Enable Geographical Blocks¶
Geographical blocks allow you to blacklist or whitelist an entire country from accessing your services from within ConfigServer Firewall.
Getting Started¶
CSF allows you to pick which service you want to use for geographical blocks. By default, CSF uses db-ip, but you have the option to pick any of the following:
Maxmind-
This service is free, but it requires you to sign up for an account and generate an API key in order to use the services. Some have reported that Maxmind databases are slightly more accurate than db-ip.
If you choose this provider; you must fill out
MM_LICENSE_KEYwithin thecsf.conf.Advantages: This is a one stop shop for all of the databases required for these features. They provide a consistent dataset for blocking and reporting purposes
Disadvantages: MaxMind require a license key to download their databases. This is free of charge, but requires the user to create an account on their website to generate the required key.
db-ip, ipdeny, iptoasn-
Advantages: The ipdeny.com databases form CC blocking are better optimised and so are quicker to process and create fewer iptables entries. All of these databases are free to download without requiring login or key
Disadvantages: Multiple sources mean that any one of the three could interrupt the provision of these features. It may also mean that there are inconsistences between them
Performance Impact
If using MaxMind, be aware of how many countries you allow / deny from accessing your server. The more countries you add, the more rules that will be added to CSF. These rules will be loaded every time you start or restart CSF; and may cause CSF to take longer-than-normal times to boot.
To change which database is used for geo blocking; open your CSF's csf.conf config file and locate the setting CC_SRC. If you have the ConfigServer WebUI enabled; you can access these settings from the CSF Admin WebUI.
# 2. DB-IP, ipdeny.com, iptoasn.com
#
# Advantages: The ipdeny.com databases form CC blocking are better optimised
# and so are quicker to process and create fewer iptables entries. All of these
# databases are free to download without requiring login or key
#
# Disadvantages: Multiple sources mean that any one of the three could
# interrupt the provision of these features. It may also mean that there are
# inconsistences between them
#
# https://db-ip.com/db/lite.php
# http://ipdeny.com/
# https://iptoasn.com/
# http://download.geonames.org/export/dump/readme.txt
# Set the following to your preferred source:
#
# "1" - MaxMind
# "2" - db-ip, ipdeny, iptoasn
#
# The default is "2" on new installations of csf, or set to "1" to use the
# MaxMind databases after obtaining a license key
CC_SRC = "2"
Using MaxMind¶
To configure MaxMind as your specified geo service; you must go to their website and register an account.
Once you have your account, on the left side; select Manage License Keys.
In the middle of the page, you should be able to generate a license key:
After the license key is generated, you must go back to your csf.conf and add the License key to your config. If you are using the CSF WebUI:
Next, you must install MaxMind's GeoIpUpdater utility which is what will download the IP address databases. This tool automatically updates GeoIP2 and GeoLite2 databases. The program connects to the MaxMind GeoIP Update server to check for new databases. If a new database is available, the program will download and install it.
A full set of instructions can also be found at:
Warning
If you are using a firewall, you must have the DNS and HTTPS ports open.
First, install:
Once installed make sure you have a License key generated on the maxmind website, you will then need to create a new file in /etc/:
Add the following code to your newly created /etc/GeoIP.conf. After you paste the code below; you must change the following values:
