
Problem

We've had someone who has been trying to crawl our site with random, malicious URLs (for about 12 hours now).

Here is the log file:

    2016-06-29 08:17:02 10.X.X.X GET /assets/plugins/lightbox/Images/url - 443 - 10.X.X.X Mozilla/5.0+(X11;+Ubuntu;+Linux+x86_64;+rv:47.0)+Gecko/20100101+Firefox/47.0 - 302 0 2 0 212.83.40.238
    2016-06-29 08:17:02 10.X.X.X GET /assets/plugins/lightbox/Images/urlrewriter - 443 - 10.X.X.X Mozilla/5.0+(X11;+Ubuntu;+Linux+x86_64;+rv:47.0)+Gecko/20100101+Firefox/47.0 - 302 0 2 15 212.83.40.238
    2016-06-29 08:17:02 10.X.X.X GET /assets/plugins/lightbox/Images/urls - 443 - 10.X.X.X Mozilla/5.0+(X11;+Ubuntu;+Linux+x86_64;+rv:47.0)+Gecko/20100101+Firefox/47.0 - 302 0 2 0 212.83.40.238
    2016-06-29 08:17:03 10.X.X.X GET /assets/plugins/lightbox/Images/US - 443 - 10.X.X.X Mozilla/5.0+(X11;+Ubuntu;+Linux+x86_64;+rv:47.0)+Gecko/20100101+Firefox/47.0 - 302 0 2 0 212.83.40.238
    2016-06-29 08:17:03 10.X.X.X GET /assets/plugins/lightbox/Images/usa - 443 - 10.X.X.X Mozilla/5.0+(X11;+Ubuntu;+Linux+x86_64;+rv:47.0)+Gecko/20100101+Firefox/47.0 - 302 0 2 0 212.83.40.238
    2016-06-29 08:17:03 10.X.X.X GET /assets/plugins/lightbox/Images/us - 443 - 10.X.X.X Mozilla/5.0+(X11;+Ubuntu;+Linux+x86_64;+rv:47.0)+Gecko/20100101+Firefox/47.0 - 302 0 2 0 212.83.40.238
    2016-06-29 08:17:04 10.X.X.X GET /assets/plugins/lightbox/Images/user - 443 - 10.X.X.X Mozilla/5.0+(X11;+Ubuntu;+Linux+x86_64;+rv:47.0)+Gecko/20100101+Firefox/47.0 - 302 0 2 0 212.83.40.238
    2016-06-29 08:17:04 10.X.X.X GET /assets/plugins/lightbox/Images/usage - 443 - 10.X.X.X Mozilla/5.0+(X11;+Ubuntu;+Linux+x86_64;+rv:47.0)+Gecko/20100101+Firefox/47.0 - 302 0 2 15 212.83.40.238
    2016-06-29 08:17:04 10.X.X.X GET /assets/plugins/lightbox/Images/user_upload - 443 - 10.X.X.X Mozilla/5.0+(X11;+Ubuntu;+Linux+x86_64;+rv:47.0)+Gecko/20100101+Firefox/47.0 - 302 0 2 0 212.83.40.238

So I installed ModSecurity, and started going off of the experimental_rules\modsecurity_crs_11_proxy_abuse.conf file, as it seemed to get me the closest to what I need.

The problem is that the lookup using "@geoLookup" is using the REMOTE_ADDR which is always the same as my AWS Elastic Load Balancer (an Internal 10.x.x.x). How can I do a "@geoLookup" based on the X-Forwarded-For IP (this is always present with AWS Elastic Load Balancer)?

Here is what I have so far:

    SecGeoLookupDb GeoLiteCity.dat
    SecRule REQUEST_HEADERS:X-Forwarded-For "^\b\d{1,3}(?<!192|127|10)\.\d{1,3}\.\d{1,3}\.\d{1,3}\b" "chain,phase:1,id:'992210',t:none,capture,block,rev:'2.2.9',msg:'Potential Open Proxy Abuse - GeoIP Country Code Mismatch of X-Forwarded-For Request Header and Client REMOTE_ADDR',logdata:'IP Country is: %{geo.country_code} and X-Forwarded-For is: %{tx.geo_x-forwarded-for}'"
        SecRule TX:0 "@geoLookup" "chain,setvar:tx.geo_x-forwarded-for=%{geo.country_code},setvar:tx."
            SecRule REMOTE_ADDR "@geoLookup" "chain,t:none"
                SecRule GEO:COUNTRY_CODE "!@streq %{tx.geo_x-forwarded-for}" "setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/MALICIOUS-%{matched_var_name}=%{matched_var}"
                    SecRule GEO:COUNTRY_CODE3 "!@streq USA" "id:'992211',phase:1,t:none,log,deny,msg:'Client IP not from USA'"

But I don't think I have enough of an understanding of this strange language yet; I worked on this from 12 to 4 AM last night, and my brain is hurting.

Jack

1 Answer

It's true what they say, nothing good ever happens after midnight.

In case anyone else needs it, here is the solution:

    SecGeoLookupDb GeoLiteCity.dat
    SecRule REQUEST_HEADERS:X-FORWARDED-FOR "@geoLookup" "id:'992210',phase:1,t:none,pass,nolog"
    SecRule GEO:COUNTRY_CODE3 "!@streq USA" "id:'992211',phase:1,t:none,log,deny,msg:'Client IP not from USA'"
Jack
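One thing to keep in mind when keying any rule off X-Forwarded-For: a client can send its own copy of the header, and the ELB then appends the address it actually saw as the last comma-separated entry, so only the rightmost entry that is not one of your own proxies is trustworthy. The script below, an added example that is not part of the question or answer, parses IIS W3C lines in the layout shown in the question (IIS writes spaces inside a field as `+`, so a multi-hop header arrives as `1.2.3.4,+212.83.40.238`), picks the trustworthy client address, and counts how many distinct non-200 paths each address probed, which is what the crawl in the question looks like. The log lines and the 10.0.0.0/8 trusted-proxy range are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the IIS W3C layout from the question; the last field is
# the X-Forwarded-For value. Line 3 carries a hypothetical client-supplied entry
# (1.2.3.4) in front of the address the ELB appended.
SAMPLE_LOG = """\
2016-06-29 08:17:02 10.0.0.5 GET /assets/plugins/lightbox/Images/url - 443 - 10.0.0.5 Mozilla/5.0+(X11) - 302 0 2 0 212.83.40.238
2016-06-29 08:17:02 10.0.0.5 GET /assets/plugins/lightbox/Images/urls - 443 - 10.0.0.5 Mozilla/5.0+(X11) - 302 0 2 0 212.83.40.238
2016-06-29 08:17:02 10.0.0.5 GET /assets/plugins/lightbox/Images/usa - 443 - 10.0.0.5 Mozilla/5.0+(X11) - 302 0 2 0 1.2.3.4,+212.83.40.238
2016-06-29 08:17:03 10.0.0.5 GET /index.html - 443 - 10.0.0.5 Mozilla/5.0+(X11) - 200 0 0 5 198.51.100.7
"""

# Assumed: the ELB lives in this range, so its entries in the header are skipped.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def client_ip(xff, trusted=TRUSTED_PROXIES):
    """Rightmost X-Forwarded-For entry that is not a trusted proxy.

    The rightmost entry is the TCP peer the ELB saw; everything to its left was
    supplied by the client and may be forged, so it is never consulted.
    """
    hops = [h.strip() for h in xff.replace("+", " ").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: refuse to guess
        if not any(addr in net for net in trusted):
            return str(addr)
    return None


def parse_line(line):
    """Pull timestamp, path, status and client IP from one IIS W3C log line."""
    f = line.split()
    if len(f) < 16 or f[0].startswith("#"):
        return None
    return {"ts": f[0] + " " + f[1], "path": f[4],
            "status": int(f[11]), "client": client_ip(f[15])}


def probe_sources(log, threshold=2):
    """Client IP -> number of distinct paths that did not return 200.

    A wordlist scanner produces many such paths from one address; only
    addresses at or above `threshold` are reported.
    """
    seen = defaultdict(set)
    for line in log.splitlines():
        rec = parse_line(line)
        if rec and rec["client"] and rec["status"] != 200:
            seen[rec["client"]].add(rec["path"])
    return {ip: len(p) for ip, p in seen.items() if len(p) >= threshold}
```

Running `probe_sources(SAMPLE_LOG)` attributes all three 302 probes to 212.83.40.238 and ignores the forged 1.2.3.4 entry, which is the address a ModSecurity rule or a firewall block should act on.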