ModSecurity Hits List Status Code

plove79

• January 02, 2017 10:03

I have a ModSecurity rule that blocks several countries.
SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:1,drop,log,msg:'Blocking Countries'" SecRule GEO:COUNTRY_CODE "@pm XX YY ZZ"
However, on the ModSecurity Hits List, while I am seeing status codes of 403 and 404, I am also seeing status codes of 302 and 200. When I click on 'More', it says "Access denied with connection close (phase 1). Justification Matched phrase "XX" at GEO-COUNTRY_CODE." I am still seeing these hits show up in my Wordfence logs and apache logs. If these requests were in fact Dropped, shouldn't (1) All Status Codes = 40x? (2) nothing show up in apache logs and (3) Definitely nothing shows up in WordFence live logs on Wordpress? Thanks!

• 

  cPanelMichael

  • January 06, 2017 18:14

  Hello, Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome. Thank you.

  0
• 

  linux4me2

  • January 13, 2017 20:16

  I may be wrong, but if you have the log action included in your rule, you're going to get an entry in your Apache error log and ModSecurity audit log. I don't know where Wordfence pulls the data in its log. I would try the following modifications to your rule, which sets the status to 403, includes a status of "INFO", and does not log the entry, but it will still include a message in your Hits list, including the country code of the country that is blocked:
  SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:1,drop,severity:INFO,status:403,msg:'Blocking %{geo.country_code}'" SecRule GEO:COUNTRY_CODE "@pm XX YY ZZ"
  

  0

Please sign in to leave a comment.