[Resolved]lsws + mod_geoip + modsec = fail

[mistwang]

SecRule ENV:GEOIP_COUNTRY_CODE "@streq UK"

should work, if it does not, please turn on mod_security debug logging with log level 9, check the error log see what happened with that rule.

 

[DraCoola]

Hi George,

I have use this rule to test :

 SecGeoLookupDb /usr/local/share/GeoIP/GeoIP.dat
 SecRule REQUEST_URI "/asu.php" "chain,drop,log,msg:'Non-CA',ID:69696999"
 SecRule REMOTE_ADDR "@geoLookup" "chain"
 SecRule ENV:GEOIP_COUNTRY_CODE "!@streq CA" "t:none"

And also this :

 <IfModule LiteSpeed>
 SecGeoLookupDb /usr/local/share/GeoIP/GeoIP.dat
 SecRule REQUEST_URI "/asu.php" "chain,drop,log,msg:'Non-CA',ID:69696999"
 SecRule REMOTE_ADDR "@geoLookup" "chain"
 SecRule ENV:GEOIP_COUNTRY_CODE "!@streq CA" "t:none"
 </IfModule>

Set mod_security log level to 9 as your suggestion, and then accessing asu.php from other than Canada.
But it seems like both of rules above still doen't recognized as bellow :

