ModSecurity rule not working as I expected
Hi all,
I have added the rule below to ModSecurity Tools. I have cobbled it together from documentation and online forums as I couldn't find an existing rule that would do what I wanted. I'm no guru so any help is much appreciated!
It's meant to restrict access to the Wordpress login page (wp-login.php) for IP addresses outside of the UK. I wanted to ignore one domain (e.g. mydomain.co.uk) which needs to be accessed from abroad.
The rule seems to work great; however, it's still blocking mydomain.co.uk. Any ideas? Cheers, Tom
# Test IP address on Wordpress login by country code
SecRule REQUEST_FILENAME "@streq /wp-login.php" "chain,id:1,phase:1,t:none,log,drop,msg:'Client IP not from UK'"
SecRule SERVER_NAME "!@rx mydomain\.co\.uk$" "chain"
SecRule REMOTE_ADDR "@geoLookup" "chain"
SecRule GEO:COUNTRY_CODE "!@streq GB" "t:none"
Hello, You may want to install a plugin such as: ConfigServer ModSecurity Control (cmc). Per the website, one of the features is:
- Disable mod_security rules that have unique ID numbers on a global, per cPanel user or per hosted domain level
Thank you.
Thanks cPanelMichael. I'd rather avoid installing any other software if I can; I was hoping that I'd just made a simple mistake in the rule... can anyone spot the mistake? Tom
Have you tried:
# Test IP address on Wordpress login by country code
SecRule REQUEST_FILENAME "@streq /wp-login.php" "chain,id:1,phase:1,t:none,log,drop,msg:'Client IP not from UK'"
SecRule SERVER_NAME "!@streq mydomain.co.uk" "chain,t:lowercase"
SecRule REMOTE_ADDR "@geoLookup" "chain"
SecRule GEO:COUNTRY_CODE "!@streq GB" "t:none"
I don't see any obvious mistakes in the rule; I agree with the above post to try a string rather than a regex match for the domain. Honestly though, the way you have it "should" work.
Thanks linux4me2 and quizknows. I have deployed your suggested amendments to see what happens. Fingers crossed :)
I'm outside the UK, and I will test it for you if you're comfortable posting a link to the site that allows outside-the-UK login and one that doesn't. If your server allows the connection on the former and drops it on the latter we'll know right now if you've got it working.
Thanks so much! Of course, the address is Let's Think. Once on the site, there's a login button top right. This should take you to the login page (and not block you); if not, then it's still not working.
I'm getting the following when I click the login link:
Error 503 Service Unavailable
Service Unavailable
Guru Meditation:
XID: 1325643687
Varnish cache server
At first, I thought the problem might be because the Login or Register link on the site has a redirect in the URL, but I tried the regular wp-login link, and I still got a 503. I'm not sure that's ModSecurity blocking my access. You might try setting the status code in the rule explicitly like this:
# Test IP address on Wordpress login by country code
SecRule REQUEST_FILENAME "@streq /wp-login.php" "chain,id:1,phase:1,t:none,status:403,log,drop,msg:'Client IP not from UK'"
SecRule SERVER_NAME "!@streq mydomain.co.uk" "chain,t:lowercase"
SecRule REMOTE_ADDR "@geoLookup" "chain"
SecRule GEO:COUNTRY_CODE "!@streq GB" "t:none"
I can try it again, and if I get a 403, it will be more likely that it's ModSecurity blocking me.
Thanks again for your perseverance! I have updated the rule; however, I've been getting these:
2017-01-30 22:04:50 www.example.org.uk 24.113.XXX.XXX 302 Request: GET /wp-login.php Action Description: Access denied with connection close (phase 1). Justification: Match of "streq GB" against "GEO:COUNTRY_CODE" required.
I've just thought... might it be that SERVER_NAME is wrong? Should I be testing against REQUEST_HEADERS:Host? I have multiple domain names running on the same server.
SERVER_NAME should function the same as REQUEST_HEADERS:Host, but it certainly can't hurt to use the latter.
Ahhhh! Interesting. I included the SERVER_NAME variable in the msg action and it was not returning the domain name as I expected; rather, it was returning it as a subdomain of the server that the sites are hosted on. I'm sure I could configure the server to correct this, but for the time being I'll just change the rule to reflect the value of SERVER_NAME. I'm not sure why I didn't test this before.
I tried it just now, but the connection to the site times out. I don't even get the home page now.
Just in case anyone else finds this useful, here's the rule I used in the end:
# Test IP address on Wordpress login by country code
SecRule REQUEST_FILENAME "@streq /wp-login.php" "chain,id:1,phase:1,t:none,status:403,log,drop,msg:'Client IP not from UK, %{SERVER_NAME}'"
SecRule SERVER_NAME "!@streq subdomain.serverdomain.co.uk" "chain,t:lowercase"
SecRule REMOTE_ADDR "@geoLookup" "chain"
SecRule GEO:COUNTRY_CODE "!@streq GB" "t:none"
I didn't realise that you can output variables in the msg action for debugging; this was the key to working out my problem. This seems to be working beautifully now. Thanks to linux4me2 for their patience!
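The following is an added example, not a rule posted in this thread: a variant of the same chain that keys the exemption on REQUEST_HEADERS:Host (the name the client actually asked for) instead of SERVER_NAME, which in Tom's case resolved to the hosting server's own subdomain. It also uses deny rather than drop, so a blocked client receives the configured 403 instead of a closed connection (drop sends a TCP FIN, which is what a browser shows as a hang or timeout), and it writes the values the chain saw into the audit log via logdata. The GeoIP database path, the rule id 1000001 and the hostname mydomain.co.uk are placeholders; the directives, operators and variables are standard ModSecurity 2.x.

```apache
# Added example, not from the thread. Assumes ModSecurity 2.x on Apache.
# Placeholder path: point this at the GeoIP city/country database you actually have.
SecGeoLookupDb /usr/share/GeoIP/GeoLiteCity.dat

# Rule 1 (chain starter): the disruptive action and all metadata live here.
# deny + status:403 returns a visible error; drop would close the TCP connection
# and show up on the client side as a timeout.
# logdata expands the Host header, SERVER_NAME and the resolved country into
# the audit log, which is the quickest way to see why the chain matched.
SecRule REQUEST_FILENAME "@streq /wp-login.php" \
    "chain,id:1000001,phase:1,t:none,deny,status:403,log,\
    msg:'wp-login.php request from outside GB',\
    logdata:'host=%{REQUEST_HEADERS.Host} server_name=%{SERVER_NAME} country=%{GEO.COUNTRY_CODE}'"

    # Rule 2: exempt the one site that must be reachable from abroad.
    # Match the client-supplied Host header (lower-cased), allowing an optional
    # :port suffix, so the comparison does not depend on how Apache fills SERVER_NAME.
    SecRule REQUEST_HEADERS:Host "!@rx ^mydomain\.co\.uk(:\d+)?$" "chain,t:none,t:lowercase"

        # Rule 3: resolve the client IP to a country; populates the GEO collection.
        SecRule REMOTE_ADDR "@geoLookup" "chain"

            # Rule 4: the chain only completes (and rule 1 denies) when the
            # resolved country is not GB.
            SecRule GEO:COUNTRY_CODE "!@streq GB" "t:none"
```

Because the exemption is keyed on the Host header, which is also the value Apache uses to select the name-based virtual host, a client cannot spoof it to reach a different site's wp-login.php on the same server: sending Host: mydomain.co.uk lands the request on that site's vhost. If a lookup fails (private address, IP not in the database), GEO:COUNTRY_CODE is empty and the "!@streq GB" test matches, so such clients are denied rather than silently allowed; if that is not what you want, add a separate rule before this one that handles an empty GEO:COUNTRY_CODE explicitly.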
Hello, I'm happy to see you were able to get it working. Thank you for taking the time to update this thread with the outcome.