What is the best option to secure Virtualmin and site

Hello all,

I have a question regarding security.
My site is under attack almost 24/7, and I handle it in the usual ways: SSH, fail2ban, firewalld, etc.

I want to start blocking countries, such as China, Brazil, etc. But I am not sure how to do that, and I am not sure whether that is really a good idea.

So if someone has any idea about securing a site against brute force, I would appreciate your answers.

Thanks a lot

Probably best to take a few steps back. What do you host? What kind of attacks are you referring to: floods, spam, site injections, network, etc.? General hardened configs for the core systems, e.g. use SSH keys and change the port. Control who has access to the server. Control what is used on the server. Follow best practice on managing a server. You can only mitigate/reduce where possible. There will always be people who will try to access a service or server. Many scripts, if not managed properly, have vulnerabilities that must be blocked/resolved.

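An added example (editor's addition, not something a poster wrote) for the "use SSH keys and change the port" advice in the reply above: a small POSIX sh check of an sshd_config that applies sshd's own parsing rules (the first occurrence of a keyword wins, an absent keyword means the OpenSSH default, so a file that never mentions PasswordAuthentication still counts as "yes"). The two sample configs at the bottom are constructed for the demo, and the MaxAuthTries threshold of 3 is my choice, not something the thread states.

```shell
#!/bin/sh
# Editor's example, not from the thread. Checks an sshd_config for the points
# raised above (keys instead of passwords, root login, default port) before
# fail2ban or country blocks are layered on top.
# Mirrors sshd's parsing rules: the FIRST occurrence of a keyword wins and an
# absent keyword takes the OpenSSH default, so a config that never mentions
# PasswordAuthentication is reported as "yes". On a live host prefer the
# effective config, which also resolves Match blocks (ignored here):
#   sshd -T > /tmp/eff.conf && sh audit.sh /tmp/eff.conf

lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# get_opt FILE KEYWORD DEFAULT: value of the first uncommented KEYWORD line
# (case-insensitive, since sshd -T prints keywords in lowercase), else DEFAULT.
get_opt() {
  v=$(awk -v k="$(lc "$2")" 'tolower($1) == k { print $2; exit }' "$1")
  printf '%s\n' "${v:-$3}"
}

# audit_sshd FILE: one line per finding on stdout; returns 0 only when clean.
audit_sshd() {
  f=$1 rc=0
  pw=$(lc "$(get_opt "$f" PasswordAuthentication yes)")
  root=$(lc "$(get_opt "$f" PermitRootLogin prohibit-password)")
  pubkey=$(lc "$(get_opt "$f" PubkeyAuthentication yes)")
  port=$(get_opt "$f" Port 22)
  tries=$(get_opt "$f" MaxAuthTries 6)

  [ "$pw" = yes ] && { echo "PasswordAuthentication yes: passwords can be brute forced; set 'no' once keys work"; rc=1; }
  [ "$root" = yes ] && { echo "PermitRootLogin yes: root is the first username every bot tries"; rc=1; }
  [ "$pubkey" = no ] && { echo "PubkeyAuthentication no: key logins are disabled"; rc=1; }
  [ "$tries" -gt 3 ] && { echo "MaxAuthTries $tries: more guesses per connection than needed (3 is plenty)"; rc=1; }
  # A non-default port only cuts scanner noise in the logs; it is not a control.
  [ "$port" = 22 ] && echo "Port 22: default port, expect constant scanner noise (informational)"
  return $rc
}

# Constructed sample configs for the demo, not from real hosts. The weak one
# looks like a stock distro file: nothing about passwords at all (so: yes).
write_samples() {
  cat > /tmp/sshd_weak.conf <<'EOF'
# stock-looking config: Port and PasswordAuthentication left at defaults
PermitRootLogin yes
#PasswordAuthentication no
EOF
  cat > /tmp/sshd_hard.conf <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
# a later duplicate is ignored, exactly as sshd ignores it
PasswordAuthentication yes
EOF
}

write_samples
for c in /tmp/sshd_weak.conf /tmp/sshd_hard.conf; do
  echo "== $c"
  audit_sshd "$c" && echo "no findings"
done
```

Only lock PasswordAuthentication to "no" after a key login has been tested from a second session; with it set and the key missing, the next brute-force round is the least of your problems.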

All sites are. :frowning:

Disconnect all cables of the box, put it in a bunker, and go to sleep on the box yourself there with your site… :wink:

No joking.

You can learn from this tool:
Lynis - Security auditing tool for Linux, macOS, and Unix-based systems - CISOfy
The basic version is good and free.

If you need to block a country, that is hard, since IPv4 addresses are hard to get and change… then you need that paid GeoIP stuff, as in the ConfigServer (CSF) firewall, to be somewhat on the safe side and not block the wrong IPs.


I use Cloudflare for that very reason. It’s much easier to let them handle it. I’ve never had an issue since.

1 Like

@Gomez_Adams Well… I am thinking every day about getting Cloudflare.
I am still not sure what to do, but it seems that this is the best solution.

You just use it for DNS. You don’t have to change a thing on your Virtual Servers. You sign up for Cloudflare, then you point your name servers to Cloudflare (it will tell you which entries to make) and that’s it.

Cloudflare will scan and make all the records you need, more often than not.

@Gomez_Adams

That use of Cloudflare DNS is only for, hmm, some basic protection against automated attacks on domain URLs.
Yes, DDoS protection is also a basic…

But it is not protecting the server itself; you still have to take care of security on the box itself, of course. For example, on IP… most boxes / sites / domains / services / WHOIS data or WHOIS history leak the real IP(s) even if using Cloudflare (ip-address-behind-cloudflare).

I only write this for readers who could think: OK, use Cloudflare and the box is safe then. :wink:


There is no such thing as a hackproof site. Even the U.S. Army, Citibank and the IRS have been hacked.

But using Cloudflare eliminates about half the work you’d otherwise have to do to set up basic protection strategies, which for the beginner or layman makes it the easiest, fastest, most effective protection available.

And it’s free.

“which for the beginner or layman makes it the easiest, fastest, most effective protection available.”

Your view, not mine :wink:

If you forget a simple thing, it brings nothing but mess and a false sense of safety / security.

So even there you have to know what you are doing, have the knowledge and practice it the right way (so a beginner or layman should hire competent persons or services!).

For example, there are many ways to find out more.
One is the certificate history on the base domain and then looking further; this is normally needed basic info about certs, so this is not one of the basic tools you can find on the web for finding an IP, but yes, it gives more info already: crt.sh | Certificate Search

But if you do a lookup for certs yourself, mostly the history leaks info.

In short, beginners too should start with secure basic settings for the services on their box and know what to do before extras such as Cloudflare and co.

Therefore scroll up: that free tool in my link above helps a lot :wink: Lynis

Using other external protections doesn’t free you from basic secure server administration as ADMIN :upside_down_face:

Important to know: hacked boxes are used by those hackers to destroy important public infrastructure; even your own health could depend on those facts if your hospital is hacked (partly) through your BOX.
So for driving CARS you have a driver’s license; for secure server administration you have… YES or NO?

So my view: the best option to secure Virtualmin sites and boxes is knowledge and best practices as a server admin for security; applications also need to be secure, and yes, follow those; then maybe somewhere after those steps Cloudflare or other external services, but very important: only after the box itself is secured can you test it.

While after Cloudflare you mostly can’t do all the needed reliable tests for security on the applications or the server itself anymore. You have to switch it off for that.

And @Whoops mentioned: go a few steps back to find out what is needed and must be done.

U.S. Army, Citibank and the IRS have been hacked.

while they messed up with security rules!

As server admin, it is also good to know the applications and, if possible, plugins running on the BOX, to keep an eye on versions and CVEs for those, so you can warn those site admins if needed.
Your log files could help with that and are important.
Please don’t do updates too quickly, but better after reading the changelogs and understanding them. Sometimes a version can’t be updated and you have to take care of manual configs to handle CVEs.


I guess that’s why over 4,000,000 entities use it to help secure their sites and servers.

But whatever.

Sorry, I didn’t say it doesn’t help at all. :wink:

But first things first, starting with what @Whoops mentioned before.

I’m using the ConfigServer Security & Firewall (CSF) with good success. It configures your firewall, watches connections (attempts) and watches process resource usage. It takes some time to fine-tune it though. My boxes are more quiet than before, and I see many blocked connection attempts because CSF figured it is an attack. CSF is the first thing I install on new boxes.


@fuerst

I did write in an earlier post:

That in CSF you then need the paid GeoIP blocking subscription, while the topic starter mentioned blocking country IPs.

In Cloudflare you just select Firewall / Firewall rules / New rule / Pick the country you want to block / Apply.

Done.


Yup, I liked you, hihi :wink:

CSF uses (1) MaxMind GeoLite2 Country/City and ASN databases or (2) DB-IP, ipdeny.com, iptoasn.com. Both are free, there is no fee to be paid.

Correct me if I understand things wrong, but 1000 IPs per day?
The other site, ipdeny.com, has no HTTPS… so security and…? Then the public API of iptoasn doesn’t work.

I could be wrong in understanding all this? :wink:

Users of the GeoLite2 web services are limited to 1000 IP address lookups per service per day.

Your connection is not private.

Attackers might be trying to steal your information from www.ipdeny.com

And iptoasn.com

Public API

The public API has been phased out on December 31, 2020.

In spite of the dataset being freely downloadable, the public API was receiving a growing and significant amount of traffic. (As a result, the public API was disabled. You can still run a local server while the database remains available for download.)

Edit: by no HTTPS I mean the SSL cert is not working as it should for ipdeny.com.

  • CSF isn’t using the GeoLite2 web services but downloads the database instead.
  • ipdeny.com listens at port 443 as well.
  • iptoasn.com has all the necessary data for download. That’s what CSF is using anyway.

@jotst Any questions left only me can answer :wink:


I second this. Also Cloudflare, although Cloudflare will only handle attacks that go through the domain it hosts. That’s why a good firewall on the server is also important. Cloudflare will not manage attacks made directly to your IP (port scanning, SSH login attempts, etc.).
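An added example (mine as editor, not from any poster, nor CSF's or Cloudflare's own code) covering two things the thread leaves at the description stage: the country block that the CSF/GeoIP exchange above is about, and the point in the reply just above that Cloudflare does nothing for traffic that hits the server IP directly. It uses the firewalld the topic starter already runs and plain CIDR files. Assumptions: ipdeny.com zone files and Cloudflare's published list (https://www.cloudflare.com/ips-v4) are one IPv4 CIDR per line, firewalld has ipset support, and the sample zone file at the bottom is constructed from documentation ranges. Without APPLY=1 it only prints the firewall-cmd calls, so it can be read and run offline.

```shell
#!/bin/sh
# Editor's example, not from the thread or from CSF/Cloudflare. Two firewall
# pieces on the firewalld the topic starter already has, fed from plain
# one-CIDR-per-line files loaded into ipsets:
#  (a) block_country       drop all traffic from a country zone file
#  (b) cloudflare_only_web let only Cloudflare's ranges reach 80/443, so a
#      leaked origin IP (WHOIS, crt.sh history) cannot bypass the proxy
# Assumptions (mine): ipdeny.com zone files and https://www.cloudflare.com/ips-v4
# are one IPv4 CIDR per line; firewalld with ipset support. Unless APPLY=1 the
# firewall-cmd calls are only printed. IPv6 needs a second set (family inet6).

# Keep only well-formed IPv4 CIDR lines. A failed download leaves an HTML
# error page in the file, and one bad line makes --add-entries-from-file
# reject the whole set.
filter_ipv4_cidrs() {
  grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' "$1" |
    awk -F'[./]' '$1 < 256 && $2 < 256 && $3 < 256 && $4 < 256 && ($5 == "" || $5 <= 32)'
}

# Print or execute a firewall-cmd invocation depending on APPLY.
run() {
  if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# load_ipset NAME FILE: create a hash:net ipset NAME from the cleaned FILE.
# Refuses an empty result so a broken download cannot yield a no-op set.
load_ipset() {
  clean="$2.clean"
  filter_ipv4_cidrs "$2" > "$clean"
  if [ "$(grep -c . "$clean")" -eq 0 ]; then
    echo "load_ipset: no valid IPv4 CIDRs in $2, refusing to continue" >&2
    return 1
  fi
  run firewall-cmd --permanent --new-ipset="$1" --type=hash:net
  run firewall-cmd --permanent --ipset="$1" --add-entries-from-file="$clean"
}

# (a) block_country CC FILE: bind the set to firewalld's built-in "drop" zone.
# Source matching happens before interface matching, so this covers every
# port, SSH included: make sure your own address is not in the list.
block_country() {
  load_ipset "deny-$1" "$2" || return 1
  run firewall-cmd --permanent --zone=drop --add-source="ipset:deny-$1"
}

# (b) cloudflare_only_web FILE: a dedicated zone that only Cloudflare sources
# land in gets http/https; the default zone loses them, so direct hits on the
# origin IP get no web service. SSH and the rest stay where they were.
cloudflare_only_web() {
  load_ipset cloudflare "$1" || return 1
  run firewall-cmd --permanent --new-zone=cloudflare
  run firewall-cmd --permanent --zone=cloudflare --add-source=ipset:cloudflare
  run firewall-cmd --permanent --zone=cloudflare --add-service=http --add-service=https
  run firewall-cmd --permanent --remove-service=http --remove-service=https
}

# Constructed sample zone file (documentation ranges, not real ipdeny data),
# including the kind of junk a failed download leaves behind.
write_sample_zone() {
  cat > /tmp/xx.zone <<'EOF'
203.0.113.0/24
198.51.100.0/25
<html><body>404 Not Found</body></html>
999.1.1.1/8
192.0.2.0/33
EOF
}

write_sample_zone
block_country XX /tmp/xx.zone
run firewall-cmd --reload
```

Run as root with APPLY=1 after fetching the lists (ipdeny.com serves them under /ipblocks/data/countries/CC.zone in the layout I know; Cloudflare's is the URL above), then `firewall-cmd --reload`. The ipsets are static snapshots, so re-run the loader from cron when the lists change (delete the old set with `--delete-ipset` first, since `--new-ipset` refuses an existing name). In CSF the same deny-list is the `CC_DENY = "CN,BR"` setting in /etc/csf/csf.conf; `CC_SRC = "1"` pulls MaxMind GeoLite2, which needs a free MaxMind license key in `MM_LICENSE_KEY`, and `CC_SRC = "2"` uses the DB-IP/ipdeny/iptoasn data fuerst lists. Either way this only stops what hits the server IP directly; a box that is already weak inside (see the Lynis and sshd points earlier) is not fixed by it.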

That’s right. CSF is not able to effectively protect against DoS attacks. For that something like Cloudflare is necessary in front of your server.

CSF has some capabilities against DoS, like exchanging firewall deny rules between your own servers, protection against port flooding or obtaining IP blocks from Cloudflare, if you use it. But this probably will not help much if your server or network segments just cannot handle DoS-like network requests.