root@evilism [/usr/local/apache/logs]# tail -f error_log | grep asu.php
2014-02-20 08:12:55.622 [INFO] [140.0.69.xxx:11700-0#APVH_mydomain.com] [SECURITY] Pattern: '!(?:(?:/wp-admin/post|privmsg|/ticket/admin|/misc|tiki-editpage|/post|/horde3?/imp/compose|/posting)\.php|/modules\.php\?op=modload&name=(?:Downloads|Submit_News)|/admin\.php\?module=NS\-AddStory\&op=|/index\.php\?name=pnphpbb2&file=posting&mode=reply|/phpmyadmin/|/pnphpbb2-posting\.html|/otrs/index\.pl|tiki-index\.php\?page=|/index\.php\?title=.*&action=edit|/node/[0-9]+/edit|/joomla/administrator/index2\.php|module=admin&act=dispLayoutAdminEdit&layout_srl=|upgrade.php?step=|^/ubbthreads/install/|^/projects/csb/milestone$|^/backoffice/index\.php\?controller=admintranslations)', len: 8, String '/asu.php', result: 0, reverse: 1
2014-02-20 08:12:55.622 [INFO] [140.0.69.xxx:11700-0#APVH_mydomain.com] [SECURITY] Pattern: '\.php', len: 29, String '/home/tes/public_html/asu.php', result: 1, reverse: 0
2014-02-20 08:12:55.622 [INFO] [140.0.69.xxx:11700-0#APVH_mydomain.com] [SECURITY] Pattern: '!(/mod_cmd/index\.php)', len: 29, String '/home/tes/public_html/asu.php', result: 0, reverse: 1
2014-02-20 08:12:55.622 [INFO] [140.0.69.xxx:11700-0#APVH_mydomain.com] [SECURITY] Pattern: '@pm php chr fopen fwrite globals system passthru serialize include php_uname popen proc_open mysql_query exec eval proc_nice proc_terminate proc_get_status proc_close pfsockopen leak apache_child_terminate posix_kill posix_mkfifo posix_setpgid posix_setsid posix_setuid phpinfo preg_ decode_base64 base64_decode base64_url_decode rot13 <? mfunc mclude dynamic-cached-content', len: 8, String '/asu.php', result: 3, reverse: 0
2014-02-20 08:12:55.623 [INFO] [140.0.69.xxx:11700-0#APVH_mydomain.com] [SECURITY] Pattern: '!(?:/(?:admin/(?:(?:build(?:/translate|language/edit|/edit)?|catalog_category)/|settings/site-information|catalog/edit)|(?:miadmin/catalog_product|sitebuilder)/|wizard/edit/html|node/add/|filter-xss)|\/(?:admin\/(?:surveys\/[0-9]+\/edit\/|\?page=spageedit)|node\/[0-9]+\/(?:webform\/components\/|edit|clone))|^(?:(/~[a-z0-9]+)?/\?q=node/[0-9]+/edit|\?(?:s|v))|c=myaccount&m=update_profile$|mt\.cgi|/nav\.php\?nav=addnews|/products\.php\?action=(?:edit|update)|/systemadmin/configproducts\.php|/admin/catalog_product/|/index\.php\?tab=admincatalog|/admin/settings/customerror|^/ndxz-?studio/\?a=|/editform\?|/wizard/edit/|\?tab=admin|\?content=admin|\?action=modif|\?exec=articles_edit$|/admin/preview\.php|/sysext/tstemplate/|/site-builder/|/(?:new|edit)/[0-9]+/(?:confirm|add)|/admin/editform|/cms/admin/editform|^/filemanager/filemanager\.php|^/([a-z]+/)?admin/structure/|^/support/agent/|^/content/item/edit/|^/index\.php/admin/system_config/|^/administrator/\?option=com_civicrm|^/za/zcadm|^/blog/roller-ui/authoring/entryedit|^/admin/p(?:age_save|roduct_groups/edit/))', len: 8, String '/asu.php', result: 0, reverse: 1
2014-02-20 08:12:55.623 [INFO] [140.0.69.xxx:11700-0#APVH_mydomain.com] [SECURITY] Pattern: '!(?:/(?:admin/(?:(?:build(?:/translate|/language/edit|/edit)?|catalog_category)/|settings/site-information|catalog/edit)|(?:miadmin/catalog_product|sitebuilder)/|wizard/edit/html|node/add/|filter-xss)|\/(?:admin\/(?:surveys\/[0-9]+\/edit\/|\?page=spageedit)|node\/[0-9]+\/(?:webform\/components\/|edit|clone))|^(?:\/\?(?:q=node\/[0-9]+\/edit|(s|v))|\?(s|v))|c=myaccount&m=update_profile$|mt\.cgi|/nav\.php\?nav=addnews|/products\.php\?action=(?:edit|update)|/systemadmin/configproducts\.php|/admin/catalog_product/|/index\.php\?tab=admincatalog|/admin/settings/customerror|^/ndxz-?studio/\?a=|/editform\?|/wizard/edit/|\?tab=admin|\?content=admin|\?action=modif|\?exec=articles_edit$|/admin/preview\.php|/sysext/tstemplate/|/site-builder/|/(?:new|edit)/[0-9]+/(?:confirm|add)|/admin/editform|/cms/admin/editform|^/filemanager/filemanager\.php|^/([a-z]+/)?admin/structure/|^/index.php/admin/system_config/|^/administrator/\?option=com_civicrm|^/za/zcadm|^/blog/roller-ui/authoring/entryedit|^/admin/page_save)', len: 8, String '/asu.php', result: 0, reverse: 1
2014-02-20 08:12:55.623 [INFO] [140.0.69.xxx:11700-0#APVH_mydomain.com] [SECURITY] Pattern: '!(\.asmx$)', len: 8, String '/asu.php', result: 0, reverse: 1
2014-02-20 08:12:55.624 [INFO] [140.0.69.xxx:11700-0#APVH_mydomain.com] [SECURITY] Pattern: '@pm ls find mysqldump ifconfig php echo perl killall kill python rpm yum apt-get emerge lynx links mkdir elinks wget lwp- uname cvs svn scp rcp ssh rsh netstat cat rexec smclient tftp ncftp curl telnet cc cpp g++ /sbin/ /bin/ /tmp /var fetch rm print mv unzip tar rm rar', len: 8, String '/asu.php', result: 26, reverse: 0
2014-02-20 08:12:55.624 [INFO] [140.0.69.xxx:11700-0#APVH_mydomain.com] [SECURITY] Pattern: '\.php', len: 29, String '/home/tes/public_html/asu.php', result: 1, reverse: 0
2014-02-20 08:12:55.624 [INFO] [140.0.69.xxx:11700-0#APVH_mydomain.com] [SECURITY] Pattern: '!(^/livehelp/admin_users_refresh\.php)', len: 8, String '/asu.php', result: 0, reverse: 1
2014-02-20 08:12:55.625 [INFO] [140.0.69.xxx:11700-0#APVH_mydomain.com] [SECURITY] Pattern: '\.php', len: 8, String '/asu.php', result: 1, reverse: 0
2014-02-20 08:12:55.626 [INFO] [140.0.69.xxx:11700-0#APVH_mydomain.com] [SECURITY] Pattern: '\.php', len: 8, String '/asu.php', result: 1, reverse: 0
2014-02-20 08:12:55.627 [INFO] [140.0.69.xxx:11700-0#APVH_mydomain.com] [SECURITY] Pattern: '/asu.php', len: 8, String '/asu.php', result: 1, reverse: 0
2014-02-20 08:12:55.627 [INFO] [140.0.69.xxx:11700-0#APVH_mydomain.com] [SECURITY] match [REQUEST_URI] against pattern [/asu.php], result: 1
2014-02-20 08:12:56.071 [INFO] [140.0.69.xxx:10004-0#APVH_mydomain.com] [SECURITY] match [REQUEST_URI] against pattern [/asu.php], result: 0

