Modsecurity finds no geo data for IP
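I want to block every country except my own, so I downloaded the GeoLite2 database and added it to the crs-setup.conf file. Under -=[ Block Countries ]=- I also added every country code for testing.
That didn't work, and after trying several alternative "country blocking" rules I looked at the debug log and found that the rules themselves work, but no geo data is found for the IP: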
Recipe: Invoking rule 72bef6b0; [file "/etc/modsecurity/rules/REQUEST-910-IP-REPUTATION.conf"] [line "75"] [id "910100"].
Rule 72bef6b0: SecRule "TX:HIGH_RISK_COUNTRY_CODES" "!@rx ^$" "phase:2,log,auditlog,id:910100,drop,t:none,msg:'Client IP is from a HIGH Risk Country Location',logdata:%{MATCHED_VAR},tag:application-multi,tag:language-multi,tag:platform-multi,tag:attack-reputation-ip,tag:paranoia-level/1,tag:OWASP_CRS,ver:OWASP_CRS/3.3.2,severity:CRITICAL,chain"
Transformation completed in 8 usec.
Executing operator "!rx" with param "^$" against TX:high_risk_country_codes.
Target value: "AD AE AF AG AI AL AM AO AQ AR AS AT AU AW AX AZ BA BB BD BE BF BG BH BI BJ BL BM BN BO BQ BR BS BT BV BW BY BZ CA CC CD CF CG CH CI CK CL CM CN CO CR CU CV CW CX CY CZ DE DJ DK DM DO DZ EC EE EG EH ER ES ET FI FJ FK FM FO FR GA GB GD GE GF GG GH GI GL GM GN GP GQ GR GS GT GU GW GY HK HM HN HR HT HU ID IE IL IM IN IO IQ IR IS IT JE JM JO JP KE KG KH KI KM KN KP KR KW KY KZ LA LB LC LI LK LR LS LT LU LV LY MA MC MD ME MF MG MH MK ML MM MN MO MP MQ MR MS MT MU MV MW MX MY MZ NA NC NE NF NG NI NL NO NP NR NU NZ OM PA PE PF PG PH PK PL PM PN PR PS PT PW PY QA RE RO RS RU RW SA SB SC SD SE SG SH SI SJ SK SL SM SN SO SR SS ST SV SX SY SZ TC TD TF TG TH TJ TK TL TM TN TO TR TT TV TW TZ UA UG UM US UY UZ VA VC VE VG VI VN VU WF WS YE YT ZA ZM ZW"
Operator completed in 20 usec.
Rule returned 1.
Match -> mode NEXT_RULE.
Recipe: Invoking rule 72eb4298; [file "/etc/modsecurity/rules/REQUEST-910-IP-REPUTATION.conf"] [line "77"].
Rule 72eb4298: SecRule "TX:REAL_IP" "@geoLookup " "chain"
Transformation completed in 2 usec.
Executing operator "geoLookup" with param "" against TX:real_ip.
Target value: "###.##.#.###"
GEO: Looking up "###.##.#.###".
GEO: Using address "###.##.#.###" (0x########). ##########
No geo data for "###.##.#.###" (country -4431872).
Operator completed in 10205 usec.
Rule returned 0.
But the IP is in the database, because I checked it in Python with geoip2 and it returned the correct country for that IP.
Am I missing something obvious?
ModSecurity does not support the new GeoIP2 format of the GeoIP database, so the older, legacy format needs to be used.
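A quick way to confirm the format mismatch the answer describes, as an added example that is not part of the original question or answer: it checks a database file for the MaxMind DB (GeoIP2/GeoLite2) metadata marker and pulls the failed lookups out of a debug log. The function names, the sample bytes, the sample log line and the legacy-trailer heuristic are assumptions made for this illustration.

```python
import re
import sys

# MaxMind DB (.mmdb, used by GeoIP2/GeoLite2) files carry this marker in front of
# their metadata section, which sits within the last 128 KiB of the file.
MMDB_MARKER = b"\xab\xcd\xefMaxMind.com"
MMDB_WINDOW = 128 * 1024
# Heuristic (assumption): legacy GeoIP .dat files that carry a structure-info
# trailer mark it with three 0xFF bytes near the end. A file without the trailer
# may still be a legacy database, so its absence only yields "not-mmdb".
LEGACY_MARKER = b"\xff\xff\xff"
LEGACY_WINDOW = 64
# Shape of the failing line in the ModSecurity debug log shown in the question.
NO_GEO = re.compile(r'No geo data for "([^"]*)" \(country (-?\d+)\)')


def detect_geo_db_format(data: bytes) -> str:
    """Classify raw database bytes as 'mmdb', 'legacy-dat' or 'not-mmdb'."""
    if MMDB_MARKER in data[-MMDB_WINDOW:]:
        return "mmdb"
    if LEGACY_MARKER in data[-LEGACY_WINDOW:]:
        return "legacy-dat"
    return "not-mmdb"


def failed_lookups(debug_log: str) -> list:
    """Return (ip, country_value) for every failed @geoLookup in the log."""
    return [(ip, int(code)) for ip, code in NO_GEO.findall(debug_log)]


def diagnose(data: bytes, debug_log: str) -> str:
    """Combine both signals into a single verdict."""
    misses = failed_lookups(debug_log)
    if misses and detect_geo_db_format(data) == "mmdb":
        return "format-mismatch"  # GeoIP2 file behind a legacy-format reader
    return "lookup-miss" if misses else "ok"


# Constructed samples: minimal byte strings and one log line in the question's format.
SAMPLE_MMDB = b"\x00" * 64 + MMDB_MARKER + b"\x00" * 16
SAMPLE_LEGACY = b"\x00" * 64 + LEGACY_MARKER + b"\x01\x00\x00\x00"
SAMPLE_LOG = 'No geo data for "203.0.113.7" (country -4431872).\n'

if __name__ == "__main__":
    # Usage: python check_geodb.py <database file> [<debug log>]
    with open(sys.argv[1], "rb") as fh:
        db = fh.read()
    log = open(sys.argv[2], errors="replace").read() if len(sys.argv) > 2 else ""
    print(detect_geo_db_format(db), diagnose(db, log))
```

A `format-mismatch` verdict means the configured file is a GeoIP2/GeoLite2 database while the lookups in the log are failing, which is the situation in the question.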