Blocking Japan with ModSecurity and Maxmind Lite

Accessibility is the magic word for today's blog. If you're lucky enough to run a website, then the whole world has access to it by default!

Now let's imagine that the website you're running is targeted at a geographically specific customer base, such as the USA. You get up one morning, take a look at your web analytics reports, and find that Japan is the second largest source of traffic. At that point, you might start thinking about restricting traffic from specific countries that would otherwise only waste bandwidth on your server.

This is where our WAF comes in. The Web Application Firewall is based on ModSecurity, an open source WAF for Apache, IIS, and Nginx that protects against a wide variety of attacks and allows HTTP traffic to be monitored and logged.

Update: A newer article on this topic is available here

A prerequisite for this guide is that you already have the WAF configured with "Rule Engine traffic blocking" enabled on the appliance.

Edit WAF Gateway

You can follow page 161 of our Admin guide on how to do so.

You will also require the Maxmind database. Maxmind provide a free IP geolocation lookup database.

Maxmind normally update their database monthly, so it is a good idea to download their updates regularly.

On that note, let's get started by creating a directory for the Maxmind database via the Loadbalancer's CLI:

mkdir /usr/share/geoip/
cd /usr/share/geoip/

Next, download the Maxmind database with this command (the -N flag only fetches the file if it is newer than the copy already on disk):

wget -N

Once the download is complete, extract the file with this command (please ensure that you are in the “/usr/share/geoip/” path):

gzip -df GeoIP.dat.gz

The "-d" tells gzip to decompress and the "-f" tells it to overwrite an existing GeoIP.dat.
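The download and extract steps above, wrapped into two checked shell functions as an added example (this is not the original post's code or a Loadbalancer.org script). The download URL is not given on this page, so GEOIP_URL below is a placeholder you must replace with the address from the Maxmind website; the directory defaults to the one the guide uses.

```shell
#!/bin/sh
# Added example: fetch and unpack the Maxmind GeoIP database, checking each step.
# GEOIP_URL is a placeholder (assumption): the real download URL is not on this page.
GEOIP_DIR="${GEOIP_DIR:-/usr/share/geoip}"
GEOIP_URL="${GEOIP_URL:-https://example.invalid/GeoIP.dat.gz}"

# Download GeoIP.dat.gz into $1 from URL $2. mkdir -p is used so that re-running
# after the directory already exists does not fail; wget -N only re-fetches
# the archive when the server copy is newer than the local one.
fetch_geoip_db() {
    dir="$1"; url="$2"
    mkdir -p "$dir" || return 1
    ( cd "$dir" && wget -N "$url" ) || return 1
}

# Decompress $1/GeoIP.dat.gz in place (-d decompress, -f overwrite the existing
# GeoIP.dat) and confirm that a non-empty GeoIP.dat was actually produced,
# so a truncated or failed download is noticed before the WAF is reloaded.
extract_geoip_db() {
    dir="$1"
    [ -f "$dir/GeoIP.dat.gz" ] || { echo "no GeoIP.dat.gz in $dir" >&2; return 1; }
    ( cd "$dir" && gzip -df GeoIP.dat.gz ) || return 1
    [ -s "$dir/GeoIP.dat" ] || { echo "GeoIP.dat missing or empty in $dir" >&2; return 1; }
    echo "GeoIP.dat ready in $dir"
}

# Usage (run as root on the appliance, then update and reload the WAF):
#   fetch_geoip_db "$GEOIP_DIR" "$GEOIP_URL" && extract_geoip_db "$GEOIP_DIR"
```

Because Maxmind update the database monthly, this is the script to put in a monthly cron job rather than something to run by hand; the non-zero return from either function makes a failed refresh visible in the cron mail instead of silently leaving the WAF on a stale database.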
Once this is done you will need to navigate via the WUI to:

Cluster Configuration -> WAF - Manual Configuration

WAF Manual Configuration

Select your WAF and apply this sample ModSecurity rule to block traffic from Japan (the second SecRule is chained to the first, so the drop action only fires when the looked-up country code is JP):

SecGeoLookupDb /usr/share/geoip/GeoIP.dat
SecRule REMOTE_ADDR "@geoLookup" "chain,id:20,drop,msg:'Block Japan IP address'"
SecRule GEO:COUNTRY_CODE "@streq JP"

Update and reload the WAF.

In this example we used Japan, but you can find the full set of country codes on the Maxmind website.