Thread: [mod-security-users] mod_maxminddb support
From: Marc S. <mar...@ap...> - 2018-09-06 07:22:15
As you know, the geo-localisation databases used by ModSecurity are no longer updated. Maxmind, the databases provider, developed a new DB format and provides its own module (mod_maxminddb).

mod_maxminddb was lacking a feature to integrate it smoothly with ModSecurity: setting the IP address from inside a rule. I introduced this feature some time ago and I'm happy to announce that this patch was merged in Maxmind's code and is thus officially part of the module.

You can now set an environment variable in a rule - in (real) phase 1 - and mod_maxminddb will use this IP address as source.

Note that, for most uses, mod_remote_ip is an easier solution.

*Marc Stern*
Approach Belgium <https://www.approach.be>
Axis Park - Rue Edouard Belin 7 - 1435 Mont-Saint-Guibert - Belgium
Follow us: <https://www.linkedin.com/company/16513/>
<https://twitter.com/ApproachBe>
/*Inspiring the cyber-security community*/
From: Christian F. <chr...@ne...> - 2018-09-06 13:28:37
Hey Marc,

This sounds very good. Thank you for your work.

Could you give an example of how we can integrate mod_maxminddb and the new DB into ModSecurity? Say, use a 2-letter country code in a SecRule construct? I have not tried this out yet.

Best,

Christian
From: Marc S. <mar...@ap...> - 2018-09-07 10:54:23
Here is how I use it (simplified version):

Initialisation:

# TX.remote_addr contains the IP I want to use, depending on reverse proxy, ...
SecAction "phase:1,nolog,setenv:MMDB_ADDR=%{TX.remote_addr}"

# Enable MaxMindDB
MaxMindDBEnable On
MaxMindDBFile CITY_DB "path_to_the_DB"
MaxMindDBEnv geo_country_code CITY_DB/country/iso_code

Block a country (e.g. Japan):

SecRule ENV:geo_country_code "@streq JP" "phase:2,t:none,deny"
Regards
*Marc Stern*
Approach Belgium <https://www.approach.be>
Axis Park - Rue Edouard Belin 7 - 1435 Mont-Saint-Guibert - Belgium
Follow us: <https://www.linkedin.com/company/16513/>
<https://twitter.com/ApproachBe>
/*Inspiring the cyber-security community*/
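A fuller version of the configuration Marc shows above, tying his first message (an environment variable set from a phase 1 rule) to the country-code rule he gives in this reply. This is an added example, not code from the thread, from ModSecurity or from mod_maxminddb. It assumes ModSecurity v2 as an Apache module together with mod_maxminddb and a GeoIP2/GeoLite2 City database; the proxy range 10.0.0.0/8, the rule ids, the database path and the blocked country list are placeholders chosen for the example.

```apache
# Added example (not from the original post). Assumed setup: ModSecurity v2
# on Apache, mod_maxminddb loaded, City DB at the placeholder path below.

# 1. Pick the address that mod_maxminddb should look up.
#    Default to the TCP peer. Only when that peer is a trusted reverse proxy
#    (placeholder range 10.0.0.0/8) do we trust X-Forwarded-For; otherwise a
#    client could choose its own "country" by sending the header itself.
#    The capture is IPv4-only to keep the regex short.
SecAction "id:1000,phase:1,nolog,pass,setvar:tx.remote_addr=%{REMOTE_ADDR}"

SecRule REMOTE_ADDR "@ipMatch 10.0.0.0/8" \
    "id:1001,phase:1,nolog,pass,chain"
    SecRule REQUEST_HEADERS:X-Forwarded-For "^\s*(\d{1,3}(?:\.\d{1,3}){3})" \
        "t:none,capture,setvar:tx.remote_addr=%{TX.1}"

# 2. Hand the chosen address to mod_maxminddb through the MMDB_ADDR
#    environment variable (the feature discussed in the thread), in phase 1.
SecAction "id:1002,phase:1,nolog,pass,setenv:MMDB_ADDR=%{TX.remote_addr}"

# 3. mod_maxminddb lookup: the ISO country code lands in geo_country_code.
MaxMindDBEnable On
MaxMindDBFile CITY_DB /PLACEHOLDER/GeoLite2-City.mmdb
MaxMindDBEnv geo_country_code CITY_DB/country/iso_code

# 4. Policy: deny a small, exact list of ISO codes (placeholders) and record
#    the address and code that drove the verdict in the audit log.
SecRule ENV:geo_country_code "@rx ^(?:JP|KP)$" \
    "id:1003,phase:2,t:none,deny,status:403,log,msg:'Blocked by geo policy',logdata:'addr=%{TX.remote_addr} country=%{ENV.geo_country_code}'"
```

The point of step 1 is the one Marc alludes to with "depending on reverse proxy": whatever ends up in MMDB_ADDR is what the geo decision is made on, so the header it is derived from has to come from a hop you control. The logdata in step 4 makes a blocked request explain itself in the audit log, which is the first thing you want when checking whether the lookup used the address you expected.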
From: Christian F. <chr...@ne...> - 2018-09-07 12:26:52
Thank you Marc. This is most useful. Could have looked this up myself,
but I thought it was faster that way.
Cheers,
Christian