I’m trying to get the following rule to work but it seems to be doing nothing:

# Test IP address and block by country code
SecGeoLookupDb /usr/share/GeoIP/GeoIP.dat
SecRule REMOTE_ADDR "@geoLookup" "chain,id:20,drop,msg:'Block China IP address'"
SecRule GEO:COUNTRY_CODE "@streq CN HK"

I have had the GeoIP database installed for a while and used it successfully for other purposes, so this isn’t the problem.

As it stands the above rule does nothing – no error, and no blocking.
Given the huge amount of China based traffic I’ve been receiving the logs should be absolutely full…

The version of Modsecurity I’m running is 2.9.2-ubuntu18.04.19091318 and the server is running Plesk.
I’m wondering if there is anything else that I need to set up to get this working, or if there is at least any way of testing the various layers…

Edit: I set up Modsecurity debugging and there are lots of entries showing:

No geo data for "IP_ADDRESS_HERE" (country 0).

Not sure why it wouldn’t be finding any of these as the GeoIP.dat file is there and I can successfully run geoiplookup from the command line.

2 Answers

  1. You have the following:

    SecRule GEO:COUNTRY_CODE "@streq CN HK"
    

    Meaning the country code has to exactly match CN HK when in reality it will be CN or HK.

    I think you want the following to match any one of the listed countries.

    SecRule GEO:COUNTRY_CODE "@pm CN HK"

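The corrected chained rule from the answer above, written out as an added example (not part of the original post or the answerer's text); the `phase:1` action, the anchored `@rx` alternative and the logging-only rule with id 21 are my additions.

```apache
# Added example, not from the original post. Assumes ModSecurity 2.9 with the
# legacy GeoIP database and that rule ids 20 and 21 are otherwise unused.
SecGeoLookupDb /usr/share/GeoIP/GeoIP.dat

# Broken form from the question: @streq compares the whole variable against the
# single literal "CN HK", which a two-letter country code can never equal.
#   SecRule GEO:COUNTRY_CODE "@streq CN HK"

# Working form: @pm matches if any listed phrase occurs in the value. The anchored
# regex used here is stricter; it cannot match a substring, and it does not match
# an empty COUNTRY_CODE when the lookup found nothing for the address.
SecRule REMOTE_ADDR "@geoLookup" "chain,id:20,phase:1,drop,msg:'Block China/Hong Kong IP address'"
    SecRule GEO:COUNTRY_CODE "@rx ^(?:CN|HK)$"

# Diagnostic only: log the country found for every request without blocking, so
# the "No geo data" debug entries can be compared against an address known to be
# in the database (a private or loopback address will legitimately return nothing).
SecRule REMOTE_ADDR "@geoLookup" "id:21,phase:1,pass,log,msg:'GEO country: %{GEO.COUNTRY_CODE}'"
```

If the server sits behind a reverse proxy, REMOTE_ADDR may be the proxy's own address rather than the client's, which would also explain lookups that return no country.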
  2. What is the output when you configure libModSecurity for compilation?

    You should have some output such as

    ModSecurity – v3.x.x for Linux

    Optional dependencies + GeoIP/MaxMind ….found
