[solved] Modsecurity rules to protect WP login?

NiteWave

Administrator
#2
do you have these modsecurity rules which work for apache?

we can test and provide the compatibility info of these rules with litespeed.
 
#3
Actually I haven't tried it yet. The other day an IP was pounding one of my blog's login pages so much that it caused significant enough CPU usage for me to check the logs. I banned that IP, and since I use passwords which should be able to withstand most if not all dictionary attacks, I guess I should be alright.

However, the fact remains that such bots waste server resources, and hence I searched for ways to prevent this from happening again. Now I have the option of installing a WordPress plugin to do that (which I do not wish to do) or enabling a way for the server to detect an ongoing brute force attempt and block the IP.

Here are the rules I could find on the web. I am a total noob and will likely ask my host to enable these for me, but I wanted to check beforehand whether or not these are compatible with Litespeed.

<IfModule mod_security2.c>
# This has to be global, cannot exist within a directory or location clause . . .
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR}
<Location /wp-login.php>
# Setup brute force detection.

# React if block flag has been set.
SecRule user:bf_block "@gt 0" "deny,status:401,log,msg:'ip address blocked for 5 minutes, more than 15 login attempts in 3 minutes.'"

# Setup Tracking. On a successful login, a 302 redirect is performed, a 200 indicates login failed.
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0"
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180"
SecRule ip:bf_counter "@gt 15" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
</Location>
</IfModule>

Source: http://www.frameloss.org/2011/07/29/stopping-brute-force-logins-against-wordpress/
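To make the counter logic of the quoted rule set easier to reason about, here is a small Python model of it. This is an added example, not the frameloss rules themselves and not a ModSecurity implementation: the constants mirror the rule (block once ip.bf_counter passes 15, deprecatevar takes 1 point off the counter per full 180 s, expirevar clears user.bf_block after 300 s), the class names, the one-failure-per-second simulation and the 203.0.113.x addresses are all constructed for illustration.

```python
"""Model of the wp-login.php brute-force rule quoted above (added example,
not the rule's own implementation). Constants mirror the rule text:
  SecRule ip:bf_counter "@gt 15"          -> BF_THRESHOLD
  deprecatevar:ip.bf_counter=1/180        -> DEPRECATE_AMOUNT / DEPRECATE_INTERVAL
  expirevar:user.bf_block=300             -> BLOCK_SECONDS
  deny,status:401                         -> DENY_STATUS
"""
from dataclasses import dataclass

BF_THRESHOLD = 15           # "@gt 15": the 16th failure trips the block
DEPRECATE_AMOUNT = 1        # deprecatevar: subtract 1 ...
DEPRECATE_INTERVAL = 180    # ... for every full 180 s since the last update
BLOCK_SECONDS = 300         # expirevar: the block flag lives 5 minutes
DENY_STATUS = 401           # status returned while blocked


@dataclass
class IpState:
    counter: int = 0           # ip.bf_counter
    last_update: float = 0.0   # when the counter was last touched
    block_until: float = 0.0   # user.bf_block is "set" while now < block_until


class LoginGuard:
    """Per-IP state keyed like the ip/user collections (initcol on REMOTE_ADDR)."""

    def __init__(self):
        self.state = {}

    def _get(self, ip, now):
        return self.state.setdefault(ip, IpState(last_update=now))

    def _deprecate(self, st, now):
        # deprecatevar works in whole steps: -1 per complete 180 s interval,
        # never below zero; the remainder of the interval is carried over.
        steps = int((now - st.last_update) // DEPRECATE_INTERVAL)
        if steps > 0:
            st.counter = max(0, st.counter - steps * DEPRECATE_AMOUNT)
            st.last_update += steps * DEPRECATE_INTERVAL

    def on_request(self, ip, now):
        """Phase 1 ('user:bf_block @gt 0'): 401 while blocked, else None and
        the request is passed on to wp-login.php."""
        st = self._get(ip, now)
        return DENY_STATUS if now < st.block_until else None

    def on_response(self, ip, status, now):
        """Phase 5: a 302 (successful login) resets the counter, a 200
        (login form shown again) counts as one failure."""
        st = self._get(ip, now)
        self._deprecate(st, now)
        if status == 302:
            st.counter = 0
        elif status == 200:
            st.counter += 1
            if st.counter > BF_THRESHOLD:
                st.block_until = now + BLOCK_SECONDS
                st.counter = 0


def first_blocked_attempt(guard, ip, failures, start=0.0, interval=1.0):
    """Feed `failures` consecutive failed logins, one every `interval` s, and
    return the index of the first attempt the guard denies (None if never)."""
    for i in range(failures):
        now = start + i * interval
        if guard.on_request(ip, now) == DENY_STATUS:
            return i
        guard.on_response(ip, 200, now)   # constructed: every attempt fails
    return None


if __name__ == "__main__":
    g = LoginGuard()
    print(first_blocked_attempt(g, "203.0.113.5", 20))   # constructed client IP
```

Running the script shows that the 17th request in a burst (index 16) is the first one answered with 401: the 16th failure pushes the counter above 15 and sets the block, which then lasts 300 s regardless of what the client does in between. The model also makes the decay visible: a slow attacker sending less than one failure per 180 s never accumulates enough points to be blocked by this rule, which is a known limit of the threshold chosen in the post.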
 

NiteWave

Administrator
#4
I set up an env to test this rule on Apache and LiteSpeed.
Initially it worked on Apache but not on LiteSpeed.
Now it works on the latest 4.2.2 build as well.

Thanks for giving the specific rule, so we can investigate it effectively. To catch up with upstream mod_security as quickly as possible, detailed and specific rules are needed.
 

bobykus

Well-Known Member
#6
How do you see that it works?

I set

SecDebugLog /var/httpd/logs/modsec_debug.log
SecDebugLogLevel 9


but /var/httpd/logs/modsec_debug.log is still empty.
 

NiteWave

Administrator
#8
My local tests succeeded on a native virtual host. Set the rule at vhost -> Request Filter.
"Security Audit Log" is set at server level, to "/tmp/sec.log"
/tmp>cat sec.log
--6d4a5c33-A--
[18/Jun/2013:20:42:55 +0800] - 192.168.2.125 49362 *:80 80
--6d4a5c33-B--
GET /phpinfo.php??abc=../../ HTTP/1.1
Host: 192.168.2.101
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: ....
Connection: keep-alive

--6d4a5c33-F--
HTTP/1.1 403 Forbidden

--6d4a5c33-H--
Message: [client 192.168.2.125] mod_security: Access denied with code 403, [Rule: 'ARGS' '\.\./'] [ID "99999"] [Msg "D rive Access"] [severity "WARNING"] [MatchedString "../../"]

--6d4a5c33-Z--
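When checking whether the rule fires, the audit log above is the thing to read, and with a busy wp-login.php it fills up quickly. The following Python parser is an added example, not part of the post or of LiteSpeed: it splits the serial audit log into its lettered sections (A request summary, B request headers, F response headers, H messages, Z end), pulls out client IP, request line, status and the denial message, and counts blocked requests per client. The first sample entry reproduces the log from the post; the second entry, the host name blog.example and the client 203.0.113.5 are constructed to show what a hit on the wp-login.php block rule would look like in the same format.

```python
"""Parser for the serial ModSecurity audit log format shown in the post
(added example, not the project's code). SAMPLE_LOG is constructed: entry 1
is the post's own log, entry 2 is a made-up hit on the wp-login.php rule."""
import re
from collections import Counter

SECTION_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")   # e.g. --6d4a5c33-A--
CODE_RE = re.compile(r"Access denied with code (\d+)")
ID_RE = re.compile(r'\[ID "([^"]+)"\]')
MSG_RE = re.compile(r'\[Msg "([^"]*)"\]', re.IGNORECASE)

SAMPLE_LOG = r"""--6d4a5c33-A--
[18/Jun/2013:20:42:55 +0800] - 192.168.2.125 49362 *:80 80
--6d4a5c33-B--
GET /phpinfo.php??abc=../../ HTTP/1.1
Host: 192.168.2.101
User-Agent: Mozilla/5.0

--6d4a5c33-F--
HTTP/1.1 403 Forbidden

--6d4a5c33-H--
Message: [client 192.168.2.125] mod_security: Access denied with code 403, [Rule: 'ARGS' '\.\./'] [ID "99999"] [Msg "D rive Access"] [severity "WARNING"] [MatchedString "../../"]

--6d4a5c33-Z--
--7b1e0f02-A--
[18/Jun/2013:21:03:10 +0800] - 203.0.113.5 51022 *:80 80
--7b1e0f02-B--
POST /wp-login.php HTTP/1.1
Host: blog.example

--7b1e0f02-F--
HTTP/1.1 401 Unauthorized

--7b1e0f02-H--
Message: [client 203.0.113.5] mod_security: Access denied with code 401, [Rule: 'USER:bf_block' '@gt 0'] [Msg "ip address blocked for 5 minutes, more than 15 login attempts in 3 minutes."] [severity "WARNING"]

--7b1e0f02-Z--
"""


def parse_audit_log(text):
    """Split the log into entries (one per unique id) and summarise each."""
    entries = []                # list of (uid, {section_letter: [lines]})
    sections, current = None, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            uid, part = m.groups()
            if part == "A":                      # A opens a new entry
                sections = {}
                entries.append((uid, sections))
            current = None if part == "Z" else part   # Z closes the entry
            continue
        if sections is not None and current is not None:
            sections.setdefault(current, []).append(line)
    return [summarize(uid, s) for uid, s in entries]


def summarize(uid, s):
    """Extract the fields an operator wants from one entry's sections."""
    # A: [timestamp tz] unique_id client_ip client_port server_ip server_port
    a = s.get("A", [""])[0].split()
    request = next((l for l in s.get("B", []) if l.strip()), "")
    f = s.get("F", [""])[0].split()              # HTTP/1.1 403 Forbidden
    message = next((l for l in s.get("H", []) if l.startswith("Message:")), "")
    code, rid, msg = CODE_RE.search(message), ID_RE.search(message), MSG_RE.search(message)
    return {
        "id": uid,
        "timestamp": (a[0][1:] + " " + a[1][:-1]) if len(a) > 1 else None,
        "client_ip": a[3] if len(a) > 3 else None,
        "request": request,
        "status": int(f[1]) if len(f) > 1 and f[1].isdigit() else None,
        "denied_code": int(code.group(1)) if code else None,
        "rule_id": rid.group(1) if rid else None,
        "msg": msg.group(1) if msg else None,
    }


def denied_by_ip(entries, threshold=400):
    """Count denied requests per client IP (status >= threshold)."""
    return Counter(e["client_ip"] for e in entries
                   if e["status"] is not None and e["status"] >= threshold)


if __name__ == "__main__":
    parsed = parse_audit_log(SAMPLE_LOG)
    for e in parsed:
        print(e["timestamp"], e["client_ip"], e["status"], e["request"], "|", e["msg"])
    print(denied_by_ip(parsed))
```

Point it at the real file with parse_audit_log(open("/tmp/sec.log").read()) and the denied_by_ip count tells you at a glance whether one client is being blocked repeatedly on /wp-login.php, which is exactly the signal the rule set from post #3 is meant to produce.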
 

stormy

Well-Known Member
#9
I want to confirm that the rule works correctly for me.

If Litespeed could take any steps towards securing against brute force attacks on WordPress wp-login.php, it would be great!
 

stormy

Well-Known Member
#11
Sorry I wasn't more clear in my reply! :)

I tried the rule and yes, it works.

However, it's not an ideal situation; it would be a lot better if it could be targeted higher up the chain instead of with mod_security. I don't know if that's possible though, but it's an idea :)
 
#14
if you use the apache configuration file, then it's the same way as for apache + mod_security: put the rules in a file and include it from apache's httpd.conf

if you don't use apache's httpd.conf, then
lsws web admin -> Server -> Request Filter -> Request Filtering Rule Set: Add
 
#16
Sorry, I re-read this thread again.
I think "Request Filter" for lsws webadmin -> Server doesn't recognize
<Location /wp-login.php>
</Location>

so the above file will work with apache's httpd.conf

you can comment out the above 2 lines in your configuration, and make sure /var/log/httpd/modsec_debug.log is accessible by nobody.
without <Location /wp-login.php>, this rule will apply to all requests from a single IP --- not meeting your goal, but you can still run a test. not sure whether a modsecurity rule can be added to work like <Location /wp-login.php>
 
#20
you may need to enable the audit log. add
SecAuditLog /path/to/modsec_audit.log

to trigger the rule, you can run an "ab" test, for example
#ab -c 10 -n 20 domain.com/wp-login.php
 