leminhquan

Reputation: 1

ModSecurity default action when no rule is matched?

I'm doing a lab with ModSecurity using nginx, and I have a question.

How can you set a default action for an action that doesn't match any rule?

For example, I have a set of rules that allows people to do stuff from one set of IPs, and I want to block all other requests. How can I do that?

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
SecGeoLookupDb /usr/local/geo/data/GeoLiteCity.dat

SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:10,allow,log,msg:'Blocking Country IP Address'"
SecRule GEO:COUNTRY_CODE "@pm CN"

SecDefaultAction "phase:1,log,auditlog,drop,status:403,tag:'SLA 24/7'"

Upvotes: 0

Views: 607

Answers (1)

airween

Reputation: 6193

If you want to deny all requests which didn't match any of the rules before, you have to create an explicit unconditional rule (SecAction) at the end of your set of rules, something like this:

SecAction "id:10001,phase:1,deny,status:403,log"

Please note that with this solution (rule in phase:1) you can't use any other phase. Of course, you should put this rule into phase:2, but without any rule in that phase, it's enough.

More notes for your example:

  • your action is allow but the message is Blocking Country IP Address, this is a bit confusing
  • if you want to control only the access/not access by country, there is a standalone Nginx module, you don't need any WAF

Upvotes: 0
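
The allowlist-then-deny layout the answer describes, written out as an added example (not the asker's configuration and not code from the answer). The IP addresses are constructed placeholders from the documentation ranges, rule id 10000 and the `msg` text are arbitrary, and id 10001 is reused from the answer.

```conf
# Added example: constructed values, not the asker's configuration.
# Blocking only happens with the engine on; DetectionOnly would just log.
SecRuleEngine On

# SecDefaultAction sets the action list that later phase:1 rules inherit.
# It is not evaluated as a rule itself, so it cannot catch unmatched requests.
SecDefaultAction "phase:1,log,auditlog,pass"

# Allowlist: 192.0.2.0/24 and 198.51.100.17 are documentation addresses
# standing in for the permitted clients. A bare "allow" stops rule processing
# in this phase and skips the later phases (logging excepted), so the
# catch-all below is never reached for these clients.
SecRule REMOTE_ADDR "@ipMatch 192.0.2.0/24,198.51.100.17" \
    "id:10000,phase:1,allow,nolog"

# Catch-all from the answer: SecAction has no condition, so it fires for
# every request that got this far. It must stay the last phase:1 rule.
SecAction "id:10001,phase:1,deny,status:403,log,msg:'No allow rule matched'"
```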
