Allow Listing Let's Encrypt in regards to ModSecurity Rules

Hi,

On ModSecurity, given that some list of cities or countries is blocked (as at the bottom), but wanting to whitelist Let's Encrypt (which checks the .well-known directory) in such a manually configured rule, would adding the lines below within that rule properly whitelist LE?

SecRule REQUEST_URI "!@streq .*/\.well\-known/acme\-challenge.*$" "chain,t:lowercase"
SecRule REQUEST_HEADERS:User-Agent "!@streq .*letsencrypt.*$" "chain,t:lowercase"

Any suggestions?

SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:99999932396,drop,log,msg:'Blocking %{geo.city}, %{geo.country_name}',logdata:'{country_code=%{geo.country_code}, country_code3=%{geo.country_code3}, country_name=%{geo.country_name}, country_continent=%{geo.country_continent}, city=%{geo.city}'"

SecRule REQUEST_URI "!@streq .*/\.well\-known/acme\-challenge.*$" "chain,t:lowercase"

SecRule REQUEST_HEADERS:User-Agent "!@streq .*letsencrypt.*$" "chain,t:lowercase"

SecRule GEO:CITY "@pm city1 city2 city3"

Allow requests for /.well-known/acme-challenge/ from anywhere indeed. LE does not publish the IP addresses used for validation (that would help attackers greatly) and validations are done from up to 4 different vantage points.

However, you already seem to be doing the correct thing, right? What exactly do you require help with? Isn't it working properly?

3 Likes

I'm confused (easily), as I'm trying to determine WHY you would go through all this trouble (with HTTP).

Do you even serve any HTTP content (other than challenge files)?

2 Likes

I know the cities from which LE connects. Those are some of AWS's main locations in the USA and Western Europe.

However, those AWS locations are also a source of attacks on my site.

I would like to block those cities, and whitelist LE not according to IP but according to 'REQUEST_HEADERS:User-Agent' and 'REQUEST_URI'.

Any thoughts?

1 Like

First, I personally would not bother with such an approach.

But, if you must, I would not check user-agent and just use URI and city. As to the syntax for that product I have no idea. These are just general comments:

You know the LE server IPs may change per their FAQ. My personal experience is that geo databases change too, so checking city names is unreliable.

To be sure that Let's Encrypt HTTP challenges are whitelisted, you should pass through any requests for the .well-known/acme-challenge URI. Or use the DNS challenge.

Blocking "AWS Cities" seems problematic but it's your call. For example, I use test servers on AWS when inspecting people's sites when helping on this forum. A block such as this might lead me to wrong conclusions and bad advice. And, other helpful sites that are hosted on AWS might have problems too (like html, ssl or server testers ... things like that).

If you have traffic stress from such attacks maybe a CDN like Cloudflare is a better solution.

4 Likes
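An added example, not part of any post in this thread: one way to write the URI-plus-city chain suggested in the reply above in ModSecurity v2 rule syntax, with comments on why the `!@streq` links in the posted rule exempt nothing. The rule id `1000001` and the names `city1` to `city3` are placeholders, and a geolocation database is assumed to be configured already.

```apache
# Constructed example: rule id 1000001 and city1..city3 are placeholders.
# Assumes a geolocation database is already configured for @geoLookup.
#
# Why the posted exclusion links do not exempt anything:
#   @streq is a literal string comparison, so ".*/\.well\-known/..." is
#   compared character for character and never equals a real URI. The
#   negated test "!@streq ..." is therefore true for every request, the
#   chain always continues, and challenge requests are dropped as well.
#
# Chain logic below: the request is dropped only when ALL links match:
#   1. the geo lookup for the client address succeeds
#   2. the path is NOT under /.well-known/acme-challenge/
#   3. the resolved city is on the block list
#
# The User-Agent link is left out, as the reply suggests: the header is
# set by the client, so it says nothing reliable about who is asking.
#
# t:normalizePath collapses "./" and "../" segments before the prefix
# comparison, so only paths that really sit under the challenge
# directory are exempted. No t:lowercase: the exempted prefix is matched
# exactly as Let's Encrypt requests it.
#
# @pm is a case-insensitive substring match, so "city1" would also
# match a city whose name merely contains it. Keep the list specific.

SecRule REMOTE_ADDR "@geoLookup" \
    "id:1000001,\
    phase:1,\
    drop,\
    log,\
    msg:'Blocking %{geo.city}, %{geo.country_name}',\
    logdata:'country_code=%{geo.country_code}, city=%{geo.city}',\
    chain"
    SecRule REQUEST_URI "!@beginsWith /.well-known/acme-challenge/" \
        "t:none,t:normalizePath,\
        chain"
        SecRule GEO:CITY "@pm city1 city2 city3" \
            "t:none"
```

Only the first rule of a chain carries the id, phase and disruptive action; the later links carry just their own transformations and `chain`.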

Never did get an answer to my question:

1 Like
