Re: [mod-security-users] mod_maxminddb support
From: Marc S. <mar...@ap...> - 2018-09-07 10:54:23
Here is how I use it (simplified version):
Initialisation:
# TX.remote_addr contains the IP I want to use, depending on reverse proxy, ...
SecAction "phase:1,nolog,setenv:MMDB_ADDR=%{TX.remote_addr}"
# Enable MaxMindDB
MaxMindDBEnable On
MaxMindDBFile CITY_DB "path_to_the_DB"
MaxMindDBEnv geo_country_code CITY_DB/country/iso_code
Block a country (e.g. Japan):
SecRule ENV:geo_country_code "@streq JP" "phase:2,t:none,deny"
Regards
*Marc Stern*
Approach Belgium <https://www.approach.be>
Axis Park - Rue Edouard Belin 7 - 1435 Mont-Saint-Guibert - Belgium
Follow us: <https://www.linkedin.com/company/16513/>
<https://twitter.com/ApproachBe>
/*Inspiring the cyber-security community*/
On 06-09-18 15:28, Christian Folini wrote:
> Hey Marc,
>
> This sounds very good. Thank you for your work.
>
> Could you give an example of how we can integrate the mod_maxminddb and
> the new db into ModSecurity. Say use a 2-letter country code in a SecRule
> construct? I have not tried this out yet.
>
> Best,
>
> Christian
>
> On Thu, Sep 06, 2018 at 09:22:00AM +0200, Marc Stern wrote:
>> As you know, the geo-localisation databases used by ModSecurity are no longer
>> updated.
>> Maxmind, the databases provider, developed a new DB format and provides its
>> own module (mod_maxminddb).
>> mod_maxminddb was lacking a feature to integrate it smoothly with
>> ModSecurity: setting the IP address from inside a rule. I introduced this
>> feature some time ago and I'm happy to announce that this patch was merged
>> in Maxmind's code and is thus officially part of the module.
>> You can now set an environment variable in a rule - in (real) phase 1 - and
>> mod_maxminddb will use this IP address as source.
>> Note that, for most uses, mod_remote_ip is an easier solution.
>>
>> *Marc Stern*
>> Approach Belgium <https://www.approach.be>
>> Axis Park - Rue Edouard Belin 7 - 1435 Mont-Saint-Guibert - Belgium
>> Follow us: <https://www.linkedin.com/company/16513/>
>> <https://twitter.com/ApproachBe>
>> /*Inspiring the cyber-security community*/
>>
>> ------------------------------------------------------------------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>> _______________________________________________
>> mod-security-users mailing list
>> mod...@li...
>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>> http://www.modsecurity.org/projects/commercial/rules/
>> http://www.modsecurity.org/projects/commercial/support/
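The setup from the reply above with the step that fills TX.remote_addr written out, as an added example that is not part of the original messages. It assumes a single trusted reverse proxy at the placeholder address 192.0.2.10, arbitrary rule ids in the 900100 range, and the same "path_to_the_DB" placeholder. X-Forwarded-For is honoured only when the TCP peer is that proxy, so a client connecting directly cannot pick its own country by sending the header.

```apache
# Added example, not from the original thread.
# Assumptions: 192.0.2.10 is the only trusted reverse proxy (placeholder),
# rule ids are arbitrary, "path_to_the_DB" is the placeholder used above.

# 1. Default: geo-locate the TCP peer address.
SecAction "id:900100,phase:1,pass,nolog,\
    setvar:tx.remote_addr=%{REMOTE_ADDR}"

# 2. Only if the peer is the trusted proxy, use the last X-Forwarded-For
#    entry, which is the address that proxy itself saw and appended.
#    Earlier entries are client-supplied and must not be used.
SecRule REMOTE_ADDR "@ipMatch 192.0.2.10" \
    "id:900101,phase:1,pass,nolog,t:none,chain"
    SecRule REQUEST_HEADERS:X-Forwarded-For "@rx ([0-9A-Fa-f:.]+)\s*$" \
        "t:none,capture,setvar:tx.remote_addr=%{TX.1}"

# 3. Hand the chosen address to mod_maxminddb.
SecAction "id:900102,phase:1,pass,nolog,\
    setenv:MMDB_ADDR=%{TX.remote_addr}"

# 4. mod_maxminddb: look up the country for MMDB_ADDR.
MaxMindDBEnable On
MaxMindDBFile CITY_DB "path_to_the_DB"
MaxMindDBEnv geo_country_code CITY_DB/country/iso_code

# 5. Block a country (JP, as in the example above) and log the match.
SecRule ENV:geo_country_code "@streq JP" \
    "id:900110,phase:2,t:none,deny,status:403,log,\
    msg:'Request from blocked country',\
    logdata:'country=%{MATCHED_VAR} addr=%{TX.remote_addr}'"
```

If the lookup finds no country, geo_country_code is unset and the rule in step 5 does not match, so addresses missing from the database are allowed through.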