Question

How to block countries using UFW, Fail2Ban or other Firewall?

I have an Ubuntu Server 22.04 with Nginx installed along with a laravel application.

When I view the access logs I can see a lot of attempts from a certain country to exploit my server and application. For example:

109.237.97.141 - - [14/Mar/2023:05:06:49 +0000] "POST /_ignition/execute-solution HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
198.235.24.171 - - [14/Mar/2023:05:47:28 +0000] "\x16\x03\x01\x00\xCA\x01\x00\x00\xC6\x03\x03\xD8\xE1v\xDDn/\x17S\xD0:\x83J\xD0 n\xDFk\x975$S\x09\xCD\x87\xA5\xC5\xB3b\xD4<\x9AC\x00\x00h\xCC\x14\xCC\x13\xC0/\xC0+\xC00\xC0,\xC0\x11\xC0\x07\xC0'\xC0#\xC0\x13\xC0\x09\xC0(\xC0$\xC0\x14\xC0" 400 166 "-" "-"
5.188.210.227 - - [14/Mar/2023:09:20:53 +0000] "\x05\x01\x00" 400 166 "-" "-"
5.188.210.227 - - [14/Mar/2023:09:21:57 +0000] "\x04\x01\x00P\x05\xBC\xD2\xE3\x00" 400 166 "-" "-"
52.27.236.62 - - [14/Mar/2023:09:21:58 +0000] "GET /.env HTTP/1.1" 404 197 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"
52.27.236.62 - - [14/Mar/2023:09:21:58 +0000] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03M," 400 166 "-" "-"
52.27.236.62 - - [14/Mar/2023:09:21:59 +0000] "POST /.env HTTP/1.1" 404 197 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"

Currently UFW status is set to the following with letsencrypt ssl installed, configured in conjunction with Digital Ocean tutorials :

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)

What is the best approach to block ips from this country. Would you implement it at Nginx level or UFW level? Can fail2ban achieve the same i.e. block an entire country from accessing my site?

Please can you provide a tutorial of how I can achieve this either using UFW, Fail2Ban or other technique.

PS. It would be useful if digital Ocean could produce some security article on server hardening and security.


Submit an answer


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

I’m not sure if blocking an entire country is a good idea. But it depend on your use case.

Better option would be to track those bad actors and block them individually. We can use a combination of software to achieve this. Fail2ban is good for scanning logs and detecting intruders, UFW is good for banning IPs and Naxsi is a good WAF for nginx.

You can install naxsi web application firewall to prevent attacks. https://vpsfix.com/8652/install-naxsi-web-application-firewall-for-nginx-and-virtualmin/

And then integrate Fail2ban and UFW for IP banning.

alexdo
Site Moderator
Site Moderator badge
March 15, 2023

Hello @adam

I’ll recommend using CSF in order to achieve the desired results. I’ve personally used it for the same purposes and it always works just fine.

You can check this question that was previolsly posted in our community:

https://www.digitalocean.com/community/questions/block-countries-using-ufw-or-fail2ban-or-block-ip-if-login-failed-outside-exempt-countries

Regards

KFSys
Site Moderator
Site Moderator badge
March 15, 2023

Hey @adam,

Again as it’s said, it’s not a really good idea to block countries. If you however still want to do this, you can try using CSF

CSF

You can do this using CSF (ConfigServer Firewall) as well. In order to block a country, you can use the CC_DENY option which accepts two-letter country codes such as the US, GB and etc.

In order to list more than one country you just need to separate them using commas:

CC_DENY = "AB,CD,EF"

You may find a list of ISO 3166-1 alpha-2 code at https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2

If you’re not familiar with CSF or you want to install it on CentOS or Ubuntu droplet check out this mini tutorial:

For CentOS:

https://www.digitalocean.com/community/questions/how-to-install-and-configure-config-server-firewall-csf-on-centos

and for Ubuntu:

https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-config-server-firewall-csf-on-ubuntu

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up