The Community Forums (cPanel & WHM)

SOLVED ModSecurity rule not working as I expected

Discussion in 'Security' started by tdsm, Jan 26, 2017.

  1. tdsm

    tdsm Member
    Hi all,

    I have added the rule below to ModSecurity Tools. I have cobbled it together from documentation and online forums as I couldn't find an existing rule that would do what I wanted. I'm no guru so any help is much appreciated!

    It's meant to restrict access to the Wordpress login page (wp-login.php) for IP addresses outside of the UK. I wanted to ignore one domain (e.g. mydomain.co.uk) which needs to be accessed from abroad.

    Code:
    # Test IP address on Wordpress login by country code
    SecRule REQUEST_FILENAME "@streq /wp-login.php" "chain,id:1,phase:1,t:none,log,drop,msg:'Client IP not from UK'"
    SecRule SERVER_NAME "!@rx mydomain\.co\.uk$" "chain"
    SecRule REMOTE_ADDR "@geoLookup" "chain"
    SecRule GEO:COUNTRY_CODE "!@streq GB" "t:none"

    The rule seems to work great; however, it's still blocking mydomain.co.uk.

    Any ideas?

    Cheers,

    Tom
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member
    Hello,

    You may want to install a plugin such as:

    ConfigServer ModSecurity Control (cmc)

    Per the website, one of the features is:

    Thank you.
     
  3. tdsm

    tdsm Member
    Thanks cPanelMichael,

    I'd rather avoid installing any other software if I can avoid it, I was hoping that I'd just made a simple mistake in the rule... can anyone spot the mistake?

    Tom
     
  4. linux4me2

    linux4me2 Well-Known Member
    Location: USA
    Have you tried:
    Code:
    # Test IP address on Wordpress login by country code
    SecRule REQUEST_FILENAME "@streq /wp-login.php" "chain,id:1,phase:1,t:none,log,drop,msg:'Client IP not from UK'"
    SecRule SERVER_NAME "!@streq mydomain.co.uk" "chain,t:lowercase"
    SecRule REMOTE_ADDR "@geoLookup" "chain"
    SecRule GEO:COUNTRY_CODE "!@streq GB" "t:none"
    
     
  5. quizknows

    quizknows Well-Known Member
    I don't see any obvious mistakes in the rule, I agree with the above post to try a string rather than regex match for the domain. Honestly though the way you have it "should" work.
     
  6. tdsm

    tdsm Member
    Thanks linux4me2 and quizknows

    I have deployed your suggested amendments to see what happens. Fingers crossed :)
     
  7. linux4me2

    linux4me2 Well-Known Member
    I'm outside the UK, and I will test it for you if you're comfortable posting a link to the site that allows outside-the-UK login and one that doesn't. If your server allows the connection on the former and drops it on the latter we'll know right now if you've got it working.
     
  8. tdsm

    tdsm Member
    Thanks so much! Of course, the address is Let's Think once on the site, there's a login button top right. This should take you to the login page (and not block you), if not then it's still not working.
     
    #8 tdsm, Jan 30, 2017
    Last edited by a moderator: Jan 30, 2017
  9. linux4me2

    linux4me2 Well-Known Member
    I'm getting the following when I click the login link:
    At first, I thought the problem might be because the Login or Register link on the site has a redirect in the URL, but I tried the regular wp-login link, and I still got a 503. I'm not sure that's ModSecurity blocking my access. You might try setting the status code in the rule explicitly like this:
    Code:
    # Test IP address on Wordpress login by country code
    SecRule REQUEST_FILENAME "@streq /wp-login.php" "chain,id:1,phase:1,t:none,status:403,log,drop,msg:'Client IP not from UK'"
    SecRule SERVER_NAME "!@streq mydomain.co.uk" "chain,t:lowercase"
    SecRule REMOTE_ADDR "@geoLookup" "chain"
    SecRule GEO:COUNTRY_CODE "!@streq GB" "t:none"
    
    I can try it again, and if I get a 403, it will be more likely that it's ModSecurity blocking me.
     
  10. tdsm

    tdsm Member
    Thanks again for your perseverance! I have updated the rule; however, I've been getting these:

    Code:
    2017-01-30 22:04:50 www.example.org.uk 24.113.XXX.XXX  302
    Request:
    GET /wp-login.php
    Action Description:
    Access denied with connection close (phase 1).
    Justification:
    Match of "streq GB" against "GEO:COUNTRY_CODE" required.
    I've just thought... might it be that SERVER_NAME is wrong - should I be testing against
    Code:
    REQUEST_HEADERS:Host
    I have multiple domain names running on the same server.
     
    #10 tdsm, Jan 30, 2017
    Last edited by a moderator: Jan 30, 2017
  11. quizknows

    quizknows Well-Known Member
    SERVER_NAME should function the same as REQUEST_HEADERS:Host , but it certainly can't hurt to use the latter.
     
  12. tdsm

    tdsm Member
    Ahhhh! Interesting. I included the SERVER_NAME variable in the msg action and it was not returning the domain name as I expected, rather it was returning it as a subdomain of the server that the sites are hosted on. I'm sure I could configure the server to correct this but for the time being, I'll just change the rule to reflect the value of SERVER_NAME. I'm not sure why I didn't test this before.
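    To make the two points above concrete (a chained rule is an AND of its links, and the link only sees whatever the variable actually holds), here is a small model of the thread's chain. This is an added example for this page, not ModSecurity's code or anything posted in the thread: the GeoIP table, the request records and the server hostname are constructed, and the evaluation order mirrors the documented chain semantics, including the fact that a failed @geoLookup ends the chain and lets the request through.

```python
"""Toy model of ModSecurity chained-rule evaluation for the wp-login.php
country restriction discussed in this thread.

Constructed example, not ModSecurity itself: the GeoIP table, the request
records and the chain semantics below are assumptions that follow the
documented behaviour (a chain is an AND of its links, evaluated in order;
@geoLookup returns false when the address is not in the database)."""
from dataclasses import dataclass, field

# Constructed stand-in for the GeoIP.dat file that @geoLookup reads.
GEOIP = {
    "81.2.69.142": "GB",   # UK address (sample value, constructed)
    "24.113.5.10": "US",   # non-UK address (sample value, constructed)
    # 10.0.0.5 is deliberately absent: the lookup fails, as for a private IP.
}

EXEMPT_HOST = "mydomain.co.uk"   # the one site that must work from abroad


@dataclass
class Request:
    filename: str        # REQUEST_FILENAME: path part of the request URI
    host_header: str     # REQUEST_HEADERS:Host: the name the client asked for
    server_name: str     # SERVER_NAME: the name Apache derives from its vhost config
    remote_addr: str     # REMOTE_ADDR: client IP
    geo: dict = field(default_factory=dict)   # GEO collection, filled by geo_lookup


def geo_lookup(req: Request) -> bool:
    """@geoLookup: populate GEO:COUNTRY_CODE and report whether the lookup worked."""
    country = GEOIP.get(req.remote_addr)
    if country is None:
        return False
    req.geo["COUNTRY_CODE"] = country
    return True


def login_chain(use_host_header: bool):
    """The thread's four-link chain as a list of predicates.

    use_host_header=False tests SERVER_NAME (the original rule); True tests
    REQUEST_HEADERS:Host instead. Both apply t:lowercase before !@streq."""
    def not_exempt(req: Request) -> bool:
        name = req.host_header if use_host_header else req.server_name
        return name.lower() != EXEMPT_HOST                  # "!@streq mydomain.co.uk"

    return [
        lambda req: req.filename == "/wp-login.php",        # "@streq /wp-login.php"
        not_exempt,
        geo_lookup,                                         # "@geoLookup"
        lambda req: req.geo.get("COUNTRY_CODE") != "GB",    # "!@streq GB"
    ]


def evaluate(req: Request, use_host_header: bool) -> str:
    """Chain semantics: the disruptive action on the first rule fires only if
    every link matches, in order. The first link that does not match ends the
    chain and the request continues ("allow")."""
    for link in login_chain(use_host_header):
        if not link(req):
            return "allow"
    return "deny"


def scenarios() -> dict:
    """Replay the thread's situations. The exempt site's vhost carries a
    canonical name that is a subdomain of the server's own hostname, which is
    what tdsm found SERVER_NAME actually contained (hostname constructed here)."""
    def abroad_to_exempt() -> Request:
        return Request("/wp-login.php", "mydomain.co.uk",
                       "subdomain.serverdomain.co.uk", "24.113.5.10")

    return {
        # original rule: SERVER_NAME never equals mydomain.co.uk, so the
        # exemption link matches and the foreign client is blocked
        "abroad, exempt site, SERVER_NAME": evaluate(abroad_to_exempt(), False),
        # same request tested against the Host header: the exemption holds
        "abroad, exempt site, Host": evaluate(abroad_to_exempt(), True),
        "abroad, other site": evaluate(Request("/wp-login.php", "othersite.co.uk",
                                               "othersite.co.uk", "24.113.5.10"), True),
        "UK, other site": evaluate(Request("/wp-login.php", "othersite.co.uk",
                                           "othersite.co.uk", "81.2.69.142"), True),
        # address missing from the database: @geoLookup fails, chain ends, allowed
        "unknown IP, other site": evaluate(Request("/wp-login.php", "othersite.co.uk",
                                                   "othersite.co.uk", "10.0.0.5"), True),
        "abroad, other page": evaluate(Request("/index.php", "othersite.co.uk",
                                               "othersite.co.uk", "24.113.5.10"), True),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:38s} -> {verdict}")
```

    The "unknown IP" case is the one to keep in mind: because @geoLookup is a link in the chain, an address the database cannot place is not blocked, so the rule fails open for such clients rather than closed.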
     
  13. linux4me2

    linux4me2 Well-Known Member
    I tried it just now, but the connection to the site times out. I don't even get the home page now.
     
  14. tdsm

    tdsm Member
    Just in case anyone else finds this useful, here's the rule I used in the end:

    Code:
    # Test IP address on Wordpress login by country code
    SecRule REQUEST_FILENAME "@streq /wp-login.php" "chain,id:1,phase:1,t:none,status:403,log,drop,msg:'Client IP not from UK, %{SERVER_NAME}'"
    SecRule SERVER_NAME "!@streq subdomain.serverdomain.co.uk" "chain,t:lowercase"
    SecRule REMOTE_ADDR "@geoLookup" "chain"
    SecRule GEO:COUNTRY_CODE "!@streq GB" "t:none"
    I didn't realise, but you can output variables in the msg action for debugging; this was the key to working out my problem.

    This seems to be working beautifully now. Thanks to linux4me2 for their patience!
     
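The same restriction written against the client-supplied Host header, so the exemption no longer depends on what Apache puts in SERVER_NAME. This is an added example for this page, not code from the thread or from cPanel. It assumes a legacy-format GeoIP database at /usr/share/GeoIP/GeoIP.dat, a rule id of 10001 that is unused on the server, and mydomain.co.uk as the exempt site; it also goes beyond the thread's rule in two places, using @endsWith so a WordPress install in a subdirectory is covered, and using deny so the remote tester sees a 403 instead of a dropped connection.

```apache
# Added example, not from the thread. The database path, the rule id and the
# hostname are assumptions; adjust them to the server.

# @geoLookup needs a database to read (legacy MaxMind format for ModSecurity 2.x).
SecGeoLookupDb /usr/share/GeoIP/GeoIP.dat

# One chain of four links. The disruptive action (deny with a 403) sits on the
# first rule and fires only when every later link also matches. phase:1 runs
# on the request headers, before any body is read. The msg expands the values
# the chain actually saw, which is the debugging trick from this thread.
SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
    "id:10001,phase:1,t:none,deny,status:403,log,\
    msg:'wp-login.php from outside GB: host=%{REQUEST_HEADERS.Host} vhost=%{SERVER_NAME} cc=%{GEO.COUNTRY_CODE}',\
    chain"
    # Exempt the site that must be reachable from abroad. Test the name the
    # client sent rather than SERVER_NAME, which Apache fills from its vhost
    # configuration; lowercase it and allow an optional :port suffix.
    SecRule REQUEST_HEADERS:Host "!@rx ^(www\.)?mydomain\.co\.uk(:\d+)?$" \
        "t:none,t:lowercase,chain"
        # Populate GEO from the client address. A failed lookup ends the chain.
        SecRule REMOTE_ADDR "@geoLookup" "chain"
            # Block unless the country is GB.
            SecRule GEO:COUNTRY_CODE "!@streq GB" "t:none"
```

Three caveats a practitioner should check before relying on this. First, status only applies to deny and redirect; with drop, as in the thread's rules, the TCP connection is closed and no status code is sent, so a remote tester will see a timeout or reset rather than a 403. Second, if @geoLookup cannot place an address it returns false, the chain ends there, and the request is allowed; unknown or private addresses are therefore not blocked by this rule, so it should sit alongside strong credentials rather than replace them. Third, the exemption now trusts a header the client controls; that is acceptable here only because Apache selects the virtual host from the same Host header, so a spoofed Host lands the request on the exempt site itself rather than bypassing the check for another site.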
  15. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member
    Hello,

    I'm happy to see you were able to get it working. Thank you for taking the time to update this thread with the outcome.
     