[mod-security-users] Blocking Open Proxies using GEO
From: Liddy <lid...@gm...> - 2011-01-09 17:57:40
I am currently blocking countries via the following ruleset:

SecGeoLookupDb /home/base/modsecurity/GeoIP.dat
SecRule REMOTE_ADDR|REQUEST_HEADERS:X-Forwarded-For "@geoLookup" "phase:1,nolog,status:411,drop,msg:'Country Code',chain"
SecRule GEO:COUNTRY_CODE "@rx (CN|RU|TR|CZ|ID|VE|RO|AE|LV|UA|MD|HU|VE|CO|PS|BR|RS)" "t:none"

And I ID proxy routing by checking the X-Forwarded-For header.

What I would like to do is chain a ruleset together that would do this...

* Get remote IP country id
* Get X-Forwarded-For country id
* If the two don't match, block.

This should stop 90% of the badly configured / default settings open proxies and save me from ID-ing and blocking proxies by hand.

I've tried to do this a number of times but failed. Any suggestions how to construct a rule that can do that?

Liddy
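
One way to express the three steps asked about above, as an added example that is not part of the original message or of any ModSecurity-supplied rule set. It assumes ModSecurity 2.x, the GeoIP database path from the post, an X-Forwarded-For header holding a single IPv4 address, and placeholder rule ids (1000100 to 1000102) and variable names (tx.remote_cc, tx.xff_cc) chosen for illustration.

```apache
# Added example: compare the country of the connecting address with the
# country of the address claimed in X-Forwarded-For.
# Rule ids and TX variable names below are placeholders, not from the post.
SecGeoLookupDb /home/base/modsecurity/GeoIP.dat

# Step 1: look up the connecting address. The rule only matches (and the
# setvar only runs) when the lookup succeeds.
SecRule REMOTE_ADDR "@geoLookup" \
    "id:1000100,phase:1,pass,nolog,t:none,\
setvar:tx.remote_cc=%{geo.country_code}"

# Step 2: look up X-Forwarded-For, but only when it is one dotted-quad
# address. A comma-separated list or garbage value is skipped rather than
# fed to @geoLookup. This second lookup overwrites the GEO collection,
# which is why step 1 saved its result in TX first.
SecRule REQUEST_HEADERS:X-Forwarded-For "@rx ^\d{1,3}(?:\.\d{1,3}){3}$" \
    "id:1000101,phase:1,pass,nolog,t:none,chain"
    SecRule REQUEST_HEADERS:X-Forwarded-For "@geoLookup" \
        "setvar:tx.xff_cc=%{geo.country_code}"

# Step 3: block when both lookups produced a country code and they differ.
# If tx.xff_cc was never set (no header, unparsable header, failed lookup)
# the first rule has no target and the chain does not fire.
SecRule TX:xff_cc "!@streq %{tx.remote_cc}" \
    "id:1000102,phase:1,deny,status:403,log,t:none,\
msg:'X-Forwarded-For country differs from client country',chain"
    SecRule TX:remote_cc "!@rx ^$" "t:none"
```

X-Forwarded-For is supplied by the client side, so this only flags proxies that add the header honestly; it will also match legitimate users whose corporate gateway, CDN or mobile carrier egresses in another country. Running rule 1000102 with `pass,log` before switching to `deny` shows how many such requests there are.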