Hello everyone,
I currently run some servers with cPanel, and they have mod_security active to increase security. The problem I'm facing is that mod_security is blocking some scripts that are usually OK, or in other words, there are too many false positives.
I came up with an idea to fix that. Since my traffic is 90% from my country, and usually the problems I had with security came from other countries, I decided to create a rule in mod_security to "relax" a bit when the IP is from my country.
Here is what I have in my modsec2.conf:
SecGeoLookupDb /usr/local/geo/GeoIP.dat
# Every rule needs an id since ModSecurity 2.7; 1-99,999 is reserved for local rules. The lookup must run in phase 1 so GEO is populated before the phase-1 check.
SecRule REMOTE_ADDR "@geoLookup" "phase:1,id:1001,nolog,pass"
# allow:phase skips only the rest of phase 1; plain allow (or ctl:ruleEngine=off) would skip the whole transaction.
SecRule GEO:COUNTRY_CODE "@streq BR" "phase:1,id:1002,nolog,allow:phase"
What I want it to do is:
- Look up the user's IP address in the database that I downloaded from MaxMind, and confirm whether it's from my country or not.
- If the IP is from my country, mod_security will skip phase 1, because all the false positives happened in this phase.
In case the IP is from another country, mod_security will work at full power!
Anyway, my question is:
Is the rule above right? Some months ago I wrote it and it was working, but I lost it when I upgraded Apache and now I'm not sure if this is right.
Thank you!
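As an added example (not the poster's configuration and not something cPanel ships), here is a variant of the same idea that relaxes only the specific rules that misfire for domestic traffic, instead of skipping a whole phase. It assumes the same legacy GeoIP .dat path; the rule ids 1001-1003 and the ids 123456/123457 passed to ruleRemoveById are placeholders for whichever ids your own modsec audit log reports in the false-positive entries.

```apache
# Added example, not the original post's config. Assumes /usr/local/geo/GeoIP.dat
# is a legacy-format GeoIP country database; all rule ids below are placeholders.
SecGeoLookupDb /usr/local/geo/GeoIP.dat

# Populate the GEO collection in phase 1 so the phase-1 rules below can read it.
# REMOTE_ADDR is the TCP peer, so behind a proxy or CDN this is the proxy's address.
SecRule REMOTE_ADDR "@geoLookup" "id:1001,phase:1,nolog,pass"

# Broad form (what the original rule effectively does): BR visitors bypass every
# remaining rule for the entire transaction. Left commented out for comparison.
#SecRule GEO:COUNTRY_CODE "@streq BR" "id:1002,phase:1,nolog,allow"

# Narrow form: for BR visitors, remove only the rules known to fire falsely and let
# the rest of the rule set run. ctl:ruleRemoveById only affects rules evaluated
# later in the transaction, so this block must be loaded BEFORE the rule set that
# contains 123456 and 123457 (i.e. before the Include of your main rules).
SecRule GEO:COUNTRY_CODE "@streq BR" \
    "id:1002,phase:1,nolog,pass,ctl:ruleRemoveById=123456,ctl:ruleRemoveById=123457"

# Tuning aid: record the country of non-BR requests without changing the verdict,
# so hits from the full rule set can be correlated with origin in the audit log.
SecRule GEO:COUNTRY_CODE "!@streq BR" \
    "id:1003,phase:1,pass,log,msg:'Foreign request from %{GEO:COUNTRY_CODE}'"
```

Two caveats a practitioner would check before relying on this: ModSecurity 2.x reads only the legacy GeoIP .dat format, and MaxMind stopped distributing the free GeoLite Legacy databases in 2019, so the file under /usr/local/geo needs a maintained source or its country data will drift stale; and if the server sits behind a load balancer or CDN, REMOTE_ADDR will be that intermediary's address, so the country check will match (or miss) every request the same way regardless of the real client.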