[solved] lsws + mod_geoip + modsec = fail

Discussion in 'Bug Reports' started by DraCoola, Jan 24, 2014.

  1. DraCoola

    DraCoola Well-Known Member

    I have tried mod_geoip combined with mod_security as below:

    >> http://dev.maxmind.com/geoip/legacy/mod_geoip2/

    >> http://www.modsecurity.org/projects/modsecurity/apache/feature_geo_ip_lookups.html

    After mod_geoip and the MaxMind DB binary file are installed, lsws v4.2.6, v4.2.5 and v4.2.4 always ignore this basic rule:

    SecGeoLookupDb /path/to/directory-of/GeoIP.dat
    SecRule REMOTE_ADDR "@geoLookup" "chain,drop,msg:'Non-UK IP address'"
    SecRule GEO:COUNTRY_CODE "!@streq UK" "t:none"
    But when I switch to Apache, voila! The rule above just works as expected.

    While using lsws, I have tried setting Yes/No for the "Enable IP GeoLocation" LiteSpeed option and also placed the right path for "IP to GeoLocation DB".

    I hope there will be an lsws bug-fix patch or a new version release regarding this "SecGeoLookupDb" and "@geoLookup" operator issue/bug.
  2. poirot

    poirot Member

    This has not worked since the beginning.
    In theory, you may try to verify the GeoIP match also via environment variables,
    if you have a working standard LSWS+GeoIP setup already.
    ( phpinfo -> _SERVER["GEOIP_COUNTRY_CODE"] to verify )
    The server should pass env variables to the mod_security-related code.
    Frankly, I never tested that.
    The LSWS mod_security module is "wicked", so I stopped playing with it after a while.
  3. DraCoola

    DraCoola Well-Known Member

    Hi poirot,

    Yes, geoip with lsws just works fine with lsphp5.
    But this time I need to use lsws + mod_geoip with mod_security in order to automatically drop all brute-force-bot POST and GET access from bad countries to /wp-login.php, /administrator/index.php, etc.

    Because those brute-force bots work every day and all day long, and sometimes really hog my server resources.
    And the super bad thing is:
    If /wp-login.php gets logged into because of those continuous password dictionary attacks, the hacker will go on to install fake WordPress plugins/themes which contain many kinds of mail bomber script and then start sending thousands of spam emails to destinations everywhere in the world.

    So I deeply hope that the lsws implementation of this @geoLookup operator will not be as hard as the @rbl operator,
    because queries will run directly from the geoip database inside the same server.
  4. NiteWave

    NiteWave Administrator

    geoip works with mod_rewrite as well.
    How about blocking these requests in rewrite rules as a workaround?

    While I have no objection to your request.
  5. DraCoola

    DraCoola Well-Known Member

    Thank you NiteWave for your kind suggestion.
    But it will be very hard to ask thousands of WordPress/Joomla/Drupal owners to modify the .htaccess of each website they have.

    So it will be more effective to do that (login page blocking) from the server side with mod_security.
    And I will be thankful if LiteSpeed finally does that.
  6. mistwang

    mistwang LiteSpeed Staff

    We have added that to our LSWS 5.0 to-do list.
  7. mistwang

    mistwang LiteSpeed Staff

    However, in the meantime,

    might work.
  8. DraCoola

    DraCoola Well-Known Member

    Hi George, so many thanks for adding this to the lsws 5.0 to-do list.
    By the way, I did try your suggestion and got an error after saving httpd.conf:

    Failed to generate a syntactically correct Apache configuration.
    Bad configuration file located at /usr/local/apache/conf/httpd.conf.work.kRCRSXH0Hf2rWj3r
    Configuration problem detected on line 48 of file /usr/local/apache/conf/modsec2.user.conf:	Error creating rule: Unknown variable: GEOIP_COUNTRY_CODE
    Evidently the GEOIP_COUNTRY_CODE syntax is unknown to mod_security itself.
  9. mistwang

    mistwang LiteSpeed Staff

    <IfModule LiteSpeed>

    around it.
  10. DraCoola

    DraCoola Well-Known Member

    That brings a successful httpd.conf save without error.
    But it still cannot drop connections from any location other than the UK.

    The above method generates an error after saving httpd.conf and cannot drop connections from locations other than the UK
    Last edited: Jan 27, 2014
  11. mistwang

    mistwang LiteSpeed Staff

    it should be.
  12. DraCoola

    DraCoola Well-Known Member

    Thank you, George.
    Using SecRule ENV:GEOIP_COUNTRY_CODE keeps httpd.conf fine, with or without <IfModule LiteSpeed>.....</IfModule>

    But I am so sorry, it is still bypassed by all incoming HTTP connections.
  13. mistwang

    mistwang LiteSpeed Staff

    Please force reinstall 4.2.7 and see if it works.
  14. DraCoola

    DraCoola Well-Known Member

    Thanks for the latest build of 4.2.7.

    I performed /usr/local/lsws/admin/misc/lsup.sh -f -v 4.2.7
    and continued trying various combinations of GEO:COUNTRY_CODE and ENV:GEOIP_COUNTRY_CODE as before,
    and also added and removed <IfModule LiteSpeed></IfModule>.

    But unfortunately it is still ignoring the @streq value, George.
  15. mistwang

    mistwang LiteSpeed Staff

    How about just using a regular pattern match?
    Make sure the GeoIP setup is working properly, and GEOIP_XXXX variables appear in a phpinfo() page.
  16. DraCoola

    DraCoola Well-Known Member

    Using a regular pattern match also doesn't produce the expected action.
    It seems lsws does not recognize any value inside @streq or !@streq and just passes it.

    And the GeoIP setup shows the correct variables through phpinfo():

    Perhaps you have any additional way to make this GEO:COUNTRY_CODE work?
    It would be useful to secure chosen website files from brute force/flood/spam, without the need to block an entire specific country from the server.
  17. mistwang

    mistwang LiteSpeed Staff

    Please try the updated 4.2.7.
    The previous build works for me. Maybe you need to enable modsec debug logging to find out what happened with that rule.
  18. DraCoola

    DraCoola Well-Known Member

    Hi George, thank you for the update.
    Would you mind writing down the exact rule that works in your lab so I can try that also?
    Because mine still won't work.
  19. DraCoola

    DraCoola Well-Known Member

    By the way, congratulations for your new web and forum interface :)
  20. DraCoola

    DraCoola Well-Known Member

    What kind of complete rule is supposed to be used to make this work?
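A complete rule of the shape the thread converges on, as an added example and not a rule posted by anyone in the thread: it reads the environment variable that LiteSpeed's GeoIP lookup exports (ENV:GEOIP_COUNTRY_CODE, the same value checked via phpinfo() above), uses a regular pattern match instead of @streq, and limits the check to the login URIs named in post 3 so the rest of the site is untouched. The rule id, the URI list, the log path and the assumption that LiteSpeed honours the <IfModule LiteSpeed> wrapper and the drop action are mine; note also that the MaxMind legacy database reports the United Kingdom as GB, not UK, so compare against the value phpinfo() actually shows.

```apache
# Added example; not a rule from the thread or from LiteSpeed.
# Assumes "Enable IP GeoLocation" is on in the LSWS admin console and the
# lookup exports GEOIP_COUNTRY_CODE as a request environment variable.
<IfModule LiteSpeed>
    # Debug logging, as suggested in post 17, to see how the rule evaluates.
    # Log path is an assumption; point it at a writable directory.
    SecDebugLog /usr/local/lsws/logs/modsec_debug.log
    SecDebugLogLevel 9

    # Rule 1 of the chain: only the login endpoints are evaluated.
    # The id (900100) and the URI list are placeholders.
    SecRule REQUEST_URI "@rx ^/(wp-login\.php|xmlrpc\.php|administrator/index\.php)$" \
        "phase:1,id:900100,chain,drop,msg:'Login request from non-UK country'"

        # Rule 2 of the chain: regular pattern match on the GeoIP env var.
        # MaxMind reports the United Kingdom as GB; an empty value (lookup
        # failed) also fails the match and is dropped, which is the safe side
        # for a login endpoint.
        SecRule ENV:GEOIP_COUNTRY_CODE "!@rx ^GB$" "t:none"
</IfModule>
```

If the debug log shows the second rule seeing an empty ENV:GEOIP_COUNTRY_CODE while phpinfo() shows the value, the variable is reaching PHP but not the rule engine, which is the situation poirot describes in post 2.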