This assumes you already have CSF installed and set up properly. If so, open the configuration in WHM (WHM > Plugins > ConfigServer Security & Firewall > Firewall Configuration) or over SSH with vi /etc/csf/csf.conf
The setting you are looking for is CC_ALLOW_FILTER.
First, you will want to get a list of ISO Country Codes to allow.
For example, if you only wanted United States, Canada, Great Britain, Australia, and Mexico to be whitelisted, you would specify:
US,CA,GB,AU,MX
This downloads a list of IP ranges belonging to those countries, adds them to a whitelist, and denies everything else, that is, all other countries' IP ranges. So India will not be able to connect to your server, Russia will not be able to connect, etc.
Once you have changed this in your configuration, don't forget to restart your firewall to apply the new configuration.
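The edit described above can be scripted so that a typo in the country list never reaches the live config. This is an added example, not code from the original post or from CSF itself; the helper names (valid_cc_list, get_setting, set_cc_allow_filter) and the sample file are constructed for illustration, and it assumes the KEY = "value" line format that csf.conf uses.

```bash
#!/usr/bin/env bash
# Added example: helper names and the sample file are constructed for illustration.

# Succeeds only for a comma-separated list of two-letter upper-case codes.
valid_cc_list() {
    case $1 in *[!A-Z,]*) return 1 ;; esac   # rejects spaces, newlines, lower case
    printf '%s\n' "$1" | grep -Eq '^[A-Z]{2}(,[A-Z]{2})*$'
}

# get_setting FILE KEY: print the value of a KEY = "value" line.
get_setting() {
    sed -n 's/^'"$2"' *= *"\(.*\)"[[:space:]]*$/\1/p' "$1" | head -n 1
}

# set_cc_allow_filter FILE LIST: validate, back up, then rewrite only that line.
set_cc_allow_filter() {
    cc_conf=$1
    cc_list=$2
    valid_cc_list "$cc_list" || { echo "invalid country list: $cc_list" >&2; return 2; }
    grep -q '^CC_ALLOW_FILTER *=' "$cc_conf" || { echo "CC_ALLOW_FILTER not in $cc_conf" >&2; return 3; }
    if [ -n "$(get_setting "$cc_conf" CC_ALLOW)" ]; then
        # Per the csf.conf warning, CC_ALLOW opens every port to those countries.
        echo "warning: CC_ALLOW is set and bypasses port rules" >&2
    fi
    cp -p "$cc_conf" "$cc_conf.bak" || return 4
    # cc_list holds only A-Z and commas here, so it is safe inside the sed script.
    sed 's/^CC_ALLOW_FILTER *=.*/CC_ALLOW_FILTER = "'"$cc_list"'"/' "$cc_conf.bak" > "$cc_conf"
}

# Demo on a constructed excerpt; on a real server FILE would be /etc/csf/csf.conf.
sample=$(mktemp)
cat > "$sample" <<'EOF'
CC_DENY = ""
CC_ALLOW = ""
CC_ALLOW_FILTER = ""
EOF
set_cc_allow_filter "$sample" "US,CA,GB,AU,MX" && get_setting "$sample" CC_ALLOW_FILTER
rm -f "$sample" "$sample.bak"
```

On the real file, allow your own admin IP with csf -a before restarting with csf -r, so your session is not filtered out if its address is not attributed to one of the listed countries.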


Sweet! Now I can block China like Google’s gonna. Whoops…should I have said that?
This is pretty cool. Is there an opposite way of blacklisting countries commonly attempting to hack the server? You know…like Romania?
Curious about what this would do to my existing hosting clientele, but I don’t know if they’d praise me for blocking those common scam countries or if they’d think I’m being too controlling.
Hey Will,
Yeah, you can use CC_DENY to blacklist specific countries the same way.
So I just started using the CC_DENY the problem there is say with Maracco or however it is spelled (MA) has too many IP ranges. I just got a FLOOD about 70 separate IP addresses that attempted to access root. (maybe not knowing is better but nonetheless). I had 5 countries blacklisted and it was unable to keep track of all of those ranges now because there were so many in MA. I want to try the allow but the description warns against it because it said it will allow all ports and therefore is pretty useless:
Exactly it states:
# Warning: CC_ALLOW allows access through all ports in the firewall. For this
# reason CC_ALLOW probably has very limited use
Here is the entire warning around this function.
# Country Code to CIDR allow/deny. In the following two options you can allow
# or deny whole country CIDR ranges. The CIDR blocks are generated from the
# Maxmind GeoLite Country database http://www.maxmind.com/app/geolitecountry
# and entirely relies on that service being available
#
# Specify the the two-letter ISO Country Code(s). The iptables rules are for
# incoming connections only
#
# Warning: These lists are never 100% accurate and some ISP’s (e.g. AOL) use
# non-geographic IP address designations for their clients
#
# Warning: Some of the CIDR lists are huge and each one requires a rule within
# the incoming iptables chain. This can result in significant performance
# overheads and could render the server inaccessible in some circumstances. For
# this reason (amongst others) we do not recommend using these options
#
# Warning: Due to the resource constraints on VPS servers this feature should
# not be used on such systems unless you choose very small CC zones
#
# Warning: CC_ALLOW allows access through all ports in the firewall. For this
# reason CC_ALLOW probably has very limited use
#
For now, you could put this in your /etc/csf/csf.deny:
I was looking into the CC allow/deny a little while ago as I was considering setting up a GeoLocked server for shoutcast streaming, eg only allows UK users to connect to stream (due to licensing laws technically speaking PRS only covers the UK so if someone outside the UK starts listening the station isn’t paying copyright etc which is a concern for some customers)
But when I was looking at it it looked like it might cause problems :/
What would be the most effective way to lock down a server so only UK users (and also pref a list of other IPs which I can manually allow) can access the server and connect to the SC streams on it?
@Dan,
You can use CC_ALLOW_FILTER="GB", then manually allow the IPs using csf -a, that would be the most effective way.
I have been searching for this information and finally found it. Thanks!
I was actually looking for this resource a few weeks back. Thanks for sharing with us your wisdom. This is absolutely going to help me in my projects.