Blocking Country with Modsecurity and Litespeed

Hi, I have already installed geoipupdate and the MaxMind configuration. MaxMind updates successfully, but mod_security doesn't appear to work.

File OK !

/usr/share/GeoIP/GeoLite2-Country.mmdb

And changed the configuration in:

/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master

For Deny:

SecDefaultAction "phase:1,log,auditlog,deny,status:406"
SecDefaultAction "phase:2,log,auditlog,deny,status:406"

Plus (Forbidden file extensions and better for tests like domain.com/xxxx.bak)

SecAction
"id:900240,
phase:1,
nolog,
pass,
t:none,
setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .ba> …

Of course

SecGeoLookupDB /usr/share/GeoIP/GeoLite2-Country.mmdb

With the rules of blocking country

SecAction \

"id:900600,\

"id:910100,
phase:1,
nolog,
pass,
t:none,
setvar:'tx.high_risk_country_codes=UA ID YU LT EG RO BG TR RU PK MY CN NL'"

Cyber panel

Any ideas? Thanks!

About the file extensions: I fixed it!

/usr/local/lsws/logs/error.log

2022-03-02 14:51:20.921491 [ERROR] [64446] [Module:mod_security]setSecRule(type 2) /usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/owasp-master.conf failed, ret -1, reason: 'Rule id: 99999 is duplicated

Rules error. File: /usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/crs-setup.conf. Line: 687. Column: 17. Expecting an action, got: # "id:910100,\ '.

Remove rule id 99999 from rules.conf file. And check crs-setup.conf

Now working! (/usr/local/lsws/logs/error.log)

2022-03-02 15:15:34.750819 [INFO] [69298] [X.X.X.X:28350#domain.com] [Module:mod_security]Log Message: [client X.X.X.X] ModSecurity: Access denied with code 406 (phase 2). Matched "Operator Within' with parameter .asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .ln (150 characters omitted)’ against variable TX:EXTENSION' (Value: .backup/’ ) [file “/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf”] [line “1015”] [id “920440”] [rev “”] [msg “URL file extension is restricted by policy”] [data “.backup”] [severity “2”] [ver “OWASP_CRS/3.3.2”] [maturity “0”] [accuracy “0”] [tag “application-multi”] [tag “language-multi”] [tag “platform-multi”] [tag “attack-protocol”] [tag “paranoia-level/1”] [tag “OWASP_CRS”] [tag “capec/1000/210/272”] [tag “PCI/6.5.10”] [hostname “domain.com.br”] [uri “/testefile.backup”] [unique_id “1646234134”] [ref “o9,7o10,6v5,16o26,8t:urlDecodeUni,t:lowercase”]
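
A pre-reload check for the two failures reported in error.log in this thread (a duplicated rule id, and a commented line left inside a backslash-continued SecAction). It is an added example, not part of any post or of the CRS project; the function name lint_modsec and the sample file contents are constructed, and only the file names and rule ids are taken from the thread.

```python
import re
from collections import defaultdict

# Matches the id action ("id:900600" or "id:'900600'"), not names such as unique_id.
ID_RE = re.compile(r"(?<![\w.])id\s*:\s*'?(\d+)")

def lint_modsec(files):
    """files maps name -> config text. Returns (duplicate_ids, broken_continuations)."""
    seen = defaultdict(list)   # rule id -> [(file, line), ...]
    broken = []                # comment lines that interrupt a continued directive
    for name, text in files.items():
        continued = False      # True while the previous active line ended with "\"
        for no, raw in enumerate(text.splitlines(), 1):
            line = raw.strip()
            if line.startswith("#"):
                if continued:
                    broken.append((name, no))
                continue       # commented-out rules define no ids
            for m in ID_RE.finditer(line):
                seen[m.group(1)].append((name, no))
            continued = line.endswith("\\")
    dups = {rid: locs for rid, locs in seen.items() if len(locs) > 1}
    return dups, broken

# Constructed sample contents (assumption): not the real files from the thread.
SAMPLE = {
    "rules.conf": r"""SecRule REMOTE_ADDR "@ipMatch 192.0.2.1" "id:99999,phase:1,pass,nolog"
""",
    "owasp-master.conf": r"""SecRuleEngine On
SecRule REQUEST_URI "@contains /probe" "id:99999,phase:1,pass,nolog"
""",
    "crs-setup.conf": r"""SecAction \
 "id:900600,\
# "id:910100,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:'tx.high_risk_country_codes=UA ID'"
""",
}

if __name__ == "__main__":
    dups, broken = lint_modsec(SAMPLE)
    for rid, locs in dups.items():
        print(f"duplicate rule id {rid}: {locs}")
    for name, no in broken:
        print(f"{name}:{no}: comment inside a continued directive")
```
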