.199.0/24
  Deny from 188.93.64.0/22

  Are you saying that this will block all requests from this questionable internet service provider?

  0

  Comment actions Permalink

Please sign in to leave a comment.