How to Block a Whole Country Via CSF

If you notice a lot of visits to your web site from places you don't do business or if you see a lot of blocked attempts to hack into your server from certain countries, you might find it useful to attempt to block traffic from those places using your server firewall manager. If you use the popular ConfigServer Firewall (CSF), you can set up such a block quite easily.

Considerations

Before you begin, there are a few things you should consider before implementing a country-wide block in CSF.

  1. Blocking an entire country is not an exact science: This feature works by blocking a list of IP addresses that are believed to currently resolve to locations within a specific country. IP address ranges can and do move periodically, and the list of IPs is only as good as how carefully and frequently it gets updated. You could end up accidentally blocking some traffic from other countries or letting through some traffic from the target country.
  2. Blocking an entire country may have unintended consequences for your website: You never know when you might miss out on an opportunity because someone cannot get through to your site. Whether it is an expat looking for a little slice of home, or a foreign media site looking to do a piece about you, those people won't be able to see your site and will move on.
  3. Blocking a lot of IPs can slow down access to your server. When you implement a block like this there is a lot of work CSF needs to do every time an IP attempts to access your server. For just a few IP blocks your server will likely be fine, but when you start blocking entire countries the IP list gets quite long and your server may not be able to keep up with the load. This will slow down access for everyone to your server, not just stop those from a target country. In fact, if you set up a block for too many IPs you may completely overwhelm your server altogether and end up stopping all traffic.
  4. Hackers have means that regular users do not: Hackers can often easily get around a block by this by using VPN connections or a network of infected devices from other countries.
  5. If you do decide to block an entire country, consider making the block temporary: If you're getting a lot of bad traffic from a particular location, try blocking it for a while and then lifting the block after a bit of time has passed. The hackers or bad traffic may have moved on to easier targets.

If you're still intent on implementing a country-wide block via CSF, read on.

Implementing a Block

This article assumes you already have a supported server with CSF installed and the web interface configured on your server platform.

The screenshots in this article show CSF from within WHM (cPanel), but the UI should look similar on all supported platforms.

If you prefer to forego working in the web interface, you could always manually edit the csf.conf file and restart CSF from the command line.

  1. Log in and access CSF on your platform of choice.
  2. You can click the CSF tab at the top of the page or scroll down the list of options from the main interface until you find the Firewall Configuration button. Click it.
    Click on the Firewall Configuration Button in CSF
  3. The CSF configuration file is enormous, so rather than hunting manually for the section we are interested in, select Country Code Lists and Settings from the drop-down list near the top of the screen. This will automatically show only the section that we need.
    Select Country Code Lists and Settings from the Drop-Down List at the Top of the Screen
  4. First you need to decide what IP geolocation services you want to use. If you want to use MaxMind's GeoIP Lite service (this is what CSF used to use exclusively), you now need to register for a free license. You can register here. Once you have a license key (be aware you will only be shown this license key one time, when you first sign up for it), enter the key into the MM_License_Key field. Leave this field blank if you don't want to use MaxMind's service.
    Enter your MaxMind GeoIP License in the MM_LICENSE_KEY field if you Want to use This Service
  5. Now you need to tell CSF which geolocation service to use. Enter the number 1 to use MaxMind (only do this if you've entered the license key in step 4) or enter the number 2 to use three different currently free services (no license required). If in doubt, set CC_SRC to 2.
    Enter 2 to use the Free Geolocation Services or 1 to use Max Mind if You've Entered a Valid License in the Previous Step

  6. Next, look for CC_DENY:
    Enter a Comma Separated List of ISO Country Codes in the CC_DENY field
  7. Enter a comma separated list of ISO country codes into that field.
  8. When you are done, scroll all the way to the bottom of the page and click the Change button to apply your changes to the csf.conf file.
    Click the Change Button at the Bottom of the Screen
  9. Finally, click the Restart csf+lfd button to immediately implement the changes you just made.

Testing the Changes

The only reliable way to test your block is to try to access your site from an IP within the range you just blocked.

  • There are a lot of inexpensive VPN services these days and they may have VPNs in one of the countries you are trying to block. If so, connect to a VPN in the country you are trying to block and then try visiting your website. If you can't get through then the block is working.
  • There are also a number of web-based proxy or site testing services that can try to access your website from a variety of different locations and show you the results.