Setup for ModSecurity Country Block with OWASP3 910100
Despite searching all possible docs and links around here, I couldn't find anything clear enough to get this to work.
I have installed OWASP ModSecurity Core Rule Set V3.0, which comes with rule 910100 that can block countries, and it says:
# This rule requires activating the SecGeoLookupDB directive
# in the crs-setup.conf file and specifying
# the list of blocked countries (tx.high_risk_country_codes).
The first thing I did was download the updated database from MaxMind, but I noticed all the files are xxx.mmdb, and after some reading I believe the latest ModSecurity version, 2.9, is only compatible with the legacy .dat MaxMind files, which were discontinued and are no longer available. Is that correct?
I tried to set it up anyway at Security Center -> ModSecurity Configuration.
In the Geolocation Database section, SecGeoLookupDb is set to /usr/share/GeoIP/GeoLiteCountry.dat, as I had this file there despite it being dated 2018.
As mentioned above for OWASP3 rule 910100, I tried to edit and enable the country block at /etc/apache2/conf.d/modsec_vendor_configs/OWASP3/crs-setup.conf
In there I can see:
# -=[ Block Countries ]=-
#
# Rules in the IP Reputation file can check the client against a list of high
# risk country codes. These countries have to be defined in the variable
# tx.high_risk_country_codes via their ISO 3166 two-letter country code:
# https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Officially_assigned_code_elements
#
# If you are sure that you are not getting any legitimate requests from a given
# country, then you can disable all access from that country via this variable.
# The rule performing the test has the rule id 910100.
#
# This rule requires SecGeoLookupDB to be enabled and the GeoIP database to be
# downloaded (see the section "GeoIP Database" above.)
#
# By default, the list is empty. A list used by some sites was the following:
#setvar:'tx.high_risk_country_codes=UA ID YU LT EG RO BG TR RU PK MY CN AE AF AL AM AZ BD BY ER ET GE HK HU IN KZ LK PH SG TH TW VN'"
#
# Uncomment this rule to use this feature:
#
#SecAction \
# "id:900600,\
#  phase:1,\
#  nolog,\
#  pass,\
#  t:none,\
#  setvar:'tx.high_risk_country_codes='"
So I just uncommented the lines below:
setvar:'tx.high_risk_country_codes=UA ID YU LT EG RO BG TR RU PK MY CN AE AF AL AM AZ BD BY ER ET GE HK HU IN KZ LK PH SG TH TW VN'"
SecAction # "id:900600,# phase:1,# nolog,# pass,# t:none,# setvar:'tx.high_risk_country_codes='"
It's not possible to restart Apache after that, as it throws errors saying it can't recognize those country codes.
What am I missing here?
Is there a way to get Country Block as efficient as possible?
I mean, almost 100% of the traffic from those countries is just abusive and useless, just consuming server resources.
-
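For reference, here is what the enabled country-block section of crs-setup.conf looks like when the 900600 SecAction is uncommented as one directive. This is an added example, not the poster's file or cPanel's own configuration; it assumes ModSecurity 2.9.x with OWASP CRS 3.0 and the legacy GeoIP database path from the post. The point it illustrates: in ModSecurity's configuration, the SecAction directive takes a single quoted argument spread over several lines with trailing backslashes, and setvar: is an action inside that argument, not a directive of its own, so Apache cannot parse a setvar: line that stands alone.

```apacheconf
# Added example: country block for OWASP CRS 3.0 on ModSecurity 2.9.x.
# Assumes the legacy .dat database (ModSecurity 2.x reads the legacy GeoIP
# format through libGeoIP; it does not read .mmdb files). On cPanel this
# directive is the one the WHM "Geolocation Database" field sets; it is
# shown here only so the example is complete.
SecGeoLookupDb /usr/share/GeoIP/GeoLiteCountry.dat

# Everything from the opening quote to the closing quote is ONE argument to
# SecAction. The trailing backslashes continue the line; "setvar:" is an
# action inside the argument and must not be uncommented by itself.
# The country list is the illustrative list from crs-setup.conf; replace it
# with the ISO 3166-1 alpha-2 codes you actually want to block.
SecAction \
 "id:900600,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:'tx.high_risk_country_codes=UA ID YU LT EG RO BG TR RU PK MY CN AE AF AL AM AZ BD BY ER ET GE HK HU IN KZ LK PH SG TH TW VN'"

# Rule 910100 (in the CRS IP reputation rules, unchanged) then compares the
# GEO:COUNTRY_CODE looked up for the client IP against tx.high_risk_country_codes.
```

Before restarting Apache, run a syntax check (`apachectl configtest` or `httpd -t`) so a malformed directive is reported without taking the server down. Two caveats a practitioner would want: a 2018-dated GeoIP database will misattribute address ranges that have since been reallocated, so expect both false blocks and misses; and because 910100 runs inside Apache, every blocked request is still accepted and parsed by the web server before being rejected, which is why a firewall-level block (as suggested in the replies) saves more resources.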
Hey there! You are correct that you'd need the older version of ModSecurity as cPanel systems use ModSecurity 2.
Instead of forcing Apache to handle the traffic it would be best to block country codes at the firewall level, so Apache doesn't have to handle the traffic at all. I would expect this to use much fewer server resources.
0 -
Thanks for your comments, cPRex.
I was thinking exactly what you said, that it would be better to handle that via a firewall instead of Apache, but I'm hosted on a Hostgator VPS and it comes with HG Firewall, which is pretty simple and can't deal with Country Block.
I think I can't uninstall HG Firewall, so do you recommend any cPanel-compatible firewall that could do this job? I was checking CSF but realized they recently closed their operations.
0 -
CSF is still a great tool, and many users have created forks of it as well, so it's still usable if you want to go that route. Since we don't (yet) have a firewall tool, I can't make an official recommendation on what you can use.
I will say that we're working on our own firewall system since the closure of CSF, so if you have any specific feedback or things you would like to see in it, leave those thoughts here: https://features.cpanel.net/c/202-firewall-configuration-tool
0 -
I was wondering if that would be your answer ... lol...
My vote is already there and I look forward to seeing any future option from you guys.
The problem with a firewall that deals with Country Block is that it needs its IP tables updated constantly. I run through Cloudflare and have lots of country block rules, but Cloudflare is not efficient for that.
Thank you.
1 -
Unfortunately that's the best I've got to offer at this point, but there will be major announcements when our firewall tool goes live.
0