[solved]lsws + mod_geoip + modsec = fail

Discussion in 'Bug Reports' started by DraCoola, Jan 24, 2014.

  1. mistwang

    mistwang LiteSpeed Staff

    SecRule ENV:GEOIP_COUNTRY_CODE "@streq UK"

    should work, if it does not, please turn on mod_security debug logging with log level 9, check the error log see what happened with that rule.
  2. DraCoola

    DraCoola Member

    Hi George,

    I have used this rule to test:

    Code:
     SecGeoLookupDb /usr/local/share/GeoIP/GeoIP.dat
     SecRule REQUEST_URI "/asu.php" "chain,drop,log,msg:'Non-CA',ID:69696999"
     SecRule REMOTE_ADDR "@geoLookup" "chain"
     SecRule ENV:GEOIP_COUNTRY_CODE "!@streq CA" "t:none"
    
    And also this :

    Code:
     <IfModule LiteSpeed>
     SecGeoLookupDb /usr/local/share/GeoIP/GeoIP.dat
     SecRule REQUEST_URI "/asu.php" "chain,drop,log,msg:'Non-CA',ID:69696999"
     SecRule REMOTE_ADDR "@geoLookup" "chain"
     SecRule ENV:GEOIP_COUNTRY_CODE "!@streq CA" "t:none"
     </IfModule>
    
    Set mod_security log level to 9 as you suggested, and then accessed asu.php from outside Canada.
    But it seems like both of the rules above still aren't recognized, as below:

    Code:
    root@evilism [/usr/local/apache/logs]# tail -f error_log | grep asu.php
    2014-02-20 08:12:55.622 [INFO] [140.0.69.xxx:11700-0#APVH_mydomain.com] [SECURITY] Pattern: '!(?:(?:/wp-admin/post|privmsg|/ticket/admin|/misc|tiki-editpage|/post|/horde3?/imp/compose|/posting)\.php|/modules\.php\?op=modload&name=(?:Downloads|Submit_News)|/admin\.php\?module=NS\-AddStory\&op=|/index\.php\?name=pnphpbb2&file=posting&mode=reply|/phpmyadmin/|/pnphpbb2-posting\.html|/otrs/index\.pl|tiki-index\.php\?page=|/index\.php\?title=.*&action=edit|/node/[0-9]+/edit|/joomla/administrator/index2\.php|module=admin&act=dispLayoutAdminEdit&layout_srl=|upgrade.php?step=|^/ubbthreads/install/|^/projects/csb/milestone$|^/backoffice/index\.php\?controller=admintranslations)', len: 8, String '/asu.php', result: 0, reverse: 1
    2014-02-20 08:12:55.622 [INFO] [140.0.69.xxx:11700-0#APVH_mydomain.com] [SECURITY] Pattern: '\.php', len: 29, String '/home/tes/public_html/asu.php', result: 1, reverse: 0
    2014-02-20 08:12:55.622 [INFO] [140.0.69.xxx:11700-0#APVH_mydomain.com] [SECURITY] Pattern: '!(/mod_cmd/index\.php)', len: 29, String '/home/tes/public_html/asu.php', result: 0, reverse: 1
    2014-02-20 08:12:55.622 [INFO] [140.0.69.xxx:11700-0#APVH_mydomain.com] [SECURITY] Pattern: '@pm php chr fopen fwrite globals system passthru serialize include php_uname popen proc_open mysql_query exec eval proc_nice proc_terminate proc_get_status proc_close pfsockopen leak apache_child_terminate posix_kill posix_mkfifo posix_setpgid posix_setsid posix_setuid phpinfo preg_ decode_base64 base64_decode base64_url_decode rot13 <? mfunc mclude dynamic-cached-content', len: 8, String '/asu.php', result: 3, reverse: 0
    2014-02-20 08:12:55.623 [INFO] [140.0.69.xxx:11700-0#APVH_mydomain.com] [SECURITY] Pattern: '!(?:/(?:admin/(?:(?:build(?:/translate|language/edit|/edit)?|catalog_category)/|settings/site-information|catalog/edit)|(?:miadmin/catalog_product|sitebuilder)/|wizard/edit/html|node/add/|filter-xss)|\/(?:admin\/(?:surveys\/[0-9]+\/edit\/|\?page=spageedit)|node\/[0-9]+\/(?:webform\/components\/|edit|clone))|^(?:(/~[a-z0-9]+)?/\?q=node/[0-9]+/edit|\?(?:s|v))|c=myaccount&m=update_profile$|mt\.cgi|/nav\.php\?nav=addnews|/products\.php\?action=(?:edit|update)|/systemadmin/configproducts\.php|/admin/catalog_product/|/index\.php\?tab=admincatalog|/admin/settings/customerror|^/ndxz-?studio/\?a=|/editform\?|/wizard/edit/|\?tab=admin|\?content=admin|\?action=modif|\?exec=articles_edit$|/admin/preview\.php|/sysext/tstemplate/|/site-builder/|/(?:new|edit)/[0-9]+/(?:confirm|add)|/admin/editform|/cms/admin/editform|^/filemanager/filemanager\.php|^/([a-z]+/)?admin/structure/|^/support/agent/|^/content/item/edit/|^/index\.php/admin/system_config/|^/administrator/\?option=com_civicrm|^/za/zcadm|^/blog/roller-ui/authoring/entryedit|^/admin/p(?:age_save|roduct_groups/edit/))', len: 8, String '/asu.php', result: 0, reverse: 1
    2014-02-20 08:12:55.623 [INFO] [140.0.69.xxx:11700-0#APVH_mydomain.com] [SECURITY] Pattern: '!(?:/(?:admin/(?:(?:build(?:/translate|/language/edit|/edit)?|catalog_category)/|settings/site-information|catalog/edit)|(?:miadmin/catalog_product|sitebuilder)/|wizard/edit/html|node/add/|filter-xss)|\/(?:admin\/(?:surveys\/[0-9]+\/edit\/|\?page=spageedit)|node\/[0-9]+\/(?:webform\/components\/|edit|clone))|^(?:\/\?(?:q=node\/[0-9]+\/edit|(s|v))|\?(s|v))|c=myaccount&m=update_profile$|mt\.cgi|/nav\.php\?nav=addnews|/products\.php\?action=(?:edit|update)|/systemadmin/configproducts\.php|/admin/catalog_product/|/index\.php\?tab=admincatalog|/admin/settings/customerror|^/ndxz-?studio/\?a=|/editform\?|/wizard/edit/|\?tab=admin|\?content=admin|\?action=modif|\?exec=articles_edit$|/admin/preview\.php|/sysext/tstemplate/|/site-builder/|/(?:new|edit)/[0-9]+/(?:confirm|add)|/admin/editform|/cms/admin/editform|^/filemanager/filemanager\.php|^/([a-z]+/)?admin/structure/|^/index.php/admin/system_config/|^/administrator/\?option=com_civicrm|^/za/zcadm|^/blog/roller-ui/authoring/entryedit|^/admin/page_save)', len: 8, String '/asu.php', result: 0, reverse: 1
    2014-02-20 08:12:55.623 [INFO] [140.0.69.xxx:11700-0#APVH_mydomain.com] [SECURITY] Pattern: '!(\.asmx$)', len: 8, String '/asu.php', result: 0, reverse: 1
    2014-02-20 08:12:55.624 [INFO] [140.0.69.xxx:11700-0#APVH_mydomain.com] [SECURITY] Pattern: '@pm ls find mysqldump ifconfig php echo perl killall kill python rpm yum apt-get emerge lynx links mkdir elinks wget lwp- uname cvs svn scp rcp ssh rsh netstat cat rexec smclient tftp ncftp curl telnet cc cpp g++ /sbin/ /bin/ /tmp /var fetch rm print mv unzip tar rm rar', len: 8, String '/asu.php', result: 26, reverse: 0
    2014-02-20 08:12:55.624 [INFO] [140.0.69.xxx:11700-0#APVH_mydomain.com] [SECURITY] Pattern: '\.php', len: 29, String '/home/tes/public_html/asu.php', result: 1, reverse: 0
    2014-02-20 08:12:55.624 [INFO] [140.0.69.xxx:11700-0#APVH_mydomain.com] [SECURITY] Pattern: '!(^/livehelp/admin_users_refresh\.php)', len: 8, String '/asu.php', result: 0, reverse: 1
    2014-02-20 08:12:55.625 [INFO] [140.0.69.xxx:11700-0#APVH_mydomain.com] [SECURITY] Pattern: '\.php', len: 8, String '/asu.php', result: 1, reverse: 0
    2014-02-20 08:12:55.626 [INFO] [140.0.69.xxx:11700-0#APVH_mydomain.com] [SECURITY] Pattern: '\.php', len: 8, String '/asu.php', result: 1, reverse: 0
    2014-02-20 08:12:55.627 [INFO] [140.0.69.xxx:11700-0#APVH_mydomain.com] [SECURITY] Pattern: '/asu.php', len: 8, String '/asu.php', result: 1, reverse: 0
    2014-02-20 08:12:55.627 [INFO] [140.0.69.xxx:11700-0#APVH_mydomain.com] [SECURITY] match [REQUEST_URI] against pattern [/asu.php], result: 1
    2014-02-20 08:12:56.071 [INFO] [140.0.69.xxx:10004-0#APVH_mydomain.com] [SECURITY] match [REQUEST_URI] against pattern [/asu.php], result: 0
    
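As an added example (not from the thread or from LiteSpeed), a small parser for the `[SECURITY]` debug-log lines quoted above: it groups the `match [VAR] ... result:` lines per connection and, for each request whose first chain link matched, reports which variables of the chained rule never show up in the log. In the log above only `REQUEST_URI` appears for the matching request, nothing for `REMOTE_ADDR` or `ENV:GEOIP_COUNTRY_CODE`. The sample lines are constructed from the quoted format, and the code assumes (the thread does not confirm this) that every evaluated variable emits such a `match [VAR]` line.

```python
import re
from collections import defaultdict

# Constructed sample in the LiteSpeed mod_security debug-log format quoted in the thread;
# the long rule-set patterns are left out, only the lines for the custom /asu.php rule are kept.
SAMPLE_LOG = """\
2014-02-20 08:12:55.627 [INFO] [140.0.69.xxx:11700-0#APVH_mydomain.com] [SECURITY] Pattern: '/asu.php', len: 8, String '/asu.php', result: 1, reverse: 0
2014-02-20 08:12:55.627 [INFO] [140.0.69.xxx:11700-0#APVH_mydomain.com] [SECURITY] match [REQUEST_URI] against pattern [/asu.php], result: 1
2014-02-20 08:12:56.071 [INFO] [140.0.69.xxx:10004-0#APVH_mydomain.com] [SECURITY] match [REQUEST_URI] against pattern [/asu.php], result: 0
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \[INFO\] \[(?P<conn>[^\]]+)\] \[SECURITY\] (?P<body>.*)$")
PATTERN_RE = re.compile(r"^Pattern: '(?P<pattern>.*?)', len: \d+, String '(?P<string>.*?)', "
                        r"result: (?P<result>-?\d+), reverse: (?P<reverse>[01])$")
MATCH_RE = re.compile(r"^match \[(?P<var>[^\]]+)\] against pattern \[(?P<pattern>.*?)\], result: (?P<result>-?\d+)$")


def parse_line(line):
    """Return a dict for one [SECURITY] debug line, or None for a line in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "conn": m["conn"]}
    body = m["body"]
    pm = PATTERN_RE.match(body)
    if pm:  # a single operator evaluation; reverse: 1 means the pattern was negated with '!'
        rec.update(kind="pattern", pattern=pm["pattern"], string=pm["string"],
                   result=int(pm["result"]), negated=pm["reverse"] == "1")
        return rec
    mm = MATCH_RE.match(body)
    if mm:  # the final verdict of a rule's variable against its pattern
        rec.update(kind="match", var=mm["var"], pattern=mm["pattern"], result=int(mm["result"]))
        return rec
    rec.update(kind="other", body=body)
    return rec


def variables_evaluated(log_text):
    """Map each connection id to the ordered (variable, result) pairs the engine reported."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["kind"] == "match":
            seen[rec["conn"]].append((rec["var"], rec["result"]))
    return dict(seen)


def missing_chain_links(log_text, expected_vars):
    """For each connection whose first chain link matched (result 1), list the expected
    variables that never appear. Assumption: every evaluated variable logs a 'match [VAR]' line."""
    report = {}
    for conn, evals in variables_evaluated(log_text).items():
        if evals and evals[0][1] == 1:
            present = {var for var, _ in evals}
            report[conn] = sorted(set(expected_vars) - present)
    return report
```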
  3. mistwang

    mistwang LiteSpeed Staff

    just get rid of
    SecRule REMOTE_ADDR "@geoLookup" "chain"
  4. DraCoola

    DraCoola Member

    Wonderful!
    It now works like heaven!

    So many thanks, George!
