Brute force wp-login.php modsecurity

joaosavioli

• September 04, 2018 15:05

Hi! Today morning I had a problem about an attack against some websties hosted in my server. This caused apache very slow and high load. A lot of IP address (about 900 address) trying to access wp-login.php of some websites (about 20 websites), at the same time. Do you have any way to block this using modsecurity rules? I could found it in some threads about it, but some are to old. I"m using the last cpanel version, with easyapache4 and the new modsecurity tools. Very thank you Best Joao

• 

  cPanelLauren

  • September 05, 2018 13:07

  Hi @joaosavioli The OWASP rulesets and what they're for are listed here OWASP ModSecurity CRS - cPanel Knowledge Base - cPanel Documentation I would suggest reading wordpress's own tutorial for resolving these issues Brute Force Attacks " WordPress Codex they also include a link to some ModSecurity rules that can be helpful to mitigate these. Thanks!

  0
• 

  joaosavioli

  • September 05, 2018 13:48

  Hello guys, thank you for replying. I've fixed the problem with this solution on modsecurity level. It"s working fine! WordPress ModSecurity Rules | Liquid Web Knowledge Base Cheers! Joao

  0
• 

  cPanelLauren

  • September 05, 2018 14:43

  Hi @joaosavioli I'm glad to hear you were able to resolve the issue, thanks for letting us know what helped you!

  0
• 

  Bidi

  • March 25, 2022 10:22

  Hello guys, dose anyone have new rules for mod_sec ? The one from here # Setup brute force detection. # React if block flag has been set. SecRule user:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 1 h, more than 5 login attempts in 3 minutes.'" # Setup Tracking. On a successful login, a 302 redirect is performed, a 200 indicates login failed. SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136" SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137" SecRule ip:bf_counter "@gt 5" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=3600,setvar:ip.bf_counter=0" On csf it show 2 min ban not even 5 min, i even changed bf_counter=1/180 to bf_counter=1/3600, still the same. I changed on CSF this values.

  Enable failure detection of repeated Apache mod_security rule triggers LF_MODSEC = 5 LF_MODSEC_PERM = 3600 And it works but it dose not takes value from the mod sec rules and i whant those.

  0

Please sign in to leave a comment.