How to block a Country using CSF Firewall

If you are having own VPS or Dedicated server, you will be getting “N” number of hacking attempt from unauthorized country (Hackers country). The best option to secure linux server use the “CSF” firewall to do it. In CSF firewall you can block any country to access your website. For example if you want to block china, use the Two digit country code to block it.
To block country from “CSF” firewall, for this you need to login shell.

1) How to open the csf config file

Use your favourite text editor to open the csf config file.

[email protected] [~]# nano /etc/csf/csf.conf

Output of csf config file

Open CSF main configuration file “/etc/csf/csf.conf” and find CC_DENY = “”, you will see like below

# SECTION:Country Code Lists and Settings
###############################################################################
# Country Code to CIDR allow/deny. In the following two options you can allow
# or deny whole country CIDR ranges. The CIDR blocks are generated from the
# Maxmind GeoLite Country database http://www.maxmind.com/app/geolitecountry
# and entirely relies on that service being available
#
# Specify the the two-letter ISO Country Code(s). The iptables rules are for
# incoming connections only
#
# WARNING: These lists are never 100% accurate and some ISP's (e.g. AOL) use
# non-geographic IP address designations for their clients
#
# WARNING: Some of the CIDR lists are huge and each one requires a rule within
# the incoming iptables chain. This can result in significant performance
# overheads and could render the server inaccessible in some circumstances. For
# this reason (amongst others) we do not recommend using these options
#
# WARNING: Due to the resource constraints on VPS servers this feature should
# not be used on such systems unless you choose very small CC zones
#
# WARNING: CC_ALLOW allows access through all ports in the firewall. For this
# reason CC_ALLOW probably has very limited use and CC_ALLOW_FILTER is
# preferred
#
# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
CC_DENY = ""
CC_ALLOW = ""

# An alternative to CC_ALLOW is to only allow access from the following
# countries but still filter based on the port and packets rules. All other
# connections are dropped
CC_ALLOW_FILTER = ""

# This option allows access from the following countries to specific ports
# listed in CC_ALLOW_PORTS_TCP and CC_ALLOW_PORTS_UDP
#
# Note: The rules for this feature are inserted after the allow and deny
# rules to still allow blocking of IP addresses

2) How to add hackers country

Just add the Two digit country code to “CC_DENY” line by separate comma if you want to add more then one country. To get country code list Click Here

CC_DENY = "CN,PK,NG,BD,IR,KZ,BY"

3) How to restart csf

Use the below command to reload/restart the CSF configuration

# csf -r
DROP  all opt -- in !lo out *  216.245.221.90  -> 0.0.0.0/0
DROP  all opt -- in * out !lo  0.0.0.0/0  -> 216.245.221.90
DROP  all opt -- in !lo out *  201.207.197.134  -> 0.0.0.0/0
ACCEPT  icmp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0  icmp type 3
ACCEPT  icmp opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0  icmp type 11
LOCALOUTPUT  all opt    in * out !lo  ::/0  -> ::/0
LOCALINPUT  all opt    in !lo out *  ::/0  -> ::/0

Magesh Maruthamuthu

Love to play with all Linux distribution

You may also like...

Shares
Close
Please support the site
By clicking any of these buttons you help our site to get better