Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Blocking a range of IPs in CSF?

Discussion in 'Security' started by 247forever, Nov 10, 2017.

  1. 247forever

    247forever Registered

    Joined:
    Nov 10, 2017
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hi

    Seeking opinions on the advisability of blocking some countries by range on a webserver in the csf deny. The server itself is high-powered with lots of resources.

    We are setting up a new server specifically for domestic sites. We have config server installed, and have some tight rules in cphulk as well.

    But of course we can see that the logs are filling up with blocks from some of the usual suspects.

    We use project honeypot and several of the lfd blocklists already, although the benefits are hard to quantify (one can only hope....).

    We were thus thinking to just block some ranges in csf deny, and one question that immediately comes to mind is impact on serving sites, and server resources although as noted this server is well allocated in that respect. Obviously as looking to block foreign ranges such traffic is not an issue for the sites that will be placed on this server.

    Just wanted to canvass for opinions and we thank in advance all who respond.
     
  2. Muhammed Fasal

    Muhammed Fasal Active Member

    Joined:
    Aug 9, 2017
    Messages:
    40
    Likes Received:
    3
    Trophy Points:
    8
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hi,

    If you need to whitelist or block a range of IP addresses using CSF, it can be done, but you need to use the CIDR format.

    For example, to block 192.168.0.0 to 192.168.0.255 you would add 192.168.0.0/24 to the blocked list.

    If you are unsure how to convert a range of IP’s to CIDR, I find the following site helpful. You enter the starting IP, and ending IP, and it will create the CIDR entries for you.

    IP to CIDR online converter

    You will likely receive better support on the CSF application from their support forums found at:

    ConfigServer Community Forum - Index page
     
    247forever likes this.
  3. Tearabite

    Tearabite Well-Known Member

    Joined:
    Nov 28, 2010
    Messages:
    56
    Likes Received:
    9
    Trophy Points:
    58
    Location:
    Southern California
    cPanel Access Level:
    Root Administrator
    We block thousands of individual IPs and ranges (CIDRs) and even several countries using CC_DENY which adds thousands of more ranges, with virtually 0 impact on resource usage.
     
    247forever likes this.
  4. 247forever

    247forever Registered

    Joined:
    Nov 10, 2017
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    This is one of the matters we were concerned about - resource usage. We thought there would be minimal impact but its great to get some third party thoughts and your input is appreciated. The other issue we potentially foresee is site loading time as the deny files are parsed but we will do some a/b testing and if we find anything notable we will advise.

    You know, we forgot about CC_Deny option in the config serv setting as we have not had past occasion to use it or custom lists at the server level (LF_GLOBAL) as all our servers had a mixed bag of customers (so we did such blocks at the .htaccess level typically, or guided them to use the cpanel options for simple blocks). So this was a great reminder that the option(s) is there and we are feeling a little silly for not remembering it given how many thousands of times we have been through the configserv settings panel.....


    Thank you for your responses although this info we already knew - its simply that in the past we typically blocked at the website level via .htaccess files and wanted a better global solution. In respect of the ConfServ form we did think about posting at it but thought why not here first as these forums are very active.

    In the spirit of contributing, for anyone reading some sites we find handy for determining range blocks and other useful info:

    CIPB - Create Country ACL
    IP Address Ranges by Country
    https://dev.maxmind.com/geoip/geoip2/geolite2/

    Sometimes they will produce different results for the same query, which one can compare.
     
  5. MickFlorence

    MickFlorence Registered

    Joined:
    Nov 14, 2017
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    India
    cPanel Access Level:
    Website Owner
    CSF should be efficient enough to filter the traffics by IP address range. You could give it a try.

    If you need IP address list by country in multiple firewall formats, you can export it free from Block Visitors by Country | IP2Location

    Good luck!
     
Loading...

Share This Page