Re: [mod-security-users] ModSec / CRS: Use of GeoIP & ASN information
From: Joel W. <jo...@jo...> - 2022-10-19 01:38:02
Thanks Christian! I enjoyed the article.

I agree that ASN is underrated - I get a lot of scans from well-known and generally reputable cloud providers which operate in multiple countries, and blocking these providers seems like a much safer way to avoid false positives than doing it by country. However there is still a risk that people are using personal VPSes to run proxies or have good reasons to use services like Tor. While this is probably not a very significant proportion of people I’m reluctant to block access to customer sites outright with no recourse for these users. On the other hand, blocking access by these ASNs to specific resources like the WordPress wp-login.php page would probably be OK.

One idea I’m toying with is creating an interstitial page similar to Cloudflare’s “Checking your browser..” page. For ASNs which are problematic it would be a bit safer to force someone to perform a hCaptcha or something check before they can get through to the intended site and set a cookie. I think this might be possible but a little bit difficult to create entirely using mod_security though, so I’m thinking about writing a new (and relatively simple) Apache module. I’d love to hear if someone has already done this!

Joel

> On 19 Oct 2022, at 12:04 am, Christian Folini <chr...@ne...> wrote:
>
> Hi there,
>
> During the years, I have found the use of GeoIP (& ASN) information in
> #ModSecurity / @CoreRuleSet very useful. Yet very few people do
> this for GeoIP and practically nobody for ASN.
>
> It really helps to weed out false positives or defend in case of certain
> persistent attacks.
>
> Since good documentation on the subject is scarce, here is how to get this
> into your setup:
>
> https://www.netnea.com/cms/2022/10/12/using-geoip-information-together-with-modsecurity/
> (Also covered in my 2nd webcast last week: https://www.youtube.com/watch?v=OBVwdqEFmX0)
>
> I have also covered this in my 2nd ModSec / CRS webcast last week (plus some
> additional interesting stuff):
> https://www.youtube.com/watch?v=OBVwdqEFmX0
>
> Best,
>
> Christian
>
> --
> Ultimately, motivation gets us started,
> but discipline and habit are what enable us to finish.
> -- Matthew Helmke
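
Added example, not part of the original thread and not code from ModSecurity, CRS or any existing Apache module: a sketch of the per-request decision the message above describes, where flagged ASNs are denied on wp-login.php, sent to a challenge elsewhere, and let through once they hold a valid cookie. The ASN values (RFC 5398 documentation range), the cookie format, the secret, binding the cookie to the client IP, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Constructed sample policy; ASNs are from the documentation range (RFC 5398).
CHALLENGE_ASNS = {64496, 64497}
RESTRICTED_PATHS = ("/wp-login.php",)
SECRET = b"replace-with-random-server-side-key"  # placeholder, never ship as-is
COOKIE_TTL = 3600  # seconds a passed challenge stays valid


def _mac(client_ip, expires):
    msg = f"{client_ip}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_cookie(client_ip, now=None):
    """Cookie value set after the captcha is solved: '<expiry>.<hmac>'."""
    expires = int(time.time() if now is None else now) + COOKIE_TTL
    return f"{expires}.{_mac(client_ip, expires)}"


def cookie_valid(cookie, client_ip, now=None):
    """True only for an unexpired cookie whose MAC matches this client IP."""
    try:
        expires_s, mac_hex = cookie.split(".", 1)
        expires = int(expires_s)
    except (AttributeError, ValueError):
        return False  # missing or malformed cookie
    expected = _mac(client_ip, expires).encode()
    if not hmac.compare_digest(expected, mac_hex.encode()):
        return False  # forged, or issued to a different client IP
    return expires > (time.time() if now is None else now)


def decide(asn, path, client_ip, cookie=None, now=None):
    """Return 'allow', 'challenge' or 'deny' for one request."""
    if asn not in CHALLENGE_ASNS:
        return "allow"
    if path.split("?", 1)[0] in RESTRICTED_PATHS:
        return "deny"  # sensitive resource: blocked outright for flagged ASNs
    if cookie_valid(cookie, client_ip, now):
        return "allow"
    return "challenge"  # serve the interstitial (captcha) page
```

Because the cookie carries its own expiry under an HMAC, the server keeps no per-client state; the trade-off of binding to the client IP is that a user whose address changes (for example on Tor) is challenged again.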