[Resolved]lsws + mod_geoip + modsec = fail

[DraCoola]

I have try mod_geoip and combined with mod security as below :

--------------------------------------------------------------------------------------
>> http://dev.maxmind.com/geoip/legacy/mod_geoip2/

>> http://www.modsecurity.org/projects/modsecurity/apache/feature_geo_ip_lookups.html
--------------------------------------------------------------------------------------

After mod_geoip and db binary file from MaxMind installed, lsws v4.2.6 - v4.2.5 - v4.2.4 are always ignoring this basic rule :

SecGeoLookupDb /path/to/directory-of/GeoIP.dat
SecRule REMOTE_ADDR "@geoLookup" "chain,drop,msg:'Non-UK IP address'"
SecRule GEO:COUNTRY_CODE "!@streq UK" "t:none"

But then I'm switching to apache and, voila! the rule above get just work as expected.


While using lsws, I have done setting Yes/No for "Enable IP GeoLocation" LiteSpeed option and also placing the righ path for "IP to GeoLocation DB".

I hope there will be an lsws bug fix patch or new version launch regarding to this "SecGeoLookupDb" and "@geoLookup" operator issue/bug.

 

[poirot]

This does not work since the beginning.
In theory, you may try to verify GeoIP match also via enviroement variables,
if you have a working standard LSWS+GeoIP setup already.
( phpinfo -> _SERVER["GEOIP_COUNTRY_CODE"] to verify )
Server should pass env variables to mod_security related code.
Frankly, I never tested that.
LSWS mod_security module is "wicked", so I left playing with it after a while.

 

[DraCoola]

Hi poirot,

Yes geoip with lsws is just work fine with lsphp5.
But this time I need to use lsws + mod_geoip with mod security in purpose to automatically drop all of brute-force-bot POST and GET access from bad countries to /wp-login.php, /administrator/index.php, etc.

Because those brute-force-bot working everyday and all day long and sometimes really hog my server resource.
And the super bad thing is :
If /wp-login.php were able to login because of those continous password dictionary attack, hacker will continue to install fake wordpress plugin/theme which contain many kinds of mail bomber script and then start to send thousands of spam emails to everywhere destinations in this world.

So I'am deeply hope that lsws implementation for this @geoLookup operator will be not as very hard as @rbl operator
Because queries will running directly from geoip database inside the same server.

 

[NiteWave]

geoip works with mod_rewrite as well.
how about block these requests in rewrite rules as a workaround ?

while I have no objection to your request.

 

[DraCoola]

Thank you NiteWave for your kind suggestion.
But it will be very hard to ask thousands of wordpress/joomla/drupal owner to modify into their .htaccess of each website that they have.

So it will be more effective doing that -login page blocking- from server side by mod security.
And I will be thankful if LiteSpeed finally do that.

 

[mistwang]

We add that to our LSWS 5.0 to-do list.

 

[mistwang]

However, in the mean time,

SecRule GEOIP_COUNTRY_CODE "!@streq UK" "t:none"

might work.

 

[DraCoola]

Hi George so many thanks for adding this to lsws 5.0 to-do list.
By the way I did try your suggestion and found error result after save httpd.conf :

Failed to generate a syntactically correct Apache configuration.
Bad configuration file located at /usr/local/apache/conf/httpd.conf.work.kRCRSXH0Hf2rWj3r
Error:
Configuration problem detected on line 48 of file /usr/local/apache/conf/modsec2.user.conf:	Error creating rule: Unknown variable: GEOIP_COUNTRY_CODE

Evidently GEOIP_COUNTRY_CODE syntax is unknown for mod_security it self.

 

[mistwang]

add
<IfModule LiteSpeed>
...
</IfModule>

around it.

 

[DraCoola]

<IfModule LiteSpeed>
SecGeoLookupDb /path/to/directory-of/GeoIP.dat
SecRule REMOTE_ADDR "@geoLookup" "chain,drop,msg:'Non-UK IP address'"
SecRule GEOIP_COUNTRY_CODE "!@streq UK" "t:none"
</IfModule>

That bring successfuly httpd.conf save without error.
But it still cannot drop connection from any other location than UK.

SecGeoLookupDb /path/to/directory-of/GeoIP.dat
SecRule REMOTE_ADDR "@geoLookup" "chain,drop,msg:'Non-UK IP address'"
<IfModule LiteSpeed>
SecRule GEOIP_COUNTRY_CODE "!@streq UK" "t:none"
</IfModule>

Above method generating error after save httpd.conf and cannot drop connection other than UK location

 

[mistwang]

SecRule ENV:GEOIP_COUNTRY_CODE "!@streq UK" "t:none"

it should be.

 

[DraCoola]

Thank you, George.
Using SecRule ENV:GEOIP_COUNTRY_CODE makes httpd.conf keep fine even with or without <IfModule LiteSpeed>.....</IfModule>

But I am so sorry, it's still bypass all of incoming http connection.

 

[mistwang]

Please force reinstall 4.2.7 see if it works.

 

[DraCoola]

Thanks for the latest build of 4.2.7.

I perform /usr/local/lsws/admin/misc/lsup.sh -f -v 4.2.7
And continue tryng various combination methods of GEO:COUNTRY_CODE and ENV:GEOIP_COUNTRY_CODE as before.
And also add and remove <IfModule LiteSpeed></IfModule>.

But unfortunately it still ignoring the @streq value, George.

 

[mistwang]

how about just use regular pattern match?
Make sure the GeoIP setup is working properly, and GEOIP_XXXX variables appear in a phpinfo() page.

 

[DraCoola]

Using regular pattern match also doesn't bring an expected action.
It seems lsws does not recognize any value inside @streq or !@streq and just pass it.

And GeoIP setup showing correct variables through phpinfo() :

_SERVER["GEOIP_COUNTRY_CODE"]	CA
_SERVER["GEOIP_COUNTRY_NAME"]	Canada
_SERVER["GEOIP_CONTINENT_CODE"]	NA

Perhaps you have any additonal way more to make this GEO:COUNTRY_CODE works?
It will be useful to secure chosen website files from brute force/flood/spam, without the need to block the entire specific country from server.

 

[mistwang]

Please try updated 4.2.7 .
The previous build works for me. Maybe need to enable modsec debug logging to find out what happened with that rule.

 

[DraCoola]

Hi george, thank you for update.
Would you mind to write down your exact rule that were works at your labs so I can try that also?
Because mine won't work until now.

 

[DraCoola]

By the way, congratulations for your new web and forum interface

 

[DraCoola]

What kind of complete rule that suppose to use to make this work?