[mod-security-users] Geo Proxy Blocking - I WANT THIS!
From: Liddy <lid...@gm...> - 2011-01-27 19:05:04
I am seeing great results from blocking proxies via mismatched country codes, but it needs a tweak if it is to be useable. Currently, any local IP in the 10 dot, 192 dot or 127 dot range is classified as country code CG, therefore ALL local proxying is blocked. This is a big false positive that traps mobile phones, twitterbot, satellite and others.

I thought I could use a simple skipnext rule but it is unsupported by mod_sec 2.5.13 - huh? So without using skipnext, how can I get this rule to NOT block if the x-fwd is a defined local IP?

Current rule:

SecRule REQUEST_HEADERS:X-Forwarded-For "@geoLookup" "chain,phase:1,t:none,block,msg:'GEO Mismatch FWD/REMOTE',logdata:'IP Country is: %{geo.country_code} and X-Forwarded-For is: %{tx.geo_x-forwarded-for}', setvar:tx.geo_x-forwarded-for=%{geo.country_code},id:999997"
SecRule REMOTE_ADDR "@geoLookup" "chain,t:none"
SecRule GEO:COUNTRY_CODE "!@streq %{tx.geo_x-forwarded-for}" "t:none"

Chain this to the end?

SecRule REQUEST_HEADERS:X-Forwarded-For "!(^10\.|^192\.)" "t:none"

I want this rule! I just can't figure out how to make it work - help!

Liddy
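
One way to get the exemption without a skip action, as an added example that is not part of the original post: make the negated private-address match the first rule of the chain, so the geo comparison only runs when X-Forwarded-For is not a loopback or private address. It assumes SecGeoLookupDb is already configured, narrows the poster's `^192\.` to `192.168.`, and adds the 172.16.0.0/12 range, which the post does not mention.

```apache
# Added example; assumes SecGeoLookupDb already points at a GeoIP database.
#
# Rule 1 (chain starter): continue only when X-Forwarded-For does NOT begin
# with a loopback or RFC 1918 private prefix. When the header is absent there
# is no target to evaluate, so the chain never matches.
# The disruptive action, id, msg and logdata must live on the chain starter.
SecRule REQUEST_HEADERS:X-Forwarded-For "!@rx ^(?:10\.|127\.|192\.168\.|172\.(?:1[6-9]|2[0-9]|3[01])\.)" \
    "chain,phase:1,t:none,block,id:999997,msg:'GEO Mismatch FWD/REMOTE',logdata:'IP Country is: %{geo.country_code} and X-Forwarded-For is: %{tx.geo_x-forwarded-for}'"

# Rule 2: look up the forwarded address and remember its country code.
SecRule REQUEST_HEADERS:X-Forwarded-For "@geoLookup" \
    "chain,t:none,setvar:tx.geo_x-forwarded-for=%{geo.country_code}"

# Rule 3: look up the connecting address; this overwrites the GEO collection.
SecRule REMOTE_ADDR "@geoLookup" "chain,t:none"

# Rule 4: the chain matches (and blocks) only if the two countries differ.
SecRule GEO:COUNTRY_CODE "!@streq %{tx.geo_x-forwarded-for}" "t:none"
```

X-Forwarded-For is a client-supplied header, so the exemption should be read as a false-positive reduction rather than a trust decision about the request.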