
I'm trying to get the following rule to work but it seems to be doing nothing:

# Test IP address and block by country code
SecGeoLookupDb /usr/share/GeoIP/GeoIP.dat
SecRule REMOTE_ADDR "@geoLookup" "chain,id:20,drop,msg:'Block China IP address'"
SecRule GEO:COUNTRY_CODE "@streq CN HK"

I have had the GeoIP database installed for a while and used it successfully for other purposes, so this isn't the problem.

As it stands, the above rule does nothing: no error, and no blocking. Given the huge amount of China-based traffic I've been receiving, the logs should be absolutely full...

The version of ModSecurity I'm running is 2.9.2-ubuntu18.04.19091318 and the server is running Plesk. I'm wondering if there is anything else that I need to set up to get this working, or if there is at least any way of testing the various layers...

Edit: I set up ModSecurity debugging and there are lots of entries showing:

No geo data for "IP_ADDRESS_HERE" (country 0).

Not sure why it wouldn't be finding any of these, as the GeoIP.dat file is there and I can successfully run geoiplookup from the command line.

2 Answers


You have the following:

SecRule GEO:COUNTRY_CODE "@streq CN HK"

Meaning the country code has to exactly match "CN HK", when in reality it will be CN or HK.

I think you want the following to match any one of the listed countries.

SecRule GEO:COUNTRY_CODE "@pm CN HK"
Barry Pollard
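The operator fix from this answer combined with a non-blocking diagnostic rule that exercises the lookup layer, as an added example rather than code from the question or the answer. The database path is the one from the question; rule ids 20 and 21, the phase setting and the log message text are my own choices:

```apache
# Legacy MaxMind country database (path taken from the question).
SecGeoLookupDb /usr/share/GeoIP/GeoIP.dat

# Diagnostic rule (added here): run the lookup on every request and log the
# resolved country without blocking. @geoLookup only matches when the lookup
# succeeds, so if this message never appears in the error log the lookup
# layer itself is failing (the "No geo data ... (country 0)" debug entries)
# and no blocking rule can work, however it is written.
SecRule REMOTE_ADDR "@geoLookup" \
    "id:21,phase:1,pass,log,msg:'GEO lookup: country=%{GEO.COUNTRY_CODE}'"

# Blocking rule. @streq compares the whole value, so "@streq CN HK" can never
# equal a two-letter code; @pm matches any one of the listed tokens.
SecRule REMOTE_ADDR "@geoLookup" \
    "chain,id:20,phase:1,drop,log,msg:'Block China/Hong Kong IP address'"
    SecRule GEO:COUNTRY_CODE "@pm CN HK"
```

Because country codes are always two letters, @pm cannot match a substring here, but an anchored regex such as `@rx ^(?:CN|HK)$` expresses the intent unambiguously if the list grows. Two caveats a practitioner should check before trusting either rule: phase:1 drops the connection before the request body is read, which is what you want for a pure source-address block; and REMOTE_ADDR is the address of whatever connected to Apache, so if a reverse proxy sits in front (Plesk commonly puts nginx in front of Apache) the lookup is done on the proxy's address, not the client's, and the real client IP has to be restored first (for example with mod_remoteip) before geolocation means anything.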

What is the output when you configure libModSecurity for compilation?

You should have some output such as:

ModSecurity - v3.x.x for Linux

Optional dependencies + GeoIP/MaxMind ....found

Pixel