[solved] Comodo Waf brute force rules issues

Discussion in 'Bug Reports' started by wanah, Aug 13, 2014.

  1. JulesR

    JulesR New Member

    I did update from the CLI, and our binary matches the same size as yours. Anything else you can do to help?
  2. mistwang

    mistwang LiteSpeed Staff

    For the one request that triggered the logging, does it return 403? Please check the audit_log.
    You may need to set SecDebugLogLevel to 9 and check the detailed debug logging, and flood it with "POST" requests to the login URL.

    Remember, the default threshold for triggering the brute force rule is pretty high: 30 "POST" requests in 60 seconds.

    Better do it on a test server so you won't get too many log messages for all traffic.
  3. JulesR

    JulesR New Member

    There is no 403 or any apparent block occurring when these brute force attacks are detected:

    http://pastebin.com/raw.php?i=nb2diAeG

    The attack was frequent enough (100's per minute) that this definitely should've been logged multiple times. This does seem to be a problem with Litespeed.
  4. mistwang

    mistwang LiteSpeed Staff

    May I get temp root access to take a look at this? It looks like the earlier build of 4.2.14 is still running.
  5. JulesR

    JulesR New Member

    Strange, you must've changed the build after you told me to update, or there was a delay before it was available. I just force upgraded again via CLI and now it's 403'ing the brute force attempts - which is great.

    Is it possible to get this to log multiple times still, so that something like CSF/LFD can pick up the repeated attempts and block the IP address at the firewall level? Right now it's 403'ing the IP address, but it still only logs a single time so CSF/LFD won't perform any action.
  6. mistwang

    mistwang LiteSpeed Staff

    You need to change the action of rule 230001: remove the "nolog" action. It follows the rule.
  7. JulesR

    JulesR New Member

    Thanks, I'll raise that with Comodo then.
  8. wanah

    wanah Member

    I haven't been able to confirm the blockages are working yet; brute forces seem to be shared between multiple IPs so as not to go over 30 tries in 1 minute per IP:

    Code:
    46.165.228.144 - - [23/Aug/2014:10:21:03 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    125.253.124.48 - - [23/Aug/2014:10:21:03 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    46.165.228.144 - - [23/Aug/2014:10:21:05 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    125.253.124.48 - - [23/Aug/2014:10:21:08 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    46.165.228.144 - - [23/Aug/2014:10:21:08 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    46.165.228.144 - - [23/Aug/2014:10:21:11 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    125.253.124.48 - - [23/Aug/2014:10:21:12 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    46.165.228.144 - - [23/Aug/2014:10:21:14 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    125.253.124.48 - - [23/Aug/2014:10:21:17 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    46.165.228.144 - - [23/Aug/2014:10:21:16 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    46.165.228.144 - - [23/Aug/2014:10:21:19 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    125.253.124.48 - - [23/Aug/2014:10:21:20 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    46.165.228.144 - - [23/Aug/2014:10:21:22 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    125.253.124.48 - - [23/Aug/2014:10:21:25 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    46.165.228.144 - - [23/Aug/2014:10:21:27 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    46.165.228.144 - - [23/Aug/2014:10:21:31 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    125.253.124.48 - - [23/Aug/2014:10:21:31 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    46.165.228.144 - - [23/Aug/2014:10:21:33 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    125.253.124.48 - - [23/Aug/2014:10:21:36 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    46.165.228.144 - - [23/Aug/2014:10:21:38 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    125.253.124.48 - - [23/Aug/2014:10:21:41 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    125.253.124.48 - - [23/Aug/2014:10:21:52 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    46.165.228.144 - - [23/Aug/2014:10:21:53 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    125.253.124.48 - - [23/Aug/2014:10:21:58 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    46.165.228.144 - - [23/Aug/2014:10:21:58 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    46.165.228.144 - - [23/Aug/2014:10:22:01 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    125.253.124.48 - - [23/Aug/2014:10:22:02 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    46.165.228.144 - - [23/Aug/2014:10:22:04 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    125.253.124.48 - - [23/Aug/2014:10:22:11 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    46.165.228.144 - - [23/Aug/2014:10:22:13 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    125.253.124.48 - - [23/Aug/2014:10:22:22 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    46.165.228.144 - - [23/Aug/2014:10:22:23 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    125.253.124.48 - - [23/Aug/2014:10:22:28 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    46.165.228.144 - - [23/Aug/2014:10:22:28 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    125.253.124.48 - - [23/Aug/2014:10:22:32 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    46.165.228.144 - - [23/Aug/2014:10:22:34 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    125.253.124.48 - - [23/Aug/2014:10:22:37 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    46.165.228.144 - - [23/Aug/2014:10:22:37 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    46.165.228.144 - - [23/Aug/2014:10:22:40 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    125.253.124.48 - - [23/Aug/2014:10:22:41 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    46.165.228.144 - - [23/Aug/2014:10:22:43 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    46.165.228.144 - - [23/Aug/2014:10:22:46 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    46.165.228.144 - - [23/Aug/2014:10:22:49 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    125.253.124.48 - - [23/Aug/2014:10:22:52 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    46.165.228.144 - - [23/Aug/2014:10:22:54 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    125.253.124.48 - - [23/Aug/2014:10:22:58 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    46.165.228.144 - - [23/Aug/2014:10:22:59 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    125.253.124.48 - - [23/Aug/2014:10:23:03 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    46.165.228.144 - - [23/Aug/2014:10:23:04 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    125.253.124.48 - - [23/Aug/2014:10:23:08 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    46.165.228.144 - - [23/Aug/2014:10:23:09 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    125.253.124.48 - - [23/Aug/2014:10:23:13 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    46.165.228.144 - - [23/Aug/2014:10:23:13 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    46.165.228.144 - - [23/Aug/2014:10:23:17 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    125.253.124.48 - - [23/Aug/2014:10:23:18 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    46.165.228.144 - - [23/Aug/2014:10:23:20 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    125.253.124.48 - - [23/Aug/2014:10:23:23 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    46.165.228.144 - - [23/Aug/2014:10:23:24 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    46.165.228.144 - - [23/Aug/2014:10:23:27 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    125.253.124.48 - - [23/Aug/2014:10:23:28 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    46.165.228.144 - - [23/Aug/2014:10:23:30 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    46.165.228.144 - - [23/Aug/2014:10:23:33 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    46.165.228.144 - - [23/Aug/2014:10:23:35 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    125.253.124.48 - - [23/Aug/2014:10:23:33 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    46.165.228.144 - - [23/Aug/2014:10:23:38 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    125.253.124.48 - - [23/Aug/2014:10:23:39 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    46.165.228.144 - - [23/Aug/2014:10:23:41 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    125.253.124.48 - - [23/Aug/2014:10:23:42 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
    46.165.228.144 - - [23/Aug/2014:10:23:44 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
  9. mistwang

    mistwang LiteSpeed Staff

    You just need to change the threshold in the comodo ruleset.
  10. wanah

    wanah Member

    I will see with them about differentiating WordPress from Joomla. While WordPress with wp-login should have a lower limit, Joomla runs all its pages on index.php so should keep a threshold of 30.
  11. wanah

    wanah Member

    Hello,

    Sadly I've just had proof that the rules aren't working:

    Code:
    213.251.182.12 - - [29/Aug/2014:11:01:02 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
    213.251.182.12 - - [29/Aug/2014:11:01:02 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
    213.251.182.12 - - [29/Aug/2014:11:01:03 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
    213.251.182.12 - - [29/Aug/2014:11:01:03 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
    213.251.182.12 - - [29/Aug/2014:11:01:03 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
    213.251.182.12 - - [29/Aug/2014:11:01:04 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
    213.251.182.12 - - [29/Aug/2014:11:01:04 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
    213.251.182.12 - - [29/Aug/2014:11:01:04 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
    213.251.182.12 - - [29/Aug/2014:11:01:04 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
    213.251.182.12 - - [29/Aug/2014:11:01:05 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
    213.251.182.12 - - [29/Aug/2014:11:01:05 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
    213.251.182.12 - - [29/Aug/2014:11:01:05 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
    213.251.182.12 - - [29/Aug/2014:11:01:05 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
    213.251.182.12 - - [29/Aug/2014:11:01:06 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
    213.251.182.12 - - [29/Aug/2014:11:01:06 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
    213.251.182.12 - - [29/Aug/2014:11:01:07 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
    213.251.182.12 - - [29/Aug/2014:11:01:07 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
    213.251.182.12 - - [29/Aug/2014:11:01:07 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
    213.251.182.12 - - [29/Aug/2014:11:01:07 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
    213.251.182.12 - - [29/Aug/2014:11:01:08 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
    213.251.182.12 - - [29/Aug/2014:11:01:08 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
    213.251.182.12 - - [29/Aug/2014:11:01:08 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
    213.251.182.12 - - [29/Aug/2014:11:01:09 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
    213.251.182.12 - - [29/Aug/2014:11:01:09 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
    213.251.182.12 - - [29/Aug/2014:11:01:10 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
    213.251.182.12 - - [29/Aug/2014:11:01:10 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
    213.251.182.12 - - [29/Aug/2014:11:01:10 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
    213.251.182.12 - - [29/Aug/2014:11:01:11 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
    213.251.182.12 - - [29/Aug/2014:11:01:11 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
    213.251.182.12 - - [29/Aug/2014:11:01:11 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
    213.251.182.12 - - [29/Aug/2014:11:01:12 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
    213.251.182.12 - - [29/Aug/2014:11:01:12 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
    213.251.182.12 - - [29/Aug/2014:11:01:12 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
    213.251.182.12 - - [29/Aug/2014:11:01:12 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
    213.251.182.12 - - [29/Aug/2014:11:01:13 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
    213.251.182.12 - - [29/Aug/2014:11:01:13 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
    213.251.182.12 - - [29/Aug/2014:11:01:13 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
    213.251.182.12 - - [29/Aug/2014:11:01:14 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
    213.251.182.12 - - [29/Aug/2014:11:01:14 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
    213.251.182.12 - - [29/Aug/2014:11:01:14 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
    213.251.182.12 - - [29/Aug/2014:11:01:15 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
    As you can see, there are more than 30 attempts from the same IP in one minute. This attack had been going on for a few hours without being blocked.
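As an added example (not code from this thread, nor from Comodo or LiteSpeed), here is a per-IP sliding-window counter of the kind the rule describes, run over constructed log lines in the same format as the ones quoted above. It shows why a two-IP attack like the one in post 8 stays under the default 30-per-minute threshold while a single-IP burst like the one in post 11 crosses it, and how lowering the threshold for wp-login.php changes the outcome; the IP addresses and timing are constructed, not taken from the thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format, as in the access logs quoted in this thread.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def find_bursts(lines, login_path="/wp-login.php", threshold=30, window=60):
    """Per-IP sliding-window counter like the one the thread describes.
    Returns {ip: timestamp of the request that pushed that IP past `threshold`
    POSTs to `login_path` within `window` seconds}. The defaults match the
    30-POSTs-in-60-seconds figure quoted above."""
    recent = defaultdict(deque)   # ip -> timestamps of POSTs still inside the window
    flagged = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue              # unparsable line: ignore it
        ip, ts, method, path, _status = m.groups()
        if method != "POST" or path != login_path:
            continue
        t = datetime.strptime(ts, TIME_FMT)
        q = recent[ip]
        q.append(t)
        while (t - q[0]).total_seconds() >= window:   # expire events outside the window
            q.popleft()
        if len(q) > threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged

BASE = datetime(2014, 8, 29, 11, 1, 0, tzinfo=timezone(timedelta(hours=2)))

def synth(ip, start_sec, count, gap):
    """Constructed log lines: `count` POSTs from `ip`, one every `gap` seconds."""
    return [f'{ip} - - [{(BASE + timedelta(seconds=start_sec + i * gap)).strftime(TIME_FMT)}] '
            f'"POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"' for i in range(count)]

# Constructed samples using documentation-range addresses, not the IPs from the thread:
# SHARED - two hosts splitting the attack at 20 POSTs/min each (the pattern in post 8);
# SINGLE - one host sending a POST every second (the pattern in post 11).
SHARED = synth("192.0.2.10", 0, 40, 3) + synth("192.0.2.11", 1, 40, 3)
SINGLE = synth("198.51.100.7", 0, 40, 1)

if __name__ == "__main__":
    print("shared, threshold 30:", find_bursts(SHARED))                # {} : stays under the rule
    print("shared, threshold 10:", find_bursts(SHARED, threshold=10))  # both IPs flagged
    print("single, threshold 30:", find_bursts(SINGLE))                # flagged at the 31st POST
```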
  12. wanah

    wanah Member
