Securing your server from unwanted access is crucial, especially when it comes to blocking traffic from specific countries. In practice, configuring CSF within WHM/cPanel can be a bit finicky, but it works if you get all the dots connected. If you notice some traffic from the blocked countries still sneaking through, it’s probably because the country codes weren’t set up right or CSF needs a nudge to reload those rules.

Before diving in, make sure you have admin rights on WHM and that CSF is installed. If it isn’t, the CSF documentation walks through the installation. Usually, just running the installer script from the command line does the trick.

Step 1: Access the CSF Configuration

First off, log into your WHM. It’s the usual way:

  1. Click on Plugins.
  2. Then hit ConfigServer Security & Firewall.

Once inside, look for the button or link that says Firewall Configuration. The layout can vary a bit depending on your WHM version, but it’s usually pretty quick to spot.

Step 2: Open Firewall Configuration

In the CSF configuration tab, scroll down a good chunk till you find the section named Country Code Lists and Settings. It’s kinda hidden in the sea of options, so don’t stress if you need to scan for it.

Step 3: Manage Country Codes

This is where things get slightly weird. The main reason blocking whole countries fails is that the country code list isn’t set up right. Locate the CC Deny List field. That’s where you enter the codes for the countries you want to block. For example:

  • CN (China)
  • RU (Russia)
  • PL (Poland)

Just separate them with commas, so a typical input would look like RU,PL. One thing to note: the country codes are uppercase and have to be exact; otherwise, CSF ignores them. Weirdly enough, on some setups, you might need to restart the firewall or even the server for the changes to stick.

Pro tip: Always double-check the country codes on the IANA list. It’s possible you’re using the wrong code if it’s not working.

Step 4: Save Changes

Once you’ve got your list, scroll to the bottom, hit the Change button (or Save — depending on your WHM version), then locate and click Restart CSF + LFD. This reloads all settings and applies the block rules. Sometimes, especially on cloud or VPS setups, this step requires a bit of patience. On some servers, you might even need to restart the server itself for these rules to kick in.

Step 5: Test the Block

If you really wanna see if it works, use a VPN to connect to your site from a blocked country’s IP. Or, check the CSF logs — they’re usually in /var/log/messages or accessible via CSF log tabs in WHM.

Sometimes, websites with CDN caching or proxies can throw a wrench in the test. Behind a CDN or proxy, the firewall sees the CDN’s address rather than the visitor’s. You might also see traffic from blocked countries still getting through because the IP isn’t properly geolocated or CSF hasn’t fully applied the rules. In those cases, wait a few minutes or restart the firewall again. Of course, geolocation isn’t 100% accurate, so some edge cases exist.
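Before blaming geolocation or reload timing, it is worth ruling out the list from Step 3 itself. The script below is an added example, not part of the original article or of CSF: it assumes the CC Deny List field is saved as a CC_DENY = "..." line in a csf.conf-style file, and the function names cc_deny_value and lint_cc_list are hypothetical. It checks format only (two uppercase letters, no whitespace) plus the common UK/GB mix-up, not the full ISO 3166 list.

```shell
#!/bin/sh
# Added example: lint a CC Deny List value before restarting CSF.
LC_ALL=C; export LC_ALL   # make [A-Z] mean ASCII uppercase only

# Print the quoted value of the CC_DENY line in a csf.conf-style file.
# Assumption: the WHM field is saved as  CC_DENY = "..."  in that file.
cc_deny_value() {
    sed -n 's/^[[:space:]]*CC_DENY[[:space:]]*=[[:space:]]*"\([^"]*\)".*$/\1/p' "$1" |
        head -n 1
}

# Print one line per problem found in a comma-separated list; return 1 if any.
lint_cc_list() {
    list=$1
    rc=0
    case $list in
        *[[:space:]]*) echo "whitespace in list: '$list'"; rc=1 ;;
    esac
    old_ifs=$IFS
    IFS=,          # split on commas only, so empty entries are seen too
    set -f         # no filename expansion on odd input such as '*'
    for code in $(printf '%s' "$list" | tr -d '[:space:]'); do
        case $code in
            UK) echo "UK is not the ISO 3166-1 code for the United Kingdom, use GB"; rc=1 ;;
            [A-Z][A-Z]) ;;
            *) echo "not a two-letter uppercase code: '$code'"; rc=1 ;;
        esac
    done
    set +f
    IFS=$old_ifs
    return $rc
}

# Constructed sample standing in for the real config file.
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'CC_DENY = "RU, pl,UK,CN"' > "$sample"
if lint_cc_list "$(cc_deny_value "$sample")"; then
    echo "CC_DENY looks well-formed"
else
    echo "fix the list, then reload the rules with: csf -r"
fi
rm -f "$sample"
```

On a real server, point cc_deny_value at the live configuration file instead of the constructed sample.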

Additional Tips & Common Issues

Heads up: if blocking doesn’t work, check if CSF is using its default geolocation service (LSM or MaxMind). Sometimes, the IP database can be outdated or misconfigured, leading to false negatives. Updating MaxMind’s database can help:

    cd /var/lib/csf
    # Install the Geo::IP::PurePerl module from CPAN (sometimes needed)
    perl -MCPAN -e 'install Geo::IP::PurePerl'
    # Or just update the database if out of date
    perl /usr/local/csf/bin/CSFInstall.pl

And yeah, on one setup it worked immediately; on another, it took restarting the server or waiting a bit. Because of course, Windows/Linux has to make it harder than necessary.

Conclusion

Blocking countries in CSF within WHM/cPanel isn’t tricky once you get the hang of the config files. Just remember to double-check your country codes, restart the firewall, and test from a VPN. Geolocation-based blocks aren’t bulletproof, but they do weed out a bunch of bad traffic.

Frequently Asked Questions

How do I find the country codes?

Check the IANA ISO 3166 list — it’s pretty much the go-to. Sometimes, your server’s geolocation service uses different codes, so it’s good to verify what’s actually being used.

What if the block isn’t working after setting the codes?

Go grab a VPN and try accessing your site from a known IP in the blocked country. If it’s still up, restart CSF with the csf -r command or restart the server. Double-check the codes for typos or spacing.

Can I block specific IP addresses instead?

Of course. Use the csf -d <IP> command for quick blocking, or add them in the CSF interface’s deny list. But country blocks help automate that whole process if you’re dealing with lots of IPs from a certain region.

Summary

  • Make sure CSF is installed and running.
  • Find the CC Deny List in the config.
  • Input country codes separated by commas.
  • Save and restart CSF.
  • Test with VPN or log review.

Hopefully this shaves off a few hours for someone. Just something that worked on multiple machines. Fingers crossed this helps.