RFE: GEO support for ModSecurity

[innovot]

Please enable support for GEO based rules within ModSecurity as they are a very effective way of blocking threats.

[ERROR] [ModSecurity] unknown server variable while parsing: GEO:COUNTRY_CODE

 

[mistwang]

This one can be added easily.

 

[innovot]

Awesome

 

[mistwang]

Should be available in 5.0.4 release now.
/usr/local/lsws/admin/misc/lsup.sh -f -v 5.0.4

You need to configure GeoIP stuff through LiteSpeed Web Console first, ModSecurity's GeoIP related configuration does not work.

 

[innovot]

*stuff* perhaps an explanation would be helpful please ?

 

[mistwang]

"stuff" refers to SecGeoLookupDb configuration, it wont work with litespeed. GeoIP DB must be set in LiteSpeed native configuration.

 

[innovot]

Hello mistwang,

Have upgraded to 5.0.4 and set up the LS native GeoIP DB in the control panel. No hits yet which has made me suspicious of whether it is working or not so I have switched on debugging and see:

error_log:2015-08-05 12:55:00.116 [DEBUG] [/etc/httpd/modsecurity.d/innovot.conf:3] processing direcitve: SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:999999,pass,msg:'INNOVOT WAF Rules - Blocking Wordpress Login Attempt by Country Code'".
error_log:2015-08-05 12:55:00.116 [DEBUG] [/etc/httpd/modsecurity.d/innovot.conf:4] processing direcitve: SecRule GEO:COUNTRY_CODE "@pm BR BY CN RU KZ UA".

then to perform the block we use the following stanza:

<LocationMatch /wp-login.php>
<IfModule mod_security2.c>
SecRuleUpdateActionById 999999 "chain,deny,log,status:403"
</IfModule>
</LocationMatch>

Can you see anything wrong with the configuration please ? Thank you.

 

[mistwang]

LiteSpeed does not support "SecRuleUpdateActionById". Just move that rule to <LocationMatch /wp-login.php> ...</LocationMatch>

You can turn on ModSecurity debug logging with "SecDebugLogLevel 9" to find out what happened.

 

[innovot]

Ah that will explain it Will that be added ?