Bobcares

How to block countries in CSF firewall – Let’s figure it out

by | Feb 15, 2021

Wondering how to block countries in the CSF firewall? We can help you with it.

ConfigServer Firewall(CSF) is a security Plugin. It helps to block traffic by countries for the websites hosted on WHM & cPanel.

However, errors can arise while allowing/blocking countries using the CSF firewall.

Here at Bobcares, we often get requests from our customers to block countrywide in CSF as part of our Server Management Services.

Today, let’s see how our Support Engineers block countries in the CSF firewall.

 

How to allow/deny countries in CSF firewall

CSF firewall is mainly used to ensure security to the server and it manages the firewall via command line and frontend.

Also, it helps to block/allow countries on the user’s server.

In the CSF configuration file, there exists an option to block/allow an IP range of different countries.

Using the country code, CSF easily handles allow/deny of countries in CSF.

We help our customers to allow a country to their server using ‘CC_ALLOW‘ in the CSF configuration file.

CC_ALLOW = ""

Similarly, we help to deny the IP range countrywide via the directive ‘CC_DENY‘ in the CSF configuration file.

CC_DENY = ""

In both cases, we have to add the corresponding code of the countries to be blocked/allowed within the inverted comma. Note that, we can separate each code by a comma.

Finally, we restart the CSF service so that the changes we made reflect. Here is the command we run to restart the CSF service.

csf -r

Hence we can allow/deny the countrywide IP ranges in the server.

 

How we fix issues relating to allowing/blocking the countries using CSF firewall.

At Bobcares, where we have more than a decade of expertise in managing servers, we see many customers face problems while blocking countries in CSF.

Now, let’s see how our Support Engineers fix errors related to countrywide IP address blocking or allowing.

Recently one of our customers approached us with an error that occurred while allowing all countries to the server.

Here is the error message that he was receiving.

How to block countries in CSF firewall

 

There was a section in the CSF configuration file called “Country Code Lists and Settings” which is to be tweaked to allow/deny whole countrywide CIDR ranges.

These CIDR blocks are obtained from selected sources and those sources display details of Country Code, Country, and City for reported IP addresses and lookups.

There are a number of sources for these databases and mostly CSF uses “MAXMIND” and “DB-IP, ipverse.net, iptoasn.com”.

We can switch between these of our preferred sources by tweaking CC_SRC = “1” or CC_SRC = “2”.(1 uses Maxmind, 2. uses DB-IP, ipverse.net, iptoasn.com)

By default, CSF uses CC_SRC = “1” i.e “Maxmind” as they provide a consistent dataset for blocking and reporting purposes.

But from 2019-12-29, “Maxmind” requests to create an account on their site to generate a license key to use their databases.

This results in blocking the countrywide IP ranges. So while blocking the countrywide IP ranges from the firewall, we ensure the “CC_SRC” setting as well.

If it is set to CC_SRC = “1” then we ask the customer to create an account in “Maxmind site”. Or we change the source to “DB-IP, ipverse.net, iptoasn.com” by changing the CC_SRC value to “2” (i.e) CC_SRC = “2”.

In new firewall installations by default, this was set to “CC_SRC = “2”. If it was an older firewall then it might be using Maxmind databases.

So, it was better to set “CC_SRC = “2” to use “DB-IP, ipverse.net, iptoasn.com” while blocking countrywide IP’s.

Here are the different methods we help to edit the CSF firewall configuration file.

 

Editing the configuration file via WHM

First, we log in to the WHM.

We then select the ConfigServer Security & Firewall under the Plugins option at the left end of the WHM interface.

Thereafter we traced CSF – ConfigServer Firewall and then click Firewall Configuration.

Now the configuration file opens. Here we search for Country Code Lists and Settings.

Then we change the CC_SRC value to 2.

 

Edit firewall configuration file via Terminal.

Another method to edit the configuration file is via Terminal.

For that, first, we log in to the server.

Next, we open the configuration file by running the below command.

vi /etc/csf/csf.conf

Here we search for Country Code Lists and Settings and change the CC_SRC value to 2.

[Still having the problem with countrywide allow or deny IP ranges in CSF?- We’re available 24/7 to help you.]

 

Conclusion

In short, CSF is used to restrict or allow countrywide IP ranges in the server using the country codes. Today, we saw how our Support Engineers help our customers to block/allow countries in the CSF firewall.

PREVENT YOUR SERVER FROM CRASHING!

Never again lose customers to poor server speed! Let us help you.

Our server experts will monitor & maintain your server 24/7 so that it remains lightning fast and secure.

GET STARTED

var google_conversion_label = "owonCMyG5nEQ0aD71QM";

2 Comments

  1. T

    hi,
    i realized websites in our server cant access all country except one(our country), so checked everything like server IP and i noticed no problem with ping in all country but its not the same for websites.
    so after that when check csf in my whm realized this is a problem but i never set any rule to block countries and when csf is off everything is going to normal,
    so whats the problem in my csf? that section you said in this article is fine but when csf is on, countries blocked again and show time out.

    Reply
    • Krishna Priya

      Hello,
      Our experts are available to assist you with your concerns. We would be delighted to discuss this with you via our live chat feature. Simply click on the icon located in the bottom right corner to get started.

      Reply

Submit a Comment

Your email address will not be published. Required fields are marked *

Never again lose customers to poor
server speed! Let us help you.