How to block or whitelist specific countries through Plesk?

Comments

4 comments

  • Ehud Ziegelman (Edited)

    Such a feature may be achieved using the ModSecurity GeoIP module on Plesk.

    Below is full guidance:

     

    Updating the CRS (i.e., COMODO), which is done on a daily basis, moves the *.conf files to a backup and creates NEW ones, thus the Plesk GUI Custom directives should be used.

     

    This is what you then see in the file:

    /etc/apache2/plesk.conf.d/modsecurity.conf

     

    SecDefaultAction \
    "phase:1,deny,status:403,log,auditlog"
    SecDefaultAction \
    "phase:2,deny,status:403,log,auditlog"

    SecGeoLookupDB /usr/share/GeoIP/GeoLiteCity.dat

    SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:99999932392,drop,log,msg:'Blocking %{geo.country_name} (%{geo.country_code})',logdata:'{country_code=%{geo.country_code}, country_code3=%{geo.country_code3}, country_name=%{geo.country_name}, country_continent=%{geo.country_continent}, city=%{geo.city}}'"
    SecRule GEO:COUNTRY_CODE "@pm AF AG AI AL AM AO AQ AR AS AW AX AZ BA BB BD BF BG BH BI BJ BL BM BN BO BQ BR BS BT BV BW BY BZ CC CD CF CG CI CK CL CM CN CO CR CU CV CW CX CZ DJ DM DO DZ EC EE EG EH ER ET FJ FK FM FO GA GD GE GF GG GH GI GL GM GN GP GQ GS GT GU GW GY HK HM HN HR HT HU ID IM IN IO IQ IR JE JM JO KE KG KH KI KM KN KP KR KW KY KZ LA LB LC LK LR LS LY MA MD ME MF MG MH MK ML MM MN MO MP MQ MR MS MT MU MV MW MX MY MZ NA NC NE NF NG NI NP NR NU OM PA PE PF PG PH PK PL PM PN PR PS PT PW PY QA RE RO RS RU RW SA SB SC SD SG SH SI SJ SK SL SN SO SR SS ST SV SX SY SZ TC TD TF TG TH TJ TK TL TM TN TO TR TT TV TW TZ UA UG UM UY UZ VA VC VE VG VI VN VU WF WS XK YE YT ZA ZM ZW"

     

     

    If you do NOT update CRS:

     

    ModSecurity Blocking Countries Guidance

     

    1) Download the GeoIP lite database:

    # curl -Lo /usr/share/GeoIP/GeoLiteCountry.dat.gz https://dl.miyuru.lk/geoip/dbip/country/dbip4.dat.gz

    Or download other DB files from:

    https://www.miyuru.lk/geoiplegacy
    Or a paid one from MaxMind.

    Note: 1) The IP database file should be updated about once a month, as IPs are transferred between ISPs in various countries. The MaxMind file is updated about once a month.

    Note: 2) The MaxMind file FORMAT is expected to change in May 2022. If you are not updating to a newer ModSecurity-compatible module, the MaxMind file from May 2022 onwards should be converted to the legacy file format used here. As of December 2021 it downloads as file.dat.gz, so note the two file formats in the file name before it is uncompressed.

     

    2) Uncompress the file (convert the gzipped *.gz file to a *.dat file):

    # gunzip /usr/share/GeoIP/GeoLiteCountry.dat.gz

    3) Upload the COUNTRY file to:

    /usr/share/GeoIP/GeoLiteCountry.dat

    4) Enable GeoIP in a file according to which ModSecurity Rule set is used:

    For OWASP:

    # vi /etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk/10-crs-setup.conf

    uncomment the following line:
    SecGeoLookupDB /usr/share/GeoIP/GeoLiteCountry.dat

     

    For COMODO:

    # vi /etc/apache2/modsecurity.d/rules/comodo_free/00_Init_Initialization.conf


    Add the below line at the end of the file:

    SecGeoLookupDB /usr/share/GeoIP/GeoLiteCountry.dat

     

    5) Manually create a ModSecurity rule

    Using OWASP:

    # touch /etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk/country_block.conf
    Using COMODO:
    # touch /etc/apache2/modsecurity.d/rules/comodo_free/country_block.conf

     

    Place the rule in the just created file:

    SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:99999932392,drop,log,msg:'Blocking %{geo.country_code}'"

    SecRule GEO:COUNTRY_CODE "@pm XX XX XX"

     

    Note: "XX" are to be replaced with the actual country codes.
    Also, the rule id (in the above example, "99999932392") should be unique, otherwise the apache2 service wouldn't

     

    The two-character ISO country code list is available here:

    https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2

     

    You may copy the country codes already set in one line from the example below, which blocks all countries except the USA, Canada, Russia, most Western European countries, and Israel.

     

    SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:99999932392,drop,log,msg:'Blocking %{geo.country_code}'"

    SecRule GEO:COUNTRY_CODE "@pm AF AG AI AL AM AO AQ AR AS AW AX AZ BA BB BD BF BG BH BI BJ BL BM BN BO BQ BR BS BT BV BW BY BZ CC CD CF CG CI CK CL CM CN CO CR CU CV CW CX CZ DJ DM DO DZ EC EE EG EH ER ET FJ FK FM FO GA GD GE GF GG GH GI GL GM GN GP GQ GS GT GU GW GY HK HM HN HR HT HU ID IE IM IN IO IQ IR JE JM JO KE KG KH KI KM KN KP KR KW KY KZ LA LB LC LK LR LS LY MA MD ME MF MG MH MK ML MM MN MO MP MQ MR MS MT MU MV MW MX MY MZ NA NC NE NF NG NI NP NR NU OM PA PE PF PG PH PK PL PM PN PR PS PT PW PY QA RE RO RS RW SA SB SC SD SG SH SI SJ SK SL SN SO SR SS ST SV SX SY SZ TC TD TF TG TH TJ TK TL TM TN TO TR TT TV TW TZ UA UG UM UY UZ VA VC VE VG VI VN VU WF WS XK YE YT ZA ZM ZW"

     

    6) Test the server configuration and fix it before restarting if needed:

    # apachectl configtest

    7) Restart the server to make sure the new configuration takes effect:

    # systemctl restart apache2

    8) Test that the blocking happens.

    You may use the mobile Opera browser, which has a built-in VPN allowing you to choose Asia/Europe/America as a location.

    Choose Asia, which in my case used a Singapore IP. Set Opera to also include the VPN for search results.

    Then, with mobile Opera set to Asia, check on Google:

     “What is my IP?”

    And copy the IP to check it is indeed in Asia, on a service such as (replace the 8.8.8.8 IP with the one you got):

    https://ipinfo.io/8.8.8.8

     

    Now access your website. You may get a ‘502’ error in the browser. The log file will look something like:

     

    2021-mm-dd 12:51:40 | Error | 77.111.245.12 | 403 | GET / HTTP/1.0 | 5.00 K | Apache SSL/TLS access

    2021-mm-dd 12:51:40 | Error | 77.111.245.12 | [client 77.111.245.12] ModSecurity: Access denied with connection close (phase 1). Matched phrase "SG" at GEO:COUNTRY_CODE. [file "/etc/apache2/modsecurity.d/rules/comodo_free/country_block.conf"] [line "1"] [id "99999932392"] [msg "Blocking SG"] [hostname "currenge.com"] [uri "/"] [unique_id "Ya88vB9V-Qu@vxwlDnpcQwAAAAA"] | Apache error

    2021-mm-dd 12:51:40 | Error | 77.111.245.12 | 62778#0: *180 upstream prematurely closed connection while reading response header from upstream | nginx error

     

    9) You may add a whitelist of your fixed access IP, the server's own public and private fixed IPs, and Plesk support to ModSecurity

    For OWASP, it will look something like this:

    # vi /etc/apache2/modsecurity.d/000ipwhitelist.conf 

    SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,fixed-ip,cidr-fixed-ip,another-fixed-ip" "id:3,phase:1,nolog,allow,ctl:ruleEngine=Off"

    Note: the rule id number used in the example above is 3. You should make sure the rule IDs for all rules on your server are unique. Also, there are some rule numbering conventions:

    https://wiki.atomicorp.com/wiki/index.php/Mod_security#Creating_custom_rules

    10) Sometimes the “Switch off security rules” list in Plesk was reset to empty during the process, so make sure to keep the list of such rule numbers aside, paste it back once the process is concluded, and click the Apply button in the Plesk GUI.

     

    11) Sometimes the DEFAULT OWASP ModSecurity, although switched “On”, is in fact in scoring mode (which does NOT block all identified attacks), so you may want to manually change it to ‘Blocking’ by modifying the configuration file as below:

    The following parameters are specified within:

    # vi /etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk/10-crs-setup.conf

    Change from (comment out to make the below two lines inactive):

    # SecDefaultAction "phase:1,log,auditlog,pass"
    # SecDefaultAction "phase:2,log,auditlog,pass"


    And place below them the following:

    SecDefaultAction "phase:1,log,auditlog,deny,status:403"
    SecDefaultAction "phase:2,log,auditlog,deny,status:403"

     

    And, then restart:

    # systemctl restart apache2

     

    12) Also note that, since on Plesk the OWASP rule set currently has no GUI option to update the rule set daily, if you want to update the OWASP rule set this should be done manually, as follows:


    1. Connect to the server via SSH

    2. Download the archive with the ruleset:

    # wget https://github.com/coreruleset/coreruleset/archive/v3.3.0.tar.gz

    3. Unpack the archive:

    # tar -xzvf v3.3.0.tar.gz

     4. Move the old directory (to have a copy):

    # mv /etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk{,_bak_`date +%F`}

    5. Create a new directory:

    # mkdir /etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk

    6. Copy the rules:
    # cp -a coreruleset-3.3.0/rules/* /etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk/

    7. Copy the main configuration file:
    # cp -a /etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk_bak_`date +%F`/10-crs-setup.conf /etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk/10-crs-setup.conf

    8. Restart Apache:
    # systemctl restart apache2

     

    13) You may add a manual Fail2Ban rule that will block, for a long duration, an IP getting a 403 or 400 error code:

     

    A) Whitelist your fixed IP, server IP, and Plesk Support IP in Fail2Ban:

    Via Plesk GUI (interface) add IPs to be Fail2Ban whitelisted.

     

    B) **First file**

    # cd /etc/fail2ban/filter.d/

     

    create file:

    # touch httpd-forbidden.conf

     

    edit file content:

    # vi httpd-forbidden.conf

     

     

    [Definition]

    failregex = ^<HOST> - - .*HTTP/[0-9]+(\.[0-9]+)?" 403
                ^<HOST> -.*"(GET|POST|HEAD) .* HTTP/[0-9]+(\.[0-9]+)?" 403
                ^<HOST> - - .*HTTP/[0-9]+(\.[0-9]+)?" 400
                ^<HOST> -.*"(GET|POST|HEAD) .* HTTP/[0-9]+(\.[0-9]+)?" 400


    C) **Second file**

    Note: Edit logpath according to your logs (logs are originally in one place, and Plesk generates a second copy directory as well)

    # cd /etc/fail2ban/jail.d

     

    create file:

    # touch httpd-forbidden.conf

     

    edit file content:

    # vi httpd-forbidden.conf

     

    [httpd-forbidden]

    enabled = true

    filter = httpd-forbidden

    backend = polling

    logpath = /var/log/apache2/*error.log

              /var/log/apache2/*access.log

              /var/log/auth.log

              /var/log/maillog

              /var/log/modsec_audit.log

              /var/www/vhosts/system/*/logs/*access*log

              /var/www/vhosts/system/*/logs/error_log

              /var/www/vhosts/system/*/logs/access_ssl_log.processed

              /var/www/vhosts/system/*/logs/proxy_access_ssl_log




    bantime  = 120h

    maxretry = 1

    findtime = 9600

    port = http,https,7080,7081

    banaction = iptables-multiport

    action = iptables-multiport[name=httpd-forbidden, port="http,https,7080,7081"]


    D) Test the filter via the special fail2ban testing command:

    # fail2ban-regex /var/www/vhosts/system/currenge.com/logs/access_ssl_log httpd-forbidden.conf --print-all-matched

    E) Restart Fail2Ban via the Plesk GUI on the “Service Management” Plesk page:

    restart Fail2Ban

     

    Or optionally, via the SSH CLI:

    # service fail2ban restart

    F) If you lock yourself out, via SSH:

    # fail2ban-client set httpd-forbidden unbanip your-ip-address-here

     

    0
    Comment actions Permalink
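The following is an added example, not part of the comment above or of Plesk/ModSecurity: a small Python model of the two phase-1 rules the guide creates (the 000ipwhitelist.conf @ipMatch rule and the chained @geoLookup / @pm country rule), so the ordering and the chain behaviour can be sanity-checked offline before editing /etc/apache2/modsecurity.d. It assumes the whitelist file is loaded before country_block.conf (which is what the 000 prefix is for), and the IP-to-country table, the trusted CIDRs and the short blocked-country list are all constructed for this example, standing in for the GeoLiteCountry.dat lookup and the real lists.

```python
"""Offline model of the ModSecurity rule chain from the guide (added example).

Stand-ins, all constructed for this example:
  GEO_DB            -> what SecGeoLookupDB / @geoLookup would answer
  TRUSTED           -> the @ipMatch list in 000ipwhitelist.conf
  BLOCKED_COUNTRIES -> a short subset of the @pm list in country_block.conf
"""
import ipaddress

# Constructed stand-in for the GeoIP .dat lookup (TEST-NET addresses).
GEO_DB = {
    "203.0.113.10": "SG",
    "198.51.100.7": "US",
    "192.0.2.44": "DE",
    "192.0.2.99": "CN",
}

# Equivalent of: SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,..." "allow,ctl:ruleEngine=Off"
TRUSTED = [ipaddress.ip_network(n) for n in ("127.0.0.1/32", "198.51.100.0/24")]

# Equivalent of the @pm phrase list (subset; real list is ~200 codes).
BLOCKED_COUNTRIES = {"SG", "CN", "RU", "IR", "KP"}


def ip_match(remote_addr, networks):
    """@ipMatch: true when the address is inside any listed host or CIDR."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in net for net in networks)


def geo_lookup(remote_addr):
    """@geoLookup: the country code, or None when the DB has no record.
    In ModSecurity a failed @geoLookup means the first rule of the chain
    does not match, so the @pm rule is never evaluated."""
    return GEO_DB.get(remote_addr)


def evaluate_phase1(remote_addr):
    """Run both phase-1 rules in load order and return the outcome:
    'allow' (whitelisted, engine switched off), 'drop' (country blocked)
    or 'pass' (no rule matched)."""
    # 000ipwhitelist.conf runs first; its 'allow' ends phase 1 for this request.
    if ip_match(remote_addr, TRUSTED):
        return "allow"
    # country_block.conf: chained rule, both parts must match.
    country = geo_lookup(remote_addr)
    if country is None:
        return "pass"      # unknown address: chain breaks at @geoLookup
    if country in BLOCKED_COUNTRIES:
        return "drop"      # 'drop' closes the TCP connection, no 403 body
    return "pass"


if __name__ == "__main__":
    for ip in ("127.0.0.1", "198.51.100.7", "203.0.113.10", "192.0.2.44", "10.0.0.5"):
        print(f"{ip:15} -> {evaluate_phase1(ip)}")
```

Two things the model makes visible: a trusted address is let through even if its country is on the block list (198.51.100.7 above), so the whitelist really must load before the country rule; and an address missing from the GeoIP database is never blocked, which is why the .dat file needs to be refreshed regularly rather than only installed once.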
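Also added here, and likewise not from the comment above: a Python check of the httpd-forbidden failregex patterns against a few constructed Apache combined-log lines, doing offline what `fail2ban-regex --print-all-matched` does on the server. The patterns are the four from step 13 with `.` escaped and the `HTTP/x.y"` part of the second and fourth patterns fixed (as posted they expected a `"/` followed by digits after the quote, which a combined-log line does not contain). HOST_RE is a simplified IPv4-only stand-in for fail2ban's `<HOST>` placeholder, and the log lines are made up for this example.

```python
"""Run the httpd-forbidden failregex over sample log lines (added example).

Assumptions: HOST_RE is a simplified <HOST> expansion (fail2ban's real one
also handles IPv6 and hostnames); LOG_LINES are constructed, not real logs.
"""
import re
from collections import Counter

HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The filter's patterns, as they would be written in filter.d/httpd-forbidden.conf.
FAILREGEX = [
    r'^<HOST> - - .*HTTP/[0-9]+(?:\.[0-9]+)?" 403',
    r'^<HOST> -.*"(?:GET|POST|HEAD) .* HTTP/[0-9]+(?:\.[0-9]+)?" 403',
    r'^<HOST> - - .*HTTP/[0-9]+(?:\.[0-9]+)?" 400',
    r'^<HOST> -.*"(?:GET|POST|HEAD) .* HTTP/[0-9]+(?:\.[0-9]+)?" 400',
]

# Constructed combined-format lines, like those in access_ssl_log.
LOG_LINES = [
    '203.0.113.10 - - [09/Dec/2021:12:51:40 +0200] "GET / HTTP/1.0" 403 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Dec/2021:12:52:01 +0200] "GET /index.html HTTP/1.1" 200 1043 "-" "curl/7.68.0"',
    '192.0.2.44 - - [09/Dec/2021:12:53:15 +0200] "POST /wp-login.php HTTP/1.1" 400 226 "-" "python-requests/2.25"',
    # status 200 with "403" in the query string: must NOT count as a hit
    '192.0.2.44 - - [09/Dec/2021:12:53:16 +0200] "GET /?code=403 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]


def compile_filter(patterns=FAILREGEX):
    """Expand <HOST> the way fail2ban does and compile each pattern."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def matched_hosts(lines, patterns=FAILREGEX):
    """Host of every line that at least one failregex matches, in log order."""
    compiled = compile_filter(patterns)
    hosts = []
    for line in lines:
        for rx in compiled:
            m = rx.match(line)
            if m:
                hosts.append(m.group("host"))
                break  # one hit per line, as fail2ban counts it
    return hosts


def hosts_to_ban(lines, maxretry=1, patterns=FAILREGEX):
    """Hosts that reach maxretry hits; findtime is ignored here, so all lines
    are treated as falling inside one window."""
    counts = Counter(matched_hosts(lines, patterns))
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print("hits:", matched_hosts(LOG_LINES))
    print("ban (maxretry=1):", hosts_to_ban(LOG_LINES))
```

Because the status code is anchored right after `HTTP/x.y"`, a request whose path merely contains "403" is not a hit; with the jail's maxretry = 1 every host with a single 403 or 400 is banned, so the Fail2Ban whitelist from step 13 A) needs to be in place before enabling the jail.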
  • Stefan Yakubov

    Hello, @Xyonet Hosting

    Once the extension is installed in Plesk, it is also needed to perform the backend installation following the guide:

    https://pleskext.configbox.com/en/deny-country/

    Once done, you will be redirected to the extension's configuration interface.

    0
    Comment actions Permalink
  • Xyonet Hosting

    It's installed.  Can't see how to use it.  It's not obvious where to make changes

     

    0
    Comment actions Permalink
  • Ehud Ziegelman

    And, it seems there is an additional way to do so on nginx:

    https://linuxadmin.io/nginx-geoip-block-countries/

    0
    Comment actions Permalink
