Re: [mod-security-users] Geo Blocking with new maxmind Database
From: Reindl H. <h.r...@th...> - 2020-04-13 14:40:53
On 13.04.20 at 16:36, Blason R wrote:
> Thanks man and really appreciate your detailed response. However I am
> very much fine with Nginx but just starting with Modsec and need to
> build a solid understanding.
>
> Any tips would be much appreciated :))

just don't insist on having modsec running on the proxy

modsec on the final destinations has worked like a charm for over 10
years here, and you have config options you can't use on a reverse
proxy anyway, like wrapping modsec options in <Directory>

> On Mon, Apr 13, 2020 at 7:54 PM homesh joshi <ho...@gm...> wrote:
>
>> Hi Blason,
>>
>> I have not used Nginx because, as per the Modsec official site, modsec
>> 3.0 is not yet fully stable for Nginx.
>> ( https://modsecurity.org/download.html )
>> What you are referring to as Modsec 3.2.0 is the Modsec CRS rule version.
>> Your modsec version will be 3.0.X.
>> I would suggest using Apache 2.4 as the reverse proxy with modsecurity
>> 2.9.3, which is very stable.
>> You can configure modsecurity 2.9.3 to log in JSON format and send the
>> logs to elasticsearch using filebeat and view them in Kibana.
>> ( Warning! Managing ELK requires some good training and experience :) )
>> Consider adding kafka or redis to manage spikes in log volume (e.g. when
>> someone runs a vulnerability scan on your web app, modsec will generate
>> lots of logs).
>>
>> The lines below will be required in your config to log in JSON format.
>>
>>     SecAuditLogParts ABEFHIJZ
>>     SecAuditLogFormat JSON
>>
>> Hope this helps.
>>
>> Thanks,
>> Homesh
>>
>> On Mon, Apr 13, 2020 at 7:14 PM Blason R <bla...@gm...> wrote:
>>
>>> That is a good idea Homesh and many thanks for the input. However I am
>>> using nginx as reverse proxy and just starting with modsecurity in
>>> reverse proxy.
>>>
>>> Just curious to know how you are analyzing the log files? ELK or any
>>> other?
>>>
>>> On Mon, Apr 13, 2020 at 6:56 PM homesh joshi <ho...@gm...> wrote:
>>>
>>>> Dear Blason,
>>>>
>>>> This is how I am using it with Apache 2.4 and modsec 2.9.3:
>>>>
>>>>     SecGeoLookupDb /File-path-for-maxmind4.dat/maxmind4.dat
>>>>     SecRule REMOTE_ADDR "@geoLookup" \
>>>>         "phase:1,chain,id:28,drop,msg:'Geolocation Blocked'"
>>>>         SecRule GEO:COUNTRY_CODE "@pm PK CN PE"
>>>>
>>>> Yes, with modsec 2.9 you need the db file in the legacy dat format.
>>>> On searching it on google I found this third-party URL where the
>>>> maxmind db file in DAT format is available.
>>>>
>>>> https://dl.miyuru.lk/geoip/maxmind/city/maxmind4.dat.gz
>>>>
>>>> Hope this helps
>>>>
>>>> Thanks,
>>>> Homesh
>>>>
>>>> On Mon, Apr 13, 2020 at 6:15 PM Blason R <bla...@gm...> wrote:
>>>>
>>>>> Hi Folks,
>>>>>
>>>>> Can someone please point me to the documentation for configuring Geo
>>>>> blocking with CRS modsec rules? I tried downloading the maxmind db but
>>>>>
>>>>> 1. After the change of the maxmind DB, what is the way to download the
>>>>>    maxmind GeoIP2 database? How can we enable scheduling as well?
>>>>> 2. Since GeoIPv2 downloads by default in .mmdb format, I guess nginx
>>>>>    refuses to start
>>>>>
>>>>> Nginx 1.17.9
>>>>> Modsec 3.2.0
>>>>>
>>>>> TIA
>>>>> blason R
>>>>> _______________________________________________
>>>>> mod-security-users mailing list
>>>>> mod...@li...
>>>>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>>>>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>>>>> http://www.modsecurity.org/projects/commercial/rules/
>>>>> http://www.modsecurity.org/projects/commercial/support/
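As an added example (not part of this thread or of ModSecurity itself), a small Python script that reads the JSON audit log the thread recommends enabling (SecAuditLogFormat JSON) and pulls out which requests the geo-block chain rule (id 28, msg 'Geolocation Blocked') dropped and from which countries, which is the kind of query one would otherwise run in Kibana. The exact JSON field layout and the message wording are assumptions, and the sample entries are constructed.

```python
import json
import re
from collections import Counter


def _entry(tx_id, addr, request_line, message):
    """One audit-log entry in the shape ModSecurity 2.9 writes with
    "SecAuditLogFormat JSON" (field names assumed; sample data constructed)."""
    return json.dumps({"transaction": {"transaction_id": tx_id, "remote_address": addr},
                       "request": {"request_line": request_line},
                       "audit_data": {"messages": [message]}})


# Message text modelled on what the chain rule from the thread (id 28, drop,
# msg 'Geolocation Blocked', @pm on GEO:COUNTRY_CODE) produces; wording is assumed.
GEO_MSG = ('Access denied with connection close (phase 1). Matched phrase "{cc}" at '
           'GEO:COUNTRY_CODE. [file "/etc/modsecurity/geo.conf"] [line "3"] '
           '[id "28"] [msg "Geolocation Blocked"]')
SAMPLE_AUDIT_LOG = "\n".join([
    _entry("TX-0001", "203.0.113.10", "GET /login HTTP/1.1", GEO_MSG.format(cc="CN")),
    _entry("TX-0002", "198.51.100.7", "POST /api/search HTTP/1.1",
           'Warning. Request body parsing failed. [file "/etc/modsecurity/modsecurity.conf"] '
           '[line "60"] [id "200002"] [msg "Failed to parse request body."]'),
    _entry("TX-0003", "192.0.2.55", "GET / HTTP/1.1", GEO_MSG.format(cc="PK")),
])

# ModSecurity attaches rule metadata to each message as [key "value"] tags.
TAG_RE = re.compile(r'\[(id|msg) "([^"]*)"\]')
PHRASE_RE = re.compile(r'Matched phrase "([A-Z]{2})" at GEO:COUNTRY_CODE')


def geo_blocks(audit_log_text, rule_id="28"):
    """Return (remote_address, country_code, request_line) for each entry in
    which the geo-block chain rule fired; one JSON object per line is expected."""
    hits = []
    for line in audit_log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        for message in entry.get("audit_data", {}).get("messages", []):
            tags = dict(TAG_RE.findall(message))
            if tags.get("id") != rule_id:
                continue
            phrase = PHRASE_RE.search(message)
            hits.append((entry["transaction"]["remote_address"],
                         phrase.group(1) if phrase else "??",
                         entry["request"]["request_line"]))
    return hits


def blocks_by_country(audit_log_text, rule_id="28"):
    """Count dropped requests per country code, e.g. to spot a noisy source."""
    return Counter(cc for _, cc, _ in geo_blocks(audit_log_text, rule_id))
```

Point `geo_blocks` at the contents of the real serial audit log once JSON logging is on; entries that matched other rules (here the constructed id 200002 one) are skipped.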