How to block or whitelist specific countries through Plesk?

• 

  Ehud Ziegelman December 07, 2021 12:40 (Edited December 08, 2021 15:17)

  Such feature may be achieved using ModSecurity GeoIP module on Plesk.

  Below is a full guidance:

   

  Updating CRS (i.e., COMODO) which is done a daily basis, moves the *.conf files to a backup and creates a NEW one, thus the Plesk GUI Custom directives should be used.

   

  This is seen afterwards on the file:

  /etc/apache2/plesk.conf.d/modsecurity.conf

   

  SecDefaultAction \
  "phase:1,deny,status:403,log,auditlog"
  SecDefaultAction \
  "phase:2,deny,status:403,log,auditlog"

  SecGeoLookupDB /usr/share/GeoIP/GeoLiteCity.dat

  SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:99999932392,drop,log,msg:'Blocking %{geo.country_name} (%{geo.country_code})',logdata:'{country_code=%{geo.country_code}, country_code3=%{geo.country_code3}, country_name=%{geo.country_name}, country_continent=%{geo.country_continent}, city=%{geo.city}}'"
  SecRule GEO:COUNTRY_CODE "@pm AF AG AI AL AM AO AQ AR AS AW AX AZ BA BB BD BF BG BH BI BJ BL BM BN BO BQ BR BS BT BV BW BY BZ CC CD CF CG CI CK CL CM CN CO CR CU CV CW CX CZ DJ DM DO DZ EC EE EG EH ER ET FJ FK FM FO GA GD GE GF GG GH GI GL GM GN GP GQ GS GT GU GW GY HK HM HN HR HT HU ID IM IN IO IQ IR JE JM JO KE KG KH KI KM KN KP KR KW KY KZ LA LB LC LK LR LS LY MA MD ME MF MG MH MK ML MM MN MO MP MQ MR MS MT MU MV MW MX MY MZ NA NC NE NF NG NI NP NR NU OM PA PE PF PG PH PK PL PM PN PR PS PT PW PY QA RE RO RS RU RW SA SB SC SD SG SH SI SJ SK SL SN SO SR SS ST SV SX SY SZ TC TD TF TG TH TJ TK TL TM TN TO TR TT TV TW TZ UA UG UM UY UZ VA VC VE VG VI VN VU WF WS XK YE YT ZA ZM ZW"

   

   

  If you do NOT update CRS:

   

  ModSecurity Blocking Countries Guidance

   

  1) Download the Geo2ip lite database:

  # curl -Lo /usr/share/GeoIP/GeoLiteCountry.dat.gz https://dl.miyuru.lk/geoip/dbip/country/dbip4.dat.gz

  Or download some other DB files from:

  https://www.miyuru.lk/geoiplegacy

  Or, a paid one from Maxmind.

  Note: 1) The IP Data Base file should be updated once in a month (/a while) as IPs are transferred between ISPs in various countries. The Maxmind file updates about once a month. Note: 2) The Maxmind file FORMAT is expected to be change on May 2022. If not updating to a newer ModSecurity suitable module, the near future (from May 2022) Maxmind file should be converted to the legacy used file format. On December 2021, it downloads as file.dat.gz, so note the two file formats in the file name, before its uncompressed.

   

  2) uncompress the file (Converted the zip *.gz file to a *.dat file):

  # gunzip /usr/share/GeoIP/GeoLiteCountry.dat.gz

  3) Uploaded the COUNTRY file to:

  # /usr/share/GeoIP/GeoLiteCountry.dat

  4) Enable GeoIP in a file according to which ModSecurity Rule set is used:

  For OWASP: # vi /etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk/10-crs-setup.conf un-commented the following line: SecGeoLookupDB /usr/share/GeoIP/GeoLiteCountry.dat   For COMODO:

  # vi /etc/apache2/modsecurity.d/rules/comodo_free/00_Init_Initialization.conf
  
  
  Add the below line at the end of the file:
  
  SecGeoLookupDB /usr/share/GeoIP/GeoLiteCountry.dat
  
  

   

  5) Manually Create a ModSecurity rule

  Using OWASP: # touch /etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk/country_block.conf

  Using COMODO:

  # touch /etc/apache2/modsecurity.d/rules/comodo_free/country_block.conf

   

  Place the rule in the just created file:

  SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:99999932392,drop,log,msg:'Blocking %{geo.country_code}'" SecRule GEO:COUNTRY_CODE "@pm XX XX XX"

   

  Note: "XX" are to be replaced with the actual country codes.
  Also rule id (in the above example - "99999932392") should be unique, otherwise, the apache2 service wouldn't

   

  Country two charts ISO code list is available here: https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2

   

  You may copy country code already set in one line, from the below example, blocking all countries, but not USA, Canada, Russia, most Western European countries, and Israel.

