  1. #1
    Join Date
    Mar 2012
    Location
    Cape Town
    Posts
    678

    Mod Security rules not working - any ideas?

    Hi,

    Please can someone assist with any advice or idea to solve this.

    I'm noticing a lot of hits on wp-login.php and administrator/index.php on WordPress and Joomla websites.


    91.200.12.21 - - [28/Sep/2014:21:57:20 +0200] "GET /administrator/index.php HTTP/1.1" 200 6020 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
    91.200.12.21 - - [28/Sep/2014:21:57:21 +0200] "POST /administrator/index.php HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
    91.200.12.21 - - [28/Sep/2014:21:57:21 +0200] "GET /administrator/index.php HTTP/1.1" 200 6020 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
    91.200.12.21 - - [28/Sep/2014:21:57:22 +0200] "POST /administrator/index.php HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
    91.200.12.21 - - [28/Sep/2014:21:57:22 +0200] "GET /administrator/index.php HTTP/1.1" 200 6020 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
    91.200.12.21 - - [28/Sep/2014:21:57:23 +0200] "POST /administrator/index.php HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
    91.200.12.21 - - [28/Sep/2014:21:57:23 +0200] "GET /administrator/index.php HTTP/1.1" 200 6020 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
    91.200.12.21 - - [28/Sep/2014:21:57:24 +0200] "POST /administrator/index.php HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
    91.200.12.21 - - [28/Sep/2014:21:57:25 +0200] "GET /administrator/index.php HTTP/1.1" 200 6020 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
    91.200.12.21 - - [28/Sep/2014:21:57:25 +0200] "POST /administrator/index.php HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
    91.200.12.21 - - [28/Sep/2014:21:57:32 +0200] "POST /administrator/index.php HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
    91.200.12.21 - - [28/Sep/2014:21:57:32 +0200] "GET /administrator/index.php HTTP/1.1" 200 6020 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
    91.200.12.21 - - [28/Sep/2014:21:57:33 +0200] "POST /administrator/index.php HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
    91.200.12.21 - - [28/Sep/2014:21:57:33 +0200] "GET /administrator/index.php HTTP/1.1" 200 6020 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"



    How would one block these properly, as we use Config Server Firewall, which never blocks the above with LF_MODSEC at 3 or LF_CXS at 2? Comodo's WAF brute force rules don't seem to work, and neither do the following rules I implemented in the Comodo WAF userdata section. Maybe my rules just don't work?

    # Put your custom ModSecurity directives here
    # Please don't remove this file

    # ADD THE FOLLOWING LINE ONLY IF YOU HAVE CXS INSTALLED!
    # cxs web script scanning

    SecRequestBodyAccess On
    SecRule FILES_TMPNAMES "@inspectFile /etc/cxs/cxscgi.sh" \
    "log,auditlog,deny,severity:2,id:'1010101'"
    SecTmpDir /tmp


    # WordPress Brute Force and Comment Spam Protection

    <LocationMatch "/(wp-login.php|wp-comments-post.php)">
    SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:00110
    SecRule user:bf_block "@gt 0" "deny,status:403,log,id:00111,msg:'IP address blocked for 5 minutes. More than 3 POST requests to wp-login.php or wp-comments-post.php within 10 seconds.'"
    SecRule REQUEST_METHOD "^POST$" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/10,id:00112"
    SecRule ip:bf_counter "@gt 3" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
    </LocationMatch>

    # Joomla Brute Force Protection

    <LocationMatch "/administrator/index.php">
    SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:00113
    SecRule user:bf_block "@gt 0" "deny,status:403,log,id:00114,msg:'IP address blocked for 5 minutes. More than 30 Joomla POST requests within 10 seconds.'"
    SecRule REQUEST_METHOD "^POST$" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/10,id:00115"
    SecRule ip:bf_counter "@gt 30" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
    </LocationMatch>
    Include /usr/local/apache/conf/modsec2.whitelist.conf
    Hostking| Since 2013 | Web Hosting | WordPress Web Hosting
    Domains • Shared • Reseller • VPS • Backups • cPanel

  2. #2
    Join Date
    Apr 2005
    Location
    Cochin
    Posts
    2,452
    Hi,

    It's not necessarily that the CSF or any brute force attack should prevent this. Confirm that you are using the latest CSF or WAF rules. OWASP has better rules out there:

    https://www.owasp.org/index.php/Cate...le_Set_Project

    Are you using the latest CMS version there? How about including the common iThemes Security (formerly Better WP Security) or All In One WP Security & Firewall plugin(s) in your WordPress CMS.

  3. #3
    Join Date
    Mar 2012
    Location
    Cape Town
    Posts
    678
    Was incorrect setup in CSF - thanks
    Hostking| Since 2013 | Web Hosting | WordPress Web Hosting
    Domains • Shared • Reseller • VPS • Backups • cPanel

  4. #4
    Hi,

    This looks like a DDoS.

    You may block this attack by adding lines like these to /etc/httpd/conf/includes/pre_virtualhost_global.conf


    Code:
    <IfModule mod_security2.c>
    SecDataDir /tmp
        # This has to be global, cannot exist within a directory or location clause . . .
        SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:10000502
        <Location /administrator/index.php>
            # Setup brute force detection.

            # React if block flag has been set.
            SecRule user:bf_block "@gt 0" "deny,status:401,log,msg:'Your ip is now blocked in the firewall.',id:10000503"

            # Setup Tracking.  On a successful login, a 302 redirect is performed, a 200 indicates login failed.
            SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:10000504"
            SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:10000505"
            SecRule ip:bf_counter "@gt 10" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=30000,setvar:ip.bf_counter=0"
        </Location>

    #Restrict Allowed IP Addresses
    #If you do not change your administrator account name, you can still add in an extra layer of security by only allowing admin login access to your IP address.  Here is an example ruleset:

    SecRule REQUEST_METHOD "@streq POST" "chain,id:'2',phase:2,t:none,block,log,msg:'Warning: Direct Login Missing Referer'"
      SecRule REQUEST_FILENAME "@pm /administrator/index.php /administrator/" "chain"
        SecRule &REQUEST_HEADERS:Referer "@eq 0"

    # Note: the RESPONSE_BODY test in this chain only sees the body when SecResponseBodyAccess is On.
    SecRule REQUEST_FILENAME "@streq /administrator/index.php" "chain,phase:4,id:10000506,t:none,block,msg:'Authentication Failure Violation.',logdata:'Number of Authentication Failures: %{ip.failed_auth_attempt}'"
      SecRule REQUEST_METHOD "@streq POST" "chain"
        SecRule ARGS:log "@streq admin" "chain"
          SecRule RESPONSE_STATUS "200" "chain"
            SecRule RESPONSE_BODY "@contains <strong>Error</strong>:Incorrect password." "chain,setvar:ip.failed_auth_attempt=+1,expirevar:ip.failed_auth_attempt=60"
              SecRule IP:FAILED_AUTH_ATTEMPT "@gt 5"

    </IfModule>


    Don't forget to restart Apache right after:

    Code:
    service httpd restart
    On our side, this is working fine. It will block repetitive access attempts to your administrator page.
    Last edited by carlg; 09-30-2014 at 07:02 AM. Reason: modified the id's in the rules to avoid conflicts with other rules
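Added example (mine, not code from anyone in this thread): a small Python model of the per-IP counter logic that both the rules in post #1 and the rules in reply #4 rely on, replayed over the exact 14 requests quoted in the opening post. The thresholds, decay rates and block durations come from those rules; the way deprecatevar is approximated (subtract the amount once for every full period since the counter was last touched) and the assumption that a denied request is not counted again are simplifications of mine. Run on the OP's burst, the model shows why the posted Joomla rule stays silent: seven POSTs a second apart never get near a threshold of 30, while the WordPress threshold of 3 would start denying from the ninth request, and reply #4's 200-counting rule counts the GETs (which return 200) rather than the POSTs (which return 404).

```python
"""Replay access-log lines through a simplified model of ModSecurity's
per-IP brute-force counters (setvar / deprecatevar / expirevar)."""
import re
from datetime import datetime, timedelta

# Apache combined log format (assumed; it matches the lines quoted in the thread).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# The 14 requests from the opening post, reassembled in their original order.
UA = '"-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"'
SAMPLE_LOG = [
    f'91.200.12.21 - - [28/Sep/2014:21:57:{sec} +0200] '
    f'"{method} /administrator/index.php HTTP/1.1" {status} {UA}'
    for sec, method, status in [
        ("20", "GET", "200 6020"), ("21", "POST", "404 -"), ("21", "GET", "200 6020"),
        ("22", "POST", "404 -"), ("22", "GET", "200 6020"), ("23", "POST", "404 -"),
        ("23", "GET", "200 6020"), ("24", "POST", "404 -"), ("25", "GET", "200 6020"),
        ("25", "POST", "404 -"), ("32", "POST", "404 -"), ("32", "GET", "200 6020"),
        ("33", "POST", "404 -"), ("33", "GET", "200 6020"),
    ]
]


def parse_line(line):
    """Return ip, timestamp, method, path and status for one log line (None if unparsable)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


class BruteForceEmulator:
    """One rule set: block when the counter exceeds `threshold` ("@gt"),
    decay = (amount, seconds) as in deprecatevar:ip.bf_counter=amount/seconds,
    block_secs as in expirevar:user.bf_block=block_secs.
    count_method / count_status restrict which transactions increment the counter
    (None = any); reset_status zeroes it (reply #4 resets on a 302 login redirect)."""

    def __init__(self, paths, threshold, decay, block_secs,
                 count_method="POST", count_status=None, reset_status=None):
        self.paths, self.threshold, self.block_secs = set(paths), threshold, block_secs
        self.decay_amount, self.decay_secs = decay
        self.count_method, self.count_status, self.reset_status = count_method, count_status, reset_status
        self.counters = {}   # ip -> (value, last update time)
        self.blocks = {}     # ip -> block expiry time

    def handle(self, req):
        if req["path"] not in self.paths:
            return "pass"
        ip, now = req["ip"], req["ts"]
        # Phase 2 check: deny while the block flag has not expired (simplification:
        # a denied transaction is not counted again below).
        expiry = self.blocks.get(ip)
        if expiry is not None and now < expiry:
            return "deny"
        # Phase 5 bookkeeping.
        if self.reset_status is not None and req["status"] == self.reset_status:
            self.counters[ip] = (0, now)
            return "pass"
        if self.count_method is not None and req["method"] != self.count_method:
            return "pass"
        if self.count_status is not None and req["status"] != self.count_status:
            return "pass"
        value, last = self.counters.get(ip, (0, now))
        # deprecatevar approximation: one `amount` per full `decay_secs` since last update.
        elapsed = (now - last).total_seconds()
        value = max(0, value - int(elapsed // self.decay_secs) * self.decay_amount)
        value += 1
        if value > self.threshold:
            self.blocks[ip] = now + timedelta(seconds=self.block_secs)
            value = 0
        self.counters[ip] = (value, now)
        return "pass"


def replay(lines, emulator):
    """Feed every parsable line through the emulator; returns one decision per request."""
    return [emulator.handle(r) for r in map(parse_line, lines) if r is not None]


def joomla_rule_as_posted():
    """Post #1's Joomla rule: >30 POSTs, deprecatevar 1/10, block 300 s."""
    return BruteForceEmulator(["/administrator/index.php"], 30, (1, 10), 300)


def wordpress_thresholds_on_joomla():
    """Post #1's WordPress thresholds applied to the Joomla path: >3 POSTs, 1/10, 300 s."""
    return BruteForceEmulator(["/administrator/index.php"], 3, (1, 10), 300)


def reply4_rule():
    """Reply #4: count 200 responses on any method, reset on 302, >10, 1/180, 30000 s."""
    return BruteForceEmulator(["/administrator/index.php"], 10, (1, 180), 30000,
                              count_method=None, count_status=200, reset_status=302)


if __name__ == "__main__":
    for name, emu in [("joomla as posted", joomla_rule_as_posted()),
                      ("wordpress thresholds", wordpress_thresholds_on_joomla()),
                      ("reply #4", reply4_rule())]:
        d = replay(SAMPLE_LOG, emu)
        print(f"{name}: denied {d.count('deny')} of {len(d)} requests")
```

The useful exercise is to swap in your own access-log lines and the thresholds from your own rules before trusting a rule in production: a counter-based rule whose window and threshold do not match the attacker's request rate is indistinguishable, from the outside, from a rule that is not loaded at all.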
