I've installed mod_security2 and read the cPanel docs (How to Install and Configure ModSecurity in cPanel, blog.cpanel.com), but I have a few other questions.
1. Should I install OWASP? What does it do?
2. I see under "Configuration" that I can provide a link to a MaxMind database under SecGeoLookupDb. What, exactly, does this do? I would LOVE to be able to block non-US IPs for specific domains instead of using CSF to do it server-wide!
Overview
The OWASP (Open Web Application Security Project) ModSecurity CRS (Core Rule Set) is a set of rules that Apache’s ModSecurity® module can use to help protect your server. While these rules do not make your server impervious to attacks, they greatly increase the amount of protection for your web applications.
Please read more here: docs.cpanel.net
MaxMind is also available in CSF. You need to follow the link in CSF to sign up for a free account, add the API code, and change the CSF setting to 1 to activate MaxMind. It is an IP database, and pretty good as far as I can tell, because I have been using it in CSF as well to block countries by country code, for example CN, RU, VN (China, Russia, Vietnam).
There is also an option to only allow US and not have to add all the above country codes in CSF; see below.
I believe the difference is that CSF protects the back layer of your server, while ModSecurity with OWASP protects your websites' frontend layer from other attacks.
But CSF is a huge plus in my opinion when blocking IPs with MaxMind for the server.
If you go to your CSF Firewall Configuration and select "Country Code Lists and Settings" from the drop down, you will find the MaxMind settings and info:
1. MaxMind
MaxMind GeoLite2 Country/City and ASN databases at: dev.MaxMind.com
This feature relies entirely on that service being available
Advantages: This is a one stop shop for all of the databases required for
these features. They provide a consistent dataset for blocking and reporting
purposes
Disadvantages: MaxMind require a license key to download their databases.
This is free of charge, but requires the user to create an account on their
website to generate the required key:
WARNING: As of 2019-12-29, MaxMind REQUIRES you to create an account on their
site and to generate a license key to use their databases. See:
blog.maxmind.com
You MUST set the following to continue using the IP lookup features of csf,
otherwise an error will be generated and the features will not work.
Alternatively set CC_SRC below to a different provider
MaxMind License Key:
MM_LICENSE_KEY = (Enter your Key here)
2. DB-IP, ipdeny.com, iptoasn.com
Advantages: The ipdeny.com databases for CC blocking are better optimised
and so are quicker to process and create fewer iptables entries. All of these
databases are free to download without requiring login or key
Disadvantages: Multiple sources mean that any one of the three could
interrupt the provision of these features. It may also mean that there are
inconsistencies between them
db-ip.com
iptoasn.com
Set the following to your preferred source:
"1" - MaxMind
"2" - db-ip, ipdeny, iptoasn
The default is "2" on new installations of csf, or set to "1" to use the
MaxMind databases after obtaining a license key
CC_SRC = (Enter 1 here)
Just further down in the same section you can set CC_ALLOW_FILTER = US; this will allow only US IPs to your server, server-wide.
An alternative to CC_ALLOW is to only allow access from the following
countries but still filter based on the port and packets rules. All other
connections are dropped
CC_ALLOW_FILTER = (enter US here)
hope that helps
Spiro
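To show what SecGeoLookupDb actually does and how it relates to the per-domain blocking asked about above, here is an added configuration example. It is not from this thread, from cPanel or from the CSF documentation. It assumes a legacy-format GeoIP country database at /usr/share/GeoIP/GeoIP.dat (ModSecurity 2.x does its lookups through libGeoIP and expects the legacy .dat format, not the GeoLite2 .mmdb files), a placeholder domain example.com, a placeholder monitoring address from the documented TEST-NET range, and rule ids 1000000-1000001 that are not already used on the server.

```apache
# Added example (not from the thread): per-domain country filtering with ModSecurity 2.x.
# Assumptions: legacy-format country database at /usr/share/GeoIP/GeoIP.dat,
# example.com is a placeholder domain, 203.0.113.10 is a placeholder monitoring
# address, and rule ids 1000000-1000001 are unused on this server.

# Global: load the geolocation database once. On its own this blocks nothing;
# it only enables the @geoLookup operator, which fills the GEO collection
# (GEO:COUNTRY_CODE, GEO:COUNTRY_NAME, ...) for the address it is given.
SecGeoLookupDb /usr/share/GeoIP/GeoIP.dat

# Only this virtual host gets the country restriction, so other domains on the
# same server are unaffected (unlike CSF's CC_ALLOW_FILTER, which is server-wide).
<VirtualHost *:80>
    ServerName example.com

    # Exempt a trusted monitoring address from the country rule below.
    SecRule REMOTE_ADDR "@ipMatch 203.0.113.10" \
        "id:1000000,phase:1,pass,nolog,ctl:ruleRemoveById=1000001"

    # Phase 1 runs on the request headers, so the request is refused before the
    # body is read. Rule 1 resolves the client IP; the chained rule fires only
    # when the resolved country is not US, and the deny applies to the whole chain.
    # If the lookup fails (private or unlisted address) the chain stops and the
    # request is allowed; add a rule on GEO:COUNTRY_CODE "^$" if you want fail-closed.
    SecRule REMOTE_ADDR "@geoLookup" \
        "id:1000001,phase:1,t:none,chain,deny,status:403,log,\
        msg:'Non-US client blocked for %{SERVER_NAME}',\
        logdata:'country=%{GEO.COUNTRY_CODE}'"
        SecRule GEO:COUNTRY_CODE "!@streq US"
</VirtualHost>
```

Matches are logged with the msg and logdata text, so you can confirm the rule is doing what you expect by watching the ModSecurity audit log (or the hit list in WHM's ModSecurity Tools) before relying on it. Running the rule with `pass` instead of `deny` for a day first is a cheap way to see what it would have blocked.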