Without this being backported to the 2.9 branch, ModSecurity on Apache no longer has any GeoIP support.
This will be very welcome. :)
Thank you @zimmerle.
Can you give us a timeline for 2.9.3?
Hi @dune73,
There is a milestone for the version 2.9.3 here:
https://github.com/SpiderLabs/ModSecurity/milestone/10
We don't have an ETA for the release yet.
Is there anyone from the community who is willing to help with the development of this backport?
The implementation for v3 is here:
https://github.com/SpiderLabs/ModSecurity/blob/v3/master/src/utils/geo_lookup.cc
The logic is available if and only if ModSecurity was compiled with MaxMind support.
MaxMind and GeoIp can co-exist. In that case, the choice [run time] is based on the specified database.
If you need it, count on my support during the development.
@spartantri, @franbuehler, @ossie-git, @dobin, @thhofer, @Cheesman97 can you describe the use case that you have for that specific functionality?
A standard use case is to protect certain parts of an application (-> path tree, typically the admin interface) via GeoIP and ModSecurity. This reduces your attack surface tremendously.
Other people assign different CRS anomaly thresholds based on GeoIP.
It is also very helpful to display the GeoIP country code next to the IP address in the combined access log. This works without a real format change, as the position for 'logname' was abandoned twenty years ago and has been unused ever since. Putting the country code there with the help of an environment variable is very simple if you have GeoIP.
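The three use cases above (admin path restriction, a per-country CRS threshold, and the country code in the access log's unused logname slot) as one ModSecurity v2 configuration. This is an added example, not configuration from the thread or from the ModSecurity project; the database path, rule IDs, the allowed-country list, the country that gets a stricter threshold, the CRS variable name (CRS 3.x) and the log file path are all assumptions.

```apache
# Added example (not from the thread). Legacy GeoIP database path is assumed.
SecGeoLookupDb /usr/share/GeoIP/GeoIP.dat

# Phase 1: resolve the client address once per request and export the country
# code as an environment variable so Apache's log formatter can read it.
SecRule REMOTE_ADDR "@geoLookup" \
    "id:1000,phase:1,pass,nolog,\
     setenv:GEOIP_COUNTRY=%{GEO.COUNTRY_CODE}"

# Restrict the admin tree to an allow-list of countries (assumed list CH/DE/AT).
# A regex rather than @within is used so that an empty country code (lookup
# failed, e.g. private or unknown address) is also denied: fail closed.
SecRule REQUEST_URI "@beginsWith /admin/" \
    "id:1001,phase:1,deny,status:403,log,\
     msg:'Admin interface requested from non-allowed country %{GEO.COUNTRY_CODE}',\
     chain"
    SecRule GEO:COUNTRY_CODE "!@rx ^(CH|DE|AT)$" "t:none"

# Stricter inbound anomaly threshold for one country (assumed code XX).
# Must be loaded before the CRS include, because REQUEST-901-INITIALIZATION
# only sets the default when the variable is still unset.
SecRule GEO:COUNTRY_CODE "@streq XX" \
    "id:1002,phase:1,pass,nolog,\
     setvar:tx.inbound_anomaly_score_threshold=3"

# Apache side: put the country code into the unused 'logname' (%l) position of
# the combined format; the rest of the format is unchanged so existing log
# parsers keep working.
LogFormat "%h %{GEOIP_COUNTRY}e %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined_geo
CustomLog logs/access_log combined_geo
```

Rule 1000 must run before 1001 and 1002 in the same phase, since the GEO collection is only populated by a preceding @geoLookup. If the lookup fails, %{GEOIP_COUNTRY} expands to an empty string in the log, which the formatter prints as "-".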
While this is not ready yet on 2.x, there are other modules on Apache that may help you to block/process based on GeoIP, including one from maxmind - https://github.com/maxmind/mod_maxminddb
Any progress here?
Hi @emphazer,
Yes, there is this user Marc Stern who had a solution:
"
As you know, the geo-localisation databases used by ModSecurity are no longer updated.
Maxmind, the databases provider, developed a new DB format and provides its own module (mod_maxminddb).
mod_maxminddb was lacking a feature to integrate it smoothly with ModSecurity: setting the IP address from inside a rule. I introduced this feature some time ago and I'm happy to announce that this patch was merged in Maxmind's code and is thus officially part of the module.
You can now set an environment variable in a rule - in (real) phase 1 - and mod_maxminddb will use this IP address as source.
Note that, for most uses, mod_remote_ip is an easier solution.
*Marc Stern*
"
https://sourceforge.net/p/mod-security/mailman/message/36408909/
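What the quoted message describes, as an added example that is not Marc Stern's code nor the mod_maxminddb project's own documentation: a ModSecurity v2 phase-1 rule decides which address mod_maxminddb should look up. The directive name MaxMindDBNetworkEnv, the environment variable name MMDB_CLIENT_IP, the trusted proxy range, the database path and the rule IDs are assumptions.

```apache
# Added example (not from the thread). All names and paths are assumptions.
MaxMindDBEnable On
MaxMindDBFile COUNTRY_DB /usr/share/GeoIP/GeoLite2-Country.mmdb
# Assumed directive: make the module read the address to look up from the
# named environment variable instead of the TCP peer address.
MaxMindDBNetworkEnv MMDB_CLIENT_IP
MaxMindDBEnv MM_COUNTRY_CODE COUNTRY_DB/country/iso_code

# Phase 1: only when the connection comes from a trusted proxy (assumed
# 10.0.0.0/8), take the first hop of X-Forwarded-For as the client address.
# Trusting the header from arbitrary peers would let a client choose its own
# geolocation, so the proxy check is the security-relevant part.
SecRule REMOTE_ADDR "@ipMatch 10.0.0.0/8" \
    "id:1100,phase:1,pass,nolog,chain"
    SecRule REQUEST_HEADERS:X-Forwarded-For "^\s*(\d{1,3}(?:\.\d{1,3}){3})" \
        "capture,setenv:MMDB_CLIENT_IP=%{TX.1}"

# Fallback: if nothing set the variable above, use the peer address itself.
SecRule &ENV:MMDB_CLIENT_IP "@eq 0" \
    "id:1101,phase:1,pass,nolog,setenv:MMDB_CLIENT_IP=%{REMOTE_ADDR}"

# Later rules can then branch on the module's result, e.g. log it:
SecRule ENV:MM_COUNTRY_CODE "!^$" \
    "id:1102,phase:1,pass,log,msg:'Client country %{ENV.MM_COUNTRY_CODE}'"
```

As the message itself notes, when the only goal is to replace the peer address with the X-Forwarded-For client, mod_remoteip does the same job without any ModSecurity rule; the rule-based approach is useful when the choice of address depends on request logic that mod_remoteip cannot express.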
+1 This is certainly needed
@zimmerle thanks for this information.
For us this module is not an option, because we run over 200 servers with ModSecurity and complex proxy rules... there is no way to change the whole infrastructure.
That's why we chose to extract the information from GeoLite2-Country monthly and to generate our own GeoIP.dat file.
It works very well with ModSecurity v2.x.
Greetings,
Christoph
Can you elaborate on how you do this?
@tomsommer Sure, I think I will post it on a blog in the next 4-6 weeks.
@emphazer I too am interested in converting v2 to v1 as a workaround. I see you have a Python script for this: https://github.com/emphazer/mmdb-convert but I note the warning about it being 'alpha'...
@porjo This is just a part of a bash script to generate a v1 GeoIP.dat file:
https://github.com/emphazer/GeoIP_convert-v2-v1
@tomsommer
Here you can find a script for the conversion:
https://github.com/emphazer/GeoIP_convert-v2-v1
If anyone wants them, I post the DAT files I convert here.
Very cool initiative. Thanks.
One question: You are sharing this via Creative Commons Attribution-ShareAlike 4.0. I presume the original databases are those of MaxMind. Are they OK with what you are doing here? In other words, do you have their formal OK? If yes, I will help to share the word. If not, it's legally dangerous to link to your site.
https://creativecommons.org/licenses/by-sa/4.0/
The licenses of both databases are free to adapt, must be shared under the same license and must give attribution. All of which I have done on the page.
I will contact both maxmind and dbip to check if what I have done is ok.
Update1: I have contacted both providers, waiting for reply.
Update2: Maxmind said OK.
Update3: DB-IP said OK.
Sounds like a plan. Thank you.
If anyone wants them, I post the DAT files I convert here.
Thank you for sharing!