The Community Forums

Interact with an entire community of cPanel & WHM users!

ModSecurity Rule to Block Country for One Domain Only?

Discussion in 'Security' started by linux4me2, Jul 29, 2016.

  1. linux4me2

    linux4me2 Well-Known Member

    Joined:
    Aug 21, 2015
    Messages:
    83
    Likes Received:
    15
    Trophy Points:
    8
    Location:
    USA
    cPanel Access Level:
    Root Administrator
    I've got geolocation set up and a ModSecurity rule that works to block a country, but what I need is to block the country only for a few domains. The security rules below are working, but block the country (I substituted "XX" for the correct country code for the country in question) on all domains instead of just the one I specified:

    SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:10,drop,log,msg:'Blocking Country IP Address'"
    SecRule GEO:COUNTRY_CODE "@streq XX"
    SecRule SERVER_NAME "thedomain.com"

    How do I limit the domains that the rules apply to?
     
  2. linux4me2

    linux4me2 Well-Known Member

    Joined:
    Aug 21, 2015
    Messages:
    83
    Likes Received:
    15
    Trophy Points:
    8
    Location:
    USA
    cPanel Access Level:
    Root Administrator
    I think I may have figured this out. I didn't chain the second rule, so the third wasn't being connected to the first two. I am currently trying:

    SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:10,drop,log,msg:'Blocking Country IP Address'"
    SecRule GEO:COUNTRY_CODE "@streq XX" chain
    SecRule SERVER_NAME "thedomain.com"

    It looks like it might be working now.
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    Feel free to update this thread with the outcome after testing the updated rule.

    Thanks!
     
  4. linux4me2

    linux4me2 Well-Known Member

    Joined:
    Aug 21, 2015
    Messages:
    83
    Likes Received:
    15
    Trophy Points:
    8
    Location:
    USA
    cPanel Access Level:
    Root Administrator
    Hi Michael,

    The updated rule worked, but after reading some more about ModSecurity rules, I started using "@pm" instead of "@streq":

    SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:10,drop,log,msg:'Blocking Country IP Address'"
    SecRule GEO:COUNTRY_CODE "@pm XX" chain
    SecRule SERVER_NAME "thedomain.com"

    If you want to block more than one country, e.g., C1, C2, and C3 where Cx is the applicable two-character country code for a country you want to block, you can use:

    SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:10,drop,log,msg:'Blocking Country IP Address'"
    SecRule GEO:COUNTRY_CODE "@pm C1 C2 C3" chain
    SecRule SERVER_NAME "thedomain.com"

    I've tested both, and they seem to work well. Note that these only work if you have geolocation set up in WHM.
     
    quizknows likes this.
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  6. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Rule logic looks good to me. For efficiency's sake, you may consider re-ordering the rule to have the SERVER_NAME on the first line with all your actions. This way it should only perform country code checking for that one domain rather than checking the domain on the last step. It should reduce processing overhead for your other sites.

    Code:
    SecRule SERVER_NAME "thedomain.com" "phase:1,chain,id:10,drop,log,msg:'Blocking Country IP Address'"
    SecRule REMOTE_ADDR "@geoLookup" chain
    SecRule GEO:COUNTRY_CODE "@pm C1 C2 C3"
    
    I tested this; by re-ordering the rules, it avoids GeoIP lookups for traffic to other domains. If you do the lookup first and the domain check last, all your traffic is being inspected by the rule instead of just the traffic for the target domain.
     
    #6 quizknows, Aug 1, 2016
    Last edited: Aug 1, 2016
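A small Python model of how ModSecurity evaluates these chains, added here as an example (it is not code from the thread or from ModSecurity itself); it parses the rule sets from posts #1, #4 and #6, assumes a constructed GeoIP table in place of the real database, and shows that the unchained first attempt drops country XX on every host, that the chained version limits the drop to thedomain.com, and that the re-ordered version skips the GeoIP lookup entirely for other hosts.

```python
import re
# Constructed stand-in for the GeoIP database that @geoLookup consults (example data only).
GEO_DB = {"203.0.113.10": "XX", "198.51.100.7": "C2", "192.0.2.5": "US"}
# The thread's three rule sets: first attempt (rule 2 not chained), fully chained, re-ordered.
FIRST_ATTEMPT = ('SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:10,drop,log"\n'
                 'SecRule GEO:COUNTRY_CODE "@streq XX"\n'
                 'SecRule SERVER_NAME "thedomain.com"')
CHAINED = ('SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:10,drop,log"\n'
           'SecRule GEO:COUNTRY_CODE "@pm C1 C2 C3" chain\n'
           'SecRule SERVER_NAME "thedomain.com"')
REORDERED = ('SecRule SERVER_NAME "thedomain.com" "phase:1,chain,id:10,drop,log"\n'
             'SecRule REMOTE_ADDR "@geoLookup" chain\n'
             'SecRule GEO:COUNTRY_CODE "@pm C1 C2 C3"')
RULE_RE = re.compile(r'^SecRule\s+(\S+)\s+"([^"]*)"(?:\s+"?([^"]*?)"?)?$')

def parse(conf):  # SecRule lines -> (variable, operator, argument, actions); bare pattern means @rx
    rules = []
    for line in conf.splitlines():
        var, opfield, actions = RULE_RE.match(line).groups()
        op, _, arg = opfield.partition(" ") if opfield.startswith("@") else ("@rx", "", opfield)
        rules.append((var, op, arg, (actions or "").split(",")))
    return rules

def match(var, op, arg, tx, stats):
    if op == "@geoLookup":                 # resolve REMOTE_ADDR and populate GEO:COUNTRY_CODE
        stats["geo_lookups"] += 1
        tx["GEO:COUNTRY_CODE"] = GEO_DB.get(tx["REMOTE_ADDR"], "")
        return tx["GEO:COUNTRY_CODE"] != ""
    value = tx.get(var, "")
    if op in ("@streq", "@pm"):            # exact match, or phrase match (any phrase as substring)
        return value == arg if op == "@streq" else any(p in value for p in arg.split())
    return re.search(arg, value) is not None   # @rx is unanchored and '.' matches any character

def decide(conf, remote_addr, server_name):
    """Evaluate one request; returns (verdict, GeoIP lookups performed). Chain semantics: the
    starter's disruptive action fires only if every link matches; a failed link skips the rest."""
    rules, stats, i = parse(conf), {"geo_lookups": 0}, 0
    tx = {"REMOTE_ADDR": remote_addr, "SERVER_NAME": server_name}
    while i < len(rules):
        starter, matched = rules[i][3], True
        while True:
            var, op, arg, acts = rules[i]
            i += 1
            if matched:
                matched = match(var, op, arg, tx, stats)
            if "chain" not in acts or i >= len(rules):
                break
        if matched and "drop" in starter:
            return "drop", stats["geo_lookups"]
    return "pass", stats["geo_lookups"]
```

Note that `SERVER_NAME "thedomain.com"` is an unanchored regex, so the model (like ModSecurity) also drops requests for `notthedomain.com`; anchoring the pattern as `^thedomain\.com$` tightens it to the one host.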
  7. menstyle

    menstyle Registered

    Joined:
    Sep 17, 2016
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Romania
    cPanel Access Level:
    Root Administrator
    I added these rules on my server and all working fine:

    SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:10,drop,log,msg:'Blocking Country IP Address'"
    SecRule GEO:COUNTRY_CODE "@pm XX" chain
    SecRule SERVER_NAME "thedomain.com"

    Now I have one little question on this:

    In this case, can I add one SecRule to unblock one IP from country XX? I want to present the "thedomain.com" site to one client of mine from XX, and I need to give him access to it.

    Thanks,
    Stefan
     