I have an Ubuntu Server 22.04 with Nginx installed along with a laravel application.
When I view the access logs I can see a lot of attempts from a certain country to exploit my server and application. For example:
18.104.22.168 - - [14/Mar/2023:05:06:49 +0000] "POST /_ignition/execute-solution HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36" 22.214.171.124 - - [14/Mar/2023:05:47:28 +0000] "\x16\x03\x01\x00\xCA\x01\x00\x00\xC6\x03\x03\xD8\xE1v\xDDn/\x17S\xD0:\x83J\xD0 n\xDFk\x975$S\x09\xCD\x87\xA5\xC5\xB3b\xD4<\x9AC\x00\x00h\xCC\x14\xCC\x13\xC0/\xC0+\xC00\xC0,\xC0\x11\xC0\x07\xC0'\xC0#\xC0\x13\xC0\x09\xC0(\xC0$\xC0\x14\xC0" 400 166 "-" "-" 126.96.36.199 - - [14/Mar/2023:09:20:53 +0000] "\x05\x01\x00" 400 166 "-" "-" 188.8.131.52 - - [14/Mar/2023:09:21:57 +0000] "\x04\x01\x00P\x05\xBC\xD2\xE3\x00" 400 166 "-" "-" 184.108.40.206 - - [14/Mar/2023:09:21:58 +0000] "GET /.env HTTP/1.1" 404 197 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36" 220.127.116.11 - - [14/Mar/2023:09:21:58 +0000] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03M," 400 166 "-" "-" 18.104.22.168 - - [14/Mar/2023:09:21:59 +0000] "POST /.env HTTP/1.1" 404 197 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"
Currently UFW status is set to the following with letsencrypt ssl installed, configured in conjunction with Digital Ocean tutorials :
To Action From -- ------ ---- OpenSSH ALLOW Anywhere Nginx Full ALLOW Anywhere OpenSSH (v6) ALLOW Anywhere (v6) Nginx Full (v6) ALLOW Anywhere (v6)
What is the best approach to block ips from this country. Would you implement it at Nginx level or UFW level? Can fail2ban achieve the same i.e. block an entire country from accessing my site?
Please can you provide a tutorial of how I can achieve this either using UFW, Fail2Ban or other technique.
PS. It would be useful if digital Ocean could produce some security article on server hardening and security.
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
Click below to sign up and get $200 of credit to try our products over 60 days!
I’m not sure if blocking an entire country is a good idea. But it depend on your use case.
Better option would be to track those bad actors and block them individually. We can use a combination of software to achieve this. Fail2ban is good for scanning logs and detecting intruders, UFW is good for banning IPs and Naxsi is a good WAF for nginx.
You can install naxsi web application firewall to prevent attacks. https://vpsfix.com/8652/install-naxsi-web-application-firewall-for-nginx-and-virtualmin/
And then integrate Fail2ban and UFW for IP banning.
I’ll recommend using CSF in order to achieve the desired results. I’ve personally used it for the same purposes and it always works just fine.
You can check this question that was previolsly posted in our community:
Again as it’s said, it’s not a really good idea to block countries. If you however still want to do this, you can try using CSF
You can do this using
CSF(ConfigServer Firewall) as well. In order to block a country, you can use the
CC_DENYoption which accepts two-letter country codes such as the US, GB and etc.
In order to list more than one country you just need to separate them using commas:
CC_DENY = "AB,CD,EF"
You may find a list of ISO 3166-1 alpha-2 code at https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2
If you’re not familiar with CSF or you want to install it on CentOS or Ubuntu droplet check out this mini tutorial:
and for Ubuntu: