wp-login.php and mod security

sahostking

September 29, 2014 01:00

Hi guys, We moved from paid Atomic Rules to Comodo WAF rules and all works well. Just one thing we cannot get working is that wp-login.php and administrator/index.php for Joomla and Wordpress websites get hit a lot as per below. Clients are in CloudLinux LVE so only affects the one customer but still it happens to random ones each day. Already posted on Comodo Forums aswell as webhostingtalk.com but still waiting on response. I get quicker response here :)


96.30.62.175 - - [29/Sep/2014:07:56:33 +0200] "POST /wp-login.php HTTP/1.0" 200 3810 "-" "-"
96.30.62.175 - - [29/Sep/2014:07:56:34 +0200] "POST /wp-login.php HTTP/1.0" 200 3810 "-" "-"
96.30.62.175 - - [29/Sep/2014:07:56:35 +0200] "POST /wp-login.php HTTP/1.0" 508 7287 "-" "-"
96.30.62.175 - - [29/Sep/2014:07:56:35 +0200] "POST /wp-login.php HTTP/1.0" 200 3810 "-" "-"
96.30.62.175 - - [29/Sep/2014:07:56:36 +0200] "POST /wp-login.php HTTP/1.0" 200 3810 "-" "-"
96.30.62.175 - - [29/Sep/2014:07:56:37 +0200] "POST /wp-login.php HTTP/1.0" 200 3810 "-" "-"
96.30.62.175 - - [29/Sep/2014:07:56:37 +0200] "POST /wp-login.php HTTP/1.0" 508 7287 "-" "-"
96.30.62.175 - - [29/Sep/2014:07:56:38 +0200] "POST /wp-login.php HTTP/1.0" 508 7287 "-" "-"
96.30.62.175 - - [29/Sep/2014:07:56:38 +0200] "POST /wp-login.php HTTP/1.0" 508 7287 "-" "-"
96.30.62.175 - - [29/Sep/2014:07:56:39 +0200] "POST /wp-login.php HTTP/1.0" 508 7287 "-" "-"
96.30.62.175 - - [29/Sep/2014:07:56:40 +0200] "POST /wp-login.php HTTP/1.0" 508 7287 "-" "-"
96.30.62.175 - - [29/Sep/2014:07:56:41 +0200] "POST /wp-login.php HTTP/1.0" 200 3810 "-" "-"
96.30.62.175 - - [29/Sep/2014:07:56:42 +0200] "POST /wp-login.php HTTP/1.0" 200 3810 "-" "-"
96.30.62.175 - - [29/Sep/2014:07:56:43 +0200] "POST /wp-login.php HTTP/1.0" 508 7287 "-" "-"
96.30.62.175 - - [29/Sep/2014:07:56:43 +0200] "POST /wp-login.php HTTP/1.0" 508 7287 "-" "-"
96.30.62.175 - - [29/Sep/2014:07:56:44 +0200] "POST /wp-login.php HTTP/1.0" 508 7287 "-" "-"
96.30.62.175 - - [29/Sep/2014:07:56:44 +0200] "POST /wp-login.php HTTP/1.0" 508 7287 "-" "-"
96.30.62.175 - - [29/Sep/2014:07:56:45 +0200] "POST /wp-login.php HTTP/1.0" 508 7287 "-" "-"
96.30.62.175 - - [29/Sep/2014:07:56:46 +0200] "POST /wp-login.php HTTP/1.0" 508 7287 "-" "-"
96.30.62.175 - - [29/Sep/2014:07:56:46 +0200] "POST /wp-login.php HTTP/1.0" 508 7287 "-" "-"
96.30.62.175 - - [29/Sep/2014:07:56:47 +0200] "POST /wp-login.php HTTP/1.0" 508 7287 "-" "-"
96.30.62.175 - - [29/Sep/2014:07:56:47 +0200] "POST /wp-login.php HTTP/1.0" 200 3810 "-" "-"
96.30.62.175 - - [29/Sep/2014:07:56:48 +0200] "POST /wp-login.php HTTP/1.0" 200 3810 "-" "-"
96.30.62.175 - - [29/Sep/2014:07:56:49 +0200] "POST /wp-login.php HTTP/1.0" 200 3810 "-" "-"
96.30.62.175 - - [29/Sep/2014:07:56:49 +0200] "POST /wp-login.php HTTP/1.0" 200 3810 "-" "-"
96.30.62.175 - - [29/Sep/2014:07:56:50 +0200] "POST /wp-login.php HTTP/1.0" 200 3810 "-" "-"
96.30.62.175 - - [29/Sep/2014:07:56:51 +0200] "POST /wp-login.php HTTP/1.0" 200 3810 "-" "-"
96.30.62.175 - - [29/Sep/2014:07:56:52 +0200] "POST /wp-login.php HTTP/1.0" 200 3810 "-" "-"

