If you are having own VPS or Dedicated server, you will be getting “N” number of hacking attempt from unauthorized country (Hackers country). The best option to secure linux server use the “CSF” firewall to do it. In CSF firewall you can block any country to access your website. For example if you want to block china, use the Two digit country code to block it.
To block country from “CSF” firewall, for this you need to login shell.
1) How to open the csf config file
Use your favourite text editor to open the csf config file.
root@2daygeek [~]# nano /etc/csf/csf.conf
Output of csf config file
Open CSF main configuration file “/etc/csf/csf.conf” and find CC_DENY = “”, you will see like below
# SECTION:Country Code Lists and Settings
###############################################################################
# Country Code to CIDR allow/deny. In the following two options you can allow
# or deny whole country CIDR ranges. The CIDR blocks are generated from the
# Maxmind GeoLite Country database http://www.maxmind.com/app/geolitecountry
# and entirely relies on that service being available
#
# Specify the the two-letter ISO Country Code(s). The iptables rules are for
# incoming connections only
#
# WARNING: These lists are never 100% accurate and some ISP's (e.g. AOL) use
# non-geographic IP address designations for their clients
#
# WARNING: Some of the CIDR lists are huge and each one requires a rule within
# the incoming iptables chain. This can result in significant performance
# overheads and could render the server inaccessible in some circumstances. For
# this reason (amongst others) we do not recommend using these options
#
# WARNING: Due to the resource constraints on VPS servers this feature should
# not be used on such systems unless you choose very small CC zones
#
# WARNING: CC_ALLOW allows access through all ports in the firewall. For this
# reason CC_ALLOW probably has very limited use and CC_ALLOW_FILTER is
# preferred
#
# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
CC_DENY = ""
CC_ALLOW = ""
# An alternative to CC_ALLOW is to only allow access from the following
# countries but still filter based on the port and packets rules. All other
# connections are dropped
CC_ALLOW_FILTER = ""
# This option allows access from the following countries to specific ports
# listed in CC_ALLOW_PORTS_TCP and CC_ALLOW_PORTS_UDP
#
# Note: The rules for this feature are inserted after the allow and deny
# rules to still allow blocking of IP addresses
2) How to add hackers country
Just add the Two digit country code to “CC_DENY” line by separate comma if you want to add more then one country. To get country code list Click Here
CC_DENY = "CN,PK,NG,BD,IR,KZ,BY"
3) How to restart csf
Use the below command to reload/restart the CSF configuration
# csf -r DROP all opt -- in !lo out * 216.245.221.90 -> 0.0.0.0/0 DROP all opt -- in * out !lo 0.0.0.0/0 -> 216.245.221.90 DROP all opt -- in !lo out * 201.207.197.134 -> 0.0.0.0/0 ACCEPT icmp opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 icmp type 3 ACCEPT icmp opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 icmp type 11 LOCALOUTPUT all opt in * out !lo ::/0 -> ::/0 LOCALINPUT all opt in !lo out * ::/0 -> ::/0
wey good, but the CC_DENY not support on my CFS . whats the matter?
i need your helps.
so thanks 🙂