Yes, you can do it with GeoIP lookup. You don't say what platform you're using, but if you are running Apache and mod_security, here's what you can do:
- Download the latest MaxMind GeoLite2 Country database in legacy format (the binary gzip one).
- Unzip the file, and upload it to your server. You can put it wherever you like; e.g., /usr/share/GeoIP.
- Log on to WHM, and go to Security Center -> ModSecurity Configuration.
- Scroll down to the Geolocation Database section, and enter the path to the GeoIP.dat file you uploaded. If you used the file location above, it would be: /usr/share/GeoIP/GeoIP.dat
- Scroll down and Save your changes.
That adds an IP-to-country-code database to your server. MaxMind updates their database on the first Tuesday of each month, so you should set a reminder to download the database once a month and update the copy on your server to keep it up to date.
Next, you need to add a custom ModSecurity rule to block the countries you want to exclude. You should look up their two-character country codes and enter them in the following, replacing the "XX"s with the countries you want to block:
Code:
# Test IP address and block by country code
SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:1,drop,log,msg:'Blocking %{geo.country_code}'"
SecRule GEO:COUNTRY_CODE "@pm XX XX XX"
Note: The "id" must be a unique number, but unless you have added other custom rules, "1" should be available. If not, change it to a number between 1 and 99,999, the range reserved for local use. The "drop" tells ModSecurity to immediately close the TCP connection when it detects one of the countries you've chosen to block.
- Go to Security Center -> ModSecurity Tools -> Rules List -> Add Rule.
- Paste your edited rule in the Rule Text box.
- Check the box for "Deploy and Restart Apache".
- Click "Save".
That's it. The rule is written so it will leave a message in your Hits List in ModSecurity when it blocks a country you've chosen.
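One way to confirm the rule is firing and see which codes and clients it is dropping, as an added example that is not part of the original post. It assumes the Apache error_log line layout shown in the constructed sample (ModSecurity 2.x style), rule id 1, and placeholder country codes XA and XB; `tally_blocks` and `client_addr` are hypothetical helper names.

```python
import re
from collections import Counter

# Constructed Apache error_log lines in the style ModSecurity 2.x writes.
# Addresses are documentation ranges; XA/XB are placeholder country codes.
SAMPLE_LOG = """\
[Tue Mar 05 10:01:12.100000 2024] [:error] [pid 911] [client 203.0.113.7:51514] ModSecurity: Access denied with connection close (phase 1). Matched phrase "XA" at GEO:COUNTRY_CODE. [id "1"] [msg "Blocking XA"] [hostname "example.com"] [uri "/"]
[Tue Mar 05 10:01:15.200000 2024] [:error] [pid 911] [client 203.0.113.7:51520] ModSecurity: Access denied with connection close (phase 1). Matched phrase "XA" at GEO:COUNTRY_CODE. [id "1"] [msg "Blocking XA"] [hostname "example.com"] [uri "/login"]
[Tue Mar 05 10:02:40.300000 2024] [:error] [pid 912] [client 198.51.100.23] ModSecurity: Access denied with connection close (phase 1). Matched phrase "XB" at GEO:COUNTRY_CODE. [id "1"] [msg "Blocking XB"] [hostname "example.com"] [uri "/"]
[Tue Mar 05 10:03:02.400000 2024] [:error] [pid 912] [client 192.0.2.44:40000] ModSecurity: Warning. Pattern match at ARGS:q. [id "20001"] [msg "Some other local rule"] [hostname "example.com"] [uri "/search"]
[Tue Mar 05 10:03:09.500000 2024] [core:notice] [pid 900] AH00094: Command line: '/usr/sbin/httpd'
"""

ID_RE = re.compile(r'\[id "(\d+)"\]')
# Matches the msg action from the rule: msg:'Blocking %{geo.country_code}'
MSG_RE = re.compile(r'\[msg "Blocking ([A-Z]{2})"\]')
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')


def client_addr(line):
    """Return the client address from a log line, or None if absent."""
    m = CLIENT_RE.search(line)
    if not m:
        return None
    addr = m.group(1)
    # Apache 2.4 logs "ip:port"; strip the port for IPv4 only, since an
    # IPv6 address contains colons of its own.
    return addr.split(":")[0] if addr.count(":") == 1 else addr


def tally_blocks(log_text, rule_id="1"):
    """Count hits of the geo-block rule per country code and per client."""
    by_country, by_client = Counter(), Counter()
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue  # ordinary Apache message
        rid, msg = ID_RE.search(line), MSG_RE.search(line)
        if not rid or rid.group(1) != rule_id or not msg:
            continue  # a different rule, or not a geo-block message
        by_country[msg.group(1)] += 1
        addr = client_addr(line)
        if addr:
            by_client[addr] += 1
    return by_country, by_client


if __name__ == "__main__":
    countries, clients = tally_blocks(SAMPLE_LOG)
    print("Blocks by country code:", dict(countries))
    print("Blocks by client:", dict(clients))
```

If you changed the rule's "id", pass the same number as `rule_id`. A country code you did not list appearing in the tally, or no hits at all after a month, is a sign the rule or the database path needs checking.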