GeoLookup does not work

[everping]

I tried to block IPs from a specific country but GeoLookup does not work.

• OS: Ubuntu 16.04.5 LTS
• modsecurity v3.0.3
• modSecurity-nginx v1.0.0
• nginx v1.14.0
• libgeoip1, libgeoip-dev, geoip-bin was installed

nginx virtual host

    modsecurity on;
    modsecurity_rules '
        # Include the recommended configuration
        Include /etc/nginx/modsec/modsecurity.conf

        # OWASP CRS v3 rules
        Include /usr/local/owasp-modsecurity-crs-3.0.0/crs-setup.conf
        Include /usr/local/owasp-modsecurity-crs-3.0.0/rules/*.conf

        # Audit log
        SecAuditLog /var/log/modsec/mysite.com/audit.log

        # Custom rules
        Include /etc/nginx/modsec/mysite.com/*.conf
    ';

/usr/local/owasp-modsecurity-crs-3.0.0/crs-setup.conf

...
SecGeoLookupDB util/geo-location/GeoIP.dat
...

/etc/nginx/modsec/mysite.com/main.conf

SecRule REMOTE_ADDR "@geoLookup" "chain,id:1,drop,msg:'Non-VN IP address'"
SecRule GEO:COUNTRY_CODE "!@streq VN"

And the debug log I got

[4] (Rule: 1) Executing operator "GeoLookup against REMOTE_ADDR.
[9] Target value: "x.x.x.x" (Variable: REMOTE_ADDR)
[4] Rule returned 0.

This means the remote address could not be looked up. Is there anyone can tell me what is wrong here?

[victorhora]

@everping

Can you tell us what is the output of your configure script when setting up libModSecurity? It should be something like this:

ModSecurity - v3.0.2-78-g90197bd for Linux

 Mandatory dependencies
   + libInjection                                  ....v3.0.2-78-g90197bd
   + SecLang tests                                 ....90197bd

 Optional dependencies
   + GeoIP/MaxMind                                 ....found
      * (GeoIP) v1.6.9
         -lGeoIP  , -I/usr/include/
   + LibCURL                                       ....found v7.47.0
      -L/usr/lib/x86_64-linux-gnu -lcurl,  -DWITH_CURL_SSLVERSION_TLSv1_2 -DWITH_CURL
   + YAJL                                          ....found v2.1.0
      -lyajl  , -DWITH_YAJL -I/usr/include/yajl
   + LMDB                                          ....disabled
   + LibXML2                                       ....found v2.9.3
      -lxml2, -I/usr/include/libxml2 -DWITH_LIBXML2
   + SSDEEP                                        ....not found
   + LUA                                           ....not found

You should ensure that GeoIP support is enabled...

I would also suggest maybe removing the GeoIP packages and trying with the new GeoIP format called MaxMind by installing libmaxminddb as I'm not sure what's the current state with the old GeoIP format.

[everping]

@victorhora Here is what I got

ModSecurity - v3.0.2-72-g156527a for Linux

 Mandatory dependencies
   + libInjection                                  ....v3.0.2-72-g156527a
   + SecLang tests                                 ....156527a

 Optional dependencies
   + GeoIP/MaxMind                                 ....found
      * (GeoIP) v1.6.9
         -lGeoIP  , -I/usr/include/
   + LibCURL                                       ....found v7.47.0
      -L/usr/lib/x86_64-linux-gnu -lcurl,  -DWITH_CURL_SSLVERSION_TLSv1_2 -DWITH_CURL
   + YAJL                                          ....found v2.1.0
      -lyajl  , -DWITH_YAJL -I/usr/include/yajl
   + LMDB                                          ....disabled
   + LibXML2                                       ....found v2.9.3
      -lxml2, -I/usr/include/libxml2 -DWITH_LIBXML2
   + SSDEEP                                        ....not found
   + LUA                                           ....not found

 Other Options
   + Test Utilities                                ....enabled
   + SecDebugLog                                   ....enabled
   + afl fuzzer                                    ....disabled
   + library examples                              ....enabled
   + Building parser                               ....disabled
   + Treating pm operations as critical section    ....disabled

[everping]

I have installed libmaxminddb from this repository and I got the MaxMind lib is not found

ModSecurity -  for Linux

 Mandatory dependencies
   + libInjection                                  ....
   + SecLang tests                                 ....90197bd

 Optional dependencies
   + GeoIP/MaxMind                                 ....not found
   + LibCURL                                       ....found v7.47.0
      -L/usr/lib/x86_64-linux-gnu -lcurl,  -DWITH_CURL_SSLVERSION_TLSv1_2 -DWITH_CURL
   + YAJL                                          ....found v2.1.0
      -lyajl  , -DWITH_YAJL -I/usr/include/yajl
   + LMDB                                          ....disabled
   + LibXML2                                       ....found v2.9.3
      -lxml2, -I/usr/include/libxml2 -DWITH_LIBXML2
   + SSDEEP                                        ....not found
   + LUA                                           ....not found

 Other Options
   + Test Utilities                                ....enabled
   + SecDebugLog                                   ....enabled
   + afl fuzzer                                    ....disabled
   + library examples                              ....enabled
   + Building parser                               ....disabled
   + Treating pm operations as critical section    ....disabled

[victorhora]

For some reason these Ubuntu packages (unlike Debian) is lacking entries on the pkg-config database which is leading the configure script to fail finding all the needed files...

This should be fixed with 9173738.

Also you may want to apply patch b7cb505 to work with MaxMind. PR #1895 should be merged to master prior to 3.0.3 release, but you are welcome to use it before to fulfill your needs.

Thanks for the report.