Re: [mod-security-users] Geo Blocking with new maxmind Database
From: homesh j. <ho...@gm...> - 2020-04-13 14:21:38
Hi Blason,

I have not used Nginx because, as per the Modsec official site, modsec 3.0 is not yet fully stable for Nginx ( https://modsecurity.org/download.html ). The Modsec 3.2.0 you are referring to is the Modsec CRS rule version. Your modsec version will be 3.0.X.

I would suggest using Apache 2.4 as a reverse proxy with modsecurity 2.9.3, which is very stable. You can configure modsecurity 2.9.3 to log in JSON format and send the logs to elasticsearch using filebeat and view them on Kibana. (Warning! Managing ELK requires some good training and experience :) ) Consider adding kafka or redis to manage spikes in log volume (e.g. when someone runs a vulnerability scan on your web app, modsec will generate lots of logs).

The lines below will be required in your config to log in JSON format:

SecAuditLogParts ABEFHIJZ
SecAuditLogFormat JSON

Hope this helps.

Thanks,
Homesh

On Mon, Apr 13, 2020 at 7:14 PM Blason R <bla...@gm...> wrote:
> That is a good idea Homesh and many thanks for the input. However I am using
> nginx as reverse proxy and just starting with modsecurity in reverse proxy.
>
> Just curious to know how are you analyzing the log files? ELK or any other?
>
> On Mon, Apr 13, 2020 at 6:56 PM homesh joshi <ho...@gm...> wrote:
>
>> Dear Blason,
>>
>> This is how I am using it with Apache 2.4 and modsec 2.9.3
>>
>> SecGeoLookupDb /File-path-for-maxmind4.dat/maxmind4.dat
>> SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:28,drop,msg:'Geolocation Blocked'"
>> SecRule GEO:COUNTRY_CODE "@pm PK CN PE"
>>
>> Yes, with modsec 2.9 you need the db file in legacy dat format.
>> On searching it on google I found this third party URL where the maxmind db
>> file in DAT format is available.
>>
>> https://dl.miyuru.lk/geoip/maxmind/city/maxmind4.dat.gz
>>
>> Hope this helps
>>
>> Thanks,
>> Homesh
>>
>> On Mon, Apr 13, 2020 at 6:15 PM Blason R <bla...@gm...> wrote:
>>
>>> Hi Folks,
>>>
>>> Can someone please divert me to the documentation for configuring Geo
>>> blocking with CRS modsec rules? I tried downloading the maxmind db but
>>>
>>> 1. After the change of maxmind DB, what is the way to download the maxmind
>>> GeoIP2 database? How can we enable scheduling as well?
>>> 2. Since default GeoIpv2 downloads in .mmdb format I guess nginx refuses
>>> to start
>>>
>>> Nginx 1.17.9
>>> Modsec 3.2.0
>>>
>>> TIA
>>> blason R
>>> _______________________________________________
>>> mod-security-users mailing list
>>> mod...@li...
>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>>> http://www.modsecurity.org/projects/commercial/rules/
>>> http://www.modsecurity.org/projects/commercial/support/
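The thread recommends turning on `SecAuditLogFormat JSON` and shipping the audit log to ELK, and earlier shows a chained geo rule (`id:28`, `msg:'Geolocation Blocked'`, `drop`). The script below is an added example, not code from the list posts or from the ModSecurity project: it parses a serial JSON audit log offline, skips malformed lines instead of crashing (the kind of thing that happens when a log is rotated mid-write), and pulls out the transactions the geo rule intercepted, so a defender can see per-country and per-source counts before, or instead of, building Kibana dashboards. The field layout it reads (`transaction.remote_address`, `request.request_line`, `audit_data.messages`, `audit_data.action.intercepted`) follows ModSecurity 2.9's JSON output as I know it and is an assumption here; the sample log entries are constructed, using RFC 5737 documentation addresses, and the non-geo rule id 1001 is a made-up local rule.

```python
import json
import re
from collections import Counter

# ModSecurity appends bracketed tags to every audit message,
# e.g. ... [id "28"] [msg "Geolocation Blocked"]; this captures key/value pairs.
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# The @pm operator reports which phrase (country code) matched against GEO:COUNTRY_CODE.
PHRASE_RE = re.compile(r'Matched phrase "([^"]+)" at GEO:COUNTRY_CODE')

# Constructed sample log (not real traffic), one JSON object per line as with
# SecAuditLogType Serial + SecAuditLogFormat JSON. Field names are an assumption
# based on ModSecurity 2.9.x JSON output. Line 3 is deliberately malformed.
SAMPLE_LOG = r'''
{"transaction":{"time":"13/Apr/2020:14:21:38 +0000","transaction_id":"c0ffee01","remote_address":"198.51.100.7","remote_port":51234,"local_address":"10.0.0.5","local_port":443},"request":{"request_line":"GET /login HTTP/1.1","headers":{"Host":"www.example.test"}},"audit_data":{"messages":["Access denied with connection close (phase 1). Matched phrase \"PK\" at GEO:COUNTRY_CODE. [file \"/etc/modsecurity/geo.conf\"] [line \"3\"] [id \"28\"] [msg \"Geolocation Blocked\"]"],"action":{"intercepted":true,"phase":1,"message":"Matched phrase \"PK\" at GEO:COUNTRY_CODE."},"producer":"ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/)","engine_mode":"ENABLED"}}
{"transaction":{"time":"13/Apr/2020:14:22:01 +0000","transaction_id":"c0ffee02","remote_address":"203.0.113.9","remote_port":40022,"local_address":"10.0.0.5","local_port":443},"request":{"request_line":"GET / HTTP/1.1","headers":{"Host":"www.example.test"}},"audit_data":{"messages":["Warning. Operator EQ matched 0 at ARGS. [id \"1001\"] [msg \"Constructed local test rule\"]"],"action":{"intercepted":false},"producer":"ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/)","engine_mode":"DETECTION_ONLY"}}
this line is not JSON and must be skipped rather than abort the run
{"transaction":{"time":"13/Apr/2020:14:22:45 +0000","transaction_id":"c0ffee03","remote_address":"198.51.100.7","remote_port":51300,"local_address":"10.0.0.5","local_port":443},"request":{"request_line":"POST /api/v1/session HTTP/1.1","headers":{"Host":"www.example.test"}},"audit_data":{"messages":["Access denied with connection close (phase 1). Matched phrase \"PK\" at GEO:COUNTRY_CODE. [file \"/etc/modsecurity/geo.conf\"] [line \"3\"] [id \"28\"] [msg \"Geolocation Blocked\"]"],"action":{"intercepted":true,"phase":1,"message":"Matched phrase \"PK\" at GEO:COUNTRY_CODE."},"producer":"ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/)","engine_mode":"ENABLED"}}
{"transaction":{"time":"13/Apr/2020:14:23:10 +0000","transaction_id":"c0ffee04","remote_address":"192.0.2.44","remote_port":60001,"local_address":"10.0.0.5","local_port":443},"request":{"request_line":"GET /robots.txt HTTP/1.1","headers":{"Host":"www.example.test"}},"audit_data":{"messages":["Access denied with connection close (phase 1). Matched phrase \"CN\" at GEO:COUNTRY_CODE. [file \"/etc/modsecurity/geo.conf\"] [line \"3\"] [id \"28\"] [msg \"Geolocation Blocked\"]"],"action":{"intercepted":true,"phase":1,"message":"Matched phrase \"CN\" at GEO:COUNTRY_CODE."},"producer":"ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/)","engine_mode":"ENABLED"}}
'''


def parse_tags(message):
    """Return the bracketed tags of one audit message as a dict, e.g. {'id': '28', 'msg': '...'}."""
    return dict(TAG_RE.findall(message))


def parse_entries(text):
    """Parse one JSON object per line. Returns (entries, number_of_malformed_lines)."""
    entries, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1  # count and move on; a torn line must not stop the whole import
    return entries, bad


def geo_blocks(entries, rule_id="28"):
    """Return (remote_address, country_code, request_line) for every transaction
    that was intercepted and carries a message from the geo rule."""
    hits = []
    for e in entries:
        audit = e.get("audit_data", {})
        if not audit.get("action", {}).get("intercepted"):
            continue  # warnings in DetectionOnly mode are not blocks
        for msg in audit.get("messages", []):
            if parse_tags(msg).get("id") != rule_id:
                continue
            m = PHRASE_RE.search(msg)
            country = m.group(1) if m else "??"
            hits.append((e["transaction"]["remote_address"], country,
                         e["request"]["request_line"]))
    return hits


def summarize(hits):
    """Aggregate geo blocks by country code and by source address."""
    by_country = Counter(country for _, country, _ in hits)
    by_ip = Counter(ip for ip, _, _ in hits)
    return by_country, by_ip


if __name__ == "__main__":
    entries, bad = parse_entries(SAMPLE_LOG)
    hits = geo_blocks(entries)
    by_country, by_ip = summarize(hits)
    print(f"parsed {len(entries)} entries, skipped {bad} malformed line(s)")
    for ip, country, req in hits:
        print(f"  blocked {ip} ({country}): {req}")
    print("by country:", dict(by_country))
    print("by source :", dict(by_ip))
```

The `intercepted` check matters: the same rule logs a message in `DetectionOnly` mode without dropping the request, so counting on rule id alone would overstate what was actually blocked. To run this against a real file, replace `SAMPLE_LOG` with the contents of the path given to `SecAuditLog`.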