   

  SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:99999932392,drop,log,msg:'Blocking %{geo.country_code}'" SecRule GEO:COUNTRY_CODE " @pm AF AG AI AL AM AO AQ AR AS AW AX AZ BA BB BD BF BG BH BI BJ BL BM BN BO BQ BR BS BT BV BW BY BZ CC CD CF CG CI CK CL CM CN CO CR CU CV CW CX CZ DJ DM DO DZ EC EE EG EH ER ET FJ FK FM FO GA GD GE GF GG GH GI GL GM GN GP GQ GS GT GU GW GY HK HM HN HR HT HU ID IE IM IN IO IQ IR JE JM JO KE KG KH KI KM KN KP KR KW KY KZ LA LB LC LK LR LS LY MA MD ME MF MG MH MK ML MM MN MO MP MQ MR MS MT MU MV MW MX MY MZ NA NC NE NF NG NI NP NR NU OM PA PE PF PG PH PK PL PM PN PR PS PT PW PY QA RE RO RS RW SA SB SC SD SG SH SI SJ SK SL SN SO SR SS ST SV SX SY SZ TC TD TF TG TH TJ TK TL TM TN TO TR TT TV TW TZ UA UG UM UY UZ VA VC VE VG VI VN VU WF WS XK YE YT ZA ZM ZW"

   

  6) Test server configuration and fix before restart if needed:

  # apachectl configtest

  7) Restart the server, to make sure the new configuration takes place:

  # systemctl restart apache2

  8) Test the blocking happens.

  You may use mobile phone Opera browser that has a built-in VPN, allowing to choose Asia/Europe/America as a location. 

  Choose Asia, which in my case used Singapore IP. Set Opera to also include VPN for search results.

  Then, check on the mobile Opera is set for Asia, on Google:

  “What is my IP?”

  And copy the IP to check it’s indeed in Asia, on a service as (replace the 8.8.8.8 IP with the one you got):

  https://ipinfo.io/8.8.8.8

   

  Now, access your website. You may get on the browser client a ‘502’ error on the browser. Log file will look something like:

   

  2021-mm-dd 12:51:40	Error	77.111.245.12	403	GET / HTTP/1.0			5.00 K	Apache SSL/TLS access
  2021-mm-dd 12:51:40	Error	77.111.245.12		[client 77.111.245.12] ModSecurity: Access denied with connection close (phase 1). Matched phrase "SG" at GEO:COUNTRY_CODE. [file "/etc/apache2/modsecurity.d/rules/comodo_free/country_block.conf"] [line "1"] [id "99999932392"] [msg "Blocking SG"] [hostname "currenge.com"] [uri "/"] [unique_id "Ya88vB9V-Qu@vxwlDnpcQwAAAAA"]				Apache error
  2021-mm-dd 12:51:40	Error	77.111.245.12		62778#0: *180 upstream prematurely closed connection while reading response header from upstream				nginx error

   

  9) You may add a Whitelisting of your accessing fixed IP, Server own public and private fixed IP, and Plesk support to ModSecurity

  For OWASP, it will look something like this:

  # vi /etc/apache2/modsecurity.d/000ipwhitelist.conf 
  
  SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,fixed-ip,cidr-fixed-ip, another-fixed-ip" "id:3,phase:1,nolog,allow,ctl:ruleEngine=Off"

  Note: rule id number added in the example above, is: 3. You should make sure rules ID for all rules on your server is unique. Also, there are some rules numbering conventions.

  https://wiki.atomicorp.com/wiki/index.php/Mod_security#Creating_custom_rules

  10) As sometimes, “Switch off security rules” list on Plesk was reset to null during the process, so make sure to keep the list of such rules numbers aside, and paste it once process is concluded, and click the Apply button on the Plesk GUI.