 

[mistwang]

just get rid of
SecRule REMOTE_ADDR "@geoLookup" "chain"

 

[DraCoola]

Wonderful!
It's now works like heaven!

So many thanks, George!

 

[fisher006]

Hi, I have little question Im using atomicorp modsecurity rules and I need geolocation in my audit.log

--2c20f52b-A--
[22/Oct/2015:19:57:24 +0200] - 162.243.171.45 37847 185.23.21.15:80 80 - I WANT HERE COUNTRY CODE
--2c20f52b-B--

I'm trying this rule but don't work:

SecGeoLookupDb /usr/local/lsws/geoip/GEOIP-Country.dat
SecRule REMOTE_ADDR "@geoLookup", phase:1,t:none,pass,nolog


Any sugesstions?

 

[mistwang]

Your need to configure GeoIP database in LiteSpeed native configuration.
SecGeoLookupDB does not work.

 

[fisher006]

I have this configuration but audit.log still don't have GEO
but in access logs i have this information.

example "....eWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36" PL -"

audit:

--0d5fcf52-A--
[22/Oct/2015:20:47:43 +0200] - myip 40664 serverip:80 80
--0d5fcf52-B--

 

[mistwang]

Does Apache's audit log have the GEO COUNTRY code in part A?

As there is no clear definition of format of audit log part A, litespeed does not log the GEO COUNTRY code logged there.

We can update our log format to include that.

 

[fisher006]

Does Apache's audit log have the GEO COUNTRY code in part A?

No GEO COUNTRY here.

Full example

--37281efc-A--
[22/Oct/2015:21:07:50 +0200] - 178.216.201.88 51548 xxx:443 443
--37281efc-B--
HEAD / HTTP/1.1
User-Agent: Zabbix 2.4.5
Host: xxx
Accept: */*

--37281efc-F--

--37281efc-H--
Message: Detected , [Rule: 'REMOTE_ADDR' '!@ipMatch 127.0.0.1,::1'] [id "331032"] [msg "Atomicorp.com WAF Rules: Suspicious activity detected - Host header is a numeric IP address"] [severity "NOTICE"] [MatchedString "xxx"]
--37281efc-Z--

--6bafa1c0-A--
[22/Oct/2015:21:08:51 +0200] - xxx 55683 xxx:443 443
--6bafa1c0-B--
HEAD / HTTP/1.1
User-Agent: Zabbix 2.4.5
Host: xxx
Accept: */*

--6bafa1c0-F--

--6bafa1c0-H--
Message: Detected , [Rule: 'REMOTE_ADDR' '!@ipMatch 127.0.0.1,::1'] [id "331032"] [msg "Atomicorp.com WAF Rules: Suspicious activity detected - Host header is a numeric IP address"] [severity "NOTICE"] [MatchedString "xxx"]
--6bafa1c0-Z--

As there is no clear definition of format of audit log part A, litespeed does not log the GEO COUNTRY code logged there.

We can update our log format to include that.

lovely, how i can get this feature?

 

[mistwang]

We need to follow the official mod_security format, cannot add something arbitrary to the log message.

 

[fisher006]

We need to follow the official mod_security format, cannot add something arbitrary to the log message.

ok, I must wait for update lsws?

 

[fisher006]

Or maybe i can change it myself?

 

[innovot]

fisher006, LSWS is following what the modsec team write out to that log. You will need to ask upstream for that to be included and then it would filter through to LSWS.