[Resolved] lsws + mod_geoip + modsec = fail

Status
Not open for further replies.

DraCoola

Well-Known Member
#1
I have tried mod_geoip combined with mod_security as below:

--------------------------------------------------------------------------------------
>> http://dev.maxmind.com/geoip/legacy/mod_geoip2/

>> http://www.modsecurity.org/projects/modsecurity/apache/feature_geo_ip_lookups.html
--------------------------------------------------------------------------------------

After mod_geoip and the binary DB file from MaxMind are installed, lsws v4.2.6, v4.2.5 and v4.2.4 always ignore this basic rule:

Code:
SecGeoLookupDb /path/to/directory-of/GeoIP.dat
SecRule REMOTE_ADDR "@geoLookup" "chain,drop,msg:'Non-UK IP address'"
SecRule GEO:COUNTRY_CODE "!@streq UK" "t:none"
But then I switched to Apache and, voila! The rule above just works as expected.


While using lsws, I have tried setting Yes/No for the "Enable IP GeoLocation" LiteSpeed option and also placed the right path for "IP to GeoLocation DB".

I hope there will be an lsws bug fix patch or a new version launch regarding this "SecGeoLookupDb" and "@geoLookup" operator issue/bug.
 
#2
This has not worked since the beginning.
In theory, you may try to verify the GeoIP match also via environment variables,
if you have a working standard LSWS+GeoIP setup already.
( phpinfo -> _SERVER["GEOIP_COUNTRY_CODE"] to verify )
The server should pass env variables to the mod_security related code.
Frankly, I never tested that.
The LSWS mod_security module is "wicked", so I stopped playing with it after a while.
 

DraCoola

Well-Known Member
#3
Hi poirot,

Yes, geoip with lsws just works fine with lsphp5.
But this time I need to use lsws + mod_geoip with mod_security in order to automatically drop all brute-force-bot POST and GET access from bad countries to /wp-login.php, /administrator/index.php, etc.

Because those brute-force bots work every day, all day long, and sometimes really hog my server resources.
And the super bad thing is:
If they manage to log in through /wp-login.php because of those continuous password dictionary attacks, the hacker will go on to install fake WordPress plugins/themes which contain many kinds of mail bomber scripts and then start sending thousands of spam emails to destinations all over the world.

So I deeply hope that the lsws implementation of this @geoLookup operator will not be as hard as the @rbl operator,
because the queries will run directly against the geoip database inside the same server.
 

NiteWave

Administrator
#4
geoip works with mod_rewrite as well.
How about blocking these requests in rewrite rules as a workaround?

While I have no objection to your request.
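The mod_rewrite workaround suggested above, written out as an added example that is not from the thread or from LiteSpeed: it guards only the login endpoints named earlier in the thread and reads the mod_geoip environment variable. The login paths, the country code UK and the .htaccess placement are assumptions.

```apache
# Added example (not from the thread): per-site .htaccess workaround.
# Assumes mod_geoip is active in LSWS and sets GEOIP_COUNTRY_CODE.
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Only guard the login endpoints, not the whole site (paths assumed).
    RewriteCond %{REQUEST_URI} ^/(wp-login\.php|administrator/index\.php)$ [NC]
    # Allow UK only. Note that an empty code (lookup failed, e.g. a private
    # address) also fails this test and is refused; loosen if that is unwanted.
    RewriteCond %{ENV:GEOIP_COUNTRY_CODE} !^UK$
    # Refuse with 403 and stop processing further rules.
    RewriteRule .* - [F,L]
</IfModule>
```

Check the result in the access log: blocked login attempts should show a 403, while requests from a UK address to the same paths must still reach the application.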
 

DraCoola

Well-Known Member
#5
Thank you NiteWave for your kind suggestion.
But it will be very hard to ask thousands of WordPress/Joomla/Drupal owners to modify the .htaccess of each website they have.

So it will be more effective to do that (login page blocking) from the server side with mod_security.
And I will be thankful if LiteSpeed finally does that.
 

DraCoola

Well-Known Member
#8
Hi George, so many thanks for adding this to the lsws 5.0 to-do list.
By the way, I did try your suggestion and got an error after saving httpd.conf:

Code:
Failed to generate a syntactically correct Apache configuration.
Bad configuration file located at /usr/local/apache/conf/httpd.conf.work.kRCRSXH0Hf2rWj3r
Error:
Configuration problem detected on line 48 of file /usr/local/apache/conf/modsec2.user.conf:	Error creating rule: Unknown variable: GEOIP_COUNTRY_CODE
Evidently the GEOIP_COUNTRY_CODE syntax is unknown to mod_security itself.
 

DraCoola

Well-Known Member
#10
Code:
<IfModule LiteSpeed>
SecGeoLookupDb /path/to/directory-of/GeoIP.dat
SecRule REMOTE_ADDR "@geoLookup" "chain,drop,msg:'Non-UK IP address'"
SecRule GEOIP_COUNTRY_CODE "!@streq UK" "t:none"
</IfModule>
That brings a successful httpd.conf save without error.
But it still cannot drop connections from any location other than UK.



Code:
SecGeoLookupDb /path/to/directory-of/GeoIP.dat
SecRule REMOTE_ADDR "@geoLookup" "chain,drop,msg:'Non-UK IP address'"
<IfModule LiteSpeed>
SecRule GEOIP_COUNTRY_CODE "!@streq UK" "t:none"
</IfModule>
The above method generates an error after saving httpd.conf and cannot drop connections from locations other than UK.
 

DraCoola

Well-Known Member
#12
Thank you, George.
Using SecRule ENV:GEOIP_COUNTRY_CODE keeps httpd.conf fine, with or without <IfModule LiteSpeed>.....</IfModule>

But I am so sorry, it still lets all incoming HTTP connections through.
 

DraCoola

Well-Known Member
#14
Thanks for the latest build of 4.2.7.

I performed /usr/local/lsws/admin/misc/lsup.sh -f -v 4.2.7
and continued trying various combinations of GEO:COUNTRY_CODE and ENV:GEOIP_COUNTRY_CODE as before,
and also added and removed <IfModule LiteSpeed></IfModule>.

But unfortunately it is still ignoring the @streq value, George.
 

mistwang

LiteSpeed Staff
#15
How about just using a regular pattern match?
Make sure the GeoIP setup is working properly, and GEOIP_XXXX variables appear in a phpinfo() page.
 

DraCoola

Well-Known Member
#16
Using a regular pattern match also doesn't bring the expected action.
It seems lsws does not recognize any value inside @streq or !@streq and just passes it.

And the GeoIP setup shows the correct variables through phpinfo():

Code:
_SERVER["GEOIP_COUNTRY_CODE"]	CA
_SERVER["GEOIP_COUNTRY_NAME"]	Canada
_SERVER["GEOIP_CONTINENT_CODE"]	NA
Perhaps you have any additional way to make this GEO:COUNTRY_CODE work?
It will be useful to secure chosen website files from brute force/flood/spam, without the need to block an entire country from the server.
 

mistwang

LiteSpeed Staff
#17
Please try the updated 4.2.7.
The previous build works for me. Maybe you need to enable modsec debug logging to find out what happened with that rule.
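An added example, not from the thread or from LiteSpeed, that pulls together the two things discussed above: the @geoLookup chain from the first post, narrowed to the login paths named in post #3 instead of the whole site, plus the ModSecurity debug logging suggested here so each link of the chain can be seen evaluating. The rule id, the login paths, the country code UK and the log path are assumptions.

```apache
# Added example (not from the thread). ModSecurity 2.x syntax; id: is
# required from 2.7 onward, so a constructed id is used here.
SecGeoLookupDb /path/to/directory-of/GeoIP.dat

# Link 1: only requests to the login endpoints enter the chain (paths assumed).
SecRule REQUEST_URI "@rx ^/(wp-login\.php|administrator/index\.php)" \
    "id:900100,phase:1,chain,log,drop,msg:'Login request from non-UK address'"
    # Link 2: resolve the client address against the GeoIP database;
    # this populates the GEO collection and only matches if the lookup succeeds.
    SecRule REMOTE_ADDR "@geoLookup" "chain,t:none"
        # Link 3: the disruptive action (drop) fires only when the whole chain
        # matches, i.e. a login path from an address whose country is not UK.
        SecRule GEO:COUNTRY_CODE "!@streq UK" "t:none"

# Debug logging as suggested above: level 9 records every variable expansion
# and operator result, which shows whether GEO:COUNTRY_CODE was populated at all.
SecDebugLog /var/log/modsec_debug.log
SecDebugLogLevel 9
```

A request for a non-login path never reaches the geo lookup, so ordinary visitors are not affected; search the debug log for the rule id to confirm whether link 2 or link 3 is where evaluation stops.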
 

DraCoola

Well-Known Member
#18
Hi George, thank you for the update.
Would you mind writing down the exact rule that works in your lab so I can try it also?
Because mine still won't work.
 