Applicable to:
- Plesk for Linux
Question
How to block specific countries in Plesk?
Answer
On Plesk 18.0.52 and higher with Firewall extension 2.0 installed, follow these steps:
- Navigate to Tools & Settings > Firewall
- Click to add a new rule.
- Specify the required countries in the following fields:
For older Plesk versions, the following workaround is available:
Using ModSecurity:
Follow these steps to block particular countries via ModSecurity:
- Download the Geo2ip lite database:
# curl -Lo /usr/share/GeoIP/GeoLiteCountry.dat.gz https://dl.miyuru.lk/geoip/dbip/country/dbip4.dat.gz
- Unpack it:
# gunzip /usr/share/GeoIP/GeoLiteCountry.dat.gz
- Navigate to Tools & Settings > Web Application Firewall(ModSecurity) > Settings and add the following Custom directives:
SecGeoLookupDB /usr/share/GeoIP/GeoLiteCountry.dat
SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:99999932392,drop,log,msg:'Blocking %{geo.country_code}'"
SecRule GEO:COUNTRY_CODE "@pm XX XX XX"
Note: "XX XX XX" are to be replaced with the required country codes.
Comments
16 comments
please update it
Plesk Obsidian 18.0.52
Hello,
Thanks, the article is updated.
For anyone looking, this is the complete security rule with all countries except US and CO:
SecGeoLookupDB /usr/share/GeoIP/GeoLiteCountry.dat
SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:99999932392,drop,log,msg:'Blocking %{geo.country_code}'"
SecRule GEO:COUNTRY_CODE "@pm AD AE AF AG AI AL AM AO AQ AR AS AT AU AW AX AZ BA BB BD BE BF BG BH BI BJ BL BM BN BO BQ BR BS BT BV BW BY BZ CA CC CD CF CG CH CI CK CL CM CN CR CU CV CW CX CY CZ DE DJ DK DM DO DZ EC EE EG EH ER ES ET FI FJ FK FM FO FR GA GB GD GE GF GG GH GI GL GM GN GP GQ GR GS GT GU GW GY HK HM HN HR HT HU ID IE IL IM IN IO IQ IR IS IT JE JM JO JP KE KG KH KI KM KN KP KR KW KY KZ LA LB LC LI LK LR LS LT LU LV LY MA MC MD ME MF MG MH MK ML MM MN MO MP MQ MR MS MT MU MV MW MX MY MZ NA NC NE NF NG NI NL NO NP NR NU NZ OM PA PE PF PG PH PK PL PM PN PR PS PT PW PY QA RE RO RS RU RW SA SB SC SD SE SG SH SI SJ SK SL SM SN SO SR SS ST SV SX SY SZ TC TD TF TG TH TJ TK TL TM TN TO TR TT TV TW TZ UA UG UM USs UY UZ VA VC VE VG VI VN VU WF WS YE YT ZA ZM ZW "
Is there also a way to block a specific ISP, IP to ISP?
i.e. block DigitalOcean, LLC
Hello, Fadi Asbih
Yes, you can find the list of DO subnets here:
https://docs.digitalocean.com/products/platform/
Yeah this is not working.
After I have blocked countries like Bulgaria and Latvia, they still manage to try to hack my server and the countries' IPs still show up in IP Address Banning (Fail2Ban).
Hope for the best :)
@bragi you should try workaround 2. It does work, test it with a VPN. I confirm it does work.
@Daniel Vengoechea
Method II does not work and is useless.
This method is useless. I'm running the latest Plesk panel and this does not work at all, just like opening a new port in firewall for SSH that doesn't work either.
And I'm paying money for this panel that can't even open a new port nor block country with country code
I'm forced to block every IP that is trying to hack my server using the firewall.
Bragi Austfjörð in case you require clarifications on how to use that or have some additional questions regarding behavior in your environment - you can contact technical support.
@Stefan Yakubov
I found out why blocking countries and opening a custom port did not work: it was due to my server having FirewallD running. After disabling FirewallD everything started to work.
I found out that opening a port via the Plesk firewall interface will not open the port in FirewallD. Just follow this and you will be all set. https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-7
WORKAROUND II
https://dl.miyuru.lk/geoip/dbip/country/dbip4.dat.gz
This URL is down
@Daniel Vengoechea
Do you have your "...complete security rule with all countries except US and CO..." in JSON format so I can Import it directly in Plesk after fine-tuning it?
Thank you,
If your lifetime is limited, create just ONE Geoblock-Country and EXPORT, EDIT, then IMPORT your Firewall rules as JSON.
Here is my "DE"-Only allowed rule.
[
{
"action": "deny",
"class": "custom",
"direction": "input",
"from": "AD,AE,AF,AG,AI,AL,AM,AO,AQ,AR,AS,AT,AU,AW,AX,AZ,BA,BB,BD,BE,BF,BG,BH,BI,BJ,BL,BM,BN,BO,BQ,BR,BS,BT,BV,BW,BY,BZ,CA,CC,CD,CF,CG,CH,CI,CK,CL,CM,CN,CO,CR,CU,CV,CW,CX,CY,CZ,DJ,DK,DM,DO,DZ,EC,EE,EG,EH,ER,ES,ET,FI,FJ,FK,FM,FO,FR,GA,GB,GD,GE,GF,GG,GH,GI,GL,GM,GN,GP,GQ,GR,GS,GT,GU,GW,GY,HK,HM,HN,HR,HT,HU,ID,IE,IL,IM,IN,IO,IQ,IR,IS,IT,JE,JM,JO,JP,KE,KG,KH,KI,KM,KN,KP,KR,KW,KY,KZ,LA,LB,LC,LI,LK,LR,LS,LT,LU,LV,LY,MA,MC,MD,ME,MF,MG,MH,MK,ML,MM,MN,MO,MP,MQ,MR,MS,MT,MU,MV,MW,MX,MY,MZ,NA,NC,NE,NF,NG,NI,NL,NO,NP,NR,NU,NZ,OM,PA,PE,PF,PG,PH,PK,PL,PM,PN,PR,PS,PT,PW,PY,QA,RE,RO,RS,RU,RW,SA,SB,SC,SD,SE,SG,SH,SI,SJ,SK,SL,SM,SN,SO,SR,SS,ST,SV,SX,SY,SZ,TC,TD,TF,TG,TH,TJ,TK,TL,TM,TN,TO,TR,TT,TV,TW,TZ,UA,UG,UM,US,UY,UZ,VA,VC,VE,VG,VI,VN,VU,WF,WS,YE,YT,ZA,ZM,ZW",
"id": 114,
"name": "Geoblock",
"ports": "",
"type": "custom"
}
]
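For the question above about moving a ModSecurity country list into the firewall's JSON import, here is an added example (not code from the article or from any commenter). It parses the chained `@pm` rule, rejects tokens that are not two uppercase letters, and emits a deny entry using the keys of the exported rule shown in the comments. The function names and the `rule_id` and `name` defaults are hypothetical, and it assumes the import accepts the same shape as that export.

```python
import json
import re

# Matches the chained rule from the article: SecRule GEO:COUNTRY_CODE "@pm XX YY ..."
PM_RULE = re.compile(r'SecRule\s+GEO:COUNTRY_CODE\s+"@pm\s+([^"]*)"')
CODE = re.compile(r"[A-Z]{2}")  # shape check only, not an ISO 3166 registry lookup


def parse_pm_codes(directives):
    """Return (valid_codes, rejected_tokens) from the @pm country list."""
    m = PM_RULE.search(directives)
    if m is None:
        raise ValueError("no GEO:COUNTRY_CODE @pm rule found")
    valid, rejected = [], []
    for token in m.group(1).split():
        if CODE.fullmatch(token):
            if token not in valid:  # drop duplicates, keep first-seen order
                valid.append(token)
        else:
            rejected.append(token)
    return valid, rejected


def to_firewall_rule(codes, rule_id=1, name="Geoblock"):
    """Build one deny entry with the keys seen in the exported rule in the comments."""
    return [{
        "action": "deny",
        "class": "custom",
        "direction": "input",
        "from": ",".join(codes),
        "id": rule_id,  # placeholder; assumed to be reassigned or ignored on import
        "name": name,
        "ports": "",
        "type": "custom",
    }]


# Constructed sample: a short rule with one malformed token ("RUu") and a duplicate.
SAMPLE = '''SecGeoLookupDB /usr/share/GeoIP/GeoLiteCountry.dat
SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:99999932392,drop,log,msg:'Blocking %{geo.country_code}'"
SecRule GEO:COUNTRY_CODE "@pm BG LV RUu BG "'''

if __name__ == "__main__":
    codes, rejected = parse_pm_codes(SAMPLE)
    if rejected:
        print("rejected tokens (not two uppercase letters):", rejected)
    print(json.dumps(to_firewall_rule(codes), indent=2))
```

Review any rejected tokens by hand before importing, since a mistyped code in the `@pm` list means that country is not covered by the rule.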