我为Apache配置了mod_security和GeoIP2。由cron触发的geoipupdate每周都会下载GeoLite2-Country.mdb。我的/etc/modsecurity/modsecurity.conf配置看起来像:
SecRuleEngine On
SecRule ARGS:modsecparam "@contains test" "id:4321,deny,status:403,msg:'ModSecurity test rule has triggered'"
SecRule REMOTE_ADDR "@geoLookup" "chain,id:20000,deny,status:403,msg:'NON PL IP addresses'"
SecRule GEO:COUNTRY_CODE "!@streq PL"
...
我的/etc/modsecurity/crs-setup.conf指向GeoIP数据库:
SecGeoLookupDB /etc/modsecurity/GeoLite2-Country.mmdb
从本地机器运行curl:curl 'https://host/login/index.html?modsecparam=test'将跟踪留在日志中:
...
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:980013,nolog,skipAfter:END-RESPONSE-980-CORRELATION"
SecRule "ARGS:modsecparam" "@contains test" "phase:2,log,auditlog,id:4321,deny,status:403,msg:'ModSecurity test rule has triggered'"
SecRule "&TX:dos_burst_time_slice" "@eq 0" "phase:5,auditlog,id:912110,t:none,nolog,ver:OWASP_CRS/3.2.0,chain,skipAfter:END-DOS-PROTECTION-CHECKS"
SecRule "&TX:dos_counter_threshold" "@eq 0" "chain"
SecRule "&TX:dos_block_timeout" "@eq 0"
...
然而,出于某种原因,它不会阻止PL以外的国家。我做错了什么?
请查看crs-setup.conf示例,根据您使用的版本,我们将解释您应该为geodb使用的文件类型。
可能核心是:
# There are two formats for the GeoIP database. ModSecurity v2 uses GeoLite (.dat files),
# and ModSecurity v3 uses GeoLite2 (.mmdb files).
...
# Therefore, if you use ModSecurity v2, you need to regenerate updated .dat files
# from CSV files first.
#
# You can achieve this using https://github.com/sherpya/geolite2legacy
# Pick the zip files from maxmind site:
# https://geolite.maxmind.com/download/geoip/database/GeoLite2-Country-CSV.zip
#
# Follow the guidelines for installing the tool and run:
# ./geolite2legacy.py -i GeoLite2-Country-CSV.zip
# -f geoname2fips.csv -o /usr/share/GeoliteCountry.dat
正如您提到的apache,您可能需要.dat文件。
费利佩。ModSecurity Dev值班项目