I currently use this but does not seem to work:

# WordPress Brute Force and Comment Spam Protection


SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:00110
SecRule user:bf_block "@gt 0" "deny,status:403,log,id:00111,msg:'IP address blocked for 5 minutes. More than 3 POST requests to wp-login.php or wp-comments-post.php within 10 seconds.'"
SecRule REQUEST_METHOD "^POST$" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/10,id:00112"
SecRule ip:bf_counter "@gt 3" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"


# Joomla Brute Force Protection

SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:00113
SecRule user:bf_block "@gt 0" "deny,status:403,log,id:00114,msg:'IP address blocked for 5 minutes. More than 3 Joomla POST requests within 10 seconds.'"
SecRule REQUEST_METHOD "^POST$" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/10,id:00115"
SecRule ip:bf_counter "@gt 3" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"

Comments

45 comments

quizknows

August 12, 2015 17:55
Can you humor me and check the ownership of the ip.dir and ip.pag files? That could help indicate if RUID2 is causing an issue. Also have you tried tailing the apache error log while you attempt to get blocked?
0
rregister

August 12, 2015 19:44
Can you humor me and check the ownership of the ip.dir and ip.pag files? That could help indicate if RUID2 is causing an issue. Also have you tried tailing the apache error log while you attempt to get blocked?

On the main server I've been testing this on (as well as the other 3 like it from the same provider) it's showing the owner and group as 'nobody' with 640 permissions. On a set of VPS servers from another hosting company that I also tried this on, I'm not seeing any ip.dir and ip.pg files at all. The secdatadir directory appears to be empty. o_O I've been monitoring the apache error log pretty closely but it logs nothing using that rule ID.
0
GrandAdmiral

September 16, 2015 02:04
RUID2 and bruteforce rules (using the ip.dir and ip.pag) files is notoriously unreliable due to ownership conflicts. Apparently the most reliable way you can get around this is by using CageFS and a per-user virtual mount point containing the ip.dir and ip.pag files although I have not tried it myself. For a fully supported high-performance solution I recommend trying FCGI as your PHP handler. The configuration is not as scary as you'd think and I ended up spending far less time on it than I ever did trying to fix the RUID2 conflict.
0
WorkinOnIt

May 29, 2017 13:29
Referring to this thread, wp-login.php and mod security And using the mod sec rules suggested by the very helpful @quizknows I have a similar issue to @rregister - all rules work fine - but not the brute force detection. Just wondering if you managed to solve this ? Here are my rules in modsec/modsec2.user.conf - using EA4 / CENTOS 6.9 x86_64 cPanel & WHM build 64 SecUploadDir /tmp SecTmpDir /tmp SecDataDir /tmp SecRequestBodyAccess On #Block WP logins with no referring URL SecRule REQUEST_METHOD "POST" "deny,status:401,id:5000130,chain,msg:'wp-login request blocked, no referer'" SecRule &HTTP_REFERER "@eq 0" #Wordpress Brute Force detection SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},id:5000134 # Setup brute force detection. # React if block flag has been set. SecRule ip:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes.'" # Setup Tracking. On a successful login, a 302 redirect is performed, a 200 indicates login failed. SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136" SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137" SecRule ip:bf_counter "@gt 10" "t:none,setvar:ip.bf_block=1,expirevar:ip.bf_block=900,setvar:ip.bf_counter=0" #900 = block for 15 minutes # check bots by user agent and match to included file # block bad bots SecRule REQUEST_HEADERS:User-Agent "@pmFromFile /etc/apache2/conf.d/blackbots.txt" "id:980001,rev:1,severity:2,log,msg:'Bot Rule: Black Bot detected.'" #XMLRPC block SecRule REQUEST_LINE "POST .*xmlrpc.*" "pass,initcol:ip=%{REMOTE_ADDR},setvar:ip.maxlimit=+1,deprecatevar:ip.maxlimit=1/600,nolog,id:350201" SecRule IP:MAXLIMIT "@gt 10" "log,deny,id:350202,msg:'wp-xmlrpc: denying %{REMOTE_ADDR} (%{ip.maxlimit} connection attempts)'"
Thanks for any advice!
0
joaosavioli