   

  11) As sometimes, that DEFAULT OWASP ModSecurity although clicked as “On” is in face in scoring mode (which does NOT block all identified attacks), you want to manually configure/change it to be set ‘Blocking’, by modifying a script as below:

  the following parameters are specified within:
  
  # vi /etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk/10-crs-setup.conf
  
  Change from (comment out to make the below two lines inactive):
  
  # SecDefaultAction "phase:1,log,auditlog,pass"
  # SecDefaultAction "phase:2,log,auditlog,pass"
  
  
  And place below them the following:
  
  SecDefaultAction "phase:1,log,auditlog,deny,status:403"
  SecDefaultAction "phase:2,log,auditlog,deny,status:403"

   

  And, then restart:

  # systemctl restart apache2

   

  12) Also note, that as on Plesk the OWASP currently doesn’t have a GUI configuration to update rules set daily, if you want to update the OWASP rule set, this should be done manually, as follow:

  1. Connect to the server via SSH 2. Download the archive with the ruleset: # wget https://github.com/coreruleset/coreruleset/archive/v3.3.0.tar.gz 3. Unpack the archive: # tar -xzvf v3.3.0.tar.gz  4. Move the old directory (to have a copy): # mv /etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk{,_bak_`date +%F`} 5. Create a new directory: # mkdir /etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk 6. Copy the rules: # cp -a coreruleset-3.3.0/rules/* /etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk/ 7. Copy the main configuration file: # cp -a /etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk_bak_`date +%F`/10-crs-setup.conf /etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk/10-crs-setup.conf 8. Restart Apache: # systemctl restart apache2

  13) You may add a manual Fail2Ban rule, that will block for a long duration and IP getting a 403 and 400 Error code:

   

  A) Whitelist your fixed IP, server IP, and Plesk Support IP on  Faile2Ban:

  Via Plesk GUI (interface) add IPs to be Fail2Ban whitelisted.

   

  B) **First file**

  # cd /etc/fail2ban/filter.d/   create file: # touch httpd-forbidden.conf   edit file content: # vi httpd-forbidden.conf     [Definition] failregex = ^<HOST> - - .*HTTP/[0-9]+(.[0-9]+)?" 403             ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*"/[0-9]+(.[0-9]+)?" 403             ^<HOST> - - .*HTTP/[0-9]+(.[0-9]+)?" 400             ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*"/[0-9]+(.[0-9]+)?" 400

  C) **Second file**

  Note: Edit logpath according to your logs (logs are originally in one place, and Plesk generates a second copy directory as well)

  # cd /etc/fail2ban/jail.d   create file: # touch httpd-forbidden.conf   edit file content: # vi httpd-forbidden.conf   [httpd-forbidden] enabled = true filter = httpd-forbidden backend = polling logpath = /var/log/apache2/*error.log           /var/log/apache2/*access.log           /var/log/auth.log           /var/log/maillog           /var/log/modsec_audit.log           /var/www/vhosts/system/*/logs/*access*log           /var/www/vhosts/system/*/logs/error_log           /var/www/vhosts/system/*/logs/access_ssl_log.processed           /var/www/vhosts/system/*/logs/proxy_access_ssl_log bantime  = 120h maxretry = 1 findtime = 9600 port = http,https,7080,7081 banaction = iptables-multiport action = iptables-multiport[name=httpd-forbidden, port="http,https,7080,7081"]

  D) test tool via special fail2ban testing command:

  # fail2ban-regex /var/www/vhosts/system/currenge.com/logs/access_ssl_log httpd-forbidden.conf --print-all-matched

  E) Restart Fail2Ban Via Plesk GUI on “Service Management” Plesk page:

  restart Fail2Ban

   

  Or optional, cia SSH CLI:

  # service fail2ban restart

  F) If you lock yourself out, via SSH:

  # fail2ban-client set httpd-forbidden unbanip your-ip-address-here

   

  0

  Comment actions Permalink
• 

  Ehud Ziegelman December 13, 2021 23:06

  And, it seems there is an additional way to do so on nginx:

  https://linuxadmin.io/nginx-geoip-block-countries/

  0

  Comment actions Permalink

Please sign in to leave a comment.