ModSecurity Rule to Block Country for One Domain Only?

linux4me2

Well-Known Member
Aug 21, 2015
259
78
78
USA
cPanel Access Level
Root Administrator
I've got geolocation set up and a ModSecurity rule that works to block a country, but what I need is to block the country only for a few domains. The security rules below are working, but block the country (I substituted "XX" for the correct country code for the country in question) on all domains instead of just the one I specified:

SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:10,drop,log,msg:'Blocking Country IP Address'"
SecRule GEO:COUNTRY_CODE "@streq XX"
SecRule SERVER_NAME "thedomain.com"

How do I limit the domains that the rules apply to?
 

linux4me2

Well-Known Member
Aug 21, 2015
259
78
78
USA
cPanel Access Level
Root Administrator
I think I may have figured this out. I didn't chain the second rule, so the third wasn't being connected to the first two. I am currently trying:

SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:10,drop,log,msg:'Blocking Country IP Address'"
SecRule GEO:COUNTRY_CODE "@streq XX" chain
SecRule SERVER_NAME "thedomain.com"

It looks like it might be working now.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,216
463
I think I may have figured this out. I didn't chain the second rule, so the third wasn't being connected to the first two. I am currently trying:

SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:10,drop,log,msg:'Blocking Country IP Address'"
SecRule GEO:COUNTRY_CODE "@streq XX" chain
SecRule SERVER_NAME "thedomain.com"

It looks like it might be working now.
Hello,

Feel free to update this thread with the outcome after testing the updated rule.

Thanks!
 

linux4me2

Well-Known Member
Aug 21, 2015
259
78
78
USA
cPanel Access Level
Root Administrator
Hi Michael,

The updated rule worked, but after reading some more about ModSecurity rules, I started using "@pm" instead of "@streq":

SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:10,drop,log,msg:'Blocking Country IP Address'"
SecRule GEO:COUNTRY_CODE "@pm XX" chain
SecRule SERVER_NAME "thedomain.com"

If you want to block more than one country, e.g., C1, C2, and C3 where Cx is the applicable two-character country code for a country you want to block, you can use:

SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:10,drop,log,msg:'Blocking Country IP Address'"
SecRule GEO:COUNTRY_CODE "@pm C1 C2 C3" chain
SecRule SERVER_NAME "thedomain.com"

I've tested both, and they seem to work well. Note that these only work if you have geolocation set up in WHM.
 
  • Like
Reactions: quizknows

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,216
463
I'm happy to see you found a suitable solution. Thanks for updating the thread with the outcome.
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
Rule logic looks good to me. You may consider for efficiency sake re-ordering the rule to have the SERVER_NAME on the first line with all your actions. This way it should only perform country code checking for that one domain rather than checking the domain on the last step. It should reduce processing overhead for your other sites.

Code:
SecRule SERVER_NAME "thedomain.com" "phase:1,chain,id:10,drop,log,msg:'Blocking Country IP Address'"
SecRule REMOTE_ADDR "@geoLookup" chain
SecRule GEO:COUNTRY_CODE "@pm C1 C2 C3"
I tested this, by re-ordering the rules, it avoids geoip lookups for traffic to other domains. If you do the lookup first and the domain check last, all your traffic is being inspected by the rule instead of just the traffic for the target domain.
 
Last edited:

menstyle

Registered
Sep 17, 2016
1
0
1
Romania
cPanel Access Level
Root Administrator
I added these rules on my server and all working fine:

SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:10,drop,log,msg:'Blocking Country IP Address'"
SecRule GEO:COUNTRY_CODE "@pm XX" chain
SecRule SERVER_NAME "thedomain.com"

Now I have one little question on your:

On this case, can I add one SecRule to unblock one IP from XX country? I want to present to one client of mine from XX "thedomain.com" site and I need un take access on it.

Thanks,
Stefan