CSF not working if you use country codes

CSF since dec 29 2019, requires a maxmind license key to use their db to do country code lookups.  No official notice has been made on this forum, so I am doing it today.

If you restart CSF, you will notice that the last two lines of the restart log file will show a new error imploring you to get a maxmind license key.  Who knew?

Its free, but you don't need maxmind.  You can go to your csf.conf file and change the database provider from option 2 to option 1.  2 being maxmind and 1 being ipverse.

If you arent using country code filtering then this doesnt apply to you.

Update. I was using ipverse and I had trouble with country codes working.  I switched back to maxmind and its working.  Updating cwp was not working while using cc_allow_filter.  But everything is working for the moment.

interesting, i took your advice and started using ipverse, added EVERY SINGLE COUNTRY in my CC_DENY
EXCEPT three.. and it is working like a charm.. no more attacks from China, Iran, or Russia and Romania.. LOL

works for me.

Thanks for the ^ Tip padre

Cheers

pixlepadre;
did you make sure and ADD (whitelist) Country Code HR (I think it is)?  for CWP's Servers?
thats what i had to do.. it might have been FR (France), i can check if you would like,
or just do a whiois internic on centos-webpanel.com  should show it also.

yeah, i just dns'd it: whitelist coutry code FR, and you should get your updates?

re; Registrant Country: FR
for centos-webpanel.com

IP Address    37.187.72.216 - 278 other sites hosted on this server 
IP Location    France - Hauts-de-france - Roubaix - Ovh Sas
ASN    France AS16276 OVH, FR (registered Feb 15, 2001)


Cheers
X

listing more than a few countries in cc deny is a bad idea.  It will make your server crawl.

better idea is to use cc allow filter.

You can just add US if that is all you want to see your site.

^ Here we go with the bad information, again. A little knowledge is a dangerous thing.

Properly read the CSF documentation and apply some reasoning, if possible. IPset is your friend.

For American blinkered hosters: just to illustrate the misconception/futility of blocking all but US, here's a tiny snippet of csf.deny from one VPS

Code: [Select]

216.245.210.54 # lfd: (mod_security) mod_security (id:960008) triggered by 216.245.210.54 (US/United States/54-210-245-216.static.reverse.lstn.net): 1 in the last 3600 secs - Thu Jan 16 11:46:27 2020
74.42.216.43 # lfd: *Port Scan* detected from 74.42.216.43 (US/United States/static-74-42-216-43.dr01.plns.pa.frontiernet.net). 13 hits in the last 25 seconds - Fri Jan 17 07:27:40 2020
162.245.236.154 # lfd: (mod_security) mod_security (id:960911) triggered by 162.245.236.154 (US/United States/-): 1 in the last 3600 secs - Fri Jan 17 21:52:20 2020
69.162.126.62 # lfd: (mod_security) mod_security (id:960035) triggered by 69.162.126.62 (US/United States/62-126-162-69.static.reverse.lstn.net): 1 in the last 3600 secs - Sat Jan 18 06:59:21 2020
69.162.69.222 # lfd: (mod_security) mod_security (id:960035) triggered by 69.162.69.222 (US/United States/222-69-162-69.static.reverse.lstn.net): 1 in the last 3600 secs - Sat Jan 18 14:36:29 2020
40.118.237.44 # lfd: (mod_security) mod_security (id:950001) triggered by 40.118.237.44 (US/United States/-): 1 in the last 3600 secs - Sun Jan 19 17:16:17 2020
63.143.35.230 # lfd: (mod_security) mod_security (id:960008) triggered by 63.143.35.230 (US/United States/230-35-143-63.static.reverse.lstn.net): 1 in the last 3600 secs - Sun Jan 26 13:12:03 2020
63.143.35.226 # lfd: (mod_security) mod_security (id:960008) triggered by 63.143.35.226 (US/United States/226-35-143-63.static.reverse.lstn.net): 1 in the last 3600 secs - Sun Jan 26 18:21:52 2020
74.63.255.178 # lfd: (mod_security) mod_security (id:960035) triggered by 74.63.255.178 (US/United States/178-255-63-74.static.reverse.lstn.net): 1 in the last 3600 secs - Wed Jan 29 18:13:23 2020
192.228.100.222 # lfd: (smtpauth) Failed SMTP AUTH login from 192.228.100.222 (US/United States/-): 1 in the last 3600 secs - Fri Jan 31 16:22:27 2020
3.95.230.246 # lfd: *Port Scan* detected from 3.95.230.246 (US/United States/ec2-3-95-230-246.compute-1.amazonaws.com). 13 hits in the last 55 seconds - Sat Feb  1 05:44:10 2020
This also doesn't take into consideration out of date geolocation (Google it) and for example, I had one USA VPS that was considered to be in Germany!
In short, don't believe everything you read in forums and the internet in general, kiddies. 

BTW, this is an idle backup server with no active websites and the idiots still try to attack it.

Results of using cc_allow_filter

RETURN  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   match-set cc_us src
csf: IPSET loading set cc_us with 18450 entries
csf: IPSET creating set cc_ir
RETURN  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   match-set cc_ir src
csf: IPSET loading set cc_ir with 1358 entries
csf: IPSET creating set cc_ie
RETURN  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   match-set cc_ie src
csf: IPSET loading set cc_ie with 597 entries
csf: IPSET creating set cc_de
RETURN  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   match-set cc_de src
csf: IPSET loading set cc_de with 7422 entries
csf: IPSET creating set cc_za
RETURN  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   match-set cc_za src
csf: IPSET loading set cc_za with 1109 entries
csf: IPSET creating set cc_cu
RETURN  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   match-set cc_cu src
csf: IPSET loading set cc_cu with 17 entries
csf: IPSET creating set cc_mx
RETURN  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   match-set cc_mx src
csf: IPSET loading set cc_mx with 653 entries
csf: IPSET creating set cc_gb
RETURN  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   match-set cc_gb src
csf: IPSET loading set cc_gb with 7129 entries
csf: IPSET creating set cc_fr
RETURN  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   match-set cc_fr src
csf: IPSET loading set cc_fr with 29125 entries
csf: IPSET creating set cc_ca
RETURN  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   match-set cc_ca src
csf: IPSET loading set cc_ca with 4674 entries

You are right about one thing, ipset is your friend.  Unfortunately, you cant seem to grasp the basic concept that the rest of the firewall users seem to understand.