09-28-2014, 04:02 PM #1 (Web Hosting Master)
Join Date: Mar 2012 | Location: Cape Town | Posts: 678
Mod Security rules not working - any ideas?
Hi,
Please can someone assist with any advice or idea to solve this.
I'm noticing a lot of hits on wp-login.php and administrator/index.php on websites that are WordPress and Joomla.
91.200.12.21 - - [28/Sep/2014:21:57:20 +0200] "GET /administrator/index.php HTTP/1.1" 200 6020 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
91.200.12.21 - - [28/Sep/2014:21:57:21 +0200] "POST /administrator/index.php HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
91.200.12.21 - - [28/Sep/2014:21:57:21 +0200] "GET /administrator/index.php HTTP/1.1" 200 6020 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
91.200.12.21 - - [28/Sep/2014:21:57:22 +0200] "POST /administrator/index.php HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
91.200.12.21 - - [28/Sep/2014:21:57:22 +0200] "GET /administrator/index.php HTTP/1.1" 200 6020 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
91.200.12.21 - - [28/Sep/2014:21:57:23 +0200] "POST /administrator/index.php HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
91.200.12.21 - - [28/Sep/2014:21:57:23 +0200] "GET /administrator/index.php HTTP/1.1" 200 6020 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
91.200.12.21 - - [28/Sep/2014:21:57:24 +0200] "POST /administrator/index.php HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
91.200.12.21 - - [28/Sep/2014:21:57:25 +0200] "GET /administrator/index.php HTTP/1.1" 200 6020 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
91.200.12.21 - - [28/Sep/2014:21:57:25 +0200] "POST /administrator/index.php HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
91.200.12.21 - - [28/Sep/2014:21:57:32 +0200] "POST /administrator/index.php HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
91.200.12.21 - - [28/Sep/2014:21:57:32 +0200] "GET /administrator/index.php HTTP/1.1" 200 6020 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
91.200.12.21 - - [28/Sep/2014:21:57:33 +0200] "POST /administrator/index.php HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
91.200.12.21 - - [28/Sep/2014:21:57:33 +0200] "GET /administrator/index.php HTTP/1.1" 200 6020 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
How would one block these properly? We use Config Server Firewall, which never blocks the above with LF_MODSEC at 3 or LF_CXS at 2. Comodo's WAF brute force rules don't seem to work, and neither do the following rules I implemented in the Comodo WAF userdata section. Maybe my rules just don't work?
Code:
# Put your custom ModSecurity directives here
# Please don't remove this file
# ADD THE FOLLOWING LINE ONLY IF YOU HAVE CXS INSTALLED!
# cxs web script scanning
SecRequestBodyAccess On
SecRule FILES_TMPNAMES "@inspectFile /etc/cxs/cxscgi.sh" \
    "log,auditlog,deny,severity:2,id:'1010101'"
SecTmpDir /tmp
# The initcol actions below only persist state if SecDataDir is set somewhere
# in the global configuration (and is writable by Apache); without it the
# ip/user collections are never stored and the counters never accumulate.
# WordPress Brute Force and Comment Spam Protection
<LocationMatch "/(wp-login\.php|wp-comments-post\.php)">
# phase 1: open (or create) the per-client ip and user collections
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:00110
# phase 2 (default): refuse while the block flag is set
SecRule user:bf_block "@gt 0" "deny,status:403,log,id:00111,msg:'IP address blocked for 5 minutes. More than 3 POST requests to wp-login.php or wp-comments-post.php within 10 seconds.'"
# phase 5: count every POST, decay the counter by 1 every 10 seconds, and
# above 3 set the block flag for 300 seconds and reset the counter
SecRule REQUEST_METHOD "^POST$" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/10,id:00112"
SecRule ip:bf_counter "@gt 3" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
</LocationMatch>
# Joomla Brute Force Protection (same logic, threshold 30 POSTs)
<LocationMatch "/administrator/index\.php">
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:00113
SecRule user:bf_block "@gt 0" "deny,status:403,log,id:00114,msg:'IP address blocked for 5 minutes. More than 30 Joomla POST requests within 10 seconds.'"
SecRule REQUEST_METHOD "^POST$" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/10,id:00115"
SecRule ip:bf_counter "@gt 30" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
</LocationMatch>
Include /usr/local/apache/conf/modsec2.whitelist.conf
Hostking| Since 2013 | Web Hosting | WordPress Web Hosting
Domains • Shared • Reseller • VPS • Backups • cPanel

09-29-2014, 02:11 AM #2 (Disabled)
Join Date: Apr 2005 | Location: Cochin | Posts: 2,452
Hi,
It's not necessarily the case that CSF or any brute force protection should prevent this. Confirm that you are using the latest CSF or WAF rules. OWASP has a better rule set out there:
https://www.owasp.org/index.php/Cate...le_Set_Project
Are you using the latest CMS version there? How about including the common iThemes Security (formerly Better WP Security) or All In One WP Security & Firewall plugin(s) in your WordPress CMS?

09-29-2014, 01:11 PM #3 (Web Hosting Master)
Join Date: Mar 2012 | Location: Cape Town | Posts: 678
Was incorrect setup in CSF - thanks

09-30-2014, 06:55 AM #4 (Newbie)
Join Date: Jul 2013 | Posts: 17
Hi,
This looks to be a DDoS.
You may block this attack by adding lines like these to /etc/httpd/conf/includes/pre_virtualhost_global.conf:
Code:
<IfModule mod_security2.c>
SecDataDir /tmp
# This has to be global, cannot exist within a directory or location clause
# ...
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:10000502
<Location /administrator/index.php>
# Setup brute force detection.
# React if block flag has been set.
SecRule user:bf_block "@gt 0" "deny,status:401,log,msg:'Your ip is now blocked in the firewall.',id:10000503"
# Setup Tracking. On a successful login, a 302 redirect is performed, a 200 indicates login failed.
# Note: the 200 rule counts every 200 served on this URL, including plain GETs
# of the login form, not only failed POSTs; the counter decays by 1 every 180 s.
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:10000504"
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:10000505"
SecRule ip:bf_counter "@gt 10" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=30000,setvar:ip.bf_counter=0"
</Location>
# Restrict Allowed IP Addresses
# If you do not change your administrator account name, you can still add in an extra layer of security by only allowing admin login access to your IP address. Here is an example ruleset:
# (as written, the two chains below key on a missing Referer header and on
# repeated failed logins rather than on a source IP address)
SecRule REQUEST_METHOD "@streq POST" "chain,id:'2',phase:2,t:none,block,log,msg:'Warning: Direct Login Missing Referer'"
    SecRule REQUEST_FILENAME "@pm /administrator/index.php /administrator/" "chain"
    SecRule &REQUEST_HEADERS:Referer "@eq 0"
# Inspecting RESPONSE_BODY in phase 4 requires SecResponseBodyAccess On.
# ARGS:log and the "Incorrect password" text are WordPress's login form; the
# Joomla administrator form posts username/passwd and renders a different
# error message, so adapt those two lines for Joomla.
SecRule REQUEST_FILENAME "@streq /administrator/index.php" "chain,phase:4,id:10000506,t:none,block,msg:'Authentication Failure Violation.',logdata:'Number of Authentication Failures: %{ip.failed_auth_attempt}'"
    SecRule REQUEST_METHOD "@streq POST" "chain"
    SecRule ARGS:log "@streq admin" "chain"
    SecRule RESPONSE_STATUS "200" "chain"
    SecRule RESPONSE_BODY "@contains <strong>Error</strong>:Incorrect password." "chain,setvar:ip.failed_auth_attempt=+1,expirevar:ip.failed_auth_attempt=60"
    SecRule IP:FAILED_AUTH_ATTEMPT "@gt 5"
</IfModule>
Don't forget to restart Apache right after:
Code:
service httpd restart
Last edited by carlg; 09-30-2014 at 07:02 AM. Reason: modified the id's in the rules to avoid conflicts with other rules
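Both rule sets in this thread (the POST counter in the first post and the 200/302 status counter in carlg's reply) rest on the same ModSecurity mechanics: per-IP collections opened with initcol, a counter bumped in phase 5, deprecatevar decaying it, and expirevar holding a block flag. The script below is an added example, not code from the thread, from ModSecurity or from CSF; it replays a constructed access log shaped like the excerpt in the first post through a model of those mechanics so you can see which rule would actually fire on this traffic and when. The log generator, the class and function names, and the simplification that deprecatevar is applied relative to the IP's previous counted request (rather than the collection's LAST_UPDATE_TIME) are this example's own assumptions.

```python
# Added example (not from the thread): replay an Apache access log through a
# model of the counter / deprecatevar / expirevar logic used in the rules above.
import re
from datetime import datetime, timedelta, timezone

# The combined-log fields the rules key on: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """One access-log line -> dict, or None when it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}

class BruteForceRule:
    """Model (assumed simplification) of one protected path's rules:
    phase 1  initcol ip / user keyed on REMOTE_ADDR          -> self.ip / self.user
    phase 2  deny with deny_status while user.bf_block is set -> expirevar block_secs
    phase 5  bump ip.bf_counter, deprecatevar 1 per decay_secs, and once the
             counter passes threshold set user.bf_block and zero the counter.
    count_on="post"   every POST counts (first post's WordPress/Joomla rules)
    count_on="status" a 200 counts as a failed login, a 302 resets (carlg's rules)"""

    def __init__(self, threshold, count_on="post", decay_secs=10, block_secs=300,
                 deny_status=403, path=r"/administrator/index\.php"):
        self.threshold, self.count_on = threshold, count_on
        self.decay_secs, self.block_secs = decay_secs, block_secs
        self.deny_status, self.path_re = deny_status, re.compile(path)
        self.ip = {}    # ip -> {"counter": n, "last": ts}; the ip collection
        self.user = {}  # ip -> block expiry timestamp;       user.bf_block

    def handle(self, req):
        """Return the status the client sees and update state as the rules would."""
        ip, now = req["ip"], req["ts"]
        served = self.deny_status if self.user.get(ip, 0) > now else req["status"]
        col = self.ip.setdefault(ip, {"counter": 0, "last": now})
        if self.count_on == "post":
            hit = req["method"] == "POST"
        else:  # RESPONSE_STATUS as phase 5 sees it, i.e. after any deny
            if served == 302:
                col["counter"] = 0
            hit = served == 200
        if hit:  # phase 5 still runs for requests denied in phase 2
            elapsed = now - col["last"]
            if elapsed >= self.decay_secs:  # deprecatevar: -1 per decay_secs elapsed
                col["counter"] = max(0, col["counter"] - int(elapsed // self.decay_secs))
            col["counter"] += 1
            col["last"] = now
            if col["counter"] > self.threshold:
                self.user[ip] = now + self.block_secs  # expirevar: renewed on every trip
                col["counter"] = 0
        return served

    def block_until(self, ip):
        """Expiry timestamp of the block flag for ip (0 if it was never set)."""
        return self.user.get(ip, 0)

def replay(lines, rule):
    """Feed log lines through the rule; return [(method, status_served), ...]."""
    out = []
    for line in lines:
        req = parse_line(line)
        if req and rule.path_re.search(req["path"]):
            out.append((req["method"], rule.handle(req)))
    return out

def first_block_index(results):
    """Index of the first request the WAF denied, or -1 if the rule never fired."""
    return next((i for i, (_, s) in enumerate(results) if s in (401, 403)), -1)

def posts_served_before_block(results):
    """How many POSTs reached the application before the first deny."""
    idx = first_block_index(results)
    return sum(1 for m, _ in (results if idx < 0 else results[:idx]) if m == "POST")

# Constructed sample shaped like the thread's excerpt (not real traffic).
START = datetime(2014, 9, 28, 21, 57, 20, tzinfo=timezone(timedelta(hours=2)))
UA = '"-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"'

def sample_log(n, gap_secs=1, post_status=404, ip="91.200.12.21"):
    """n rounds, gap_secs apart, each a GET (200) then a POST (post_status)."""
    lines = []
    for i in range(n):
        ts = (START + timedelta(seconds=i * gap_secs)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(f'{ip} - - [{ts}] "GET /administrator/index.php HTTP/1.1" 200 6020 {UA}')
        lines.append(f'{ip} - - [{ts}] "POST /administrator/index.php HTTP/1.1" {post_status} - {UA}')
    return lines

if __name__ == "__main__":
    for name, rule in [("WP rule, >3 POSTs", BruteForceRule(3)),
                       ("Joomla rule, >30 POSTs", BruteForceRule(30)),
                       ("carlg rule, >10 x 200", BruteForceRule(10, "status", 180, 30000, 401))]:
        r = replay(sample_log(40), rule)
        print(f"{name}: first deny at request {first_block_index(r)}, "
              f"POSTs served before it: {posts_served_before_block(r)}")
```

Run as-is it replays 40 seconds of the attacker's GET/POST pattern. The POST-counting WordPress rule (threshold 3) denies from the 9th request on and keeps renewing the block while the POSTs continue; the Joomla copy with its threshold of 30 lets 31 POSTs through first; carlg's status-based rule fires on the GETs, which return 200, rather than on the 404 POSTs, so it is the page loads of the form that trip it; and a client that posts once every 15 seconds never trips the 10-second rules at all, because the counter decays between attempts. None of this matters unless initcol can persist its collections, which needs SecDataDir set and writable by Apache.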