Wednesday, December 3, 2008

Apache Modsecurity with GeoIP blocking country specific traffic

Modsecurity + GeoIP

ModSecurity is a web application firewall that can work either embedded or as a reverse proxy.
It provides protection from a range of attacks against web applications and allows for HTTP
traffic monitoring, logging and real-time analysis.

Requirements:
To install ModSecurity with GeoIP support we need the following packages:
1. ModSecurity v2.5 or greater (download from http://www.modsecurity.org/)
2. mod_geoip2 (download from http://www.maxmind.com/)
3. GeoIP-1.4 or greater (download from http://www.maxmind.com/)
Additionally we need apxs to compile Apache modules.
Apache's unique_id_module and libxml2 must be installed on the system.
Download the GeoLiteCity.dat database file from http://www.maxmind.com/ and place it in
/usr/share/

After installing all these packages, create the following four files under your Apache configuration directory and include them from the main config file (httpd.conf):

1. mod-security.load
LoadFile /usr/local/lib/libxml2.X
LoadModule security2_module /usr/local/lib/apache2/mod_security2.so

2. mod_sec.conf
SecRuleEngine On
Include //*.conf

3. mod_geoip.load
LoadModule geoip_module //mod_geoip.so

4. mod_geoip.conf

GeoIPEnable On
GeoIPDBFile /usr//share/GeoLiteCity.dat


For ModSecurity rule files, visit http://www.gotroot.com/
A complete set of configuration files can be downloaded from http://downloads.prometheus-group.com/delayed/rules/modsec-2.5-free-latest.tar.gz
Extract the files and move the ones you need to //, depending on the required application security
level and the available system resources. Including all rule files may slow down the Apache server.

Create a file named geo_ip_rules.conf under //
and put in it, for example:
SecGeoLookupDb /usr/share/GeoLiteCity.dat
SecRule REMOTE_ADDR "@geoLookup" "chain,drop,msg:'COUNTRY IP address'"
SecRule GEO:COUNTRY_CODE "@streq " "t:none"

This configuration drops every connection whose source IP address the GeoIP lookup assigns to the country whose two-letter code follows @streq.
Change that country code as required.

After all this installation and configuration, restart the Apache server for the changes to take effect.

We can monitor the Apache error.log for the GeoIP-based IP address blocks.
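As an added example (not part of the original post), a small Python script that parses error.log lines in the shape ModSecurity 2.5 writes them and tallies which client IPs and URIs were hit by the geo rule, separating them from other ModSecurity warnings. The sample lines, rule file path, hostname and IP addresses are constructed and assumed, not taken from a real server.

```python
import re
from collections import Counter

# Constructed sample lines approximating ModSecurity 2.5 error.log entries
# (real entries carry more bracketed fields; the path and hosts are assumed).
SAMPLE_LOG = """\
[Wed Dec 03 10:12:01 2008] [error] [client 192.0.2.10] ModSecurity: Access denied with connection close (phase 2). String match "XX" at GEO:COUNTRY_CODE. [file "/etc/apache2/modsecurity/geo_ip_rules.conf"] [line "2"] [msg "COUNTRY IP address"] [hostname "www.example.com"] [uri "/index.html"] [unique_id "abc123"]
[Wed Dec 03 10:12:05 2008] [error] [client 198.51.100.7] ModSecurity: Warning. Pattern match "..." at ARGS:q. [msg "SQL Injection Attack"] [hostname "www.example.com"] [uri "/search"]
[Wed Dec 03 10:13:44 2008] [error] [client 192.0.2.10] ModSecurity: Access denied with connection close (phase 2). String match "XX" at GEO:COUNTRY_CODE. [msg "COUNTRY IP address"] [hostname "www.example.com"] [uri "/login"]
[Wed Dec 03 10:14:02 2008] [notice] Apache/2.2.9 configured -- resuming normal operations
"""

# Timestamp, client IP and the ModSecurity action that opens the message.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9.]+)\] '
    r'ModSecurity: (?P<action>Access denied[^.]*|Warning)\.'
)
# Trailing [name "value"] fields such as [msg "..."] and [uri "..."].
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_modsec_line(line):
    """Return a dict for a ModSecurity error.log line, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["fields"] = dict(FIELD_RE.findall(line))
    # The geo rule is a blocking rule (drop), so only count denials that
    # matched on the GEO:COUNTRY_CODE variable, not ordinary warnings.
    rec["geo_block"] = ("GEO:COUNTRY_CODE" in line
                        and rec["action"].startswith("Access denied"))
    return rec


def geo_block_summary(log_text):
    """Count geo-blocked requests per client IP and per requested URI."""
    blocked, uris = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_modsec_line(line)
        if rec and rec["geo_block"]:
            blocked[rec["ip"]] += 1
            uris[rec["fields"].get("uri", "?")] += 1
    return blocked, uris


if __name__ == "__main__":
    by_ip, by_uri = geo_block_summary(SAMPLE_LOG)
    print("blocked by IP:", dict(by_ip))
    print("blocked by URI:", dict(by_uri))
```

Point the script at the real error.log (or pipe it through `tail -f`) to watch the geo rule fire and to spot a block on an address that should not be in the target country.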