AccountIDLicenseKey
# Please see https://dev.maxmind.com/geoip/updating-databases?lang=en for
# instructions on setting up geoipupdate, including information on how to
# download a pre-filled GeoIP.conf file.
# Replace YOUR_ACCOUNT_ID_HERE and YOUR_LICENSE_KEY_HERE with an active account
# ID and license key combination associated with your MaxMind account. These
# are available from https://www.maxmind.com/en/my_license_key.
AccountID 1000101
LicenseKey ABC1234_56af7s8dshF53Ha_abck
# Enter the edition IDs of the databases you would like to update.
# Multiple edition IDs are separated by spaces.
EditionIDs GeoLite2-ASN GeoLite2-City GeoLite2-Country
# The remaining settings are OPTIONAL.
# The directory to store the database files. Defaults to /usr/share/GeoIP
# DatabaseDirectory /usr/share/GeoIP
# The server to use. Defaults to "updates.maxmind.com".
# Host updates.maxmind.com
# The proxy host name or IP address. You may optionally specify a
# port number, e.g., 127.0.0.1:8888. If no port number is specified, 1080
# will be used.
# Proxy 127.0.0.1:8888
# The user name and password to use with your proxy server.
# ProxyUserPassword username:password
# Whether to preserve modification times of files downloaded from the server.
# Defaults to "0".
# PreserveFileTimes 0
# The lock file to use. This ensures only one geoipupdate process can run at a
# time.
# Note: Once created, this lockfile is not removed from the filesystem.
# Defaults to ".geoipupdate.lock" under the DatabaseDirectory.
# LockFile /usr/share/GeoIP/.geoipupdate.lock
# The amount of time to retry for when errors during HTTP transactions are
# encountered. It can be specified as a (possibly fractional) decimal number
# followed by a unit suffix. Valid time units are "ns", "us" (or "µs"), "ms",
# "s", "m", "h".
# Defaults to "5m" (5 minutes).
# RetryFor 5m
# The number of parallel database downloads.
# Defaults to "1".
# Parallelism 1
After you have created the above config; you need to launch the geoipupdate app. Multiple commands are provided below depending on if you want to specify where you placed your downloaded databases. A list of arguments are also provided. In our example, we are going to start geoipupdate and download the databases to the path /var/lib/csf/Geo/.
| Argument | Description |
|---|---|
-d, --database-directory |
Install databases to a custom directory. This is optional. If provided, it overrides the DatabaseDirectory value from the configuration file and the GEOIPUPDATE_DB_DIR environment variable. |
-f, --config-file |
The configuration file to use. See GeoIP.conf and its documentation for more information. This is optional. It defaults to the environment variable GEOIPUPDATE_CONF_FILE if it is set, or CONFFILE otherwise. |
--parallelism |
Set the number of parallel database downloads. |
-h, --help |
Display help and exit. |
--stack-trace |
Show a stack trace on any error message. This is primarily useful for debugging. |
-V, --version |
Display version information and exit. |
-v, --verbose |
Enable verbose mode. Prints out the steps that geoipupdate takes. If provided, it overrides any GEOIPUPDATE_VERBOSE environment variable. |
-o, --output |
Output download/update results in JSON format. |
Using db-ip, ipdeny, iptoasn¶
This is the second option you can pick within CSF for Geographical blocking. When initially tried, it worked right out of box. It required no modifications, no packages to be installed, and no license keys.
Allow / Deny Countries¶
After you've completed the steps above; you can now whitelist or blacklist specific countries from accessing your server and will be managed through your ConfigServer Firewall.
Pick your preferred method:
Manage with csf.conf¶
Open up your csf.conf file in a text editor and locate the following settings:
CC_DENYCC_ALLOW
# In the following options, specify the the two-letter ISO Country Code(s).
# The iptables rules are for incoming connections only
#
# Additionally, ASN numbers can also be added to the comma separated lists
# below that also list Country Codes. The same WARNINGS for Country Codes apply
# to the use of ASNs. More about Autonomous System Numbers (ASN):
# http://www.iana.org/assignments/as-numbers/as-numbers.xhtml
# ASNs must be listed as ASnnnn (where nnnn is the ASN number)
#
# You should consider using LF_IPSET when using any of the following options
#
# WARNING: These lists are never 100% accurate and some ISP's (e.g. AOL) use
# non-geographic IP address designations for their clients
#
# WARNING: Some of the CIDR lists are huge and each one requires a rule within
# the incoming iptables chain. This can result in significant performance
# overheads and could render the server inaccessible in some circumstances. For
# this reason (amongst others) we do not recommend using these options
#
# WARNING: Due to the resource constraints on VPS servers this feature should
# not be used on such systems unless you choose very small CC zones
#
# WARNING: CC_ALLOW allows access through all ports in the firewall. For this
# reason CC_ALLOW probably has very limited use and CC_ALLOW_FILTER is
# preferred
#
# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
CC_DENY = ""
CC_ALLOW = ""
In our example, we will blacklist the country China, which uses the abbreviation CN. To do so; our config will look like the following:
To specify multiple countries; add a comma , delimiter between each country.
Our rules above mean:
| Setting | Countries | Description |
|---|---|---|
CC_DENY |
China |
Blacklisted countries: cannot access our server |
CC_ALLOW |
United States Great Britain Germany |
Whitelisted countries: can access our server |
Manage with CSF WebUI¶
Sign into the ConfigServer WebUI.
Select the tab CSF, scroll down and select Firewall Configuration, and then in the top dropdown box in the middle of the page, select Country Code Lists and Settings.
We will add the following to each setting:
Below is an animated gif showing the steps.
Once you have modified your country values; scroll to the very bottom and press the Change button.
Restart CSF¶
After you have whitelisted / blacklisted your desired countries; give CSF a restart:
Restart firewall rules (csf) and then restart lfd daemon. Both csf and then lfd should be restarted after making any changes to the configuration files