Resolved Block specific countries through Plesk

[Peter Debik]

Looks good.

 

[othmaqsa]

Nginx does not support logical "or". Your best bet is to let the first if-section follow by another for the other country code. But: Nginx has issues with "if" in general, so it could lead to crashes. If is Evil… when used in location context | NGINX

If I use the function multiple times, each time, for 1 country, like:

if ($geoip2_data_country_code = "COUNTRY 1") {
        return 403;
}

if ($geoip2_data_country_code = "COUNTRY 2") {
        return 403;
}

etc...

It's not a problem, right ?

 

[Peter Debik]

I do not know. How could I predict what will happen on your system? What keeps you from testing it?

 

[othmaqsa]

I do not know. How could I predict what will happen on your system? What keeps you from testing it?

@Peter Debik
when I asked you the question, I had already tested it and there was no problem.

I just wanted to make sure if the code structure was good since you told me that NGINX and IF can cause problems.

As for the test, I always do it. Then I ask questions just to check, that's how we learn.

Thank you anyway.

 

[Peter Debik]

Well that "if" think in Nginx seems to be some weird stuff. According to their own documentation, when used in the "location" context the outcome is unpredictable, meaning that sometimes it will do something right, sometimes it will crash the whole server.

 

[mudassarkhan]

For the files I think the include is seen expanded, so you'd need to investigate further down in the included files. Regarding Nginx ModSecurity 3.0: This can be considered experimental. I am not sure if it indeed works with the rules. I think it should, but have not tested it.

Plesk is in the process or creating a general geo IP blocking feature, so maybe, if you want to save some time and it is not too urgent for you, it will be an option to just wait on that feature to be released. It is planned for 2023 and it is already being worked on.

Hi Peter, thanks for the info. Is there an further update on the ETA for this blocking?
My website chat is inundated with visitors from suspect countries.

 

[Kaspar]

@mudassarkhan you can use the Plesk firewall (if you run Plesk version 18.0.52 or newer) to block countries.

 

[mudassarkhan]

@mudassarkhan you can use the Plesk firewall (if you run Plesk version 18.0.52 or newer) to block countries.

I tied this after using some other guides. However when I used a vpn to access the website as a blocked country, the website still worked. Perversely, I could not access my 8443 panel from that country!

 

[Kaspar]

The Plesk firewall uses the DB-IP "IP to Country Lite" database from DB-IP. You can user their website (db-ip.com) to do a lookup on the IP address used by your VPN to see if it matches the country in their database. If not, you might want to switch to the MaxMind IP database (either the free or paid version) as they offer a more reliable (up to date) IP database.

 

[mudassarkhan]

Thanks, although it successfully blocks me from logging in to my plesk panel as it identifies my IP as a blocked location! I have left the firewall and rules running for now and will see what happens.

 

[othmaqsa]

Hello,

I can see now in this url https://support.plesk.com/hc/en-us/...r-whitelist-specific-countries-through-Plesk- , that I can block a country, using directly the Firewall.

Can I use the Firewall to block country for incoming traffic for the mail or it will work only with the Websites ?

Thank you.

 

[Peter Debik]

@othmaqsa Answered in your other thread: Question - Plesk Firewall

 

[othmaqsa]

@othmaqsa Answered in your other thread: Question - Plesk Firewall

Hello @Peter Debik ,

I know very well that the order of the rules in the firewall is important.

Just to confirm, can I apply this, for example ?
1- Deny connections on a specific port number.
2- Deny connections from specific IPs on a specific port number.
3- Allow connections on a specific port number.
4- Allow specific IPs to connect to specific ports.

Regarding this default rule 'System policy for incoming traffic' and this rule 'System policy for traffic forwarding', should be placed at the top in case the priority mentioned above is correct ?

Thanks.

 

[Peter Debik]

If you're talking about the same port number, the above mentioned list would block or allow all before the specific cases are processed. For that case you'll need to switch positions of the specific and general entries. If your entries are meant for different ports, the order is o.k.

 

[othmaqsa]

If you're talking about the same port number, the above mentioned list would block or allow all before the specific cases are processed. For that case you'll need to switch positions of the specific and general entries. If your entries are meant for different ports, the order is o.k.

You can now mark this thread as resolved.

Thank you @Peter Debik