By Adam
I have an Ubuntu Server 22.04 with Nginx installed along with a laravel application.
When I view the access logs I can see a lot of attempts from a certain country to exploit my server and application. For example:
109.237.97.141 - - [14/Mar/2023:05:06:49 +0000] "POST /_ignition/execute-solution HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
198.235.24.171 - - [14/Mar/2023:05:47:28 +0000] "\x16\x03\x01\x00\xCA\x01\x00\x00\xC6\x03\x03\xD8\xE1v\xDDn/\x17S\xD0:\x83J\xD0 n\xDFk\x975$S\x09\xCD\x87\xA5\xC5\xB3b\xD4<\x9AC\x00\x00h\xCC\x14\xCC\x13\xC0/\xC0+\xC00\xC0,\xC0\x11\xC0\x07\xC0'\xC0#\xC0\x13\xC0\x09\xC0(\xC0$\xC0\x14\xC0" 400 166 "-" "-"
5.188.210.227 - - [14/Mar/2023:09:20:53 +0000] "\x05\x01\x00" 400 166 "-" "-"
5.188.210.227 - - [14/Mar/2023:09:21:57 +0000] "\x04\x01\x00P\x05\xBC\xD2\xE3\x00" 400 166 "-" "-"
52.27.236.62 - - [14/Mar/2023:09:21:58 +0000] "GET /.env HTTP/1.1" 404 197 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"
52.27.236.62 - - [14/Mar/2023:09:21:58 +0000] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03M," 400 166 "-" "-"
52.27.236.62 - - [14/Mar/2023:09:21:59 +0000] "POST /.env HTTP/1.1" 404 197 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"
Currently UFW status is set to the following, with Let's Encrypt SSL installed and configured in conjunction with DigitalOcean tutorials:
To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)
What is the best approach to block IPs from this country? Would you implement it at the Nginx level or the UFW level? Can fail2ban achieve the same, i.e. block an entire country from accessing my site?
Please can you provide a tutorial on how I can achieve this using either UFW, Fail2Ban or another technique?
PS. It would be useful if DigitalOcean could produce some security articles on server hardening and security.
Hi there,
I’ve personally used ConfigServer Firewall (CSF) to do that.
Here is a step by step tutorial on how to install CSF:
And then once you have it installed, you can edit the /etc/csf/csf.conf file, find the CC_DENY line and add the list of the country codes that you want to deny.
Hope that this helps!
Best,
Bobby
I’m not sure if blocking an entire country is a good idea. But it depends on your use case.
A better option would be to track those bad actors and block them individually. We can use a combination of software to achieve this. Fail2ban is good for scanning logs and detecting intruders, UFW is good for banning IPs and Naxsi is a good WAF for nginx.
You can install naxsi web application firewall to prevent attacks. https://vpsfix.com/8652/install-naxsi-web-application-firewall-for-nginx-and-virtualmin/
And then integrate Fail2ban and UFW for IP banning.
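As an added example (not code from this thread, from fail2ban or from DigitalOcean), here is the log-scanning logic that a fail2ban filter plus a UFW ban action would apply, written in Python over constructed sample lines modelled on the access-log entries in the question: it parses the nginx combined format, flags the two patterns visible there (raw non-HTTP bytes sent to the HTTP port, and requests for /.env or /_ignition/execute-solution), counts hits per client IP, and renders the UFW deny rules a ban action would run. The 203.0.113.10 line, the maxretry default of 2 and the probe-path list are my assumptions.

```python
import re
from collections import Counter

# Constructed sample modelled on the nginx access-log lines in the question (raw string:
# nginx writes non-printable request bytes as literal \xNN escapes, exactly as shown there).
SAMPLE_LOG = r"""
109.237.97.141 - - [14/Mar/2023:05:06:49 +0000] "POST /_ignition/execute-solution HTTP/1.1" 301 178 "-" "Mozilla/5.0"
5.188.210.227 - - [14/Mar/2023:09:20:53 +0000] "\x05\x01\x00" 400 166 "-" "-"
5.188.210.227 - - [14/Mar/2023:09:21:57 +0000] "\x04\x01\x00P\x05\xBC\xD2\xE3\x00" 400 166 "-" "-"
52.27.236.62 - - [14/Mar/2023:09:21:58 +0000] "GET /.env HTTP/1.1" 404 197 "-" "Mozilla/5.0"
52.27.236.62 - - [14/Mar/2023:09:21:58 +0000] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03M," 400 166 "-" "-"
52.27.236.62 - - [14/Mar/2023:09:21:59 +0000] "POST /.env HTTP/1.1" 404 197 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Mar/2023:10:00:00 +0000] "GET /login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
""".strip("\n")

# nginx "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Paths no legitimate user of a Laravel site requests; both appear in the question's log.
PROBE_PATHS = {"/.env", "/_ignition/execute-solution"}


def is_suspicious(m):
    """Return a reason string if a parsed line looks like scanner traffic, else None."""
    request = m.group("request")
    if request.startswith(r"\x"):          # raw TLS/SOCKS bytes sent to the plain-HTTP port
        return "non-HTTP bytes"
    parts = request.split(" ")
    if len(parts) >= 2 and parts[1].split("?")[0] in PROBE_PATHS:
        return "probe path " + parts[1]
    return None


def find_offenders(log_text, maxretry=2):
    """Count suspicious hits per client IP; return {ip: hits} for IPs reaching maxretry,
    the same threshold idea fail2ban uses before it triggers a ban action."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_suspicious(m):
            hits[m.group("ip")] += 1
    return {ip: n for ip, n in hits.items() if n >= maxretry}


def ufw_commands(offenders):
    """Render the UFW rules a ban action would run; 'insert 1' puts each deny ahead of the
    existing 'Nginx Full ALLOW Anywhere' rule from the question's ufw status output."""
    return [f"ufw insert 1 deny from {ip} to any" for ip in sorted(offenders)]
```

With the sample above, find_offenders(SAMPLE_LOG) reports 5.188.210.227 (2 hits) and 52.27.236.62 (3 hits), while the single Ignition probe from 109.237.97.141 stays below the threshold until maxretry is lowered to 1.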
Hey @adam,
Again, as has been said, it’s not really a good idea to block countries. If you still want to do this, however, you can try using CSF.
You can do this using CSF (ConfigServer Firewall) as well. In order to block a country, you can use the CC_DENY option, which accepts two-letter country codes such as US, GB, etc.
In order to list more than one country you just need to separate them using commas:
CC_DENY = "AB,CD,EF"
You may find a list of ISO 3166-1 alpha-2 codes at https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2
If you’re not familiar with CSF, or you want to install it on a CentOS or Ubuntu Droplet, check out this mini tutorial:
For CentOS:
and for Ubuntu: