SOLVED ModSecurity rule not working as I expected

tdsm

Member
Mar 18, 2014
cPanel Access Level
Root Administrator
Hi all,

I have added the rule below to ModSecurity Tools. I have cobbled it together from documentation and online forums as I couldn't find an existing rule that would do what I wanted. I'm no guru so any help is much appreciated!

It's meant to restrict access to the Wordpress login page (wp-login.php) for IP addresses outside of the UK. I wanted to ignore one domain (e.g. mydomain.co.uk) which needs to be accessed from abroad.

Code:
# Test IP address on Wordpress login by country code
SecRule REQUEST_FILENAME "@streq /wp-login.php" "chain,id:1,phase:1,t:none,log,drop,msg:'Client IP not from UK'"
SecRule SERVER_NAME "!@rx mydomain\.co\.uk$" "chain"
SecRule REMOTE_ADDR "@geoLookup" "chain"
SecRule GEO:COUNTRY_CODE "!@streq GB" "t:none"
The rule seems to work great; however, it's still blocking mydomain.co.uk.

Any ideas?

Cheers,

Tom
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011

tdsm

Member
Mar 18, 2014
cPanel Access Level
Root Administrator
Thanks cPanelMichael,

I'd rather avoid installing any other software if I can avoid it. I was hoping that I'd just made a simple mistake in the rule... can anyone spot the mistake?

Tom
 

linux4me2

Well-Known Member
Aug 21, 2015
USA
cPanel Access Level
Root Administrator
Have you tried:
Code:
# Test IP address on Wordpress login by country code
SecRule REQUEST_FILENAME "@streq /wp-login.php" "chain,id:1,phase:1,t:none,log,drop,msg:'Client IP not from UK'"
SecRule SERVER_NAME "!@streq mydomain.co.uk" "chain,t:lowercase"
SecRule REMOTE_ADDR "@geoLookup" "chain"
SecRule GEO:COUNTRY_CODE "!@streq GB" "t:none"
 

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
I don't see any obvious mistakes in the rule; I agree with the above post to try a string rather than a regex match for the domain. Honestly, though, the way you have it "should" work.
 

linux4me2

Well-Known Member
Aug 21, 2015
USA
cPanel Access Level
Root Administrator
tdsm said:
Thanks linux4me2 and quizknows

I have deployed your suggested amendments to see what happens. Fingers crossed :)

I'm outside the UK, and I will test it for you if you're comfortable posting a link to the site that allows outside-the-UK login and one that doesn't. If your server allows the connection on the former and drops it on the latter, we'll know right now if you've got it working.
 

tdsm

Member
Mar 18, 2014
cPanel Access Level
Root Administrator
linux4me2 said:
I'm outside the UK, and I will test it for you if you're comfortable posting a link to the site that allows outside-the-UK login and one that doesn't. If your server allows the connection on the former and drops it on the latter, we'll know right now if you've got it working.

Thanks so much! Of course, the address is Let's Think. Once on the site, there's a login button top right. This should take you to the login page (and not block you); if not, then it's still not working.
 

linux4me2

Well-Known Member
Aug 21, 2015
USA
cPanel Access Level
Root Administrator
I'm getting the following when I click the login link:
Error 503 Service Unavailable

Service Unavailable
Guru Meditation:

XID: 1325643687

Varnish cache server
At first, I thought the problem might be because the Login or Register link on the site has a redirect in the URL, but I tried the regular wp-login link, and I still got a 503. I'm not sure that's ModSecurity blocking my access. You might try setting the status code in the rule explicitly like this:
Code:
# Test IP address on Wordpress login by country code
SecRule REQUEST_FILENAME "@streq /wp-login.php" "chain,id:1,phase:1,t:none,status:403,log,drop,msg:'Client IP not from UK'"
SecRule SERVER_NAME "!@streq mydomain.co.uk" "chain,t:lowercase"
SecRule REMOTE_ADDR "@geoLookup" "chain"
SecRule GEO:COUNTRY_CODE "!@streq GB" "t:none"
I can try it again, and if I get a 403, it will be more likely that it's ModSecurity blocking me.
 

tdsm

Member
Mar 18, 2014
cPanel Access Level
Root Administrator
Thanks again for your perseverance! I have updated the rule; however, I've been getting these:

Code:
2017-01-30 22:04:50 www.example.org.uk 24.113.XXX.XXX  302
Request:
GET /wp-login.php
Action Description:
Access denied with connection close (phase 1).
Justification:
Match of "streq GB" against "GEO:COUNTRY_CODE" required.
I've just thought... might it be that SERVER_NAME is wrong? Should I be testing against
Code:
REQUEST_HEADERS:Host
I have multiple domain names running on the same server.
 

tdsm

Member
Mar 18, 2014
cPanel Access Level
Root Administrator
Ahhhh! Interesting. I included the SERVER_NAME variable in the msg action and it was not returning the domain name as I expected, rather it was returning it as a subdomain of the server that the sites are hosted on. I'm sure I could configure the server to correct this but for the time being, I'll just change the rule to reflect the value of SERVER_NAME. I'm not sure why I didn't test this before.
 

tdsm

Member
Mar 18, 2014
cPanel Access Level
Root Administrator
Just in case anyone else finds this useful, here's the rule I used in the end:

Code:
# Test IP address on Wordpress login by country code
SecRule REQUEST_FILENAME "@streq /wp-login.php" "chain,id:1,phase:1,t:none,status:403,log,drop,msg:'Client IP not from UK, %{SERVER_NAME}'"
SecRule SERVER_NAME "!@streq subdomain.serverdomain.co.uk" "chain,t:lowercase"
SecRule REMOTE_ADDR "@geoLookup" "chain"
SecRule GEO:COUNTRY_CODE "!@streq GB" "t:none"
I didn't realise that you can output variables in the msg action for debugging; this was the key to working out my problem.

This seems to be working beautifully now. Thanks to linux4me2 for their patience!
 
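As an added example that is not from the thread or from ModSecurity itself, the following Python simulates how the four-link chain above is evaluated, and why the SERVER_NAME versus REQUEST_HEADERS:Host question raised earlier matters on a shared server: the same foreign request is exempted when the exemption is checked against the client's Host header but dropped when checked against SERVER_NAME, which Apache resolved to the server's own subdomain. The Request model, the GEO_TABLE stand-in for @geoLookup, and all addresses are constructed sample data.

```python
from dataclasses import dataclass

# Constructed stand-in for @geoLookup: client IP -> ISO country code.
GEO_TABLE = {"203.0.113.10": "US", "198.51.100.7": "GB"}


@dataclass
class Request:
    filename: str      # REQUEST_FILENAME
    host_header: str   # REQUEST_HEADERS:Host, as sent by the client
    server_name: str   # SERVER_NAME, as Apache resolves the vhost
    remote_addr: str   # REMOTE_ADDR


def country_code(ip: str) -> str:
    """Stand-in for @geoLookup; unknown addresses get an empty code."""
    return GEO_TABLE.get(ip, "")


def login_rule(req: Request, exempt_domain: str, use_host_header: bool):
    """Evaluate the chained rule. Returns (blocked, msg).

    Every link must match for the chain to fire; the first non-match
    stops evaluation, as ModSecurity does with the "chain" action."""
    # Link 1: SecRule REQUEST_FILENAME "@streq /wp-login.php"
    if req.filename != "/wp-login.php":
        return False, ""
    # Link 2: "!@streq <exempt>" with t:lowercase, on SERVER_NAME or Host
    name = req.host_header if use_host_header else req.server_name
    if name.lower() == exempt_domain.lower():
        return False, ""   # exempt site: negated match fails, request allowed
    # Link 3: "@geoLookup" populates GEO:COUNTRY_CODE from REMOTE_ADDR
    cc = country_code(req.remote_addr)
    # Link 4: SecRule GEO:COUNTRY_CODE "!@streq GB"
    if cc == "GB":
        return False, ""
    # All links matched: drop, expanding %{SERVER_NAME} in msg for debugging
    return True, f"Client IP not from UK, {req.server_name}"


# Same foreign request: the client asks for mydomain.co.uk, but Apache reports
# the vhost under the hosting server's own subdomain (constructed values).
SAMPLE = Request("/wp-login.php", "mydomain.co.uk",
                 "subdomain.serverdomain.co.uk", "203.0.113.10")
print(login_rule(SAMPLE, "mydomain.co.uk", use_host_header=False))
# -> (True, 'Client IP not from UK, subdomain.serverdomain.co.uk')
print(login_rule(SAMPLE, "mydomain.co.uk", use_host_header=True))
# -> (False, '')
```

The expanded msg shows the value the exemption link actually compared, which is how the mismatch was spotted in the thread.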

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello,

I'm happy to see you were able to get it working. Thank you for taking the time to update this thread with the outcome.