Are you trying to block countries in the CSF firewall?
This guide is for you.
ConfigServer Firewall, also known as CSF, is a firewall configuration script created to provide better security for your server while giving you an advanced, easy-to-use interface for managing firewall settings.
It also comes with a service called Login Failure Daemon, or LFD.
You can use it to block traffic by countries for the websites hosted on WHM & cPanel.
However, errors can arise while allowing/blocking countries using the CSF firewall.
In this context, we shall look into how to block countries in the CSF firewall.
How to allow/deny countries in CSF firewall?
CSF is mainly used to secure the server, and it manages the firewall via both the command line and a frontend.
It also helps to block/allow countries on the user's server.
The CSF configuration file has options to block/allow the IP ranges of different countries.
CSF identifies each country to allow/deny by its country code.
We help our customers allow a country access to their server using the CC_ALLOW directive in the CSF configuration file:
CC_ALLOW = ""
Similarly, we help deny a country's IP ranges via the CC_DENY directive in the CSF configuration file:
CC_DENY = ""
In both cases, we add the codes of the countries to be blocked/allowed between the quotation marks, separating each code with a comma.
Finally, we restart the CSF service so that the changes take effect.
Here is the command we run to restart the CSF service:
In this way we can allow/deny countrywide IP ranges on the server.
How to fix issues relating to allowing/blocking the countries using CSF firewall?
Here at Ibmi Media, we focus on managing servers for our customers who might face problems while blocking countries in CSF.
Now, let's see how our Support Experts fix errors related to countrywide IP address blocking or allowing.
Recently one of our customers approached us with an error that occurred while allowing all countries to the server.
The CSF configuration file has a section called “Country Code Lists and Settings”, which is edited to allow/deny whole countrywide CIDR ranges.
These CIDR blocks are obtained from selected sources and those sources display details of Country Code, Country, and City for reported IP addresses and lookups.
There are a number of sources for these databases; CSF mostly uses either MaxMind or the combination of DB-IP, ipverse.net and iptoasn.com.
We can switch between these sources by setting CC_SRC = "1" or CC_SRC = "2" (1 uses MaxMind; 2 uses DB-IP, ipverse.net and iptoasn.com).
By default, CSF uses CC_SRC = "1", i.e. MaxMind, as they provide a consistent dataset for blocking and reporting purposes.
But since 2019-12-29, MaxMind asks users to create an account on their site and generate a license key to use their databases.
This results in blocking the countrywide IP ranges. So when blocking countrywide IP ranges in the firewall, we check the CC_SRC setting as well.
If it is set to CC_SRC = "1", we ask the customer to create an account on the MaxMind site. Alternatively, we change the source to DB-IP, ipverse.net and iptoasn.com by changing the CC_SRC value to 2, i.e. CC_SRC = "2".
In new firewall installations this is set to CC_SRC = "2" by default. An older firewall might still be using the MaxMind databases.
So it is better to set CC_SRC = "2" and use DB-IP, ipverse.net and iptoasn.com when blocking countrywide IPs.
Here are the different methods we use to edit the CSF firewall configuration file.
How to modify the configuration file via WHM?
i. First, we log in to the WHM.
ii. We then select ConfigServer Security & Firewall under the Plugins option at the left of the WHM interface.
iii. Thereafter we locate CSF – ConfigServer Firewall and click Firewall Configuration.
iv. Now the configuration file opens. Here we search for Country Code Lists and Settings.
v. Then we change the CC_SRC value to 2.
How to modify the firewall configuration file via Terminal?
Another method to edit the configuration file is via Terminal.
i. For that, first, we log in to the server.
ii. Next, we open the configuration file by running the below command:
iii. Here we search for Country Code Lists and Settings and change the CC_SRC value to 2.
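A check that can be run after either edit and before restarting CSF, as an added example that is not code from CSF or from this guide: it reads a csf.conf-style file and reports CC_SRC = "1" with no MaxMind license key, an unexpected CC_SRC value, and malformed entries in CC_DENY/CC_ALLOW. It assumes two-letter country codes and the MM_LICENSE_KEY setting name, neither of which appears on this page; conf_get and audit_cc are hypothetical helper names.

```sh
#!/bin/sh
# Added example: lint the country-code settings of a csf.conf-style file.
# Assumed (not stated on this page): KEY = "value" syntax, two-letter
# country codes, and MM_LICENSE_KEY as the setting holding the MaxMind key.

# conf_get FILE KEY: print the last value assigned to KEY, skipping comments.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" |
        tail -n 1
}

# audit_cc FILE: print one finding per line; return 1 if anything was found.
audit_cc() {
    conf=$1; rc=0
    src=$(conf_get "$conf" CC_SRC)
    case $src in
        1) [ -n "$(conf_get "$conf" MM_LICENSE_KEY)" ] ||
               { echo "CC_SRC=1 (MaxMind) but MM_LICENSE_KEY is empty"; rc=1; } ;;
        2) ;;
        *) echo "CC_SRC is '$src', expected 1 or 2"; rc=1 ;;
    esac
    old_ifs=$IFS; IFS=,; set -f      # split lists on commas, no globbing
    for name in CC_DENY CC_ALLOW; do
        for code in $(conf_get "$conf" "$name"); do
            case $code in
                [A-Za-z][A-Za-z]) ;;
                *) echo "$name: '$code' is not a two-letter code"; rc=1 ;;
            esac
        done
    done
    IFS=$old_ifs; set +f
    return $rc
}

# Constructed sample input, not a real server's configuration.
sample=$(mktemp)
cat > "$sample" <<'EOF'
CC_DENY = "DE,FRA"
CC_ALLOW = ""
CC_SRC = "1"
MM_LICENSE_KEY = ""
EOF
audit_cc "$sample" || echo "fix the findings above before restarting CSF"
rm -f "$sample"
```

On a server, pass the path of the CSF configuration file to audit_cc instead of the sample; a list entry with a stray space, such as "DE, FR", is reported as malformed.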