Question
How to change 'IP to Country Lite database' to MaxMind as a source for blocking countries in Plesk Firewall
Answer
To switch to a MaxMind data source or change its license key, apply the following steps:
1. Connect to the server via SSH
2. Open /usr/local/psa/admin/conf/panel.ini with any suitable text editor, 'vi' for example:
# vi /usr/local/psa/admin/conf/panel.ini
Add the following lines and save the file:
[ext-firewall]
geoipDataSource = maxmind-lite
3. Run the following command once in the shell:
# LICENSE_KEY="your_license_key_here" plesk sbin modules/firewall/ipsets --configure --data-source maxmind-lite --force
Note: Replace "your_license_key_here" with your actual MaxMind license key.
Note: The command might emit warnings like the one below; they can be ignored as long as the return code is 0:
ipset v7.11: Set cannot be destroyed: it is in use by a kernel component
4. Then use the Plesk Firewall (UI or CLI) to re-apply the configuration.
The instructions above use the free GeoLite2 DB. If you have access to the more precise paid GeoIP2 DB and want to use it instead, change maxmind-lite to maxmind in the steps above.
To change back to DB-IP (db-ip-lite data source), simply remove the geoipDataSource line from panel.ini and (re-)apply the Plesk Firewall configuration.
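Steps 2 and 3 as a repeatable script, added here as an example and not Plesk's own tooling: set_geoip_source rewrites the [ext-firewall] key idempotently (an empty value removes it, for switching back to DB-IP), and configure_ipsets runs the step 3 command and fails only on a non-zero return code. The function names and the key-file path are assumptions.

```sh
#!/bin/sh
# Added example (not Plesk tooling). Function names and the key-file path are assumptions.

# set_geoip_source FILE VALUE
#   Ensures "[ext-firewall]" contains exactly one "geoipDataSource = VALUE".
#   An empty VALUE removes the line, which switches back to the default DB-IP source.
set_geoip_source() {
    ini=$1 value=$2
    [ -f "$ini" ] || : > "$ini"                  # panel.ini may not exist yet
    tmp=$(mktemp "${ini}.XXXXXX") || return 1
    awk -v val="$value" '
        /^[ \t]*\[/ {                            # any section header
            insec = ($0 ~ /^[ \t]*\[ext-firewall\][ \t]*$/)
            print
            if (insec && !written && val != "") {
                print "geoipDataSource = " val   # write the key right under the header
                written = 1
            }
            next
        }
        insec && /^[ \t]*geoipDataSource[ \t]*=/ { next }   # drop any previous value
        { print }
        END {                                    # section was missing: append it
            if (!written && val != "") {
                print "[ext-firewall]"
                print "geoipDataSource = " val
            }
        }
    ' "$ini" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$ini" && rm -f "$tmp"          # overwrite in place, keeping owner and mode
}

# configure_ipsets SOURCE KEYFILE
#   Step 3. Reads the license key from KEYFILE (e.g. a root-only file, chmod 600)
#   so it is not typed into shell history. Warnings are tolerated; only a
#   non-zero return code counts as failure.
configure_ipsets() {
    [ -r "$2" ] || return 2
    rc=0
    LICENSE_KEY=$(cat "$2") plesk sbin modules/firewall/ipsets \
        --configure --data-source "$1" --force || rc=$?
    [ "$rc" -eq 0 ] || echo "ipsets --configure failed with return code $rc" >&2
    return "$rc"
}

# Usage on the server (step 4, re-applying the firewall configuration, is still manual):
#   set_geoip_source /usr/local/psa/admin/conf/panel.ini maxmind-lite
#   configure_ipsets maxmind-lite /root/.maxmind_license_key
```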
Comments
Would be great if we could use our own up-to-date GeoIP.dat and GeoIPv6.dat files. Just like we do with ModSecurity.
I tried everything as described, and we didn't find a solution in the Plesk Facebook Community either. Today I tried again on another server, Debian 11.9 Plesk version 18.0.60. I did the following via ssh:
root@pfof1 ~ # nano /usr/local/psa/admin/conf/panel.ini
root@pfof1 ~ # LICENSE_KEY=xxx plesk sbin modules/firewall/ipsets --configure --data-source maxmind-lite --force
curl: (22) The requested URL returned error: 401
Command '['/usr/local/psa/admin/sbin/modules/firewall/geoip/maxmind-lite', '--fetch']' returned non-zero exit status 22.
exit status 1
Following the instructions, step 3 fails with lots of error messages like "GeoLite2-Country-Blocks-IPv6.csv:...: expected 6 columns but found 7 - extras ignored". (And similar messages for the IPv4 file.)
Checking "/opt/psa/admin/sbin/modules/firewall/geoip/maxmind-lite", it appears that MaxMind has added an additional column named "is_anycast", which is not expected in the script file and leads to the error.
It seems the import error can be fixed by adding the additional column "is_anycast TEXT" in the "CREATE TABLE" statements for "blocks_ipv4" and "blocks_ipv6".