I have an Ubuntu Server 22.04 with Nginx installed along with a laravel application.
When I view the access logs I can see a lot of attempts from a certain country to exploit my server and application. For example:
109.237.97.141 - - [14/Mar/2023:05:06:49 +0000] "POST /_ignition/execute-solution HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
198.235.24.171 - - [14/Mar/2023:05:47:28 +0000] "\x16\x03\x01\x00\xCA\x01\x00\x00\xC6\x03\x03\xD8\xE1v\xDDn/\x17S\xD0:\x83J\xD0 n\xDFk\x975$S\x09\xCD\x87\xA5\xC5\xB3b\xD4<\x9AC\x00\x00h\xCC\x14\xCC\x13\xC0/\xC0+\xC00\xC0,\xC0\x11\xC0\x07\xC0'\xC0#\xC0\x13\xC0\x09\xC0(\xC0$\xC0\x14\xC0" 400 166 "-" "-"
5.188.210.227 - - [14/Mar/2023:09:20:53 +0000] "\x05\x01\x00" 400 166 "-" "-"
5.188.210.227 - - [14/Mar/2023:09:21:57 +0000] "\x04\x01\x00P\x05\xBC\xD2\xE3\x00" 400 166 "-" "-"
52.27.236.62 - - [14/Mar/2023:09:21:58 +0000] "GET /.env HTTP/1.1" 404 197 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"
52.27.236.62 - - [14/Mar/2023:09:21:58 +0000] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03M," 400 166 "-" "-"
52.27.236.62 - - [14/Mar/2023:09:21:59 +0000] "POST /.env HTTP/1.1" 404 197 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"
Currently UFW status is set to the following with letsencrypt ssl installed, configured in conjunction with Digital Ocean tutorials :
To Action From
-- ------ ----
OpenSSH ALLOW Anywhere
Nginx Full ALLOW Anywhere
OpenSSH (v6) ALLOW Anywhere (v6)
Nginx Full (v6) ALLOW Anywhere (v6)
What is the best approach to block ips from this country. Would you implement it at Nginx level or UFW level? Can fail2ban achieve the same i.e. block an entire country from accessing my site?
Please can you provide a tutorial of how I can achieve this either using UFW, Fail2Ban or other technique.
PS. It would be useful if digital Ocean could produce some security article on server hardening and security.
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
I’m not sure if blocking an entire country is a good idea. But it depend on your use case.
Better option would be to track those bad actors and block them individually. We can use a combination of software to achieve this. Fail2ban is good for scanning logs and detecting intruders, UFW is good for banning IPs and Naxsi is a good WAF for nginx.
You can install naxsi web application firewall to prevent attacks. https://vpsfix.com/8652/install-naxsi-web-application-firewall-for-nginx-and-virtualmin/
And then integrate Fail2ban and UFW for IP banning.
Hello there,
You can also use a third-party providers like CloudFlare that have Firewall features where you can block access from certain IP addresses or whole country IP ranges. They also regularly update their IP lists which means you’re likely to bypass some requests coming from proxies.
Just enter an IP address, an IP range, or a two-letter country code you wish to block
https://serverpilot.io/docs/how-to-block-ips-with-cloudflare/
Hope that helps!
Forever, as they say, it is not good to control countries. If you want to do this, you can use CSF. from:- Digitizing Logo