Question Best Practices: Blocking A Large Number of IP Addresses

tetrahall

Basic Pleskian
Server operating system version: CentOS 7.7
Plesk version and microupdate number: Plesk Obsidian 18.0.44
Hello,

I'm getting very suspicious visits from a large number of IP addresses - something like 3000 - 4000 on a daily basis. I've considered the following options:

.htaccess is an option, but I am advised against it because it slows the website due to processing overhead

Plesk Firewall Blocking Countries: It doesn't always work. For example, I had some suspicious IP addresses from Lithuania and Italy. I added LT and IT but it didn't work for me - still getting visitors from both countries.

IP Tables: It involves adding many "rules" and, to be honest, I'm not familiar with this method.

I was just wondering if there is something more straightforward, like a BLACK LIST, where I can copy and paste the list of IP addresses into some form field.

Please advise
 
GeoIP blocking relies on the database being up to date, so some IPs assigned to a country can still slip by. The default database is DB-IP, but you can change it to MaxMind by following the instructions at https://support.plesk.com/hc/en-us/...urce-for-blocking-countries-in-Plesk-Firewall

As for IPTables, Plesk firewall basically uses IPTables anyways so you could technically block IP addresses by utilizing the Plesk firewall itself.

The other method is utilizing ModSecurity; you can refer to https://support.plesk.com/hc/en-us/...or-whitelist-specific-countries-through-Plesk for how to set it up.
 
scsa20, thank you for your reply.

I will try changing the database to MaxMind.

You mentioned "The other method is utilizing ModSecurit ..", but it looks the same as blocking countries in Plesk's firewall, doesn't it? And if one is to use IP addresses instead of countries, each address has to be entered individually.

I was wondering if there was a method where a list of addresses could be entered as a list - there are thousands of them?
 
In addition, one may need to block IP addresses from a certain country, not the country - some visitors might be genuine or useful, for example, Google from USA
 
ipset is the way to go

It can be used for (automated) geo-IP feeds as well as manually maintained CSV/TXT files with 100k+ IP addresses/subnets,
and if you need to "whitelist" certain IPs, just put them in another ipset and put the ALLOW iptables rule for that ipset before the geo-IP/manual blocking.
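Worked example of the ipset approach described above (added here, not code from the thread): a POSIX shell script that turns a plain text list of IPv4 addresses/subnets into `ipset restore` input, loads a separate allow set, and orders the iptables rules so the allow set is matched before the block set. The set names `allowlist`/`blocklist`, the file paths and the sample list are assumptions.

```shell
#!/bin/sh
# Added example: build "ipset restore" input from a plain text list of IPv4 addresses
# and CIDR subnets, then wire the sets into iptables with the allow set checked first.
# Set names (allowlist/blocklist) and the sample list are illustrative, not from the thread.

# Print ipset restore commands for SET_NAME from LIST_FILE. Blank lines and '#' comments
# are skipped; anything that is not an IPv4 address or IPv4 CIDR is dropped and reported
# on stderr. Entries are loaded into a temporary set and swapped in, so reloading a
# 100k-entry list never leaves a window where the set is empty.
ipset_restore_script() {
  set_name="$1"; list_file="$2"
  printf 'create %s hash:net family inet -exist\n' "$set_name"
  printf 'create %s_tmp hash:net family inet -exist\n' "$set_name"
  printf 'flush %s_tmp\n' "$set_name"
  sed -e 's/#.*//' -e 's/[[:space:]]//g' "$list_file" | while IFS= read -r entry; do
    [ -z "$entry" ] && continue
    if printf '%s\n' "$entry" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'; then
      printf 'add %s_tmp %s -exist\n' "$set_name" "$entry"
    else
      printf 'skipping invalid entry: %s\n' "$entry" >&2
    fi
  done
  printf 'swap %s_tmp %s\n' "$set_name" "$set_name"
  printf 'destroy %s_tmp\n' "$set_name"
}

# Number of entries the script would load; a quick sanity check before applying.
count_entries() { ipset_restore_script "$1" "$2" 2>/dev/null | grep -c '^add '; }

# Load both sets and insert the rules (requires root). The ACCEPT rule for the allow set is
# inserted at position 1 so an address present in both sets is still allowed.
apply_sets() {
  ipset_restore_script allowlist "$1" | ipset restore
  ipset_restore_script blocklist "$2" | ipset restore
  iptables -C INPUT -m set --match-set allowlist src -j ACCEPT 2>/dev/null ||
    iptables -I INPUT 1 -m set --match-set allowlist src -j ACCEPT
  iptables -C INPUT -m set --match-set blocklist src -j DROP 2>/dev/null ||
    iptables -I INPUT 2 -m set --match-set blocklist src -j DROP
}

# Constructed sample list (RFC 5737 documentation ranges) written to a temp file for the demo.
SAMPLE_LIST="$(mktemp)"
printf '%s\n' '# suspicious sources' '203.0.113.0/24' '198.51.100.17' '' \
  '192.0.2.0/25  # trailing comment' 'not-an-ip' > "$SAMPLE_LIST"
ipset_restore_script blocklist "$SAMPLE_LIST"   # prints the restore script for inspection
```

Rules inserted this way are not managed by the Plesk Firewall extension, so re-applying its rule set can reorder or drop them; run `apply_sets` again (or from a boot script) after such changes.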
 
One last question, please:

Does/can it ever happen that the actual source of the visitor is from a country X, but when I check the country of the ip address I find it is from country Y?

In other words, can users fake their actual locations?
 
Through a VPN sure, since it would be routed to the VPN service thus showing up that IP instead of their actual IP.

It's also possible that the IP was originally assigned to one country but was later reassigned to a different country, so some IP lookup tools will show one country whereas another lookup tool will show another.

Basically, it's not going to be 100% accurate, but it can overall help cut down noise/bad actors.
 