Backport libMaxMinddb (new GeoIP) support to 2.9.x #1727

Open
dune73 opened this Issue Apr 2, 2018 · 17 comments

dune73 commented Apr 2, 2018

Without this being backported to the 2.9 branch, ModSecurity on Apache no longer has any GeoIP support.

spartantri commented Apr 2, 2018

This will be very welcome. :)

@zimmerle zimmerle added the 2.x label Apr 2, 2018

@zimmerle zimmerle added this to the v2.9.3 milestone Apr 2, 2018

dune73 commented Apr 2, 2018

Thank you @zimmerle.

dune73 commented Apr 3, 2018

Can you give us a timeline for 2.9.3?

zimmerle (Member) commented Apr 4, 2018

Hi @dune73,

There is a milestone for the version 2.9.3 here:
https://github.com/SpiderLabs/ModSecurity/milestone/10

We don't have an ETA for the release yet.

zimmerle (Member) commented Apr 4, 2018

Is there anyone from the community who is willing to help with the development of this backport?

The implementation for v3 is here:
https://github.com/SpiderLabs/ModSecurity/blob/v3/master/src/utils/geo_lookup.cc

The logic is available if and only if ModSecurity was compiled with maxmind support.

MaxMind and GeoIp can co-exist. In that case, the choice [run time] is based on the specified database.

If you need it, count on my support during the development.

zimmerle (Member) commented Apr 4, 2018

@spartantri, @franbuehler, @ossie-git, @dobin, @thhofer, @Cheesman97 can you describe the use case that you have for that specific functionality?

dune73 commented Apr 22, 2018

A standard use case is to protect certain parts of an application (-> path tree, typically the admin interface) via GeoIP and ModSecurity. This reduces your attack surface tremendously.

Other people assign different CRS anomaly thresholds based on GeoIP.

It is also very helpful to display the GeoIP country code next to the IP address in the combined access log. This works without a real format change, as the position for 'logname' was abandoned twenty years ago and has been unused ever since. Putting the country code there with the help of an environment variable is very simple if you have GeoIP.
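
The three use cases above written out as ModSecurity 2.x rules plus the matching Apache LogFormat. This is an added example, not the issue author's configuration and not part of ModSecurity. It assumes a legacy-format database at /usr/share/GeoIP/GeoIP.dat, /admin/ as the protected path tree, CH (plus DE and AT for the threshold rule) as the trusted countries, that the CRS 3.x include comes after these rules with rule 900110 in crs-setup.conf left commented out, and rule ids in the 1000 range as placeholders.

```apache
# Added example. Legacy MaxMind database (v1 .dat), the format
# ModSecurity 2.9 understands. Path is an assumption.
SecGeoLookupDb /usr/share/GeoIP/GeoIP.dat

# 1. Resolve the country once, early, into a TX variable that always
#    exists. Pre-set it to XX so a failed lookup (private range, address
#    not in the database) fails closed in the rules below.
SecAction \
    "id:1000,phase:1,pass,nolog,t:none,setvar:tx.geo_cc=XX"
SecRule REMOTE_ADDR "@geoLookup" \
    "id:1001,phase:1,pass,nolog,t:none,setvar:tx.geo_cc=%{GEO.COUNTRY_CODE}"

# 2. Attack-surface reduction: the admin interface is reachable from CH
#    only. XX (unknown) is "not CH" and gets blocked as well.
SecRule REQUEST_URI "@beginsWith /admin/" \
    "id:1002,phase:1,deny,status:403,log,t:none,\
    msg:'Admin interface accessed from outside CH',\
    logdata:'country=%{TX.geo_cc}',chain"
    SecRule TX:geo_cc "!@rx ^CH$" "t:none"

# 3. Per-country CRS anomaly threshold: stricter for everything that is
#    not CH, DE or AT. Must run before the CRS include; CRS rule 901100
#    only sets its default (5) when the variable is still unset.
SecRule TX:geo_cc "!@within CH DE AT" \
    "id:1003,phase:1,pass,nolog,t:none,\
    setvar:tx.inbound_anomaly_score_threshold=3"

# 4. Country code into the unused 'logname' slot (%l) of the combined
#    log. setenv exports it to the Apache environment of this request.
SecRule TX:geo_cc "@rx ." \
    "id:1004,phase:1,pass,nolog,t:none,setenv:GEO_COUNTRY=%{TX.geo_cc}"

LogFormat "%h %{GEO_COUNTRY}e %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined_geo
CustomLog logs/access_log combined_geo
```

The detour through tx.geo_cc instead of testing GEO:COUNTRY_CODE directly is deliberate: a 2.x rule whose target variable is absent is not evaluated at all, negated operator or not, so `SecRule GEO:COUNTRY_CODE "!@rx ^CH$"` would silently let an unresolvable address into /admin/. Behind a reverse proxy REMOTE_ADDR is the proxy's address; put mod_remoteip in front so it holds the real client before @geoLookup runs.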

zimmerle (Member) commented May 3, 2018

While this is not ready yet on 2.x, there are other modules on Apache that may help you to block/process based on GeoIP, including one from maxmind - https://github.com/maxmind/mod_maxminddb

emphazer commented Aug 2, 2018

Any progress here?

zimmerle (Member) commented Sep 6, 2018

Hi @emphazer,

Yes, there is this user Marc Stern who had a solution:

"
As you know, the geo-localisation databases used by ModSecurity are no longer updated.
Maxmind, the databases provider, developed a new DB format and provides its own module (mod_maxminddb).
mod_maxminddb was lacking a feature to integrate it smoothly with ModSecurity: setting the IP address from inside a rule. I introduced this feature some time ago and I'm happy to announce that this patch was merged in Maxmind's code and is thus officially part of the module.
You can now set an environment variable in a rule - in (real) phase 1 - and mod_maxminddb will use this IP address as source.
Note that, for most uses, mod_remote_ip is an easier solution.

Marc Stern
Approach Belgium <https://www.approach.be>
Axis Park - Rue Edouard Belin 7 - 1435 Mont-Saint-Guibert - Belgium
Follow us: <https://www.linkedin.com/company/16513/> <https://twitter.com/ApproachBe>
Inspiring the cyber-security community
"

https://sourceforge.net/p/mod-security/mailman/message/36408909/
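
The mod_maxminddb route described in the quoted mail, as an added example: this is neither Marc Stern's patch nor the project's code. It assumes the directive names as documented in the mod_maxminddb README (MaxMindDBEnable, MaxMindDBFile, MaxMindDBEnv, MaxMindDBNetworkEnv; check the README of the version you install, in particular that MaxMindDBNetworkEnv is present), a GeoLite2-Country.mmdb under /usr/share/GeoIP/, a single reverse proxy at 10.0.0.5 in front of Apache, that mod_maxminddb has done its lookup by the time ModSecurity phase 2 runs, and placeholder rule ids in the 1100 range.

```apache
# Added example; directive names, paths, addresses and ids are assumptions.
<IfModule mod_maxminddb.c>
    MaxMindDBEnable On
    MaxMindDBFile COUNTRY_DB /usr/share/GeoIP/GeoLite2-Country.mmdb
    # Export the ISO country code as an Apache environment variable
    MaxMindDBEnv MM_COUNTRY_CODE COUNTRY_DB/country/iso_code
    # Look up the address found in this env var instead of the TCP peer
    MaxMindDBNetworkEnv MMDB_ADDR
</IfModule>

# Only honour X-Forwarded-For when the TCP peer is our own reverse proxy,
# and take the leftmost address only. Without the @ipMatch guard any
# client could choose its "country" by sending the header itself.
SecRule REMOTE_ADDR "@ipMatch 10.0.0.5" \
    "id:1100,phase:1,pass,nolog,t:none,chain"
    SecRule REQUEST_HEADERS:X-Forwarded-For "^\s*(\d{1,3}(?:\.\d{1,3}){3})" \
        "t:none,capture,setenv:MMDB_ADDR=%{TX.1}"

# Consume the result in phase 2 (mod_maxminddb runs between the two phases).
SecRule REQUEST_URI "@beginsWith /admin/" \
    "id:1101,phase:2,deny,status:403,log,t:none,\
    msg:'Admin interface accessed from outside CH',\
    logdata:'country=%{ENV.MM_COUNTRY_CODE}',chain"
    SecRule ENV:MM_COUNTRY_CODE "!@rx ^CH$" "t:none"

# Fail closed: no country code at all (lookup failed, module not loaded)
# also keeps /admin/ shut. A negated operator on a missing variable is
# not evaluated, so this needs its own count check.
SecRule REQUEST_URI "@beginsWith /admin/" \
    "id:1102,phase:2,deny,status:403,log,t:none,\
    msg:'Admin interface accessed, country unknown',chain"
    SecRule &ENV:MM_COUNTRY_CODE "@eq 0" "t:none"
```

If mod_remoteip already rewrites the client address from X-Forwarded-For, REMOTE_ADDR holds the real client and neither rule 1100 nor MaxMindDBNetworkEnv is needed, which is the "easier solution" the mail refers to; the env-var route is for setups where the trusted address is only known from inside a rule.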

tomsommer commented Sep 17, 2018

+1 This is certainly needed

emphazer commented Sep 21, 2018

@zimmerle thanks for this information.

For us this module is not an option, because we run over 200 servers with modsecurity and complex proxy rules... there is no way to change the whole infrastructure.

That's why we chose the way of monthly extracting the information from GeoLite2-Country
and generating our own GeoIP.dat file.
It works very well with modsecurity v2.x.

greetings,
christoph

tomsommer commented Sep 21, 2018

Can you elaborate on how you do this?

emphazer commented Sep 21, 2018

@tomsommer Sure, I think I will post it on a blog in the next 4-6 weeks.

@zimmerle zimmerle modified the milestones: v2.9.3, v2.9.4 Nov 2, 2018

porjo commented Dec 6, 2018

@emphazer I too am interested in converting v2 to v1 as a workaround. I see you have a Python script for this: https://github.com/emphazer/mmdb-convert but I note the warning about it being 'alpha'...

emphazer commented Dec 10, 2018

@porjo this is just a part of a bash script to generate a v1 geoip.dat file
https://github.com/emphazer/GeoIP_convert-v2-v1

emphazer commented Dec 10, 2018

@tomsommer
Here you can find a script for the conversion:
https://github.com/emphazer/GeoIP_convert-v2-v1
