WordPress brute-force protection via mod_sec rules with nginx installed - working solution?
Has anyone tried this rule set?
http://www.frameloss.org/2011/07/29/stopping-brute-force-logins-against-wordpress/
I have Apache 2.2.25 and mod_security 2.6.4, with nginx as the front-end and mod_realip2 to correct REMOTE_ADDR.
But those rules identify my server IP as the attacker's IP.
In the mod_sec audit log I find this (111.211.111.73 is my server IP, 111.175.7.163 is my real IP):
--b5d14d22-A--
[27/Sep/2013:10:02:01 +0400] UkUfWV-Th4oAABEmtYwAAAAE 111.211.111.73 21108 111.211.111.73 80
--b5d14d22-B--
POST /wp-login.php HTTP/1.0
Host: outmax.ru
X-Real-IP: 111.175.7.163
X-Forwarded-For: 111.175.7.163
Connection: close
Content-Length: 120
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: [Removed]
Cookie: PHPSESSID=630a291c7c01f923d7745817d0b19f45; wordpress_test_cookie=WP+Cookie+check
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
In the internal database that these rules create I have only one entry, and it is the server IP:
CREATE_TIME 1380261568
UPDATE_COUNTER 1
bf_counter 1
LAST_UPDATE_TIME 1380261568
111.211.111.73
So I conclude that mod_sec can determine the IP correctly, but something goes wrong..
Any ideas about this?
Hello :) I have not personally used that rule set. Have you tried temporarily disabling nginx to determine whether you experience the same issue with the standard Apache installation? Thank you.
The question here is what IP your normal Apache log shows. See how the modsec data has the "real" IP under "X-Forwarded-For"? This means Apache is seeing the proxy IP of nginx as the visitor, but that visit carries the original IP in the X-Forwarded-For header. I know there is a way to configure around this so that the Apache logs use the "X-Forwarded-For" IP as the visitor IP rather than the IP of the host running the nginx reverse proxy. I think it may have to do with mod zeus that was used for load balancers, or something similar to that. Basically, it's not a problem with modsec, and there should be a way to fix it, but I don't recall the exact way. This might help you: http://stackoverflow.com/questions/9019836/how-to-make-nginx-and-apache-work-together-for-showing-the-real-client-ip (proxy - how to make nginx and apache work together for showing the real client IP? - Stack Overflow)
Apache correctly determines the IP of the visitor; we use mod_rpaf for that (as already described in that article). In the mod_sec logs the correct visitor IP is also determined. But in fact that rule set blocks only the server IP... If we disable nginx, the rule set works correctly. I suppose the problem is somewhere around "mod_rpaf + mod_security". It would be great if cPanel updated mod_sec so we could test it on the latest version, or maybe we will find another solution for it..
That makes sense, it may have to do with the processing phase of the rule. Good luck.
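The behaviour the thread describes, as an added example that is not part of any poster's reply and is not the frameloss rule set or mod_security itself: a small Python script that replays the audit-log excerpt from the question through a toy per-source login counter, once keyed on the section-A client address (what a rule that reads REMOTE_ADDR sees when Apache sits behind nginx) and once keyed on the address the proxy forwards, honoured only when the TCP peer is the known proxy. The second client 203.0.113.9, the threshold of three POSTs, the extra spoofed X-Forwarded-For hop and all helper names are assumptions made for the demonstration; the counter counts login POSTs rather than failed logins, which is a simplification of what a real rule set does.

```python
"""Replay the thread's mod_security audit-log excerpt through a toy
per-source login counter, keyed first on the section-A client address
(what a rule reading REMOTE_ADDR sees behind nginx) and then on the
address the proxy forwards.  Added example; not the frameloss rule set."""
import re
from collections import Counter

PROXY_IP = "111.211.111.73"   # the server / nginx address from the question
THRESHOLD = 3                 # POSTs before a source is blocked (assumed)

SECTION_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
# section A: [timestamp] unique-id client-ip client-port server-ip server-port
A_LINE_RE = re.compile(r"^\[[^\]]+\] (\S+) (\S+) (\d+) (\S+) (\d+)$")


def _audit_entry(uid, remote_addr, port, forwarded_for):
    """Format one transaction the way mod_security's serial audit log does:
    section A (time, unique id, client ip/port, server ip/port) and section B
    (request line and headers).  Only the headers relevant here are kept."""
    real_ip = forwarded_for.split(",")[-1].strip()
    return (
        f"--{uid}-A--\n"
        f"[27/Sep/2013:10:02:01 +0400] UkUfWV-{uid} {remote_addr} {port} {PROXY_IP} 80\n"
        f"--{uid}-B--\n"
        "POST /wp-login.php HTTP/1.0\n"
        "Host: outmax.ru\n"
        f"X-Real-IP: {real_ip}\n"
        f"X-Forwarded-For: {forwarded_for}\n"
        "Connection: close\n\n"
    )


# Constructed sample: the question's transaction (111.175.7.163 behind the
# proxy) three times, plus one POST from a hypothetical second client
# 203.0.113.9 whose request already carried a spoofed X-Forwarded-For hop
# before nginx appended the real peer address.
AUDIT_LOG = "".join([
    _audit_entry("b5d14d22", PROXY_IP, 21108, "111.175.7.163"),
    _audit_entry("b5d14d23", PROXY_IP, 21109, "111.175.7.163"),
    _audit_entry("b5d14d24", PROXY_IP, 21110, "111.175.7.163"),
    _audit_entry("b5d14d25", PROXY_IP, 21111, "10.0.0.1, 203.0.113.9"),
])


def parse_audit_log(text):
    """Split a serial audit log into transactions: remote_addr from section A,
    method, path and a lower-cased header dict from section B."""
    parts, current = {}, None            # (uid, letter) -> lines
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            parts[current] = []
        elif current is not None:
            parts[current].append(line)
    txns = []
    for (uid, letter), lines in parts.items():
        if letter != "A" or not lines:
            continue
        a = A_LINE_RE.match(lines[0])
        b = parts.get((uid, "B"), [])
        if not a or not b:
            continue
        method, path = (b[0].split(" ") + ["", ""])[:2]
        headers = {}
        for h in b[1:]:
            if ":" in h:
                name, _, value = h.partition(":")
                headers[name.strip().lower()] = value.strip()
        txns.append({"id": uid, "remote_addr": a.group(2), "method": method,
                     "path": path, "headers": headers})
    return txns


def effective_client(txn, trusted_proxies=frozenset({PROXY_IP})):
    """Address a rule should key on.  X-Forwarded-For is honoured only when
    the TCP peer is a trusted proxy, and only its rightmost entry (the one
    that proxy appended); anything earlier is attacker-controlled."""
    remote = txn["remote_addr"]
    xff = txn["headers"].get("x-forwarded-for")
    if remote in trusted_proxies and xff:
        return xff.split(",")[-1].strip()
    return remote


def count_login_posts(transactions, key):
    """Count POSTs to wp-login.php per source, where key() picks the source."""
    counts = Counter()
    for t in transactions:
        if t["method"] == "POST" and t["path"].endswith("/wp-login.php"):
            counts[key(t)] += 1
    return counts


def blocked(counts, threshold=THRESHOLD):
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def compare(log=AUDIT_LOG):
    """Who gets blocked when keying on REMOTE_ADDR vs. the forwarded client."""
    txns = parse_audit_log(log)
    naive = count_login_posts(txns, lambda t: t["remote_addr"])
    aware = count_login_posts(txns, effective_client)
    return {"remote_addr": blocked(naive), "forwarded": blocked(aware)}


if __name__ == "__main__":
    print(compare())
```

Keyed on the section-A address every request behind nginx collapses onto 111.211.111.73, so the first source to cross the threshold is the server itself, which is exactly the single-entry collection the question shows; keyed on the forwarded address the two clients are counted separately. The trusted-proxy check is the part not to skip: with nginx configured to send `$proxy_add_x_forwarded_for` (an assumption about the setup, since the thread does not show the nginx config) the real client is the last entry, and honouring the header from an untrusted peer would let an attacker pick which address gets blocked.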