coreruleset / modsecurity-crs-docker

Official ModSecurity Docker + Core Rule Set (CRS) images
https://coreruleset.org
Apache License 2.0

Block Countries IP with Custom Rules #260

Closed AdriTheSky closed 2 weeks ago

AdriTheSky commented 1 month ago

Hello, I'm trying to block IPs by country but I don't understand where I can put my custom rules.

I created a new service (I'm using Docker Swarm) like this:

```yaml
waf:
    image: owasp/modsecurity-crs:4.2.0-nginx-alpine-202405220605
    networks:
      - waf-net
      - traefik-net
    environment:
      # IF MANUAL_MODE ENABLED (1)
      # - MANUAL_MODE=1
      # none of the following variables will be used in the service
      - PARANOIA=1
      - ANOMALY_INBOUND=15
      - ANOMALY_OUTBOUND=5
      - ENFORCE_BODYPROC_URLENCODED=1
      - EXECUTING_PARANOIA=2
      - ALLOWED_METHODS="GET HEAD PUT POST OPTIONS"
      - MODSEC_REQ_BODY_ACCESS=Off
      - MODSEC_RESP_BODY_ACCESS=Off
      - MODSEC_REQ_BODY_LIMIT=134217728
      - MODSEC_RESP_BODY_LIMIT=134217728
      - MODSEC_REQ_BODY_LIMIT_ACTION=ProcessPartial
      - MODSEC_RESP_BODY_LIMIT_ACTION=ProcessPartial
      ###########################################################
      - BACKEND=http://dummy
      - PORT=8080
      - SSL_PORT=8443
    configs:
      - source: rules-before-crs
        target: /etc/modsecurity.d/owasp-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
      - source: rules-after-crs
        target: /etc/modsecurity.d/owasp-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
      - source: modsecurity-override
        target: /etc/modsecurity.d/modesecurity-override.conf
      - source: geolite
        target: /usr/share/GeoIP/GeoLite2-Country.mmdb
    deploy:
      mode: replicated
      replicas: 1
      update_config:
        parallelism: 1
        delay: 5s
        failure_action: rollback
        order: start-first
      labels:
        - traefik.enable=false

configs:
  rules-before-crs:
    file: ./modsec/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
  rules-after-crs:
    file: ./modsec/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
  modsecurity-override:
    file: ./modsec/modsecurity-override.conf
  geolite:
    file: ./modsec/GeoLite2-Country.mmdb
  nginx-custom-template:
    file: ./modsec/default.conf
```

I followed this to download the GeoLite database: https://latebits.com/2022/11/21/using-waf-and-geoip-data-to-block-specific-countries/

I created a file named 'modsecurity-override.conf' and put my rules in it:

```apache
# GeoIP
SecGeoLookupDb /usr/share/GeoIP/GeoLite2-Country.mmdb

# Chained rule: the disruptive action on the first rule only fires when
# every link in the chain matches.
SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:10,drop,log,msg:'Blocking Country IP Address'"
SecRule GEO:COUNTRY_CODE "@pm IN CN KP RU PS IL PK AF BY UA HK" chain
# The default operator is @rx; the pattern originally posted here was "*.MYDOMAIN",
# which is not a valid regex (a quantifier with nothing to repeat). This anchored
# pattern matches any host name ending in .MYDOMAIN.
SecRule SERVER_NAME "@rx \.MYDOMAIN$"
```

When I try from a VPN nothing is blocked and I don't get any warning or anything to help me.

Can someone maybe explain to me if I missed something?

Sorry for my English, I'm not a native speaker :).

Thanks!
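As an added illustration that is not part of the issue or of the project's code, here is a small Python model of how the chained rule above is evaluated: `@geoLookup` fills `GEO:COUNTRY_CODE` from `REMOTE_ADDR` and only matches when the lookup succeeds, `@pm` is a case-insensitive substring match against a phrase list, the default operator is `@rx`, and the `drop` on the first rule only fires when every link in the chain matches. The GeoIP table is constructed (documentation-range addresses, not real allocations), `MYDOMAIN` is the placeholder from the post, and the anchored host pattern `\.MYDOMAIN$` is an assumed correction of the unparseable `*.MYDOMAIN` that was posted.

```python
"""Model of the chained GeoIP block rule from the issue (added example).

Constructed data: GEO_TABLE stands in for GeoLite2-Country.mmdb. It models the
rule semantics only; it is not ModSecurity code.
"""
import ipaddress
import re

# Constructed stand-in for the GeoLite2 country database.
GEO_TABLE = {
    "198.51.100.0/24": "CN",
    "203.0.113.0/24": "RU",
    "192.0.2.0/24": "FR",
}

# The phrase list from: SecRule GEO:COUNTRY_CODE "@pm IN CN KP RU PS IL PK AF BY UA HK"
BLOCKED_COUNTRIES = "IN CN KP RU PS IL PK AF BY UA HK".split()


def geo_lookup(remote_addr):
    """@geoLookup: return GEO:COUNTRY_CODE for an address, or None if unknown."""
    ip = ipaddress.ip_address(remote_addr)
    for net, country in GEO_TABLE.items():
        if ip in ipaddress.ip_network(net):
            return country
    return None


def op_pm(value, phrases):
    """@pm: case-insensitive substring match of any phrase in the target."""
    if value is None:
        return False
    haystack = value.lower()
    return any(phrase.lower() in haystack for phrase in phrases)


def op_rx(value, pattern):
    """@rx (the default operator): regex search over the target."""
    return value is not None and re.search(pattern, value) is not None


def rx_is_valid(pattern):
    """True if the pattern compiles; "*.MYDOMAIN" does not (nothing to repeat)."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def evaluate_chain(remote_addr, server_name, host_pattern=r"\.MYDOMAIN$"):
    """Return 'drop' when all three chained links match, otherwise None.

    Link 1: SecRule REMOTE_ADDR "@geoLookup"     -> matches iff the lookup succeeds
    Link 2: SecRule GEO:COUNTRY_CODE "@pm ..."   -> country is in the block list
    Link 3: SecRule SERVER_NAME "@rx <pattern>"  -> host name matches the pattern
    """
    country = geo_lookup(remote_addr)
    if country is None:  # link 1 failed: the rest of the chain is not evaluated
        return None
    if not op_pm(country, BLOCKED_COUNTRIES):  # link 2 failed
        return None
    if not op_rx(server_name, host_pattern):  # link 3 failed
        return None
    return "drop"  # every link matched, so the disruptive action applies


if __name__ == "__main__":
    for addr, host in [("198.51.100.7", "app.MYDOMAIN"),
                       ("192.0.2.9", "app.MYDOMAIN"),
                       ("203.0.113.4", "app.example.org")]:
        print(addr, host, "->", evaluate_chain(addr, host))
    print('"*.MYDOMAIN" is a valid regex:', rx_is_valid("*.MYDOMAIN"))
```

A request from a blocked country only reaches `drop` when the host also matches, which is the reason the third link has to be a pattern the engine can actually compile; a rule that fails to parse never contributes a match, and with the original `*.MYDOMAIN` that is what would have happened regardless of the GeoIP lookup.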

theseion commented 1 month ago

I suggest you turn on the debug log and try to figure out what ModSecurity is doing with your rule. You can run nginx in debug mode by replacing the container command with "nginx-debug" "-g" "daemon off;". Then you also need to set the log level using LOGLEVEL environment variable documented here: https://github.com/coreruleset/modsecurity-crs-docker. Your debug output will end up in the nginx error log.

AdriTheSky commented 1 month ago

Hello, OK, I see my error:

```yaml
- source: modsecurity-override
        target: /etc/modsecurity.d/modesecurity-override.conf
```

to

```yaml
- source: modsecurity-override
        target: /etc/modsecurity.d/modsecurity-override.conf
```

But after that I redeployed the stack and I get an error from the custom entrypoint: nginx/docker-entrypoint.d/90-copy-modsecurity-config.sh: error: can not modify /etc/modsecurity.d/modsecurity-override.conf (read-only file system?)

So I tried another solution, copying into /etc/nginx/modsecurity.d/, but I got this: error: cannot copy config files to /etc/modsecurity.d

I tried to do a Dockerfile with my config but got the same error.

theseion commented 1 month ago

Looks like you're running your container with read_only. There's nothing in the image that defines the file system to be read-only.

fzipi commented 2 weeks ago

@AdriTheSky What's next here?

fzipi commented 2 weeks ago

@AdriTheSky Please try the following: mount your file below the /etc/nginx/templates/modsecurity.d directory. This is because it will be used by the nginx templating to generate the file in the container.

AdriTheSky commented 2 weeks ago

Hello,

Sorry for the time it took to give you an answer. @fzipi, this solution seems to work.

To summarize what I did:

  1. I wrote a Dockerfile to add the GeoLite database to the container and copy modsecurity-override.conf.template. (You can add some args if you want to build it in a more generic way. Maybe it would be a good idea to have GeoLite directly in the base image?)

```dockerfile
ARG VERSION=nginx-alpine
FROM owasp/modsecurity-crs:${VERSION}

COPY ./modsec/GeoLite2-Country.mmdb /usr/share/GeoIP/
COPY ./modsec/modsecurity-override.conf /etc/nginx/templates/modsecurity.d/modsecurity-override.conf.template
```

  2. Building the container locally: `docker image build -f [MY_DOCKERFILE] -t [MY_SUPER_TAG_NAME] .`
  3. Running my stack
  4. Testing with the Opera proxy on one of my organisation's apps seems to work fine.

Best regards,

Adrien.
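As an added example (not from the issue or from the project's entrypoint scripts), the following Python model shows what the template step does with the file placed under `/etc/nginx/templates/modsecurity.d/` in the Dockerfile above: every `*.template` file under the templates directory is rendered with environment-variable substitution to the same relative path under the output directory, with the `.template` suffix removed, and files without the suffix are ignored. The output directory, the `${NAME}` placeholder syntax and the "unset variable becomes empty" behaviour are assumptions about `envsubst`-style rendering; the directory tree and the template contents are constructed in a temporary directory so the script runs offline.

```python
"""Model of the nginx image's template rendering step (added example).

Assumptions: templates live under <template_dir>, a file <sub>/<name>.template is
rendered to <output_dir>/<sub>/<name>, and ${NAME} placeholders are replaced from
the environment, unset names becoming empty.  This is a simplified model, not the
entrypoint script itself.
"""
import os
import re
import tempfile

PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def render_template(text, env):
    """Replace each ${NAME} with env[NAME]; unknown names become empty strings."""
    return PLACEHOLDER.sub(lambda m: env.get(m.group(1), ""), text)


def render_templates(template_dir, output_dir, env, suffix=".template"):
    """Render every *.template under template_dir into output_dir.

    The relative sub-directory is preserved, so templates/modsecurity.d/x.conf.template
    becomes <output_dir>/modsecurity.d/x.conf.  Returns the paths written.
    """
    written = []
    for root, _dirs, files in os.walk(template_dir):
        for name in files:
            if not name.endswith(suffix):
                continue  # only *.template files take part in the rendering step
            rel_dir = os.path.relpath(root, template_dir)
            out_dir = os.path.normpath(os.path.join(output_dir, rel_dir))
            os.makedirs(out_dir, exist_ok=True)
            out_path = os.path.join(out_dir, name[: -len(suffix)])
            with open(os.path.join(root, name)) as src, open(out_path, "w") as dst:
                dst.write(render_template(src.read(), env))
            written.append(out_path)
    return written


def demo():
    """Build a constructed templates tree like the Dockerfile's and render it.

    Returns (list of written paths, rendered override file contents).
    """
    base = tempfile.mkdtemp()
    tdir = os.path.join(base, "templates", "modsecurity.d")
    os.makedirs(tdir)
    # Constructed template: the database path and the country list come from the
    # environment so the same image can serve several deployments.
    with open(os.path.join(tdir, "modsecurity-override.conf.template"), "w") as f:
        f.write("SecGeoLookupDb ${GEOIP_DB}\n"
                "SecRule REMOTE_ADDR \"@geoLookup\" \"phase:1,chain,id:10,drop,log,"
                "msg:'Blocking Country IP Address'\"\n"
                "SecRule GEO:COUNTRY_CODE \"@pm ${BLOCKED_COUNTRIES}\"\n")
    # A file without the .template suffix is not rendered at all.
    with open(os.path.join(tdir, "notes.txt"), "w") as f:
        f.write("not a template\n")
    out = os.path.join(base, "nginx")
    env = {"GEOIP_DB": "/usr/share/GeoIP/GeoLite2-Country.mmdb",
           "BLOCKED_COUNTRIES": "CN RU"}
    written = render_templates(os.path.join(base, "templates"), out, env)
    with open(os.path.join(out, "modsecurity.d", "modsecurity-override.conf")) as f:
        rendered = f.read()
    return written, rendered


if __name__ == "__main__":
    paths, content = demo()
    print("written:", paths)
    print(content)
```

Because the rendered file is produced at container start from the template, a bind mount of a finished `.conf` directly at the destination path is exactly what the entrypoint tries, and fails, to overwrite on a read-only root file system; mounting the template instead lets the entrypoint write the generated copy itself.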
theseion commented 2 weeks ago

Thanks.