RFE: GEO support for ModSecurity

innovot

Well-Known Member
#1
Please enable support for GEO based rules within ModSecurity as they are a very effective way of blocking threats.

[ERROR] [ModSecurity] unknown server variable while parsing: GEO:COUNTRY_CODE
 

mistwang

LiteSpeed Staff
#4
Should be available in 5.0.4 release now.
/usr/local/lsws/admin/misc/lsup.sh -f -v 5.0.4

You need to configure GeoIP stuff through LiteSpeed Web Console first; ModSecurity's GeoIP-related configuration does not work.
 

mistwang

LiteSpeed Staff
#6
"stuff" refers to SecGeoLookupDb configuration; it won't work with LiteSpeed. GeoIP DB must be set in LiteSpeed native configuration.
 

innovot

Well-Known Member
#7
Hello mistwang,

Have upgraded to 5.0.4 and set up the LS native GeoIP DB in the control panel. No hits yet, which has made me suspicious of whether it is working or not, so I have switched on debugging and see:

error_log:2015-08-05 12:55:00.116 [DEBUG] [/etc/httpd/modsecurity.d/innovot.conf:3] processing direcitve: SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:999999,pass,msg:'INNOVOT WAF Rules - Blocking Wordpress Login Attempt by Country Code'".
error_log:2015-08-05 12:55:00.116 [DEBUG] [/etc/httpd/modsecurity.d/innovot.conf:4] processing direcitve: SecRule GEO:COUNTRY_CODE "@pm BR BY CN RU KZ UA".

Then to perform the block we use the following stanza:

<LocationMatch /wp-login.php>
<IfModule mod_security2.c>
SecRuleUpdateActionById 999999 "chain,deny,log,status:403"
</IfModule>
</LocationMatch>

Can you see anything wrong with the configuration, please? Thank you.

mistwang

LiteSpeed Staff
#8
LiteSpeed does not support "SecRuleUpdateActionById". Just move that rule to <LocationMatch /wp-login.php> ...</LocationMatch>

You can turn on ModSecurity debug logging with "SecDebugLogLevel 9" to find out what happened.
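
The change suggested in post #8, written out as an added example (not posted by either participant, and not tested on LiteSpeed). It assumes the rule id, message and country list from post #7, keeps that post's IfModule wrapper, and folds the actions from the unsupported SecRuleUpdateActionById line into the chain starter.

```apache
# Added example: the chained GeoIP rule from post #7 moved inside the
# LocationMatch block, so SecRuleUpdateActionById is no longer needed.
# No SecGeoLookupDb line: per posts #4 and #6 the GeoIP DB must be set in
# LiteSpeed's native configuration (Web Console), not through ModSecurity.
<LocationMatch /wp-login.php>
<IfModule mod_security2.c>
# Chain starter: runs the lookup and carries the disruptive action for the
# whole chain (deny,log,status:403 replace the original "pass").
SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:999999,deny,log,status:403,msg:'INNOVOT WAF Rules - Blocking Wordpress Login Attempt by Country Code'"
# Chained rule: the chain matches only if the looked-up country code is listed.
SecRule GEO:COUNTRY_CODE "@pm BR BY CN RU KZ UA"
</IfModule>
</LocationMatch>
```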