• Our team is looking to connect with folks who use email services provided by Plesk, or a premium service. If you'd like to be part of the discovery process and share your experiences, we invite you to complete this short screening survey. If your responses match the persona we are looking for, you'll receive a link to schedule a call at your convenience. We look forward to hearing from you!
  • We are looking for U.S.-based freelancer or agency working with SEO or WordPress for a quick 30-min interviews to gather feedback on XOVI, a successful German SEO tool we’re looking to launch in the U.S.
    If you qualify and participate, you’ll receive a $30 Amazon gift card as a thank-you. Please apply here. Thanks for helping shape a better SEO product for agencies!
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.

Resolved Block specific countries through Plesk

O

othmaqsa

Regular Pleskian
Server operating system version
Ubuntu 20.04.6 LTS
Plesk version and microupdate number
Version 18.0.51
Hello,

I want to block few countries through Plesk via ModSec. I have read the documentation in this url: https://support.plesk.com/hc/en-us/articles/12377285410839

If I apply the Workaround 2, the Website hosted in the server will be unavailable in the blocked countries, right ?

Thank you.
 
The database is only a collection of IP addresses and their association with a country code. This is an independent database. The data from the database is applied to a ModSecurity rule. Where the rule applies depends on the ModSecurity version you are using. When you want ModSecurity to work with Nginx, you will need version 3.0, for Apache you need to select version 2.9. This does not depend on the geoip database.
 
Peter Debik said:
The database is only a collection of IP addresses and their association with a country code. This is an independent database. The data from the database is applied to a ModSecurity rule. Where the rule applies depends on the ModSecurity version you are using. When you want ModSecurity to work with Nginx, you will need version 3.0, for Apache you need to select version 2.9. This does not depend on the geoip database.
Click to expand...
Got it.

I use already ModSec 3.0 + Nginx + OWASP.

I'll try this night to install Geo2ip lite database and configure it with ModSec.

Thanks.
 
Hello @Peter Debik ,

When I try to save the custom directives in ModSec, this error occur:

Invalid ModSecurity configuration: nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /etc/nginx/modsecurity.d/main.conf. Line: 6. Column: 44. Expecting an action, got: Include /etc/nginx/modsecurity.d/rules.conf in /etc/nginx/conf.d/modsecurity.conf:6 nginx: configuration file /etc/nginx/nginx.conf test failed

Any idea please ?
 
Well, you'll need to check what is in line 6, column 44 or right before or right behind that.
 
@Peter Debik , I have checked this file /etc/nginx/modsecurity.d/main.conf but I see nothing in Line 6
 

Attachments

  • Screenshot from 2023-04-04 11-03-57.png
    Screenshot from 2023-04-04 11-03-57.png
    27.7 KB · Views: 22
@Peter Debik , I have tried again, I can't save this Custom directives in ModSecurity.

I use Nginx + ModSec 3.0 + OWASP . Maybe this Workaround II work only for Apache ?
 

Attachments

  • Screenshot from 2023-04-04 12-21-56.png
    Screenshot from 2023-04-04 12-21-56.png
    74.1 KB · Views: 12
For the files I think the include is seen expanded, so you'd need to investigate further down in the included files. Regarding Nginx ModSecurity 3.0: This can be considered experimental. I am not sure if it indeed works with the rules. I think it should, but have not tested it.

Plesk is in the process or creating a general geo IP blocking feature, so maybe, if you want to save some time and it is not too urgent for you, it will be an option to just wait on that feature to be released. It is planned for 2023 and it is already being worked on.
 
Peter Debik said:
For the files I think the include is seen expanded, so you'd need to investigate further down in the included files. Regarding Nginx ModSecurity 3.0: This can be considered experimental. I am not sure if it indeed works with the rules. I think it should, but have not tested it.

Plesk is in the process or creating a general geo IP blocking feature, so maybe, if you want to save some time and it is not too urgent for you, it will be an option to just wait on that feature to be released. It is planned for 2023 and it is already being worked on.
Click to expand...
Okay, I'll wait so.

Do I need to uninstall Geo2ip lite database PACKAGE or I can keep it ?
 
That's merely unpacked files, not a system service. So it should not matter whether they are there or not unless they are addressed by any software. If there is no software that uses them, they can be removed.
 
Peter Debik said:
For the files I think the include is seen expanded, so you'd need to investigate further down in the included files. Regarding Nginx ModSecurity 3.0: This can be considered experimental. I am not sure if it indeed works with the rules. I think it should, but have not tested it.

Plesk is in the process or creating a general geo IP blocking feature, so maybe, if you want to save some time and it is not too urgent for you, it will be an option to just wait on that feature to be released. It is planned for 2023 and it is already being worked on.
Click to expand...
Hello @Peter Debik ,

Sincerely, it's urgent now. I receive a lot of fake comments each day from a lot of IPs based in Russia/ China.

If I solve this, no bad bots from Russia and China can access to my site.

Can you confirm in the last post that the documentation apply for Plesk Obsidian ?
 
Peter Debik said:
Yes, it applies to Plesk Obsidian.
Click to expand...
Got it.

I have successfully configured this in my server. All work as expected.

If I want to combine multiple ISO CODE (Countries) in 1 function, is it possible ? I have tried with , and space, but it doesn't work.

Code: 
if ($geoip2_data_country_code = "XX") {
        return 403;
}
 
Apparently, i must run a weekly update for geoipupdate, so I need to create a cron tab.

This cron tab below is correct ?

Code: 
# top of crontab

[email protected]

0 12 * * 3 geoipupdate

# end of crontab
 
If I want to combine multiple ISO CODE (Countries) in 1 function, is it possible ? I have tried with , and space, but it doesn't work.
Click to expand...
Nginx does not support logical "or". Your best bet is to let the first if-section follow by another for the other country code. But: Nginx has issues with "if" in general, so it could lead to crashes. If is Evil… when used in location context | NGINX

I think the cron entry is correct, but maybe you need to add the full path to geoipupdate.
 
You must log in or register to reply here.

Similar threads

X
Question Blocked IP and Country ISO Code
Replies
3
Views
382
XTech
X
majdi draouil
Question How to Block Direct IP Access and Ensure All Traffic Routes Through Cloudflare
Replies
1
Views
598
Raul A.
R
M
Issue Let's Encrypt Bulk Domain Renewal
Replies
4
Views
505
MacGyver
M
O
Question Plesk Firewall Version 2.2.3-449 and GeoLite2
Replies
3
Views
1K
Sebahat.hadzhi
Sebahat.hadzhi
M
Question Wordpress admin using plesk preview
Replies
1
Views
509
Raul A.
R
Back
Top