March 27, 2019 01:00
Hi, I"m having a lot of attack in wp-login.php file of many site. I have this protection in modsecurity WordPress ModSecurity Rules | Liquid Web Knowledge Base, but ins"t working because the attack is too large. Is it possible to block in all server (httpd.conf) access on wp-login.php? I"ve tryed this, but didn"t work. Order allow, deny Deny from all Do you have any other sugestion to help me? Thank you! Cheers, Joao
0
akust0m

March 27, 2019 10:43
Hi there! Do you use CSF? You could try this custom solution I did a few years ago: How to set up protection on Wordpress
0
joaosavioli

March 27, 2019 13:24
Hi, I'm trying include some instructions in .htaccess, but iy works only without wordpress rules. it works: cat .htaccess RewriteEngine On RewriteCond %{ENV:REDIRECT_STATUS} ^$ RewriteCond %{HTTP_USER_AGENT} ^(python|catexplorador) [NC,OR] RewriteCond %{HTTP_USER_AGENT} ^$ RewriteRule ^.* - [F,L] it doesn't work: cat .htaccess RewriteEngine On RewriteCond %{ENV:REDIRECT_STATUS} ^$ RewriteCond %{HTTP_USER_AGENT} ^(python|catexplorador) [NC,OR] RewriteCond %{HTTP_USER_AGENT} ^$ RewriteRule ^.* - [F,L] # BEGIN WordPress RewriteEngine On RewriteBase / RewriteRule ^index\.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . /index.php [L] # END WordPress Could you help me? Cheers, Joao
0
joaosavioli

March 27, 2019 15:02
Hello @akust0m, thank you for replying. You created a very good way to fix it, but it doesn't work for me, because the attack was too large (more than 1000 ips). I've fixed it with a global .htaccess file, blocking python requests: [root@serv ]# cat /home/.htaccess Options All -Indexes RewriteEngine on SetEnvIfNoCase user-agent bot\[.+\]|.*mj12bot.*|.*baiduspider.*|.*python-requests*. bad_bot=1 Order Allow,Deny Allow from all Deny from env=bad_bot [root@serv ]# ls -la /home/.htaccess -rw-r--r--. 1 root root 187 Mar 27 11:46 /home/.htaccess Cheers! Joao
0
joaosavioli

March 27, 2019 15:03
Hi! I've fixed it with a global (users layer) .htaccess file, blocking python requests: [root@serv ]# cat /home/users/.htaccess Options All -Indexes RewriteEngine on SetEnvIfNoCase user-agent bot\[.+\]|.*mj12bot.*|.*baiduspider.*|.*python-requests*. bad_bot=1 Order Allow,Deny Allow from all Deny from env=bad_bot Cheers! Joao
0
NabiKAZ

