ModSecurity Rule to Block Country for One Domain Only?

linux4me2

Well-Known Member
Aug 21, 2015
USA
cPanel Access Level
Root Administrator
I've got geolocation set up and a ModSecurity rule that works to block a country, but what I need is to block the country only for a few domains. The security rules below are working, but block the country (I substituted "XX" for the correct country code for the country in question) on all domains instead of just the one I specified:

SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:10,drop,log,msg:'Blocking Country IP Address'"
SecRule GEO:COUNTRY_CODE "@streq XX"
SecRule SERVER_NAME "thedomain.com"

How do I limit the domains that the rules apply to?
 

linux4me2

Well-Known Member
Aug 21, 2015
USA
cPanel Access Level
Root Administrator
I think I may have figured this out. I didn't chain the second rule, so the third wasn't being connected to the first two. I am currently trying:

SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:10,drop,log,msg:'Blocking Country IP Address'"
SecRule GEO:COUNTRY_CODE "@streq XX" chain
SecRule SERVER_NAME "thedomain.com"

It looks like it might be working now.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
I think I may have figured this out. I didn't chain the second rule, so the third wasn't being connected to the first two. I am currently trying:

SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:10,drop,log,msg:'Blocking Country IP Address'"
SecRule GEO:COUNTRY_CODE "@streq XX" chain
SecRule SERVER_NAME "thedomain.com"

It looks like it might be working now.
Hello,

Feel free to update this thread with the outcome after testing the updated rule.

Thanks!
 

linux4me2

Well-Known Member
Aug 21, 2015
USA
cPanel Access Level
Root Administrator
Hi Michael,

The updated rule worked, but after reading some more about ModSecurity rules, I started using "@pm" instead of "@streq":

SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:10,drop,log,msg:'Blocking Country IP Address'"
SecRule GEO:COUNTRY_CODE "@pm XX" chain
SecRule SERVER_NAME "thedomain.com"

If you want to block more than one country, e.g., C1, C2, and C3 where Cx is the applicable two-character country code for a country you want to block, you can use:

SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:10,drop,log,msg:'Blocking Country IP Address'"
SecRule GEO:COUNTRY_CODE "@pm C1 C2 C3" chain
SecRule SERVER_NAME "thedomain.com"

I've tested both, and they seem to work well. Note that these only work if you have geolocation set up in WHM.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
I'm happy to see you found a suitable solution. Thanks for updating the thread with the outcome.
 

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
Rule logic looks good to me. You may consider, for efficiency's sake, re-ordering the rule to have the SERVER_NAME on the first line with all your actions. This way it should only perform country code checking for that one domain rather than checking the domain on the last step. It should reduce processing overhead for your other sites.

Code:

SecRule SERVER_NAME "thedomain.com" "phase:1,chain,id:10,drop,log,msg:'Blocking Country IP Address'"
SecRule REMOTE_ADDR "@geoLookup" chain
SecRule GEO:COUNTRY_CODE "@pm C1 C2 C3"

I tested this; by re-ordering the rules, it avoids GeoIP lookups for traffic to other domains. If you do the lookup first and the domain check last, all your traffic is being inspected by the rule instead of just the traffic for the target domain.
 

menstyle

Registered
Sep 17, 2016
Romania
cPanel Access Level
Root Administrator
I added these rules on my server and all working fine:

SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:10,drop,log,msg:'Blocking Country IP Address'"
SecRule GEO:COUNTRY_CODE "@pm XX" chain
SecRule SERVER_NAME "thedomain.com"

Now I have one little question for you:

In this case, can I add one SecRule to unblock one IP from the XX country? I want to show the "thedomain.com" site to one client of mine from XX, and I need to give them access to it.

Thanks,
Stefan
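As an added example (not posted by anyone in this thread), one way to let a single client IP through the country block for that domain only, built on quizknows' reordered chain: an exemption rule placed before the block rule uses ctl:ruleRemoveById to switch rule id 10 off for that one request. The client IP 203.0.113.10 and rule id 9 are placeholders, and the SERVER_NAME regex is assumed to also accept the www. host.

```apache
# Added example, not from the thread. IP 203.0.113.10 and rule id 9 are placeholders.
# Rules run in file order within phase 1, so the exemption must sit before rule id 10.

# Exemption: for thedomain.com only, one trusted client IP switches off the
# country block (rule id 10) for this transaction. No other rule is bypassed.
SecRule SERVER_NAME "@rx ^(www\.)?thedomain\.com$" "phase:1,id:9,pass,nolog,chain"
    SecRule REMOTE_ADDR "@ipMatch 203.0.113.10" "ctl:ruleRemoveById=10"

# Country block with the domain check first (quizknows' ordering), so the GeoIP
# lookup only runs for this domain. The anchored regex replaces the bare
# "thedomain.com", which as @rx also matches e.g. notthedomain.com or
# thedomain.com.example. Replace C1 C2 C3 with the two-letter country codes.
SecRule SERVER_NAME "@rx ^(www\.)?thedomain\.com$" "phase:1,chain,id:10,drop,log,msg:'Blocking Country IP Address'"
    SecRule REMOTE_ADDR "@geoLookup" "chain"
        SecRule GEO:COUNTRY_CODE "@pm C1 C2 C3"
```

Check the ModSecurity audit log for the exempted IP after a test request: rule id 9 should match with no disruptive action and rule id 10 should not appear, while other IPs from the listed countries still get the drop.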