Question

How to block countries using UFW, Fail2Ban or other Firewall?

I have an Ubuntu Server 22.04 with Nginx installed along with a Laravel application.

When I view the access logs I can see a lot of attempts from a certain country to exploit my server and application. For example:

109.237.97.141 - - [14/Mar/2023:05:06:49 +0000] "POST /_ignition/execute-solution HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
198.235.24.171 - - [14/Mar/2023:05:47:28 +0000] "\x16\x03\x01\x00\xCA\x01\x00\x00\xC6\x03\x03\xD8\xE1v\xDDn/\x17S\xD0:\x83J\xD0 n\xDFk\x975$S\x09\xCD\x87\xA5\xC5\xB3b\xD4<\x9AC\x00\x00h\xCC\x14\xCC\x13\xC0/\xC0+\xC00\xC0,\xC0\x11\xC0\x07\xC0'\xC0#\xC0\x13\xC0\x09\xC0(\xC0$\xC0\x14\xC0" 400 166 "-" "-"
5.188.210.227 - - [14/Mar/2023:09:20:53 +0000] "\x05\x01\x00" 400 166 "-" "-"
5.188.210.227 - - [14/Mar/2023:09:21:57 +0000] "\x04\x01\x00P\x05\xBC\xD2\xE3\x00" 400 166 "-" "-"
52.27.236.62 - - [14/Mar/2023:09:21:58 +0000] "GET /.env HTTP/1.1" 404 197 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"
52.27.236.62 - - [14/Mar/2023:09:21:58 +0000] "\x16\x03\x01\x02\x00\x01\x00\x01\xFC\x03\x03M," 400 166 "-" "-"
52.27.236.62 - - [14/Mar/2023:09:21:59 +0000] "POST /.env HTTP/1.1" 404 197 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"

Currently UFW status is set to the following, with Let's Encrypt SSL installed and configured in conjunction with DigitalOcean tutorials:

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)

What is the best approach to block IPs from this country? Would you implement it at the Nginx level or the UFW level? Can Fail2ban achieve the same, i.e. block an entire country from accessing my site?

Please can you provide a tutorial on how I can achieve this using either UFW, Fail2Ban or another technique.

PS. It would be useful if DigitalOcean could produce some security articles on server hardening and security.



These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

I’m not sure if blocking an entire country is a good idea. But it depends on your use case.

Better option would be to track those bad actors and block them individually. We can use a combination of software to achieve this. Fail2ban is good for scanning logs and detecting intruders, UFW is good for banning IPs and Naxsi is a good WAF for nginx.

You can install naxsi web application firewall to prevent attacks. https://vpsfix.com/8652/install-naxsi-web-application-firewall-for-nginx-and-virtualmin/

And then integrate Fail2ban and UFW for IP banning.
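The split this answer describes (scan the log for intruders, then ban their IPs with UFW), as an added example that is not part of the original answer and is not Fail2ban's own code. It assumes Nginx's combined log format; `PROBE_PATHS`, the threshold of 2 and the `203.0.113.10` line are assumptions made for illustration, and the other sample lines are shortened copies of the ones in the question.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample: shortened copies of the question's log lines plus one benign request.
SAMPLE_LOG = r'''109.237.97.141 - - [14/Mar/2023:05:06:49 +0000] "POST /_ignition/execute-solution HTTP/1.1" 301 178 "-" "Mozilla/5.0"
5.188.210.227 - - [14/Mar/2023:09:20:53 +0000] "\x05\x01\x00" 400 166 "-" "-"
5.188.210.227 - - [14/Mar/2023:09:21:57 +0000] "\x04\x01\x00P\x05\xBC\xD2\xE3\x00" 400 166 "-" "-"
52.27.236.62 - - [14/Mar/2023:09:21:58 +0000] "GET /.env HTTP/1.1" 404 197 "-" "Mozilla/5.0"
52.27.236.62 - - [14/Mar/2023:09:21:59 +0000] "POST /.env HTTP/1.1" 404 197 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Mar/2023:09:30:00 +0000] "GET /login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
'''

# Combined log format: ip - user [time] "request" status bytes ...
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) ')
HTTP_REQ_RE = re.compile(r'^[A-Z]+ (?P<path>\S+) HTTP/\d(?:\.\d)?$')
# Assumption: paths this application never serves to clients; tune per site.
PROBE_PATHS = ("/.env", "/_ignition/execute-solution")

def classify(line):
    """Return (ip, reason) if the line looks like a probe, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    req = HTTP_REQ_RE.match(m["req"])
    if req is None:
        # Not an HTTP request line: e.g. TLS or SOCKS bytes sent to the plain-HTTP port.
        return (m["ip"], "non-http") if m["status"] == "400" else None
    if req["path"].split("?", 1)[0] in PROBE_PATHS:
        return m["ip"], "probe-path"
    return None

def offenders(log_text, threshold=2):
    """IPs with at least `threshold` probe hits (the same idea as Fail2ban's maxretry)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        found = classify(line)
        if found:
            hits[found[0]].append(found[1])
    return {ip: reasons for ip, reasons in hits.items() if len(reasons) >= threshold}

def ufw_commands(ips):
    """Deny rules at position 1 so they match before the ALLOW rules; IPs are validated first."""
    return [f"ufw insert 1 deny from {ipaddress.ip_address(ip)} to any" for ip in sorted(ips)]

if __name__ == "__main__":
    for cmd in ufw_commands(offenders(SAMPLE_LOG)):
        print(cmd)
```

The script only prints the `ufw` commands so they can be reviewed before being run as root; Fail2ban automates the same loop and also expires bans after a set time.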

alexdo
Site Moderator
September 27, 2023

Hello there,

You can also use a third-party provider like Cloudflare that has firewall features where you can block access from certain IP addresses or whole country IP ranges. They also regularly update their IP lists, which means you’re likely to bypass some requests coming from proxies.

Just enter an IP address, an IP range, or a two-letter country code you wish to block.

https://serverpilot.io/docs/how-to-block-ips-with-cloudflare/

Hope that helps!

Forever, as they say, it is not good to control countries. If you want to do this, you can use CSF. from:- Digitizing Logo
