Enable Geographical Blocks¶
Geographical blocks let you deny (blacklist) or allow (whitelist) every IP range registered to a country, managed from within ConfigServer Firewall (CSF). The country-to-range mapping comes from a third-party database that CSF downloads and turns into iptables rules.
Getting Started¶
CSF lets you choose which data source feeds its country-code (CC_*) features. By default CSF uses db-ip (together with ipdeny and iptoasn), but you can pick either of the following:

- MaxMind. The databases are free, but you must sign up for an account and generate a license key before they can be downloaded. Some users report that the MaxMind databases are slightly more accurate than db-ip. If you choose this provider, you must set MM_LICENSE_KEY in csf.conf.
    - Advantages: a one-stop shop for all of the databases these features require, giving a consistent dataset for both blocking and reporting.
    - Disadvantages: MaxMind require a license key to download their databases. The key is free of charge, but you must create an account on their website to generate it.
- db-ip, ipdeny, iptoasn.
    - Advantages: the ipdeny.com databases used for CC blocking are better optimised, so they are quicker to process and create fewer iptables entries. All three databases are free to download without a login or key.
    - Disadvantages: three separate sources mean that any one of them could interrupt these features, and the data may be inconsistent between them.
Performance Impact
Whichever source you use, be aware of how many countries you allow or deny. Every country adds a block of iptables rules, and those rules are rebuilt each time you start or restart CSF, so a long list makes CSF noticeably slower to start. This is most pronounced with MaxMind, whose databases produce more iptables entries than the ipdeny data.
To change which database is used for geo blocking, open your csf.conf config file and locate the setting CC_SRC. If you have the ConfigServer WebUI enabled, the same setting can be changed from the CSF admin WebUI.
Using MaxMind¶
To configure MaxMind as your geo source, register an account on their website.
Once logged in, select Manage License Keys from the left-hand menu.
In the middle of that page you can generate a new license key. MaxMind displays the key only once, at the moment it is generated, so copy it straight away.
After the license key is generated, go back to csf.conf and add it to MM_LICENSE_KEY (if you are using the CSF WebUI, the setting is on the Firewall Configuration page). Treat the key as a credential: anyone who holds it can download databases against your account.
Next, install MaxMind's GeoIP Update utility (geoipupdate), which downloads the IP address databases. The tool keeps GeoIP2 and GeoLite2 databases current: it connects to the MaxMind GeoIP Update server, checks whether a newer database is available and, if so, downloads and installs it. Note that when CC_SRC is set to MaxMind, CSF fetches the GeoLite2 CSV databases itself using MM_LICENSE_KEY; geoipupdate maintains the binary .mmdb editions for other software on the host and is not what CC_DENY / CC_ALLOW read.
A full set of instructions can also be found in MaxMind's geoipupdate documentation.
Warning
If outbound traffic is filtered, the update needs DNS (port 53, TCP and UDP) and HTTPS (port 443/TCP) allowed outbound. In CSF that means 53 must appear in TCP_OUT and UDP_OUT and 443 in TCP_OUT.
First, install geoipupdate from your distribution's package repository.
Once it is installed, and with a license key generated on the MaxMind website, create the configuration file /etc/GeoIP.conf.
Add the configuration to your newly created /etc/GeoIP.conf. After you paste it, you must replace the following values with your own:
AccountID
LicenseKey
The file now contains your license key, so restrict it to root (mode 0600).
After you have created the config, run the geoipupdate program. The commands differ depending on whether you want to specify where the downloaded databases are placed; the arguments are listed below. In our example we run geoipupdate and download the databases to the path /var/lib/csf/Geo/.
Argument | Description
---|---
-d, --database-directory | Install databases to a custom directory. Optional. If provided, it overrides the DatabaseDirectory value from the configuration file and the GEOIPUPDATE_DB_DIR environment variable.
-f, --config-file | The configuration file to use. See GeoIP.conf and its documentation for more information. Optional. Defaults to the environment variable GEOIPUPDATE_CONF_FILE if it is set, or CONFFILE otherwise.
--parallelism | Set the number of parallel database downloads.
-h, --help | Display help and exit.
--stack-trace | Show a stack trace on any error message. Primarily useful for debugging.
-V, --version | Display version information and exit.
-v, --verbose | Enable verbose mode. Prints out the steps that geoipupdate takes. If provided, it overrides any GEOIPUPDATE_VERBOSE environment variable.
-o, --output | Output download/update results in JSON format.
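The MaxMind procedure above (install, write /etc/GeoIP.conf, run geoipupdate into /var/lib/csf/Geo/) as one script. This is an added example written for this page, not code from CSF or MaxMind. It assumes the distribution package is called geoipupdate (Debian/Ubuntu, or EPEL on RHEL-family systems), that the credentials arrive in two hypothetical environment variables MM_ACCOUNT_ID and MM_LICENSE_KEY, and that the three free GeoLite2 editions are wanted. The GeoIP.conf keys (AccountID, LicenseKey, EditionIDs, DatabaseDirectory) and the -f/-d/-v flags are MaxMind's own.

```shell
#!/bin/sh
# Added example, not CSF's or MaxMind's code. Usage as root:
#   MM_ACCOUNT_ID=123456 MM_LICENSE_KEY=... sh geoip-setup.sh apply
set -eu

GEOIP_CONF="${GEOIP_CONF:-/etc/GeoIP.conf}"
GEO_DIR="${GEO_DIR:-/var/lib/csf/Geo}"   # path used in the page's example

# Render the GeoIP.conf contents. EditionIDs are the free GeoLite2 editions;
# DatabaseDirectory is where geoipupdate writes the .mmdb files by default.
render_geoip_conf() {
    account_id="$1"
    license_key="$2"
    printf 'AccountID %s\nLicenseKey %s\nEditionIDs GeoLite2-Country GeoLite2-City GeoLite2-ASN\nDatabaseDirectory %s\n' \
        "$account_id" "$license_key" "$GEO_DIR"
}

# Refuse placeholders so a copy-pasted template never reaches MaxMind.
validate_credentials() {
    case "$1" in ''|*[!0-9]*) echo "AccountID must be numeric" >&2; return 1;; esac
    case "$2" in ''|YOUR_LICENSE_KEY) echo "LicenseKey not set" >&2; return 1;; esac
    return 0
}

# Package names are an assumption: Debian/Ubuntu ship geoipupdate directly,
# RHEL-family systems get it from EPEL.
install_geoipupdate() {
    if command -v apt-get >/dev/null 2>&1; then
        apt-get install -y geoipupdate
    elif command -v dnf >/dev/null 2>&1; then
        dnf install -y epel-release && dnf install -y geoipupdate
    else
        echo "install geoipupdate manually for this distribution" >&2; return 1
    fi
}

# The file holds a credential: create it 0600, owned by root.
write_geoip_conf() {
    validate_credentials "$1" "$2"
    umask 077
    render_geoip_conf "$1" "$2" > "$GEOIP_CONF"
    chmod 600 "$GEOIP_CONF"
}

# Run the update (flags from the argument table) and confirm every edition landed.
update_and_verify() {
    mkdir -p "$GEO_DIR"
    geoipupdate -f "$GEOIP_CONF" -d "$GEO_DIR" -v
    for ed in GeoLite2-Country GeoLite2-City GeoLite2-ASN; do
        [ -s "$GEO_DIR/$ed.mmdb" ] || { echo "missing $ed.mmdb" >&2; return 1; }
    done
}

if [ "${1:-}" = "apply" ]; then
    install_geoipupdate
    write_geoip_conf "${MM_ACCOUNT_ID:?set MM_ACCOUNT_ID}" "${MM_LICENSE_KEY:?set MM_LICENSE_KEY}"
    update_and_verify
fi
```

Schedule update_and_verify from cron (the Debian package installs a weekly job of its own) so the databases do not go stale; a stale country database silently widens or narrows your blocks.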
Using db-ip, ipdeny, iptoasn¶
This is the second source you can pick within CSF for geographical blocking. When first tried for this guide it worked out of the box: no configuration changes, no extra packages and no license key were required.
Allow / Deny Countries¶
After completing the steps above, you can allow or deny specific countries; CSF builds and manages the resulting firewall rules.
Pick your preferred method:
Manage with csf.conf¶
Open your csf.conf file in a text editor and locate the following settings:
CC_DENY
CC_ALLOW
Each takes a comma-separated list of ISO 3166-1 alpha-2 country codes. In our example we deny China, whose code is CN, and allow the United States, Great Britain and Germany (US, GB and DE). To specify multiple countries, separate the codes with a comma.
Our rules above mean:

Setting | Countries | Description
---|---|---
CC_DENY | CN (China) | Denied countries: cannot access our server
CC_ALLOW | US, GB, DE (United States, Great Britain, Germany) | Allowed countries: can access our server

Be careful with CC_ALLOW: it lets the listed countries through the firewall regardless of port restrictions, much like an entry in csf.allow, and it does not restrict access to only those countries. If what you want is an allow list that denies everyone else, use CC_ALLOW_FILTER instead. Remember also that these lists match on registered IP ranges, so traffic through a VPN, proxy or cloud host in an allowed country is not caught.
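An added example, not CSF's own tooling, that applies the csf.conf settings discussed above (CC_SRC from the Getting Started section, CC_DENY and CC_ALLOW from this section) with some checks, then performs the restart from the Restart CSF section. It assumes the standard path /etc/csf/csf.conf, GNU sed (for -i), the CC_SRC values "1" for MaxMind and "2" for db-ip/ipdeny/iptoasn as documented in csf.conf, and the csf -ra restart-all option.

```shell
#!/bin/sh
# Added example, not part of CSF. Usage as root: sh cc-lists.sh apply
set -eu

CSF_CONF="${CSF_CONF:-/etc/csf/csf.conf}"

# Accept only upper-case ISO 3166-1 alpha-2 codes, comma separated ("US,GB,DE").
# An empty list is valid: it means the setting is unused.
valid_cc_list() {
    [ -z "$1" ] && return 0
    printf '%s' "$1" | grep -Eq '^[A-Z]{2}(,[A-Z]{2})*$'
}

# Read the current value of KEY = "value" from csf.conf.
get_csf_value() {
    sed -n "s|^$1 = \"\(.*\)\"|\1|p" "$2"
}

# Replace a KEY = "..." line in place. Fails if the key is absent so a typo
# in a setting name cannot silently add a line CSF will ignore.
set_csf_value() {
    key="$1"; value="$2"; conf="$3"
    grep -Eq "^$key = \"" "$conf" || { echo "$key not found in $conf" >&2; return 1; }
    sed -i "s|^$key = \".*\"|$key = \"$value\"|" "$conf"
}

# CC_SRC "1" = MaxMind (needs MM_LICENSE_KEY), "2" = db-ip, ipdeny, iptoasn.
set_cc_source() {
    src="$1"; conf="$2"
    case "$src" in 1|2) ;; *) echo "CC_SRC must be 1 or 2" >&2; return 1;; esac
    if [ "$src" = 1 ] && [ -z "$(get_csf_value MM_LICENSE_KEY "$conf")" ]; then
        echo "CC_SRC=1 requires MM_LICENSE_KEY to be set first" >&2; return 1
    fi
    set_csf_value CC_SRC "$src" "$conf"
}

# Validate both lists, refuse a code present in both, back up, then write.
apply_country_lists() {
    deny="$1"; allow="$2"; conf="$3"
    valid_cc_list "$deny"  || { echo "bad CC_DENY: $deny" >&2; return 1; }
    valid_cc_list "$allow" || { echo "bad CC_ALLOW: $allow" >&2; return 1; }
    for cc in $(printf '%s' "$deny" | tr ',' ' '); do
        case ",$allow," in *",$cc,"*) echo "$cc is in both lists" >&2; return 1;; esac
    done
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"
    set_csf_value CC_DENY  "$deny"  "$conf"
    set_csf_value CC_ALLOW "$allow" "$conf"
}

if [ "${1:-}" = "apply" ]; then
    set_cc_source 2 "$CSF_CONF"                       # db-ip, ipdeny, iptoasn
    apply_country_lists "CN" "US,GB,DE" "$CSF_CONF"   # the page's example lists
    csf -ra   # restart firewall rules, then lfd, so the new lists are built
fi
```

The overlap check matters because CC_ALLOW and CC_DENY are independent lists, and a country accidentally present in both leaves you guessing which rule wins. Keep the backup until the first restart has succeeded; CSF will not start with a malformed csf.conf.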
Manage with CSF WebUI¶
Sign into the ConfigServer WebUI.
Select the CSF tab, scroll down and select Firewall Configuration, then in the dropdown box at the top of the page select Country Code Lists and Settings.
Enter the same values as in the csf.conf example: CN in CC_DENY and US,GB,DE in CC_ALLOW.
Below is an animated gif showing the steps.
Once you have modified your country values, scroll to the very bottom and press the Change button.
Restart CSF¶
After you have allowed or denied your desired countries, give CSF a full restart using the restart-all option (-ra).
This restarts the firewall rules (csf) and then the lfd daemon. Both csf and then lfd must be restarted after any change to the configuration files, because the country rules are only rebuilt when csf starts.