Applicable to:
- Plesk for Linux
Question
How to change 'IP to Country Lite database' to MaxMind as a source for blocking countries in Plesk Firewall
Answer
Follow these steps to switch to MaxMind or change its license key.
- Connect to the server over SSH.
- Edit /usr/local/psa/admin/conf/panel.ini:
  # vi /usr/local/psa/admin/conf/panel.ini
- Add the following lines depending on the version to use and save the file:
  - GeoLite2 DB (free)
    [ext-firewall]
    geoipDataSource = maxmind-lite
  - GeoIP2 DB (paid)
    [ext-firewall]
    geoipDataSource = maxmind
- Run this command on the terminal once:
  Note: Replace "<license_key>" with the MaxMind license key.
  # LICENSE_KEY="<license_key>" plesk sbin modules/firewall/ipsets --configure --data-source maxmind-lite --force
  This may result in warnings like the following. They can be ignored as long as their return code is 0:
  ipset v7.11: Set cannot be destroyed: it is in use by a kernel component
- Reapply the configuration using Plesk Firewall.
To switch back to DB-IP (db-ip-lite data source), remove the geoipDataSource line from panel.ini and reapply the Plesk Firewall configuration.
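The panel.ini edit from the steps above, as an added shell example that is not part of the original article or of Plesk's own tooling. The function names are hypothetical; the file path, section name, key name and accepted values are the ones the article gives. It replaces an existing value instead of appending a duplicate key and keeps a .bak copy of the file.

```sh
#!/bin/sh
# Added example: idempotent edit of [ext-firewall] in panel.ini.
# Function names are hypothetical; path, section and key come from the article.
PANEL_INI="/usr/local/psa/admin/conf/panel.ini"

# set_geoip_source VALUE [FILE]
# Writes "geoipDataSource = VALUE" directly under [ext-firewall], dropping any
# older value in that section and creating the section when it is missing.
set_geoip_source() {
    value=$1
    file=${2:-$PANEL_INI}
    case $value in
        maxmind|maxmind-lite) ;;                      # the two values the article lists
        *) echo "unsupported data source: $value" >&2; return 2 ;;
    esac
    [ -f "$file" ] || : > "$file"
    cp -p "$file" "$file.bak" || return 1             # keep a copy to roll back to
    awk -v val="$value" '
        /^[ \t]*\[/ {                                 # any section header
            in_sec = ($0 ~ /^[ \t]*\[ext-firewall\]/)
            print
            if (in_sec && !done) { print "geoipDataSource = " val; done = 1 }
            next
        }
        in_sec && /^[ \t]*geoipDataSource[ \t]*=/ { next }   # drop the old value
        { print }
        END { if (!done) { print "[ext-firewall]"; print "geoipDataSource = " val } }
    ' "$file.bak" > "$file"
}

# unset_geoip_source [FILE]
# Removes the key so the firewall falls back to the db-ip-lite data source.
unset_geoip_source() {
    file=${1:-$PANEL_INI}
    [ -f "$file" ] || return 0
    cp -p "$file" "$file.bak" || return 1
    awk '
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[ext-firewall\]/) }
        in_sec && /^[ \t]*geoipDataSource[ \t]*=/ { next }
        { print }
    ' "$file.bak" > "$file"
}
# After either call, run the ipsets command from the article (when switching to
# MaxMind) and reapply the Plesk Firewall configuration.
```

Lines that are commented out with ";" and keys in other sections are left untouched.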
PPP-60724
Comments
Would be great if we could use our own up-to-date GeoIP.dat and GeoIPv6.dat files. Just like we do with ModSecurity.
I tried everything as described, and we didn't find a solution in the Plesk Facebook Community either. Today I tried again on another server, Debian 11.9 Plesk version 18.0.60. I did the following via ssh:
root@pfof1 ~ # nano /usr/local/psa/admin/conf/panel.ini
root@pfof1 ~ # LICENSE_KEY=xxx plesk sbin modules/firewall/ipsets --configure --data-source maxmind-lite --force
curl: (22) The requested URL returned error: 401
Command '['/usr/local/psa/admin/sbin/modules/firewall/geoip/maxmind-lite', '--fetch']' returned non-zero exit status 22.
exit status 1
Following the instructions, step 3 fails with lots of error messages like "GeoLite2-Country-Blocks-IPv6.csv:...: expected 6 columns but found 7 - extras ignored". (And similar messages for the IPv4 file.)
Checking "/opt/psa/admin/sbin/modules/firewall/geoip/maxmind-lite", it appears that MaxMind has added an additional column named "is_anycast", which is not expected in the script file and leads to the error.
It seems the import error can be fixed by adding the additional column "is_anycast TEXT" in the "CREATE TABLE" statements for "blocks_ipv4" and "blocks_ipv6".