Create ModSecurity Rule to Block Country From Webserver Access

Issue: On a cPanel-powered server running Apache, the majority of websites are receiving excessive traffic from a large number of IP addresses in one country. Using .htaccess or firewall rules to block every IP address range is not efficient.

Solution: Use ModSecurity to create a rule that temporarily blocks the specific country (geographic region). The rule can later be disabled or deleted.

In WHM/cPanel navigate to:
Home >> Security Center >> ModSecurity Configuration

Navigate to the setting for:
Geolocation Database SecGeoLookupDb

Input the path (Specify a path for the geolocation database):

/usr/share/GeoIP/GeoIP.dat

(The above is the default location on cPanel-powered servers.)

Save the changes.

Navigate to:
Home >> Security Center >> ModSecurity Tools
Click on “Rules List”
Click on “Add Rule”

In the “Add a new custom ModSecurity rule” form, add the following rule to the “Rule Text” area. France is selected at random here purely as an example for this post; it is not a region that should be blocked.

# Inspect IP address and block by country code
SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:10,drop,log,msg:'Blocking IP Address - France '"
SecRule GEO:COUNTRY_CODE "@streq FR"

Select checkbox, on: “Enable Rule”
Select checkbox, on: “Deploy and Restart Apache”

Save the changes.

The rule will now be active. It will block the country from all websites on the server.
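
To confirm the rule is firing after deployment, the following added example (not part of the original post) counts, per client IP, the requests dropped by rule id 10 in Apache error-log lines. It assumes the Apache 2.4 / ModSecurity 2.x error-log layout; the sample lines, IPs, hostname and file path are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): confirm the geo-block rule fires.
RULE_ID=10   # the id given to the rule above

# Constructed sample lines (assumption: Apache 2.4 + ModSecurity 2.x error-log
# layout; IPs, host, file path and unique_id values are placeholders).
sample_log() {
cat <<'EOF'
[Tue Mar 05 10:15:01.123456 2024] [:error] [pid 2101] [client 192.0.2.10:51544] [client 192.0.2.10] ModSecurity: Access denied with connection close (phase 1). String match "FR" at GEO:COUNTRY_CODE. [file "/path/to/custom-rules.conf"] [line "2"] [id "10"] [msg "Blocking IP Address - France "] [hostname "example.com"] [uri "/"] [unique_id "CONSTRUCTED-1"]
[Tue Mar 05 10:15:02.223456 2024] [:error] [pid 2101] [client 198.51.100.7:40001] [client 198.51.100.7] ModSecurity: Access denied with connection close (phase 1). String match "FR" at GEO:COUNTRY_CODE. [file "/path/to/custom-rules.conf"] [line "2"] [id "10"] [msg "Blocking IP Address - France "] [hostname "example.com"] [uri "/login"] [unique_id "CONSTRUCTED-2"]
[Tue Mar 05 10:15:03.323456 2024] [:error] [pid 2102] [client 192.0.2.10:51560] [client 192.0.2.10] ModSecurity: Access denied with connection close (phase 1). String match "FR" at GEO:COUNTRY_CODE. [file "/path/to/custom-rules.conf"] [line "2"] [id "10"] [msg "Blocking IP Address - France "] [hostname "example.com"] [uri "/"] [unique_id "CONSTRUCTED-3"]
[Tue Mar 05 10:15:04.423456 2024] [:error] [pid 2102] [client 203.0.113.5:40112] [client 203.0.113.5] ModSecurity: Warning. Constructed unrelated rule match. [file "/path/to/other-rules.conf"] [line "9"] [id "100"] [msg "Constructed unrelated rule"] [hostname "example.com"] [uri "/"] [unique_id "CONSTRUCTED-4"]
[Tue Mar 05 10:15:05.523456 2024] [core:error] [pid 2102] [client 203.0.113.5:40113] constructed non-ModSecurity message
EOF
}

# Read error-log lines on stdin; print "<hits> <client-ip>" for every client
# dropped by RULE_ID, busiest first. Lines from other rules are ignored.
geo_block_hits() {
  awk -v id="$RULE_ID" '
    # Literal match on [id "10"] so that ids such as "100" do not count.
    index($0, "ModSecurity:") && index($0, "[id \"" id "\"]") {
      # First [client ...] field is the one Apache 2.4 writes as ip:port.
      if (match($0, /\[client [^]]+\]/)) {
        ip = substr($0, RSTART + 8, RLENGTH - 9)
        sub(/:[0-9]+$/, "", ip)   # drop the trailing :port
        hits[ip]++
      }
    }
    END { for (ip in hits) print hits[ip], ip }
  ' | sort -k1,1nr -k2,2
}

# Stand-alone run against the constructed sample.
sample_log | geo_block_hits
```

On a live server, feed the function the Apache error log instead, for example `geo_block_hits < /path/to/apache/error_log` (the path is a placeholder).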
