Mod_security 不会阻止以下国家/地区

Question

我为 Apache 配置了 mod_security 和 GeoIP2。 GeoLite2-Country.mmdb 由 cron 每周触发的geoipupdate 下载。我的/etc/modsecurity/modsecurity.conf 配置如下：

SecRuleEngine On
SecRule ARGS:modsecparam "@contains test" "id:4321,deny,status:403,msg:'ModSecurity test rule has triggered'"

SecRule REMOTE_ADDR "@geoLookup" "chain,id:20000,deny,status:403,msg:'NON PL IP addresses'"
SecRule GEO:COUNTRY_CODE "!@streq PL"
...

我的/etc/modsecurity/crs-setup.conf 指向 GeoIP 数据库：

SecGeoLookupDB /etc/modsecurity/GeoLite2-Country.mmdb

从我的本地机器运行 curl：curl 'https://host/login/index.html?modsecparam=test' 在日志中留下痕迹：

...
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:980013,nolog,skipAfter:END-RESPONSE-980-CORRELATION"

SecRule "ARGS:modsecparam" "@contains test" "phase:2,log,auditlog,id:4321,deny,status:403,msg:'ModSecurity test rule has triggered'"

SecRule "&TX:dos_burst_time_slice" "@eq 0" "phase:5,auditlog,id:912110,t:none,nolog,ver:OWASP_CRS/3.2.0,chain,skipAfter:END-DOS-PROTECTION-CHECKS"
SecRule "&TX:dos_counter_threshold" "@eq 0" "chain"
SecRule "&TX:dos_block_timeout" "@eq 0"
...

但由于某种原因，它不会阻止 PL 以外的国家/地区。我做错了什么？

Answer 1

请查看crs-setup.conf 示例，我们会根据您使用的版本解释您应该为 geodb 使用的文件类型。

大概核心是：

# There are two formats for the GeoIP database. ModSecurity v2 uses GeoLite (.dat files),
# and ModSecurity v3 uses GeoLite2 (.mmdb files).
...
# Therefore, if you use ModSecurity v2, you need to regenerate updated .dat files
# from CSV files first.
#
# You can achieve this using https://github.com/sherpya/geolite2legacy
# Pick the zip files from maxmind site:
# https://geolite.maxmind.com/download/geoip/database/GeoLite2-Country-CSV.zip
#
# Follow the guidelines for installing the tool and run:
# ./geolite2legacy.py -i GeoLite2-Country-CSV.zip \
#                     -f geoname2fips.csv -o /usr/share/GeoliteCountry.dat

正如您提到的 apache，您可能需要 .dat 文件。

费利佩。 ModSecurity Dev-on-duty 项目