
Blocking visitors from certain countries

Discussion in 'Security' started by Mugoma, Oct 2, 2016.

  1. Mugoma

    Mugoma Member

    We are seeing increased brute force attacks. These attacks are coming from particular countries, for which we have no clients.

    We spend valuable time every day having to blacklist these IPs. This is time wasted.

    To save time, is it possible to block visitors/users from these countries once?
     
  2. linux4me2

    linux4me2 Well-Known Member

    Yes, you can do it with GeoIP lookup. You don't say what platform you're using, but if you are running Apache and mod_security, here's what you can do:
    1. Download the latest MaxMind GeoLite2 Country database in legacy format (the binary gzip one).
    2. Unzip the file, and upload it to your server. You can put it wherever you like; e.g., /usr/share/GeoIP.
    3. Log on to WHM, and go Security Center -> ModSecurity Configuration.
    4. Scroll down to the Geolocation Database section, and enter the path to the GeoIP.dat file you uploaded. If you used the file location above, it would be: /usr/share/GeoIP/GeoIP.dat
    5. Scroll down and Save your changes.
    That adds an IP-to-country-code database to your server. MaxMind updates their database on the first Tuesday of each month, so you should set a reminder to download the database once a month and update the copy on your server to keep it up-to-date.

    Next, you need to add a custom ModSecurity rule to block the countries you want to exclude. You should look up their two-character country codes and enter them in the following, replacing the "XX"s with the countries you want to block:
    Code:
    # Test IP address and block by country code
    SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:1,drop,log,msg:'Blocking %{geo.country_code}'"
    SecRule GEO:COUNTRY_CODE "@pm XX XX XX"
    
    Note: The "id" must be a unique number, but unless you have added other custom rules, "1" should be available. If not, change it to a number between 1-99,999, the range reserved for local use. The "drop" tells ModSecurity to immediately close the TCP connection when it detects one of the countries you've chosen to block.
    1. Go Security Center -> ModSecurity Tools -> Rules List -> Add Rule.
    2. Paste your edited rule in the Rule Text box.
    3. Check the box for "Deploy and Restart Apache".
    4. Click "Save".
    That's it. The rule is written so it will leave a message in your Hits List in ModSecurity when it blocks a country you've chosen.
     
  3. Mugoma

    Mugoma Member

    I probably phrased the title wrongly.

    Actually, what we need is to protect against brute force attempts on cPanel, but we realise the instructions provided are for protecting Apache (mod_security).

    We already have a module for automatically blocking brute force against Apache.

    To my understanding Apache and cPanel run differently - different ports, etc.

    Will the instructions provided also protect brute force against cPanel?
     
  4. Mugoma

    Mugoma Member

    From the information logged by cpHulk, it's able to identify the country from which a brute force attempt is coming.

    Can cpHulk be configured to automatically block logins from certain countries? This will save time spent blacklisting IPs from those countries.
     
  5. keat63

    keat63 Well-Known Member

    If you have CSF installed, then you can block countries quite easily using the country code.
    However, bear in mind that this will also block legitimate traffic like DNS, so if you are going to use this method, don't block the USA and Europe; otherwise, you might start to see issues, e.g., GoogleBot.
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    There are no native features to automatically blacklist countries with cPHulk at this time. Feel free to open a feature request for this via:

    Submit A Feature Request

    In the meantime, the previous suggestion regarding the ability to block countries with CSF is a viable solution.

    Thank you.
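
The CSF country blocking recommended in the last two posts, as an added configuration example that is not part of any post in the thread. It shows the broad setting next to a port-scoped one that covers only the cPanel, WHM and Webmail login ports; XX and YY are placeholder country codes, and the port list assumes the default cPanel service ports.

```ini
# /etc/csf/csf.conf (excerpt) - added example, not from the thread.
# XX and YY are placeholders for two-letter ISO 3166-1 country codes.

# --- Broad form ----------------------------------------------------
# Drops ALL inbound traffic from the listed countries on every port.
# This is the form the DNS / crawler caveat in the thread applies to.
# CC_DENY = "XX,YY"

# --- Port-scoped form ----------------------------------------------
# Leave the global deny list empty and deny the listed countries only
# on the ports where the brute force logins arrive.
CC_DENY = ""
CC_DENY_PORTS = "XX,YY"

# Assumed default ports:
#   2082/2083 cPanel, 2086/2087 WHM, 2095/2096 Webmail
CC_DENY_PORTS_TCP = "2082,2083,2086,2087,2095,2096"
CC_DENY_PORTS_UDP = ""
```

After saving the file, reload the firewall rules with `csf -r`. Web, mail and DNS ports stay reachable from the listed countries in the port-scoped form, so only the control panel logins are affected.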
     