owasp-modsecurity / ModSecurity

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
https://www.modsecurity.org
Apache License 2.0

Modsecurity How to get real IP address?? #2447

Closed Hello-Linux closed 3 years ago

Hello-Linux commented 3 years ago

Our nginx server sits behind a layer of proxy, and the real user address cannot be obtained using REMOTE_ADDR, but our proxy server has a variable ($http_x_forwarded_for) to get the user's real IP address. So what is the solution for ModSecurity?

SecRule REMOTE_ADDR "@geoLookup" "chain,id:22,deny,phase:1,log,msg:'Non-China IP address'"
SecRule GEO:COUNTRY_CODE "!@rx CN|HK|TW|MO"

airween commented 3 years ago

You can use the REQUEST_HEADERS:X-Forwarded-For variable instead of REMOTE_ADDR.
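A worked version of the trust rule behind this advice, as an added example that is not part of the thread or of the ModSecurity project. `REQUEST_HEADERS:X-Forwarded-For` hands the rule the header's raw value: whatever the client chose to send if no trusted proxy sits in front of nginx, and possibly a comma-separated chain of addresses when there is more than one hop. The Python below shows how a reverse-proxy deployment should derive the client address before a geo decision is made: believe the header only when the TCP peer is one of your own proxies, then walk the chain from the right past your own hops. The proxy ranges are constructed placeholders (100.97.166.0/24 is chosen because the access log later in the thread shows the proxy as 100.97.166.33).

```python
"""Derive the client address a geo rule should judge when nginx sits behind a proxy.

Added example (not ModSecurity project code). Mirrors the trust walk that
reverse-proxy "real IP" handling performs: the X-Forwarded-For header is only
believed when the connecting peer is one of our own proxies, and the chain is
read from the right, skipping our own hops, to find the first outside address.
"""
import ipaddress
from typing import List, Optional

# Constructed placeholder: address ranges of the proxy tier in front of nginx.
# Adjust to the real proxy addresses of the deployment.
TRUSTED_PROXY_NETS = [
    ipaddress.ip_network("100.97.166.0/24"),
    ipaddress.ip_network("10.0.0.0/8"),
]


def _parse(addr: str):
    """Return an ip_address for a header/peer string, or None if malformed."""
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None


def is_trusted_proxy(addr: str) -> bool:
    """True when addr belongs to one of our own proxy ranges."""
    ip = _parse(addr)
    return ip is not None and any(ip in net for net in TRUSTED_PROXY_NETS)


def client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Address to evaluate (e.g. with @geoLookup) for this request.

    remote_addr: the TCP peer nginx saw (REMOTE_ADDR).
    xff: the raw X-Forwarded-For value, or None if the header is absent.
    """
    # The header is only meaningful if the peer that delivered it is ours.
    # A client connecting directly can write anything into X-Forwarded-For.
    if not is_trusted_proxy(remote_addr):
        return remote_addr

    hops: List[str] = [h.strip() for h in (xff or "").split(",") if h.strip()]

    # Proxies append to the right, so the rightmost entries are our own hops;
    # the first non-proxy address from the right is the real client. Anything
    # left of it was supplied before the request reached our proxies.
    for hop in reversed(hops):
        if is_trusted_proxy(hop):
            continue
        if _parse(hop) is None:
            # Malformed entry: don't guess, fall back to the peer address.
            return remote_addr
        return hop

    # Header missing, empty, or made up entirely of our own proxies.
    return remote_addr


if __name__ == "__main__":
    # Values from the thread's access log: proxy 100.97.166.33 forwarded 36.110.73.230.
    print(client_ip("100.97.166.33", "36.110.73.230"))
    # Direct client claiming to be someone else: the header is ignored.
    print(client_ip("203.0.113.9", "36.110.73.230"))
```

The practical consequence for the rule in this thread: a geo check against the raw header only means something once the deployment guarantees that nginx is reachable solely through the trusted proxies, and the chain is reduced to a single address first.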

Hello-Linux commented 3 years ago

@airween Thank you very much, I will try it

Dark-Schnitzel commented 3 years ago

This is also working for me, but if you are using Apache with mod_remoteip you should turn that off, otherwise this is empty. You can also log this via Apache and LogFormat: LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" https://www.techstacks.com/howto/log-client-ip-and-xforwardedfor-ip-in-apache.html

Hello-Linux commented 3 years ago

@Dark-Schnitzel I use Nginx

Hello-Linux commented 3 years ago

@airween @Dark-Schnitzel This seems to have no effect; my nginx logs show the real IP (x_forwarded)

{ "@timestamp": "2020-11-12T14:26:06+08:00", "remote_addr": "100.97.166.33","request_time": "0.000","upstream_response_time": "","status": 200,"x_forwarded": "36.110.73.230","http_referer": "","request": "GET /status HTTP/1.1","upstream_addr": "","body_bytes_sent":637,"request_body":,"http_user_agent": "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0" }

the nginx.conf log_format is

log_format main escape=json '{ "@timestamp": "$time_iso8601", '
                       '"remote_addr": "$remote_addr",'
                       '"request_time": "$request_time",'
                       '"upstream_response_time": "$upstream_response_time",'
                       '"status": $status,'
                       '"x_forwarded": "$http_x_forwarded_for",'
                       '"http_referer": "$http_referer",'
                       '"request": "$request",'
                       '"upstream_addr": "$upstream_addr",'
                       '"body_bytes_sent":$body_bytes_sent,'
                       '"request_body":$request_body,'
                       '"http_user_agent": "$http_user_agent" }';

and my rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf is

SecRule REQUEST_HEADERS:X-Forwarded-For "@geoLookup" \
    "id:22,\
    deny,\
    phase:1,\
    log,\
    msg:'Non-China IP address',\
    chain"
    SecRule GEO:COUNTRY_CODE "!@rx US" "log"

After adding REQUEST_HEADERS:X-Forwarded-For, my access to the website was not denied. Why?

airween commented 3 years ago

my access to the website was not denied. Why?

What's your goal?

I tried with your examples (X-Forwarded-For is 36.110.73.230 and your SecRule), and I got this in debug.log:

[1605174515] [/] [4] (Rule: 22) Executing operator "GeoLookup against REQUEST_HEADERS:X-Forwarded-For.
[1605174515] [/] [9] Target value: "36.110.73.230" (Variable: REQUEST_HEADERS:X-Forwarded-For)
[1605174515] [/] [9] Matched vars updated.
[1605174515] [/] [9] Saving msg: Non-China IP address
[1605174515] [/] [4] Rule returned 1.
[1605174515] [/] [4] Executing chained rule.
[1605174515] [/] [4] (Rule: 0) Executing operator "Rx" with param "US" against GEO:COUNTRY_CODE.
[1605174515] [/] [9] Target value: "CN" (Variable: GEO:COUNTRY_CODE)
[1605174515] [/] [9] Matched vars updated.
[1605174515] [/] [4] Rule returned 1.

in the error.log:

ModSecurity: Access denied with code 403 (phase 1). Matched "Operator `Rx' with parameter `US' against variable `GEO:COUNTRY_CODE' (Value: `CN' ) 

So, I think the IP address above is from CN, but you deny the request if the COUNTRY_CODE is not US. If you want to allow the request only from CN, you should replace the US by CN.

Hello-Linux commented 3 years ago

My problem now is that the configuration does not take effect. My ip address is China and only the United States is allowed in the configuration. However, my website from China is not denied and can be accessed normally, so why does my configuration not take effect?

Hello-Linux commented 3 years ago

@airween I should be denied access to this website from China, but in reality, I can access it normally. Why is that?

airween commented 3 years ago

What is your SecRuleEngine setting? Could you turn on the debug log, and see what happens?

Hello-Linux commented 3 years ago

@airween Okay, I'll go home and turn on debug mode to observe.

Hello-Linux commented 3 years ago

@airween [screenshot 001]

My SecRuleEngine is set to On, and the debug log is shown below [screenshot: QQ image 20201112212545]

and my crs-setup.conf is [screenshot 003]

the rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf is [screenshot 004]

airween commented 3 years ago

If you only see these lines in your debug.log:

[1605187401] [/test/zyib/h5/youbaohui/favicon.ico] [4] (Rule: 12345) Executing operator "GeoLookup against REQUEST_HEADERS:X-Forwarded-For.
[1605187401] [/test/zyib/h5/youbaohui/favicon.ico] [4] Rule returned 0.

then it means that the header isn't present.

You must see these lines too:

[1605187401] [/test/zyib/h5/youbaohui/favicon.ico] [4] (Rule: 12345) Executing operator "GeoLookup against REQUEST_HEADERS:X-Forwarded-For.
[1605187401] [/test/zyib/h5/youbaohui/favicon.ico] [9] Target value: "36.110.73.230" (Variable: REQUEST_HEADERS:X-Forwarded-For)
[1605187401] [/test/zyib/h5/youbaohui/favicon.ico] [9] Matched vars updated.
[1605187401] [/test/zyib/h5/youbaohui/favicon.ico] [9] Saving msg: Non-China IP address
[1605187401] [/test/zyib/h5/youbaohui/favicon.ico] [4] Rule returned 1.

from 2nd to 4th.

Btw, what is the value of the SecDebugLogLevel in your conf? Set it to 9 and check again.
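A small triage script for the debug log, as an added example that is neither part of the ModSecurity project nor of this thread's configuration. It reads debug.log lines in the `[timestamp] [uri] [level] message` shape shown above and reports, for each "Executing operator" block, whether the operator actually received a target value: no "Target value" line between "Executing operator" and "Rule returned 0" means the variable was empty or the header was absent, which is exactly the two-line case described above. The "Database is not open. Use: SecGeoLookupDb directive" message that appears later in the thread is flagged as a separate finding; its text is taken from the thread, but its position within a request's log block is a constructed assumption.

```python
"""Triage a libmodsecurity debug log for a geo rule that never fires.

Added example; not ModSecurity project code. Groups debug.log lines into
per-operator records and explains each one: did the operator get a target
value at all, and did it match? Engine-level problems (geo database not
loaded) are reported separately, since no rule can match until they are fixed.
"""
import re
from typing import Dict, List, Tuple

LINE_RE = re.compile(r"^\[(\d+)\] \[([^\]]*)\] \[(\d)\] (.*)$")
EXEC_RE = re.compile(r'\(Rule: (\d+)\) Executing operator "(\w+)')
TARGET_RE = re.compile(r'Target value: "([^"]*)" \(Variable: ([^)]+)\)')
RETURN_RE = re.compile(r"Rule returned (\d)")

# Lines copied from the thread: a request without the header, then one with it.
SAMPLE_NO_HEADER = [
    '[1605187401] [/test/zyib/h5/youbaohui/favicon.ico] [4] (Rule: 12345) Executing operator "GeoLookup against REQUEST_HEADERS:X-Forwarded-For.',
    '[1605187401] [/test/zyib/h5/youbaohui/favicon.ico] [4] Rule returned 0.',
]
SAMPLE_WITH_HEADER = [
    '[1605187401] [/test/zyib/h5/youbaohui/favicon.ico] [4] (Rule: 12345) Executing operator "GeoLookup against REQUEST_HEADERS:X-Forwarded-For.',
    '[1605187401] [/test/zyib/h5/youbaohui/favicon.ico] [9] Target value: "36.110.73.230" (Variable: REQUEST_HEADERS:X-Forwarded-For)',
    '[1605187401] [/test/zyib/h5/youbaohui/favicon.ico] [9] Matched vars updated.',
    '[1605187401] [/test/zyib/h5/youbaohui/favicon.ico] [9] Saving msg: Non-China IP address',
    '[1605187401] [/test/zyib/h5/youbaohui/favicon.ico] [4] Rule returned 1.',
]
# Constructed block: the message text is from the thread, its placement is assumed.
SAMPLE_DB_CLOSED = [
    '[1605187401] [/] [4] (Rule: 12345) Executing operator "GeoLookup against REQUEST_HEADERS:X-Forwarded-For.',
    '[1605187401] [/] [9] Target value: "36.110.73.230" (Variable: REQUEST_HEADERS:X-Forwarded-For)',
    '[1605187401] [/] [4] Database is not open. Use: SecGeoLookupDb directive',
    '[1605187401] [/] [4] Rule returned 0.',
]


def parse_debug_log(lines: List[str]) -> Tuple[List[Dict], List[str]]:
    """Group lines into per-operator records; collect engine-level findings."""
    records: List[Dict] = []
    findings: List[str] = []
    current = None
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a debug-log line in the expected shape
        msg = m.group(4)
        if "Database is not open" in msg:
            findings.append("geo database not loaded: check the SecGeoLookupDb path "
                            "and that the engine was built with MaxMind support")
            continue
        e = EXEC_RE.search(msg)
        if e:
            # A new operator block starts; later lines belong to it until it returns.
            current = {"id": int(e.group(1)), "operator": e.group(2),
                       "targets": [], "returned": None}
            records.append(current)
            continue
        if current is None:
            continue
        t = TARGET_RE.search(msg)
        if t:
            current["targets"].append((t.group(2), t.group(1)))  # (variable, value)
            continue
        r = RETURN_RE.search(msg)
        if r:
            current["returned"] = int(r.group(1))
            current = None
    return records, findings


def verdict(rec: Dict) -> str:
    """Explain one operator block in plain words."""
    head = f"rule {rec['id']} ({rec['operator']}): "
    if not rec["targets"]:
        return head + "no target value: the variable is empty or the header is absent"
    shown = ", ".join(f"{var}={val}" for var, val in rec["targets"])
    if rec["returned"] == 1:
        return head + "matched on " + shown
    return head + "evaluated but did not match: " + shown


def diagnose(lines: List[str]) -> List[str]:
    """Engine-level findings first, then one line per operator block."""
    records, findings = parse_debug_log(lines)
    return findings + [verdict(r) for r in records]


if __name__ == "__main__":
    for name, sample in (("no header", SAMPLE_NO_HEADER),
                         ("with header", SAMPLE_WITH_HEADER),
                         ("db closed", SAMPLE_DB_CLOSED)):
        print(name, "->", diagnose(sample))
```

Run it over a real debug.log with `diagnose(open("debug.log").read().splitlines())`; the records for a chained rule appear as consecutive blocks (the chained part shows up as rule 0, as in the airween's log above), so a match on the first block followed by a non-match on the second tells you the geo lookup worked but the country test did not.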

Hello-Linux commented 3 years ago

@airween
I have set SecDebugLogLevel to 9; the logs are below, and there is no "Matched vars updated" phrase in my debug.log. Is it because the IP address does not match? I changed several public IP addresses and it seems that it doesn't work.

[screenshot: 2020-11-13 09-16-48]

and the MaxMind website shows my IP is CN, so why can't ModSecurity match it? [screenshot: 2020-11-13 09-26-39]

Hello-Linux commented 3 years ago

Then I changed the rule to

SecRule REQUEST_HEADERS:X-Forwarded-For "@geoLookup" \
    "id:12345,\
    deny,\
    phase:1,\
    log,\
    msg:'Non-China IP address',\
    chain"
    SecRule GEO:COUNTRY_CODE "!@rx CN" "nolog"

I can also visit the website normally using a foreign IP address, not denied! [screenshot: 2020-11-13 10-09-40]

Hello-Linux commented 3 years ago

@airween Sometimes the log shows "Database is not open. Use: SecGeoLookupDb directive", but I have set SecGeoLookupDB [screenshot: 2020-11-13 11-27-11] [screenshot: 2020-11-13 11-28-34]

Hello-Linux commented 3 years ago

@airween I used Wireshark to capture the proxy server's packets, and you can find the header X-Forwarded-For: 52.29.177.64 in the request headers, so I think ModSecurity can get the X-Forwarded-For header?

GET /dev/website2018/bImsFront/manage/index.html HTTP/1.1
RemoteIp: 52.29.177.64
Host: ceshiweb.xxxxx.com
X-Forwarded-For: 52.29.177.64
Connection: close
pragma: no-cache
cache-control: no-cache
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/61.0.3163.100 Chrome/61.0.3163.100 Safari/537.36 PingdomPageSpeed/1.0 (pingbot/2.0; +http://www.pingdom.com/)
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.8
X-Forwarded-Proto: https

airween commented 3 years ago

@Hello-Linux,

could you show me the final part of the output of the ./configure ... script?

I mean:

configure: creating ./config.status

ModSecurity - v3.0.4-92-gd72be1c4 for Linux

 Mandatory dependencies
...
...

And what did you get for this command?

ls -l /usr/local/openresty/nginx/conf/modsecurity/geoip/geoLite2-Country.mdb

Please don't insert screenshots; just copy the text and paste it here. Use the "Insert code" item in the menu bar.

Hello-Linux commented 3 years ago

@airween the status is

[root@devtestjenkins ModSecurity]# ./config.status
config.status: creating modsecurity.pc
config.status: creating Makefile
config.status: creating doc/Makefile
config.status: creating src/Makefile
config.status: creating others/Makefile
config.status: creating tools/Makefile
config.status: creating tools/rules-check/Makefile
config.status: creating test/Makefile
config.status: creating test/benchmark/Makefile
config.status: creating examples/Makefile
config.status: creating examples/simple_example_using_c/Makefile
config.status: creating examples/multiprocess_c/Makefile
config.status: creating examples/reading_logs_with_offset/Makefile
config.status: creating examples/reading_logs_via_rule_message/Makefile
config.status: creating examples/using_bodies_in_chunks/Makefile
config.status: creating src/config.h
config.status: src/config.h is unchanged
config.status: executing depfiles commands
config.status: executing libtool commands

and the geoLite2-Country.mdb is GeoLite2-Country.mmdb

[root@devtestjenkins modsecurity]# ls -alh /usr/local/openresty/nginx/conf/modsecurity/geoip/GeoLite2-Country.mmdb
-rw-r--r-- 1 root root 3.8M Nov 11 10:06 /usr/local/openresty/nginx/conf/modsecurity/geoip/GeoLite2-Country.mmdb

airween commented 3 years ago

Please run the configure script as you use it (with your options), and show me the last part of the output, from the line configure: creating...

Hello-Linux commented 3 years ago

@airween the output is

[root@devtestjenkins ModSecurity]# ./configure
checking for a BSD-compatible install... /bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking for g++... g++
checking whether the C++ compiler works... yes
checking for C++ compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C++ compiler... yes
checking whether g++ accepts -g... yes
checking for style of include used by make... GNU
checking dependency style of g++... gcc3
checking for gcc... gcc
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking dependency style of gcc... gcc3
checking for ar... ar
checking the archiver (ar) interface... ar
checking whether make sets $(MAKE)... (cached) yes
checking for pkg-config... /bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
configure: Nothing about YAJL was informed during the configure phase. Trying to detect it on the platform...
configure: using YAJL v2.0.4
configure: Nothing about GeoIP was informed during the configure phase. Trying to detect it on the platform...
configure: using GeoIP v1.5.0
configure: Nothing about MaxMind was informed during the configure phase. Trying to detect it on the platform...
configure: MaxMind library was not found
configure: Nothing about LMDB was informed during the configure phase. Trying to detect it on the platform...
configure: LMDB is disabled by default.
*** LOOKING AT PATH:  /usr/lib
*** LOOKING AT PATH:  /usr/local/lib
*** LOOKING AT PATH:  /usr/local/fuzzy
*** LOOKING AT PATH:  /usr/local/libfuzzy
*** LOOKING AT PATH:  /usr/local
*** LOOKING AT PATH:  /opt
*** LOOKING AT PATH:  /usr
configure: SSDEEP headers found at: /usr/include
*** LOOKING AT PATH:  /usr/lib64
configure: SSDEEP library found at: /usr/lib64//libfuzzy.so
configure: SSDEEP headers found at: /usr/include
configure: using SSDEEP v
*** LOOKING AT PATH:  /usr/lib
*** LOOKING AT PATH:  /usr/local/lib
*** LOOKING AT PATH:  /usr/local/lib64
*** LOOKING AT PATH:  /usr/local/lua
*** LOOKING AT PATH:  /usr/local/liblua
*** LOOKING AT PATH:  /usr/local
*** LOOKING AT PATH:  /opt
*** LOOKING AT PATH:  /usr
configure: LUA headers found at: /usr/include
*** LOOKING AT PATH:  /usr/lib64
configure: LUA library found at: /usr/lib64//liblua-5.1.so
configure: LUA headers found at: /usr/include
configure: LUA version from includes: 501
configure: using LUA -llua-5.1
checking for libcurl config script... /usr/bin/curl-config
configure: curl VERSION: 7.29.0
configure: curl LDADD:
checking if libcurl is at least v... yes, 7.29.0
checking if libcurl is linked with gnutls... no
configure: using curl v7.29.0
checking for libxml2 config script... /usr/bin/xml2-config
configure: xml VERSION: 2.9.1
configure: xml CFLAGS: -I/usr/include/libxml2 -DWITH_LIBXML2
configure: xml LDADD: -lxml2 -lz -lm -ldl
checking if libxml2 is at least v2.6.29... yes, 2.9.1
configure: using libxml2 v2.9.1
checking for libpcre config script... /usr/bin/pcre-config
configure: pcre VERSION: 8.32
configure: pcre LDADD: -lpcre
configure: pcre PCRE_LD_PATH: /-lpcre
checking for PCRE JIT... yes
configure: using pcre v8.32
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking string usability... no
checking string presence... no
checking for string... no
checking iostream usability... no
checking iostream presence... no
checking for iostream... no
checking sys/utsname.h usability... yes
checking sys/utsname.h presence... yes
checking for sys/utsname.h... yes
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking how to print strings... printf
checking for a sed that does not truncate output... /bin/sed
checking for fgrep... /bin/grep -F
checking for ld used by gcc... /bin/ld
checking if the linker (/bin/ld) is GNU ld... yes
checking for BSD- or MS-compatible name lister (nm)... /bin/nm -B
checking the name lister (/bin/nm -B) interface... BSD nm
checking whether ln -s works... yes
checking the maximum length of command line arguments... 1572864
checking whether the shell understands some XSI constructs... yes
checking whether the shell understands "+="... yes
checking how to convert x86_64-unknown-linux-gnu file names to x86_64-unknown-linux-gnu format... func_convert_file_noop
checking how to convert x86_64-unknown-linux-gnu file names to toolchain format... func_convert_file_noop
checking for /bin/ld option to reload object files... -r
checking for objdump... objdump
checking how to recognize dependent libraries... pass_all
checking for dlltool... no
checking how to associate runtime and link libraries... printf %s\n
checking for archiver @FILE support... @
checking for strip... strip
checking for ranlib... ranlib
checking command to parse /bin/nm -B output from gcc object... ok
checking for sysroot... no
checking for mt... no
checking if : is a manifest tool... no
checking for dlfcn.h... yes
checking for objdir... .libs
checking if gcc supports -fno-rtti -fno-exceptions... no
checking for gcc option to produce PIC... -fPIC -DPIC
checking if gcc PIC flag -fPIC -DPIC works... yes
checking if gcc static flag -static works... no
checking if gcc supports -c -o file.o... yes
checking if gcc supports -c -o file.o... (cached) yes
checking whether the gcc linker (/bin/ld -m elf_x86_64) supports shared libraries... yes
checking whether -lc should be explicitly linked in... no
checking dynamic linker characteristics... GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking for shl_load... no
checking for shl_load in -ldld... no
checking for dlopen... no
checking for dlopen in -ldl... yes
checking whether a program can dlopen itself... yes
checking whether a statically linked program can dlopen itself... yes
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... yes
checking how to run the C++ preprocessor... g++ -E
checking for ld used by g++... /bin/ld -m elf_x86_64
checking if the linker (/bin/ld -m elf_x86_64) is GNU ld... yes
checking whether the g++ linker (/bin/ld -m elf_x86_64) supports shared libraries... yes
checking for g++ option to produce PIC... -fPIC -DPIC
checking if g++ PIC flag -fPIC -DPIC works... yes
checking if g++ static flag -static works... no
checking if g++ supports -c -o file.o... yes
checking if g++ supports -c -o file.o... (cached) yes
checking whether the g++ linker (/bin/ld -m elf_x86_64) supports shared libraries... yes
checking dynamic linker characteristics... (cached) GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
Checking platform... Identified as Linux
checking for doxygen... /bin/doxygen
checking for perl... /bin/perl
checking for valgrind... no
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating modsecurity.pc
config.status: creating Makefile
config.status: creating doc/Makefile
config.status: creating src/Makefile
config.status: creating others/Makefile
config.status: creating tools/Makefile
config.status: creating tools/rules-check/Makefile
config.status: creating test/Makefile
config.status: creating test/benchmark/Makefile
config.status: creating examples/Makefile
config.status: creating examples/simple_example_using_c/Makefile
config.status: creating examples/multiprocess_c/Makefile
config.status: creating examples/reading_logs_with_offset/Makefile
config.status: creating examples/reading_logs_via_rule_message/Makefile
config.status: creating examples/using_bodies_in_chunks/Makefile
config.status: creating src/config.h
config.status: src/config.h is unchanged
config.status: executing depfiles commands
config.status: executing libtool commands

ModSecurity - v3.0.4-92-gd72be1c for Linux

 Mandatory dependencies
   + libInjection                                  ....v3.9.2-30-gbf234eb
   + SecLang tests                                 ....d03f4c1

 Optional dependencies
   + GeoIP/MaxMind                                 ....found
      * (GeoIP) v1.5.0
         -lGeoIP  , -I/usr/include/
   + LibCURL                                       ....found v7.29.0
      -lcurl  ,  -DWITH_CURL
   + YAJL                                          ....found v2.0.4
      -lyajl  , -DWITH_YAJL
   + LMDB                                          ....disabled
   + LibXML2                                       ....found v2.9.1
      -lxml2 -lz -lm -ldl, -I/usr/include/libxml2 -DWITH_LIBXML2
   + SSDEEP                                        ....found
      -lfuzzy -L/usr/lib64/, -DWITH_SSDEEP -I/usr/include
   + LUA                                           ....found v501
      -llua-5.1 -L/usr/lib64/, -DWITH_LUA -DWITH_LUA_5_1 -I/usr/include

 Other Options
   + Test Utilities                                ....enabled
   + SecDebugLog                                   ....enabled
   + afl fuzzer                                    ....disabled
   + library examples                              ....enabled
   + Building parser                               ....disabled
   + Treating pm operations as critical section    ....disabled

airween commented 3 years ago

MaxMind support seems to be missing:

configure: Nothing about MaxMind was informed during the configure phase. Trying to detect it on the platform...
configure: MaxMind library was not found
  + GeoIP/MaxMind                                 ....found
      * (GeoIP) v1.5.0
         -lGeoIP  , -I/usr/include/

Try to install the libmaxmind library and recompile the engine.

Hello-Linux commented 3 years ago

@airween ok, I will install libmaxminddb and libmaxminddb-devel

Hello-Linux commented 3 years ago

@airween When I installed libmaxminddb and libmaxminddb-devel

libmaxminddb.x86_64                                                        1.2.0-6.el7                                                   @base
libmaxminddb-devel.x86_64                                                  1.2.0-6.el7                                                   @base

the ./configure shows this

ModSecurity - v3.0.4-92-gd72be1c for Linux

 Mandatory dependencies
   + libInjection                                  ....v3.9.2-30-gbf234eb
   + SecLang tests                                 ....d03f4c1

 Optional dependencies
   + GeoIP/MaxMind                                 ....found
      * (MaxMind) v
         /usr/lib64//libmaxminddb.so, /usr/include, -DWITH_MAXMIND -I/usr/include
      * (GeoIP) v1.5.0
         -lGeoIP  , -I/usr/include/
   + LibCURL                                       ....found v7.29.0
      -lcurl  ,  -DWITH_CURL
   + YAJL                                          ....found v2.0.4
      -lyajl  , -DWITH_YAJL
   + LMDB                                          ....disabled
   + LibXML2                                       ....found v2.9.1
      -lxml2 -lz -lm -ldl, -I/usr/include/libxml2 -DWITH_LIBXML2
   + SSDEEP                                        ....found
      -lfuzzy -L/usr/lib64/, -DWITH_SSDEEP -I/usr/include
   + LUA                                           ....found v501
      -llua-5.1 -L/usr/lib64/, -DWITH_LUA -DWITH_LUA_5_1 -I/usr/include

but when I run make it shows some errors, below

utils/geo_lookup.cc:124:78: error: invalid conversion from 'const MMDB_s*' to 'MMDB_s*' [-fpermissive]
         r = MMDB_lookup_string(&mmdb, target.c_str(), &gai_error, &mmdb_error);
                                                                              ^
In file included from ../src/utils/geo_lookup.h:22:0,
                 from utils/geo_lookup.cc:25:
/usr/include/maxminddb.h:195:33: error:   initializing argument 1 of 'MMDB_lookup_result_s MMDB_lookup_string(MMDB_s*, const char*, int*, int*)' [-fpermissive]
     extern MMDB_lookup_result_s MMDB_lookup_string(MMDB_s *const mmdb,

[screenshot: 2020-11-13 23-08-33]

airween commented 3 years ago

Your libmaxminddb is too old.

See issue #2254 (and the solution too).

Hello-Linux commented 3 years ago

@airween Ha Ha....Finally succeeded, thank you very much!

dangdh16 commented 2 years ago

Hi, is anyone still here? I got some error. I had installed libmaxminddb and libmaxminddb-devel successfully. But still the same log. [image]