Website administrators are always looking for patterns that let them weed out the bad requests that constantly hit their servers. The sooner a malicious visitor can be identified and banned, the more resources remain for legitimate users and the safer the server becomes. Geolocation is one such pattern: certain countries or cities may be disproportionately represented in attack traffic against a given type of site, and a webmaster can decide to treat a visitor's apparent location as one factor in a risk score for the request.
Basing anything on a visitor's location may seem heavy-handed because of the risk of false positives, but combined with other signals it can be a useful flag for malicious activity. But how do we determine the location of an IP address? It is not as easy as it sounds. Analytics tools like Google Analytics can place a visitor on a map, but they do so by looking the visitor's IP address up in a geolocation database on the server side; a web application firewall can do exactly the same thing if it has such a database available.
Getting the Database from MaxMind
MaxMind is a service that I’ve mentioned before with reference to Clientexec installations. They provide commercial IP intelligence services, and they also publish free GeoLite databases that map IP addresses to countries and cities, for both IPv4 and IPv6.
You can obtain the free databases at this URL. As you can see in the screenshot below, each of them is offered as a free download. These take the form of zip files, each containing a database in the legacy binary “.dat” format.
MaxMind also offers them in a variety of formats ranging from CSV files to binary. For ModSecurity the binary “.dat” file is the one you want; the CSV versions are for your own tooling. Within WHM, the ModSecurity Configuration feature lets us use this free resource for geolocation lookups without editing anything by hand. Keep in mind that the database only provides information: what you do with the knowledge that a request comes from a particular country or city is up to you.
Extracting and Uploading the “.dat” File
As you can see in the screenshot below, the compressed file contains a “.dat” database.
This is an extremely compact resource: the zipped file is under half a megabyte. The databases are updated on the first Tuesday of every month, so it is up to us to set a schedule, download the updated databases periodically, put them on the server and restart Apache so ModSecurity picks up the new file rather than the one it opened at startup.
You can upload the “GeoIP.dat” file with the cPanel File Manager or scp, or fetch it directly on the server with wget or curl. It is a binary file, so a text editor such as “vi” is not the tool for this job. For test purposes, I’ve simply placed it in the root directory. In a real deployment you’ll want to put it somewhere Apache can read but that is not served to the web, and make sure it is not writable by the web server or by customer accounts, since a tampered database silently changes what your rules decide.
With the “ModSecurity Configuration” facility introduced in the latest release of WHM, using this geolocation database requires nothing more than typing the path into the appropriate field; no more editing configuration files by hand. Behind the scenes the field sets ModSecurity’s SecGeoLookupDb directive. In the WHM dashboard, search for “ModSecurity Configuration” under the “Security” section, then scroll down to the Geolocation Database text field.
In the space provided, type the absolute path to your database file. Once you have confirmed the path is correct, save your settings and you’re done. Using the free MaxMind data, combined with risk profiling that takes several factors into account, you should be able to cut down a large share of malicious requests before they have a chance to consume resources on your server.
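The WHM field only writes the database directive for you; the rules that actually consume the country code are still yours to write. The following is an added example, not configuration from the original post or from cPanel, of what those directives look like in ModSecurity 2.x and of the scoring approach the text recommends: the country is one signal added to a per-request score, and the request is denied only when the combined score crosses a threshold. The database path, rule IDs, country codes, weights and threshold are all placeholders chosen for illustration.

```apache
# Added example (not from the original post). Paths and IDs are assumptions.
# WHM writes this line from the "Geolocation Database" field:
SecGeoLookupDb /usr/local/share/GeoIP/GeoIP.dat

# Resolve the client's country once, early, so GEO:* is available to later rules.
# The lookup uses REMOTE_ADDR: if Apache sits behind a proxy or CDN you must
# first restore the real client address (e.g. with mod_remoteip), otherwise
# you geolocate the proxy, not the visitor.
SecRule REMOTE_ADDR "@geoLookup" \
    "id:10100,phase:1,pass,nolog,t:none"

# Signal 1: country of origin. "XX" and "YY" are placeholder ISO codes; a hit
# adds weight to a transaction-scoped score instead of blocking outright.
SecRule GEO:COUNTRY_CODE "@pm XX YY" \
    "id:10101,phase:1,pass,t:none,log,\
    msg:'Geolocation risk signal: country %{GEO:COUNTRY_CODE}',\
    setvar:'tx.risk_score=+3'"

# Signal 2: no User-Agent header at all, a second independent risk factor so
# that location alone never decides the outcome.
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
    "id:10102,phase:1,pass,t:none,log,\
    msg:'Missing User-Agent header',\
    setvar:'tx.risk_score=+2'"

# Verdict: deny only when the accumulated score reaches the chosen threshold.
# With SecRuleEngine DetectionOnly this rule only logs, which is the safe way
# to tune the weights before enforcing.
SecRule TX:RISK_SCORE "@ge 5" \
    "id:10103,phase:1,deny,status:403,t:none,log,\
    msg:'Request denied: risk score %{TX:RISK_SCORE} (country %{GEO:COUNTRY_CODE})'"
```

Rule IDs 1 to 99,999 are reserved for local use, which is why the example uses that range. The order matters: the `@geoLookup` rule must run before any rule that reads `GEO:COUNTRY_CODE`, and all four rules sit in phase 1 so a denied request is rejected before its body is read. Watch the audit log for a few days with the rule engine in DetectionOnly mode before switching to enforcement; a country weight that looked reasonable on paper is exactly where the false positives the text warns about will show up.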