May 04, 2019 19:58
Referring to this thread, wp-login.php and mod security And using the mod sec rules suggested by the very helpful @quizknows I have a similar issue to @rregister - all rules work fine - but not the brute force detection. Just wondering if you managed to solve this ? Here are my rules in modsec/modsec2.user.conf - using EA4 / CENTOS 6.9 x86_64 cPanel & WHM build 64 SecUploadDir /tmp SecTmpDir /tmp SecDataDir /tmp SecRequestBodyAccess On #Block WP logins with no referring URL SecRule REQUEST_METHOD "POST" "deny,status:401,id:5000130,chain,msg:'wp-login request blocked, no referer'" SecRule &HTTP_REFERER "@eq 0" #Wordpress Brute Force detection SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},id:5000134 # Setup brute force detection. # React if block flag has been set. SecRule ip:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes.'" # Setup Tracking. On a successful login, a 302 redirect is performed, a 200 indicates login failed. SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136" SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137" SecRule ip:bf_counter "@gt 10" "t:none,setvar:ip.bf_block=1,expirevar:ip.bf_block=900,setvar:ip.bf_counter=0" #900 = block for 15 minutes # check bots by user agent and match to included file # block bad bots SecRule REQUEST_HEADERS:User-Agent "@pmFromFile /etc/apache2/conf.d/blackbots.txt" "id:980001,rev:1,severity:2,log,msg:'Bot Rule: Black Bot detected.'" #XMLRPC block SecRule REQUEST_LINE "POST .*xmlrpc.*" "pass,initcol:ip=%{REMOTE_ADDR},setvar:ip.maxlimit=+1,deprecatevar:ip.maxlimit=1/600,nolog,id:350201" SecRule IP:MAXLIMIT "@gt 10" "log,deny,id:350202,msg:'wp-xmlrpc: denying %{REMOTE_ADDR} (%{ip.maxlimit} connection attempts)'"
Thanks for any advice!

On the "CLOUDLINUX 7.6 kvm [server] v74.0.12 Load Averages: 2.79 3.35 4.15" I put your code in the "/usr/local/apache/conf/modsec2.user.conf" file. But didn't resolved the problem. - Removed - Do you can help me?
0
joaosavioli

May 07, 2019 13:41
Hi @NabiKAZ. Please, try to add this rule using WHM. The way is WHM >> Modsecurity Tools >> Rule List >> Add new rule. Cheers! Jo"o
0
NabiKAZ

May 15, 2019 00:45
Hi @NabiKAZ. Please, try to add this rule using WHM. The way is WHM >> Modsecurity Tools >> Rule List >> Add new rule. Cheers! Jo"o

Thanks, It's works for me.
0
dstana

September 10, 2019 16:22
I have a server that's getting hosed with Wordpress related spam (wp-login and xmlrpc). I've tried using these modesc rules: #Block WP logins with no referring URL SecRule REQUEST_METHOD "POST" "deny,status:401,id:5000130,chain,msg:'wp-login request blocked, no referer'" SecRule &HTTP_REFERER "@eq 0" #Wordpress Brute Force detection SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},id:5000134 # Setup brute force detection. # React if block flag has been set. SecRule ip:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes.'" # Setup Tracking. On a successful login, a 302 redirect is performed, a 200 indicates login failed. SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136" SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137" SecRule ip:bf_counter "@gt 10" "t:none,setvar:ip.bf_block=1,expirevar:ip.bf_block=300,setvar:ip.bf_counter=0"
However, grepping through the apache log, none of these rules get any hits. I do have a couple rules that are working and show in the modsec hit list: SecRule REQUEST_METHOD "POST" "deny,status:401,id:5000901,chain,msg:'wp-login request blocked, no referer'" SecRule &HTTP_REFERER "@eq 0" "chain" SecRule REQUEST_URI "wp-login.php" SecRule REQUEST_METHOD "POST" "deny,status:401,id:5000900,chain,msg:'xmlrpc request blocked, no referer'" SecRule &HTTP_REFERER "@eq 0" "chain" SecRule REQUEST_URI "xmlrpc.php
I need some relief here and I'm not sure what else to do. Thanks for your help.
0
cPanelMichael

September 11, 2019 18:00
Hello @dstana, I moved your post into the existing thread on this topic. Let us know if the previous posts help. Thank you.
0
dstana

September 16, 2019 20:26
Hello @dstana, I moved your post into the existing thread on this topic. Let us know if the previous posts help. Thank you.

Idk what for, apparently no one monitors or responds to these kind of questions on the forum. I have POST and GET requests to wp-login.php and xmlrpc.php out the wazoo and I haven't had a single hit on any of the modsec rules I posted above. Care to weigh in?
0

Please sign in to leave a comment.

Comments

Didn't find what you were looking for?