0

我为 Apache 配置了 mod_security 和 GeoIP2。GeoLite2-Country.mmdbgeoipupdate每周都会被 cron 触发下载。我的/etc/modsecurity/modsecurity.conf配置如下:

SecRuleEngine On
SecRule ARGS:modsecparam "@contains test" "id:4321,deny,status:403,msg:'ModSecurity test rule has triggered'"

SecRule REMOTE_ADDR "@geoLookup" "chain,id:20000,deny,status:403,msg:'NON PL IP addresses'"
SecRule GEO:COUNTRY_CODE "!@streq PL"
...

/etc/modsecurity/crs-setup.conf对 GeoIP 数据库的看法:

SecGeoLookupDB /etc/modsecurity/GeoLite2-Country.mmdb

从我的本地机器运行 curl:curl 'https://host/login/index.html?modsecparam=test' 在日志中留下跟踪:

...
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:980013,nolog,skipAfter:END-RESPONSE-980-CORRELATION"

SecRule "ARGS:modsecparam" "@contains test" "phase:2,log,auditlog,id:4321,deny,status:403,msg:'ModSecurity test rule has triggered'"

SecRule "&TX:dos_burst_time_slice" "@eq 0" "phase:5,auditlog,id:912110,t:none,nolog,ver:OWASP_CRS/3.2.0,chain,skipAfter:END-DOS-PROTECTION-CHECKS"
SecRule "&TX:dos_counter_threshold" "@eq 0" "chain"
SecRule "&TX:dos_block_timeout" "@eq 0"
...

但是由于某种原因,它不会阻止除 PL 以外的国家/地区。我做错了什么?

4

1 回答 1

0

请查看crs-setup.conf示例,我们根据您使用的版本解释您应该为 geodb 使用的文件类型。

大概核心是:

# There are two formats for the GeoIP database. ModSecurity v2 uses GeoLite (.dat files),
# and ModSecurity v3 uses GeoLite2 (.mmdb files).
...
# Therefore, if you use ModSecurity v2, you need to regenerate updated .dat files
# from CSV files first.
#
# You can achieve this using https://github.com/sherpya/geolite2legacy
# Pick the zip files from maxmind site:
# https://geolite.maxmind.com/download/geoip/database/GeoLite2-Country-CSV.zip
#
# Follow the guidelines for installing the tool and run:
# ./geolite2legacy.py -i GeoLite2-Country-CSV.zip \
#                     -f geoname2fips.csv -o /usr/share/GeoliteCountry.dat

正如您提到的 apache,您可能需要 .dat 文件。

费利佩。ModSecurity 开发人员值班项目

于 2021-06-07T21:21:23.573 回答