Modsecurity: Cannot load local GeoIPDB

Created on 18 Oct 2019 · 8 Comments · Source: SpiderLabs/ModSecurity

Hey guys.

I am trying to integrate modsecurity 3 with geoIP support and I want to use a local database, like I used with modsecurity 2.9, downloaded from maxmind. With modsec v3 I couldn't load the database.

Output from nginx -t command:
Error reading file ???????????????/GeoIP.dat
nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: ????????/setup.conf. Line: 406. Column: 83. Failed to load the GeoDB from: ???????????????????/GeoIP.dat. Can't open: ?????????????????/GeoIP.dat. Support enabled for: GeoIP. GeoIP: Can't open: ?????????????/GeoIP.dat. in ???????????/default.conf

I replaced the path with "??"

I know that it is possible that this is not the place to ask this type of question, but I don't know where I should ask. Sorry about that.

Thanks guys.

3.x

All 8 comments

Hi @AndreMTrindade,

As of ModSecurity version 3, the maxmind package was made optional. It is very likely that your ModSecurity was compiled without such support. Did you compile it manually?

Hey @zimmerle,
Thank you very much for your response. Yes, I compiled manually and based on "./configure" output I think the GeoIP support is enabled.
[screenshot of ./configure output]

I downloaded the GeoIP db from: https://geolite.maxmind.com/download/geoip/database/GeoLite2-Country.tar.gz and I use SecGeoLookupDb to import the db.

Right, it seems that ModSecurity was compiled to use GeoIP (version 1) and the database is MaxMind (version 2). In that case, you can compile ModSecurity to support MaxMind, by installing the geoip2 dev packages on your distro. Or download the GeoIP database in the v1 format.
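The mismatch described above (a libGeoIP v1 build handed a MaxMind DB v2 file, or the reverse) can be caught before `nginx -t` by inspecting the file that `SecGeoLookupDb` points at. The following is an added example, not code from this thread or from the ModSecurity project; it relies on the two on-disk markers each library looks for, and the sample blobs are constructed inline.

```python
"""Classify a GeoIP database blob as legacy libGeoIP (v1 .dat) or MaxMind DB (v2 .mmdb)."""
import sys

# MaxMind DB (v2) files carry a metadata section introduced by this marker,
# located within the last 128 KiB of the file.
MMDB_METADATA_MARKER = b"\xab\xcd\xefMaxMind.com"
MMDB_METADATA_WINDOW = 128 * 1024

# libGeoIP (v1) scans backwards from the end of the file for three 0xFF bytes
# that precede the database-type byte (its STRUCTURE_INFO_MAX_SIZE is 20);
# 32 bytes leaves room for the type byte and segment-count bytes that follow.
LEGACY_STRUCT_MARKER = b"\xff\xff\xff"
LEGACY_STRUCT_WINDOW = 32

# Maps the "Support enabled for:" text in the ModSecurity error to the format it can open.
BUILD_TO_FORMAT = {"GeoIP": "legacy", "MaxMind": "mmdb"}


def classify_geoip_blob(data: bytes) -> str:
    """Return 'mmdb', 'legacy' or 'unknown' for the raw database bytes."""
    if MMDB_METADATA_MARKER in data[-MMDB_METADATA_WINDOW:]:
        return "mmdb"
    if LEGACY_STRUCT_MARKER in data[-LEGACY_STRUCT_WINDOW:]:
        return "legacy"
    return "unknown"


def check_database_for_build(data: bytes, build_supports: str) -> tuple[bool, str]:
    """Compare the file format with what the ModSecurity build was compiled for."""
    fmt = classify_geoip_blob(data)
    expected = BUILD_TO_FORMAT[build_supports]
    if fmt == expected:
        return True, f"OK: {fmt} database matches a build with {build_supports} support"
    return False, (f"MISMATCH: file is '{fmt}', but a build with {build_supports} "
                   f"support needs '{expected}' (recompile or fetch the other format)")


# Constructed sample blobs (not real databases) mimicking each format's trailer.
SAMPLES = {
    "legacy_sample.dat": b"\x00" * 64 + b"GEO-106FREE 20190101\x00\x00\x00" + b"\xff\xff\xff\x01",
    "mmdb_sample.mmdb": b"\x00" * 256 + MMDB_METADATA_MARKER + b"\x00" * 32,
}

if __name__ == "__main__":
    # Usage: python geoip_check.py <GeoIP|MaxMind> [path-to-database]
    build = sys.argv[1] if len(sys.argv) > 1 else "GeoIP"
    if len(sys.argv) > 2:
        with open(sys.argv[2], "rb") as fh:
            print(check_database_for_build(fh.read(), build)[1])
    else:
        for name, blob in SAMPLES.items():
            print(name, "->", check_database_for_build(blob, build)[1])
```

Note that the GeoLite2 download in the thread is a tar.gz archive; the check must be run on the extracted database file, not on the archive.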

@zimmerle any instruction on how to do that?

@AndreMTrindade I see that you had libGeoIP 1.5.0 back then - may I ask you what OS were you using? Was it RHEL/CentOS 7.x?

@zimmerle we've just got a report for the very similar issue, and it seems like the root cause wasn't in the wrong database - I'll submit a PR shortly.

ModSec is confused about the database version? e.g. trying to open version 2 as 1 and/or vice-versa? Looking forward to the PR.

@zimmerle no, it's not about confusion; perhaps there were some changes within libGeoIP API between 1.5.0 and latest versions (e.g. 1.6.9). I've just submitted #2378 with more info.

(We've been running nginx+modsec+geoip on a number of Ubuntu systems without any issues, but all those systems were with newer libGeoIP.)

Why even allow v3 to compile with libGeoIP 1.5.0 if it's broken?
