Applicable to:
- Plesk for Linux
Question
How to block specific countries in Plesk?
Answer
On Plesk 18.0.52 and higher with Firewall extension 2.0 installed this could be achieved following the next steps:
- Log into Plesk
- Navigate to Tools & Settings > Firewall
- Click
to add a new rule.
- Specify the required countries in the following fields:
For older Plesk versions the following workaround is available:
Follow the next steps to block particular countries via ModSecurity:
-
Download the Geo2ip lite database:
# curl -Lo /usr/share/GeoIP/GeoLiteCountry.dat.gz https://dl.miyuru.lk/geoip/dbip/country/dbip4.dat.gz
-
Unpack it:
# gunzip /usr/share/GeoIP/GeoLiteCountry.dat.gz
-
Navigate to Tools & Settings > Web Application Firewall(ModSecurity) > Settings and add the following Custom directives:
CONFIG_TEXT: SecGeoLookupDB /usr/share/GeoIP/GeoLiteCountry.dat
SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:99999932392,drop,log,msg:'Blocking %{geo.country_code}'"
SecRule GEO:COUNTRY_CODE "@pm XX XX XX"Note: "XX XX XX" are to be replaced with the required country codes.
Comments
please update it
Plesk Obsidian 18.0.52
Hello,
Thanks, the article is updated.
For anyone looking this is the complete security rule with all countries except US and CO
SecGeoLookupDB /usr/share/GeoIP/GeoLiteCountry.dat
SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:99999932392,drop,log,msg:'Blocking %{geo.country_code}'"
SecRule GEO:COUNTRY_CODE "@pm AD AE AF AG AI AL AM AO AQ AR AS AT AU AW AX AZ BA BB BD BE BF BG BH BI BJ BL BM BN BO BQ BR BS BT BV BW BY BZ CA CC CD CF CG CH CI CK CL CM CN CR CU CV CW CX CY CZ DE DJ DK DM DO DZ EC EE EG EH ER ES ET FI FJ FK FM FO FR GA GB GD GE GF GG GH GI GL GM GN GP GQ GR GS GT GU GW GY HK HM HN HR HT HU ID IE IL IM IN IO IQ IR IS IT JE JM JO JP KE KG KH KI KM KN KP KR KW KY KZ LA LB LC LI LK LR LS LT LU LV LY MA MC MD ME MF MG MH MK ML MM MN MO MP MQ MR MS MT MU MV MW MX MY MZ NA NC NE NF NG NI NL NO NP NR NU NZ OM PA PE PF PG PH PK PL PM PN PR PS PT PW PY QA RE RO RS RU RW SA SB SC SD SE SG SH SI SJ SK SL SM SN SO SR SS ST SV SX SY SZ TC TD TF TG TH TJ TK TL TM TN TO TR TT TV TW TZ UA UG UM USs UY UZ VA VC VE VG VI VN VU WF WS YE YT ZA ZM ZW "
Is there also a way to block a specific ISP, IP to ISP.
i.e. block DigitalOcean, LLC
Hello, Khaled Zeid-El-Kailani
Yes, you can find the list of DO subnets here:
https://docs.digitalocean.com/products/platform/
Yeah this is not working.
After I have blocked countries like Bulgaria and Latvia, still manage to try to hack my server and the countries ip still shows up in IP Address Banning (Fail2Ban)
Hope for the best :)
@bragi you should try workaround 2. It does work , test it with a vpn . I confirm it does work
@Daniel Vengoechea
Method II dos not work and is uselesss.
This method is useless I'm running the latest Plesk panel and this dos not work at all just like opening a new port in firewall for SSH that doesn't work either.
And I'm paying money for this panel that can't even open a new port nor block country with country code
I'm forced to block every IP that is trying to hack my server using the firewall.
bragi in case you require clarifications on how to use that or have some additional questions regarding behavior in your environment - you can contact technical support.
@Stefan Yakubov
I found out why blocking countries and opening custom port did not work it was do to my server has FirewallD running, after disabling firewallD everything started to work.
I found out that opening port via plesk firewall interface will not open port in firewallD. Just follow this and you will be all set. https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-7
WORKAROUND II
https://dl.miyuru.lk/geoip/dbip/country/dbip4.dat.gz
This URL is down
@Daniel Vengoechea
Do you have your "...complete security rule with all countries except US and CO..." in JSON format so I can Import it directly in Plesk after fine-tuning it?
Thank you,
If your lifetime is limited, create just ONE Geoblock-Country and EXPORT, EDIT, then IMPORT your Fireall rules als json.
Here is my "DE"-Only allowed rule.
[
{
"action": "deny",
"class": "custom",
"direction": "input",
"from": "AD,AE,AF,AG,AI,AL,AM,AO,AQ,AR,AS,AT,AU,AW,AX,AZ,BA,BB,BD,BE,BF,BG,BH,BI,BJ,BL,BM,BN,BO,BQ,BR,BS,BT,BV,BW,BY,BZ,CA,CC,CD,CF,CG,CH,CI,CK,CL,CM,CN,CO,CR,CU,CV,CW,CX,CY,CZ,DJ,DK,DM,DO,DZ,EC,EE,EG,EH,ER,ES,ET,FI,FJ,FK,FM,FO,FR,GA,GB,GD,GE,GF,GG,GH,GI,GL,GM,GN,GP,GQ,GR,GS,GT,GU,GW,GY,HK,HM,HN,HR,HT,HU,ID,IE,IL,IM,IN,IO,IQ,IR,IS,IT,JE,JM,JO,JP,KE,KG,KH,KI,KM,KN,KP,KR,KW,KY,KZ,LA,LB,LC,LI,LK,LR,LS,LT,LU,LV,LY,MA,MC,MD,ME,MF,MG,MH,MK,ML,MM,MN,MO,MP,MQ,MR,MS,MT,MU,MV,MW,MX,MY,MZ,NA,NC,NE,NF,NG,NI,NL,NO,NP,NR,NU,NZ,OM,PA,PE,PF,PG,PH,PK,PL,PM,PN,PR,PS,PT,PW,PY,QA,RE,RO,RS,RU,RW,SA,SB,SC,SD,SE,SG,SH,SI,SJ,SK,SL,SM,SN,SO,SR,SS,ST,SV,SX,SY,SZ,TC,TD,TF,TG,TH,TJ,TK,TL,TM,TN,TO,TR,TT,TV,TW,TZ,UA,UG,UM,US,UY,UZ,VA,VC,VE,VG,VI,VN,VU,WF,WS,YE,YT,ZA,ZM,ZW",
"id": 114,
"name": "Geoblock",
"ports": "",
"type": "custom"
}
]
Is there a way to get Let´s Encrypt work with Geoblock? Because LE validation servers are all around the world, you can´t create or renew certificates with geoblock. Would be a good feature to automatic, temporary open port 80 for LE without geoblock.
Please sign in to leave a comment.