Modsecurity rules to protect WP login?
Are there any modsecurity rules which are fully compatible with Litespeed and can block users trying to brute force into wordpress and other script installs?
Do you have these modsecurity rules which work for Apache?
We can test and provide the compatibility info of these rules with LiteSpeed.
Actually I haven't tried it yet. The other day an IP was pounding one of my blog's login page so much that it caused significant enough CPU usage for me to check the logs. While I banned that IP, and since I use passwords which should be able to withstand most if not all dictionary attacks, I guess I should be alright.
However the fact remains, such bots waste server resources and hence I searched for ways to prevent such things from happening again. Now I have the options of installing a wordpress plugin to do that (which I do not wish to do) or enable a way for server to detect ongoing brute force attempt and block the ip.
Here are the rules I could find on the web, I am a total noob and will likely ask my host to enable these for me, but I wanted to check beforehand, whether or not these are compatible with Litespeed.
I set up an env to test this rule on Apache and LiteSpeed.
Initially it worked on Apache but not on LiteSpeed.
Now it works on the latest 4.2.2 build as well.
Thanks for giving the specific rule, so we can investigate it effectively. To catch up with the upstream of mod_security as quickly as possible, detailed and specific rules are needed.
Thank you very much, will upgrade to latest build this weekend and try this out.
How do you see it works?
Actually, what I did was create the following test rule:
SecRule ARGS "\.\./" "t:normalisePathWin,id:99999,severity:4,msg:'D rive Access'"
In Action field I put
Enabled - yes
and checked the site
and nothing happens! I even updated litespeed to latest 4.2.3
My local tests succeeded on a native virtual host. I set the rule at vhost->Request Filter.
"Security Audit Log" is set at server level, to "/tmp/sec.log"
[18/Jun/2013:20:42:55 +0800] - 192.168.2.125 49362 *:80 80
GET /phpinfo.php??abc=../../ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Accept-Encoding: gzip, deflate
HTTP/1.1 403 Forbidden
Message: [client 192.168.2.125] mod_security: Access denied with code 403, [Rule: 'ARGS' '\.\./'] [ID "99999"] [Msg "D rive Access"] [severity "WARNING"] [MatchedString "../../"]
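To check from the audit log whether a rule is firing, the `Message:` lines can be parsed and tallied per rule ID and client. The following is an added example, not code from this thread or from LiteSpeed; it assumes only the line layout visible in the excerpt above, and the sample entries are constructed.

```python
import re
from collections import Counter

# Constructed sample entries in the layout of the audit-log excerpt above.
SAMPLE_LOG = r"""
[18/Jun/2013:20:42:55 +0800] - 192.168.2.125 49362 *:80 80
GET /phpinfo.php??abc=../../ HTTP/1.1
HTTP/1.1 403 Forbidden
Message: [client 192.168.2.125] mod_security: Access denied with code 403, [Rule: 'ARGS' '\.\./'] [ID "99999"] [Msg "D rive Access"] [severity "WARNING"] [MatchedString "../../"]
[18/Jun/2013:20:43:10 +0800] - 192.168.2.130 49370 *:80 80
GET /index.php?page=../etc HTTP/1.1
HTTP/1.1 403 Forbidden
Message: [client 192.168.2.130] mod_security: Access denied with code 403, [Rule: 'ARGS' '\.\./'] [ID "99999"] [Msg "D rive Access"] [severity "WARNING"] [MatchedString "../"]
[18/Jun/2013:20:44:01 +0800] - 192.168.2.125 49401 *:80 80
GET /phpinfo.php?abc=../%20[ID%20"1"] HTTP/1.1
HTTP/1.1 403 Forbidden
Message: [client 192.168.2.125] mod_security: Access denied with code 403, [Rule: 'ARGS' '\.\./'] [ID "99999"] [Msg "D rive Access"] [severity "WARNING"] [MatchedString "../ [ID "1"]"]
"""

MESSAGE_RE = re.compile(
    r'^Message: \[client (?P<client>[^\]]+)\] mod_security: '
    r'Access denied with code (?P<code>\d{3}), (?P<fields>.*)$')
FIELD_RE = re.compile(r'\[(?P<key>ID|Msg|severity) "(?P<val>[^"]*)"\]')

def parse_denials(text):
    """Return one dict per 'Access denied' Message line; other lines are skipped."""
    denials = []
    for line in text.splitlines():
        m = MESSAGE_RE.match(line.strip())
        if not m:
            continue
        # MatchedString echoes request data, so cut it off first: bracketed
        # text inside it must not be able to spoof the ID or Msg fields.
        head, sep, tail = m["fields"].partition('[MatchedString "')
        entry = {"client": m["client"], "code": int(m["code"])}
        entry.update((f["key"], f["val"]) for f in FIELD_RE.finditer(head))
        if sep and tail.endswith('"]'):
            entry["MatchedString"] = tail[:-2]
        denials.append(entry)
    return denials

def denials_per_rule_and_client(denials):
    """Count denials keyed by (rule ID, client IP)."""
    return Counter((d.get("ID"), d["client"]) for d in denials)

if __name__ == "__main__":
    for (rule_id, client), n in denials_per_rule_and_client(parse_denials(SAMPLE_LOG)).items():
        print(f"rule {rule_id} denied {client} {n} time(s)")
```

An empty result after sending a request that should match means the rule did not fire or the audit log is not being written where expected.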
I want to confirm that the rule works correctly for me.
If Litespeed could take any steps towards securing brute force attacks on Wordpress wp-login.php, it would be great!
As I posted, I did tests and it worked.
Please try it yourself and tell us the result.