[solved] Modsecurity rules to protect WP login?

#21
try but no work ... no block wp-login and no log .. in httpd.conf i have add
the file /var/log/httpd/modsec_debug2.log was be correctry created by litespeed
2633668 -rw-r--r-- 1 apache apache 0 Feb 26 14:26 /var/log/httpd/modsec_debug2.log


<IfModule mod_security2.c>
SecAuditLog /var/log/httpd/modsec_debug2.log

# This has to be global, cannot exist within a directory or location clause . . .
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR}
<Location /wp-login.php>
# Setup brute force detection.

# React if block flag has been set.
SecRule user:bf_block "@gt 0" "deny,status:401,log,msg:'ip address blocked for 5 minutes, more than 15 login attempts in 3 minutes.'"

# Setup Tracking. On a successful login, a 302 redirect is performed, a 200 indicates login failed.
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0"
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180"
SecRule ip:bf_counter "@gt 15" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
</location>
</IfModule>
 

wanah

Well-Known Member
#22
Hello,

We are currently being hit quite hard from brute force attacks on wp-logins so I wanted to implement this too.

I must be doing something wrong though…

In cPanel went to apache include editor and added the following to the pre_main include :

Code:
<IfModule mod_security2.c>
# This has to be global, cannot exist within a directory or location clause . . .
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR}
<Location /wp-login.php>
# Setup brute force detection.

# React if block flag has been set.
SecRule user:bf_block "@gt 0" "deny,status:401,log,msg:'ip address blocked for 5 minutes, more than 15 login attempts in 3 minutes.'"

# Setup Tracking. On a successful login, a 302 redirect is performed, a 200 indicates login failed.
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0"
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180"
SecRule ip:bf_counter "@gt 2" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
</location>
</IfModule>
I then went into litespeed and set request filtering to yes and did a gracefull restart.

Notice the SecRule ip:bf_counter "@gt 2", it set it to 2 to lower the limit during my tests.

I tried to login about 10 times in a few seconds and didn't get blocked.

Any idea what I'm doing wrong ?

Litespeed syggests the log file should be placed in /usr/local/apache/logs/lssecurityauditlog and when I applied it this file was created but remains empty.
 

wanah

Well-Known Member
#23
Just got this working.

I recompiled with easy apache adding mod security and placed the code in /usr/local/apache/conf/modsec2.user.conf (I had to create the file).

Next step, work out a rule for Joomla ! :)
 

stormy

Well-Known Member
#26
Thanks. Now this is weird: the issue was solved by switching to Apache and then switching back. Does this make any sense?
 
Top