Blocking Traffic Using GeoIP Data

Updated February 17th, 2023

Without the proper use of GeoIP data, bad actors from a specific country can interfere with your website. We can block traffic with server configuration or a third-party tool (AWS WAF, CloudFront geo restrictions, etc.). The server configuration solution is the cheapest and fastest way to complete this task, but it adds to the maintenance of the server since the GeoIP.dat file does not get updated automatically.

 

Server configuration option

First, we are working with Apache 2.4.53 on Amazon Linux 1, and it needs the mod24_security module installed to be able to use the SecRule directive.

 

SSH into the web server and type: sudo yum install mod24_security

 


 

Now, before restarting Apache, you will need a .dat file containing the GeoIP data. You can purchase one from MaxMind with a subscription or find one for free (not as up to date) here: https://mailfud.org/geoip-legacy/

Now transfer the GeoIP.dat file to the modules folder, /etc/httpd/modules.

 

Editing the Module

Edit the mod_security.conf file located in /etc/httpd/conf.d:

sudo nano /etc/httpd/conf.d/mod_security.conf

Press Ctrl+W and search for SecRuleEngine ON

 

Under SecRuleEngine ON add the following lines:

    SecGeoLookupDb /etc/httpd/modules/GeoIP.dat
    SecRule REMOTE_ADDR "@geoLookup" "chain,id:20,drop,msg:'Block New Zealand IP address'"
    SecRule GEO:COUNTRY_CODE "@streq NZ"

Press Ctrl+W, search for SecDebugLog, and either comment out the line below or point it to a path that the server has permission to write to:

SecDebugLog /var/log/httpd/modsec_debug.log

 


 

Testing the Configuration

 

To test the new configuration before restarting Apache, type: apachectl configtest

If we get “Syntax OK” back, then we can restart Apache by typing: sudo service httpd restart

 


 

After Apache restarts, the server will no longer respond to traffic from IPs that are associated with NZ in the .dat file.
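
To confirm after the restart that the rule is actually firing, and to catch the stale GeoIP.dat problem mentioned in the introduction, a script along these lines can help. It is an added example, not part of the original article: rule id 20 and the database path come from the configuration above, while the 30-day threshold, the function names and the sample log lines are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Rule id 20 and the GeoIP.dat
# path come from the article; the 30-day limit and the sample log are assumptions.
RULE_ID=20
GEOIP_DB=/etc/httpd/modules/GeoIP.dat

# Succeeds (exit 0) when the database is missing or older than $2 days,
# i.e. when the country data behind the rule needs refreshing.
geoip_db_stale() {
    [ -f "${1:-$GEOIP_DB}" ] || return 0
    [ -n "$(find "${1:-$GEOIP_DB}" -mtime +"${2:-30}")" ]
}

# Print "<hits> <client-ip>" for requests denied by rule $2 (default 20),
# busiest client first. $1 is an Apache error log.
blocked_clients() {
    awk -v id="${2:-$RULE_ID}" '
        index($0, "ModSecurity: Access denied") && index($0, "[id \"" id "\"]") {
            if (match($0, /\[client [^]]+\]/)) {
                ip = substr($0, RSTART + 8, RLENGTH - 9)
                if (ip ~ /^[0-9.]+:[0-9]+$/) sub(/:[0-9]+$/, "", ip)  # drop source port
                hits[ip]++
            }
        }
        END { for (ip in hits) print hits[ip], ip }' "$1" | sort -k1,1nr -k2,2
}

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[Fri Feb 17 10:00:01.100000 2023] [:error] [pid 4100] [client 203.0.113.5:51000] [client 203.0.113.5] ModSecurity: Access denied with connection close (phase 2). String match "NZ" at GEO:COUNTRY_CODE. [file "/etc/httpd/conf.d/mod_security.conf"] [id "20"] [msg "Block New Zealand IP address"] [uri "/"]
[Fri Feb 17 10:00:02.200000 2023] [:error] [pid 4100] [client 203.0.113.5:51002] [client 203.0.113.5] ModSecurity: Access denied with connection close (phase 2). String match "NZ" at GEO:COUNTRY_CODE. [file "/etc/httpd/conf.d/mod_security.conf"] [id "20"] [msg "Block New Zealand IP address"] [uri "/login"]
[Fri Feb 17 10:00:03.300000 2023] [:error] [pid 4101] [client 198.51.100.7:40220] [client 198.51.100.7] ModSecurity: Access denied with connection close (phase 2). String match "NZ" at GEO:COUNTRY_CODE. [file "/etc/httpd/conf.d/mod_security.conf"] [id "20"] [msg "Block New Zealand IP address"] [uri "/"]
[Fri Feb 17 10:00:04.400000 2023] [:error] [pid 4101] [client 192.0.2.9:40221] [client 192.0.2.9] ModSecurity: Access denied with code 403 (phase 2). Constructed message from another rule. [id "999"] [uri "/"]
[Fri Feb 17 10:00:05.500000 2023] [core:notice] [pid 4000] AH00094: Command line: '/usr/sbin/httpd'
EOF

blocked_clients "$SAMPLE_LOG"
geoip_db_stale && echo "GeoIP.dat is missing or older than 30 days"
```

On the server, pass the path of your Apache error log as the first argument to blocked_clients instead of the sample file.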

 

Source for GeoIP.dat: https://mailfud.org/geoip-legacy/




