Re: [mod-security-users] Geo Blocking with new maxmind Database
From: Blason R <bla...@gm...> - 2020-04-13 14:36:39
Thanks man and really appreciate your detailed response. However I am very much fine with Nginx but just starting with Modsec and need to build a solid understanding. Any tips would be much appreciated :))

On Mon, Apr 13, 2020 at 7:54 PM homesh joshi <ho...@gm...> wrote:

> Hi Blason,
>
> I have not used Nginx because as per Modsec official site modsec 3.0 is
> not yet fully stable for Nginx. ( https://modsecurity.org/download.html )
> The Modsec 3.2.0 you are referring to is the Modsec CRS rule version.
> Your modsec version will be 3.0.X
> I would suggest using Apache 2.4 in reverse proxy with modsecurity 2.9.3
> which is very stable.
> You can configure modsecurity 2.9.3 to log in JSON format and send the
> logs to elasticsearch using filebeat and view it on Kibana. ( Warning !
> managing ELK requires some good training and experience :) ) Consider
> adding kafka or redis to manage the spike in log volume ( e.g. when someone
> runs a vulnerability scan on your web app, modsec will generate lots of logs)
>
> The lines below will be required in your config to log in JSON format.
>
> SecAuditLogParts ABEFHIJZ
> SecAuditLogFormat JSON
>
> Hope this helps.
>
> Thanks,
> Homesh
>
>
> On Mon, Apr 13, 2020 at 7:14 PM Blason R <bla...@gm...> wrote:
>
>> That is a good idea Homesh and many thanks for the input. However I am
>> using nginx as reverse proxy and just starting with modsecurity in reverse
>> proxy.
>>
>> Just curious to know how are you analyzing the log files? ELK or any
>> other?
>>
>> On Mon, Apr 13, 2020 at 6:56 PM homesh joshi <ho...@gm...> wrote:
>>
>>> Dear Blason,
>>>
>>> This is how I am using it with Apache 2.4 and modsec 2.9.3
>>>
>>> SecGeoLookupDb /File-path-for-maxmind4.dat/maxmind4.dat
>>> SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:28,drop,msg:'Geolocation Blocked'"
>>> SecRule GEO:COUNTRY_CODE "@pm PK CN PE"
>>>
>>> Yes, with modsec 2.9 you need the db file in legacy dat format.
>>> On searching it on google I found this third party URL where a maxmind db
>>> file in DAT format is available.
>>>
>>> https://dl.miyuru.lk/geoip/maxmind/city/maxmind4.dat.gz
>>>
>>> Hope this helps
>>>
>>> Thanks,
>>> Homesh
>>>
>>>
>>> On Mon, Apr 13, 2020 at 6:15 PM Blason R <bla...@gm...> wrote:
>>>
>>>> Hi Folks,
>>>>
>>>> Can someone please divert me to the documentation for configuring Geo
>>>> blocking with CRS modsec rules? I tried downloading the maxmind db but
>>>>
>>>> 1. After the change of maxmind DB what is the way to download the maxmind
>>>> GeoIP2 database? How can we enable scheduling as well?
>>>> 2. Since default GeoIpv2 downloads in .mmdb format I guess nginx refuses
>>>> to start
>>>>
>>>> Nginx 1.17.9
>>>> Modsec 3.2.0
>>>>
>>>> TIA
>>>> blason R
>>>> _______________________________________________
>>>> mod-security-users mailing list
>>>> mod...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>>>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>>>> http://www.modsecurity.org/projects/commercial/rules/
>>>> http://www.modsecurity.org/projects/commercial/support/
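As an added example, not code from the thread or from the ModSecurity project: a small Python script that reads newline-delimited JSON audit records of the kind `SecAuditLogFormat JSON` produces and pulls out the events generated by the geo-block rule quoted above (id 28, msg 'Geolocation Blocked'), giving a per-country count that can be checked before the logs are shipped to ELK. The sample records are constructed, and their field layout is an assumption approximating ModSecurity 2.9's JSON output, trimmed to the fields the script reads.

```python
import json
import re
from collections import Counter

# Constructed sample: three newline-delimited audit records in the shape of
# ModSecurity 2.9 "SecAuditLogFormat JSON" output (layout is an assumption,
# trimmed to the fields read below). Messages mirror the chained geo rule
# from the thread (id 28, msg 'Geolocation Blocked') plus one CRS warning.
SAMPLE_AUDIT_LOG = r'''
{"transaction":{"time":"13/Apr/2020:14:36:39 +0000","transaction_id":"Xpa1","remote_address":"203.0.113.5","remote_port":51234,"local_address":"192.0.2.10","local_port":443},"request":{"request_line":"GET /login HTTP/1.1","headers":{"Host":"www.example.com"}},"audit_data":{"messages":["Access denied with connection close (phase 1). Matched phrase \"CN\" at GEO:COUNTRY_CODE. [file \"/etc/modsecurity/geo.conf\"] [line \"3\"] [id \"28\"] [msg \"Geolocation Blocked\"]"],"engine_mode":"ENABLED"}}
{"transaction":{"time":"13/Apr/2020:14:37:02 +0000","transaction_id":"Xpa2","remote_address":"198.51.100.7","remote_port":40001,"local_address":"192.0.2.10","local_port":443},"request":{"request_line":"GET / HTTP/1.0","headers":{}},"audit_data":{"messages":["Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file \"/etc/modsecurity/crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\"] [line \"200\"] [id \"920280\"] [msg \"Request Missing a Host Header\"]"],"engine_mode":"ENABLED"}}
{"transaction":{"time":"13/Apr/2020:14:38:10 +0000","transaction_id":"Xpa3","remote_address":"203.0.113.9","remote_port":51300,"local_address":"192.0.2.10","local_port":443},"request":{"request_line":"GET / HTTP/1.1","headers":{"Host":"www.example.com"}},"audit_data":{"messages":["Access denied with connection close (phase 1). Matched phrase \"PK\" at GEO:COUNTRY_CODE. [file \"/etc/modsecurity/geo.conf\"] [line \"3\"] [id \"28\"] [msg \"Geolocation Blocked\"]"],"engine_mode":"ENABLED"}}
'''

# ModSecurity appends [name "value"] tags to every rule message; the country
# that @pm matched is only visible in the free-text part of the message.
TAG_RE = re.compile(r'\[(id|msg|file|line) "([^"]*)"\]')
COUNTRY_RE = re.compile(r'Matched phrase "([A-Z]{2})" at GEO:COUNTRY_CODE')


def rule_messages(record):
    """Yield (tags, text) for each rule message in one audit record."""
    for text in record.get("audit_data", {}).get("messages", []):
        yield dict(TAG_RE.findall(text)), text


def geo_blocks(audit_log_text, rule_id="28"):
    """Return one event per message emitted by the geo-block rule."""
    events = []
    for line in filter(None, map(str.strip, audit_log_text.splitlines())):
        record = json.loads(line)
        for tags, text in rule_messages(record):
            if tags.get("id") != rule_id:
                continue
            match = COUNTRY_RE.search(text)
            events.append({
                "time": record["transaction"]["time"],
                "client": record["transaction"]["remote_address"],
                "country": match.group(1) if match else None,
                "host": record["request"].get("headers", {}).get("Host"),
            })
    return events


def blocks_per_country(audit_log_text):
    """Count geo-block events by matched country code (None if not parsable)."""
    return Counter(event["country"] for event in geo_blocks(audit_log_text))


if __name__ == "__main__":
    for event in geo_blocks(SAMPLE_AUDIT_LOG):
        print(event)
    print(dict(blocks_per_country(SAMPLE_AUDIT_LOG)))
```

Pointing `SAMPLE_AUDIT_LOG` at the contents of the real audit log lets you confirm the geo rule fires only for the listed country codes before trusting the Kibana view.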