Block countries in cPanel

There can be many reasons for which you might want to block access from specific countries. We will not get into such details. We will present two methods that you can use.

Method #1 – with cPHulk

cPHulk is the cPanel solution to brute force attacks. To block countries in cPHulk:

1. Log into the WHM installation

2. Navigate to Security Center -> cPHulk Brute Force Protection

3. Here, go to the Countries Management tab.

block countires cphulk1

4. Select which countries you want to block, click the gear icon on the right of the list, and select the Blacklist Selected Countries option.

block countires cphulk2

Now, users from the selected countries will not be able to log into mail, FTP, cPanel.


Method #2 – with csf

To block countries in csf:

1. Connect to your WHM installation

2. Go to Plugins -> ConfigServer Security & Firewall

3. Access the Firewall Configuration and look for the Country Code Lists and Settings section

block countires csf1

4. The specific csf option for country code block is CC_DENY

In the following options, specify the the two-letter ISO Country Code(s).
The iptables rules are for incoming connections only

Additionally, ASN numbers can also be added to the comma separated lists
below that also list Country Codes. The same WARNINGS for Country Codes apply
to the use of ASNs. More about Autonomous System Numbers (ASN):
http://www.iana.org/assignments/as-numbers/as-numbers.xhtml
ASNs must be listed as ASnnnn (where nnnn is the ASN number)

You should consider using LF_IPSET when using any of the following options

WARNING: These lists are never 100% accurate and some ISP's (e.g. AOL) use
non-geographic IP address designations for their clients

WARNING: Some of the CIDR lists are huge and each one requires a rule within
the incoming iptables chain. This can result in significant performance
overheads and could render the server inaccessible in some circumstances. For
this reason (amongst others) we do not recommend using these options

WARNING: Due to the resource constraints on VPS servers this feature should
not be used on such systems unless you choose very small CC zones

WARNING: CC_ALLOW allows access through all ports in the firewall. For this
reason CC_ALLOW probably has very limited use and CC_ALLOW_FILTER is
preferred

Each option is a comma-separated list of CC's, e.g. "US,GB,DE"
CC_DENY =
CC_ALLOW = 

Enter in the CC_DENY field the code of the countries you want to block. For example, to block Germany (DE) and Albany (AL), use:

CC_DENY= DE,AL
block countires csf2

Resources:

Wikipedia Country code list

Leave a Reply