How To Setup GeoBlocking On Amazon Lightsail Server


When you are running a web application, it is always advisable to monitor the incoming requests. If you check the web server logs, you will notice that most of the time your web server is being hit by random IP addresses from all around the world. So you might consider restricting access to your web application to a specific geography. In other words, I am talking about GeoBlocking or GeoIP Restriction.

In this tutorial I will explain how to set up GeoIP Restriction on a WordPress server using the MaxMind GeoIP database and the ModSecurity module running on AWS Lightsail. You can also watch the video tutorial on my YouTube channel here.


What is MaxMind GeoIP Database?

MaxMind is an industry-leading provider of IP intelligence and online fraud detection tools. They provide two formats for the GeoIP database. ModSecurity v2 uses GeoLite (.dat files) and ModSecurity v3 uses GeoLite2 (.mmdb files). I am using ModSecurity v2 for my application, so in this article I will use the GeoLite “.dat” file.

GeoLite2 databases are free IP geolocation databases comparable to, but less accurate than, MaxMind’s GeoIP2 databases. The GeoLite2 Country, City, and ASN databases are updated weekly, every Tuesday. GeoLite2 data is also available as a web service in the GeoLite2 Country and GeoLite2 City web services (users are limited to 1000 IP address lookups per service per day).


Few Important Points To Note:

  • I am using Apache ModSecurity v2 for my application.
  • If you want to know how to install and set up the Apache ModSecurity module, then please check out my other article: How To Setup ModSecurity Web Application Firewall On AWS Lightsail WordPress Server.
  • The database file is updated and published every week on Tuesday by MaxMind. Make sure you always use the latest database file.
  • Most of the Linux commands should be run as the “bitnami” user, unless stated otherwise.

Configuring MaxMind GeoBlocking With ModSecurity:

Step-1: Register and create an account on the MaxMind website. The registration is free. To create an account, click here.

Step-2: After registration, log in to your account and go to the “Download Files” section. Then download the GeoLite2 database file in CSV format, free of charge. In my case I used the Country specific database file.

Step-3: As I am using ModSecurity v2, I have to convert the downloaded CSV ZIP file to the legacy format first. To convert the data format, I used a Python program, “geolite2legacy”. Download the program from the official GitHub repo:

git clone https://github.com/sherpya/geolite2legacy

After cloning the repository, copy the downloaded MaxMind database file inside the repository. In my case the database zip file name is: “GeoLite2-Country-CSV_20201229.zip“. The repository content will be something similar to the below:

Saptadip@MacBook-orion-295 geolite2legacy % ls -ltr
total 11328
-rw-r--r--  1 Saptadip  staff      211 Jan  2 16:31 Dockerfile
-rw-r--r--  1 Saptadip  staff     1114 Jan  2 16:31 LICENSE
-rw-r--r--  1 Saptadip  staff     3255 Jan  2 16:31 README.md
-rwxr-xr-x  1 Saptadip  staff    15696 Jan  2 16:31 geolite2legacy.py
-rw-r--r--  1 Saptadip  staff  1672834 Jan  2 16:31 geoname2fips.csv
-rwxr-xr-x  1 Saptadip  staff    38987 Jan  2 16:31 geoname2fips.py
-rw-r--r--  1 Saptadip  staff    17371 Jan  2 16:31 pygeoip_const.py
-rw-r--r--  1 Saptadip  staff        7 Jan  2 16:31 requirements.txt
-rw-r--r--@ 1 Saptadip  staff  1885714 Jan  2 16:31 GeoLite2-Country-CSV_20201229.zip
-rw-r--r--  1 Saptadip  staff    24519 Jan  2 16:32 pygeoip_const.pyc

Step-4: Run the below command to convert zip database file “GeoLite2-Country-CSV_20201229.zip” to the legacy format “GeoLite2Country.dat“.

./geolite2legacy.py -i GeoLite2-Country-CSV_20201229.zip -f geoname2fips.csv -o GeoLite2Country.dat

Step-5: Copy the new database file “GeoLite2Country.dat” to the WordPress Amazon Lightsail server. Make sure that you put the file under the Apache home directory. In my case I created a separate folder “maxmind” under the Apache home directory. I used the below “scp” command to transfer the file:

scp -i <<YOUR SSH PEM KEY>> GeoLite2Country.dat bitnami@<<SERVER PUBLIC IP>>:/opt/bitnami/apache2/mods-enabled/maxmind/

Step-6: SSH to the AWS Lightsail server and edit the “modsecurity.conf” file to add the entry below. This will enable GeoIP lookup.

SecGeoLookupDb /opt/bitnami/apache2/mods-enabled/maxmind/GeoLite2Country.dat

The parameter SecGeoLookupDb specifies the location of the GeoIP database file. The ModSecurity module uses this file to look up the IP address. Below this parameter, you can define any Security Rules that ModSecurity will use to filter the traffic.

For example, if you want to restrict your web application access to only Germany and India, then you can define the below Security Rules:

SecGeoLookupDb /opt/bitnami/apache2/mods-enabled/maxmind/GeoLite2Country.dat
SecRule REMOTE_ADDR "@geoLookup" "chain,id:22,drop,msg:'Restricted Country IP address'"
SecRule GEO:COUNTRY_CODE "!@pm DE IN"

The above rule makes sure that ModSecurity will only ALLOW traffic from Germany (DE) and India (IN). All traffic from any other country will be BLOCKED.

Let’s take another example. If you want to block traffic from a SPECIFIC country and allow remaining traffic from all other countries, then you may define Security Rules like this:

SecGeoLookupDb /opt/bitnami/apache2/mods-enabled/maxmind/GeoLite2Country.dat
SecRule REMOTE_ADDR "@geoLookup" "chain,id:20,drop,msg:'Block India IP address'"
SecRule GEO:COUNTRY_CODE "@streq IN"

The above rule makes sure that ModSecurity will ALLOW traffic from all around the world and BLOCK ONLY the traffic from India.
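
The chain semantics of the two rules above can be checked with a small model. This is an added example, not code from this article or from ModSecurity; the country table, the helper names and the DROP_UNKNOWN rule are assumptions made for illustration. It shows that an address missing from the database never matches @geoLookup, so the chain stops and the allow-list rule lets the request through.

```python
import ipaddress

# Constructed stand-in for GeoLite2Country.dat (RFC 5737 documentation ranges).
GEO_DB = {"192.0.2.0/24": "DE", "198.51.100.0/24": "IN", "203.0.113.0/24": "FR"}

def geo_lookup(tx):
    """@geoLookup: matches only if the address is found, then fills GEO."""
    addr = ipaddress.ip_address(tx["REMOTE_ADDR"])
    for net, code in GEO_DB.items():
        if addr in ipaddress.ip_network(net):
            tx["GEO:COUNTRY_CODE"] = code
            return True
    return False

def pm(phrases):
    """@pm: case-insensitive match of any space-separated phrase."""
    words = phrases.lower().split()
    return lambda value: any(w in value.lower() for w in words)

def streq(expected):
    """@streq: exact string comparison."""
    return lambda value: value == expected

def evaluate(chain, remote_addr):
    """A chained rule fires its action only if every rule in the chain matches."""
    tx = {"REMOTE_ADDR": remote_addr}
    return "drop" if all(rule(tx) for rule in chain) else "allow"

# The article's rule id:22 (allow only DE and IN) and id:20 (block IN).
ALLOW_DE_IN = [geo_lookup, lambda tx: not pm("DE IN")(tx["GEO:COUNTRY_CODE"])]
BLOCK_IN = [geo_lookup, lambda tx: streq("IN")(tx["GEO:COUNTRY_CODE"])]
# Hypothetical extra rule (not in the article): drop when the lookup fails.
DROP_UNKNOWN = [lambda tx: not geo_lookup(tx)]

def decide(chains, remote_addr):
    """Apply several independent rules; any one of them may drop the request."""
    return "drop" if any(evaluate(c, remote_addr) == "drop" for c in chains) else "allow"

if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.7", "10.0.0.5"):  # DE, FR, not in database
        print(ip, evaluate(ALLOW_DE_IN, ip), decide([ALLOW_DE_IN, DROP_UNKNOWN], ip))
```

In ModSecurity v2 itself, the reference manual covers the failed-lookup case with a separate rule that tests &GEO "@eq 0".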

Step-7: Finally restart the Apache Web Service to reload the new configuration:

sudo /opt/bitnami/ctlscript.sh restart apache
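
After the restart, the Apache error log shows whether the GeoIP rules are firing. The script below is an added example, not part of the original tutorial: it counts ModSecurity denials for rule ids 20 and 22 per client address. The log lines are constructed samples, and the unrelated rule id 999001 is hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in the shape ModSecurity v2 writes to the Apache
# error log. Addresses are documentation ranges; rule id 999001 is made up.
SAMPLE_LOG = [
    '[Sat Jan 02 17:05:11 2021] [:error] [pid 2210] [client 203.0.113.7:51544] '
    'ModSecurity: Access denied with connection close (phase 2). '
    'Match of "pm DE IN" against "GEO:COUNTRY_CODE" required. '
    '[id "22"] [msg "Restricted Country IP address"] [uri "/wp-login.php"]',
    '[Sat Jan 02 17:05:14 2021] [:error] [pid 2210] [client 203.0.113.7:51560] '
    'ModSecurity: Access denied with connection close (phase 2). '
    'Match of "pm DE IN" against "GEO:COUNTRY_CODE" required. '
    '[id "22"] [msg "Restricted Country IP address"] [uri "/xmlrpc.php"]',
    '[Sat Jan 02 17:06:02 2021] [:error] [pid 2214] [client 198.51.100.9:40122] '
    'ModSecurity: Access denied with connection close (phase 2). '
    'String match "IN" at GEO:COUNTRY_CODE. '
    '[id "20"] [msg "Block India IP address"] [uri "/"]',
    '[Sat Jan 02 17:06:30 2021] [:error] [pid 2214] [client 192.0.2.10:40990] '
    'ModSecurity: Warning. [id "999001"] [msg "Unrelated rule"] [uri "/"]',
    '[Sat Jan 02 17:07:00 2021] [mpm_event:notice] [pid 2200] resuming normal operations',
]

CLIENT = re.compile(r'\[client (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\]')
FIELD = re.compile(r'\[(id|msg|uri) "([^"]*)"\]')

def geoblock_hits(lines, rule_ids=("20", "22")):
    """Count GeoIP denials per (client IPv4 address, rule id)."""
    hits = Counter()
    for line in lines:
        if "ModSecurity:" not in line:
            continue  # ordinary Apache message, not a ModSecurity event
        client = CLIENT.search(line)
        fields = dict(FIELD.findall(line))
        if client and fields.get("id") in rule_ids:
            hits[(client.group(1), fields["id"])] += 1
    return hits

if __name__ == "__main__":
    for (ip, rule_id), count in geoblock_hits(SAMPLE_LOG).most_common():
        print(f"{ip} rule {rule_id}: {count} denied request(s)")
```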

Final Words

Setting up GeoIP Blocking is very helpful, especially if you want to protect your web application from traffic coming from a specific geography. But please be aware that if a visitor is using a VPN or any similar service to hide their actual country, then GeoIP Restriction may fail to stop them.
