Using CSF firewall to block countries

Are you trying to block countries in the CSF firewall?

This guide is for you.

ConfigServer Firewall, also known as CSF, is a firewall configuration script created to provide better security for your server while giving you an advanced, easy to use interface for managing firewall settings.

It also comes with a service called Login Failure Daemon, or LFD.

You can use it to block traffic by countries for the websites hosted on WHM & cPanel.

However, errors can arise while allowing/blocking countries using the CSF firewall.

Here at Ibmi Media, as part of our Server Management Services, we regularly help our Customers to block countrywide in CSF.

In this context, we shall look into how to block countries in the CSF firewall.

How to allow/deny countries in CSF firewall ?

CSF firewall is mainly used to ensure security to the server and it manages the firewall via command line and frontend.

Also, it helps to block/allow countries on the user's server.

In the CSF configuration file, there exists an option to block/allow an IP range of different countries.

Using the country code, CSF easily handles allow/deny of countries in CSF.

We help our customers to allow a country to their server using ‘CC_ALLOW‘ in the CSF configuration file:


Similarly, we help to deny the IP range countrywide via the directive ‘CC_DENY‘ in the CSF configuration file:

CC_DENY = ""

In both cases, we have to add the corresponding code of the countries to be blocked/allowed within the inverted comma. Note that, we can separate each code by a comma.

Finally, we restart the CSF service so that the changes we made reflect. 

Here is the command we run to restart the CSF service:

csf -r

Hence we can allow/deny the countrywide IP ranges in the server.

How to  fix issues relating to allowing/blocking the countries using CSF firewall?

Here at Ibmi Media, We focus on managing servers for our customers who might face problems while blocking countries in CSF.

Now, let's see how our Support Experts fix errors related to countrywide IP address blocking or allowing.

Recently one of our customers approached us with an error that occurred while allowing all countries to the server.

There was a section in the CSF configuration file called “Country Code Lists and Settings” which is to be tweaked to allow/deny whole countrywide CIDR ranges.

These CIDR blocks are obtained from selected sources and those sources display details of Country Code, Country, and City for reported IP addresses and lookups.

There are a number of sources for these databases and mostly CSF uses “MAXMIND” and “DB-IP, ipverse.net, iptoasn.com”.

We can switch between these of our preferred sources by tweaking CC_SRC = “1” or CC_SRC = “2”.(1 uses Maxmind, 2. uses DB-IP, ipverse.net, iptoasn.com)

By default, CSF uses CC_SRC = “1” i.e “Maxmind” as they provide a consistent dataset for blocking and reporting purposes.

But from 2019-12-29, “Maxmind” requests to create an account on their site to generate a license key to use their databases.

This results in blocking the countrywide IP ranges. So while blocking the countrywide IP ranges from the firewall, we ensure the “CC_SRC” setting as well.

If it is set to CC_SRC = “1” then we ask the customer to create an account in “Maxmind site”. Or we change the source to “DB-IP, ipverse.net, iptoasn.com” by changing the CC_SRC value to “2” (i.e) CC_SRC = “2”.

In new firewall installations by default, this was set to “CC_SRC = “2”. If it was an older firewall then it might be using Maxmind databases.

So, it was better to set “CC_SRC = “2” to use “DB-IP, ipverse.net, iptoasn.com” while blocking countrywide IP’s.

Here are the different methods we help to edit the CSF firewall configuration file.

How to modify the configuration file via WHM ?

i. First, we log in to the WHM.

ii. We then select the ConfigServer Security & Firewall under the Plugins option at the left end of the WHM interface.

iii. Thereafter we traced CSF – ConfigServer Firewall and then click Firewall Configuration.

iv. Now the configuration file opens. Here we search for Country Code Lists and Settings.

v. Then we change the CC_SRC value to 2.

How to modify firewall configuration file via Terminal?

Another method to edit the configuration file is via Terminal.

i. For that, first, we log in to the server.

ii. Next, we open the configuration file by running the below command:

vi /etc/csf/csf.conf

iii. Here we search for Country Code Lists and Settings and change the CC_SRC value to 2.

[Still having the problem with countrywide allow or deny IP ranges in CSF?- We're available 24/7 to help you. ]


This article will guide you on how to block/allow countries in the CSF #firewall. CSF is used to restrict or allow countrywide IP ranges in the server using the country codes. For every country you want to deny, you just enter those letters in the field (separated by a comma). Once you're done, scroll to the bottom of the page and click CHANGE. This will restart the firewall, and you're now all set to go.

ConfigServe Firewall (#CSF) is a firewall configuration script created to provide better security for your server while giving you an easy to use and advanced interface for managing your #firewall settings in cPanel servers.

To limit the ability to connect on a specific port or ports to visitors with IP addresses originating in a specific country or countries, you must:

1. close the ports in the firewall.

2. define the country code allowed to connect on those blocked ports.

3. specify the blocked #ports to be opened for the specified country.