[solved] Modsecurity rules to protect WP login?

Discussion in 'Install/Configuration' started by Yogesh Sarkar, Mar 29, 2013.

  1. Yogesh Sarkar

    Yogesh Sarkar Banned

    Are there any modsecurity rules which are fully compatible with Litespeed and can block users trying to brute force into wordpress and other script installs?
  2. NiteWave

    NiteWave Administrator

    do you have these modsecurity rules which works for apahce ?

    we can test and provide the compatibility info of these rules with litespeed.
  3. Yogesh Sarkar

    Yogesh Sarkar Banned

    Actually I haven't tried it yet. The other day an IP was pounding one of my blog's login page so much, that it caused significant enough CPU usage for me to check the logs. While I banned that ip and since I use passwords which should be able to withstand most if not all dictionary attack, I guess I should be alright.

    However the fact remains, such bots waste server resources and hence I searched for ways to prevent such things from happening again. Now I have the options of installing a wordpress plugin to do that (which I do not wish to do) or enable a way for server to detect ongoing brute force attempt and block the ip.

    Here are the rules I could find on the web, I am a total noob and will likely ask my host to enable these for me, but I wanted to check beforehand, whether or not these are compatible with Litespeed.

  4. NiteWave

    NiteWave Administrator

    I set up an env to test this rule on apache and litespeed.
    initially work on apache but not on litespeed.
    now it works on latest 4.2.2 build as well.

    Thanks for giving the specific rule, so we can investigate it effectively. to catch up with the upstream of mod_security as short as possible, detailed and specific rules are needed.
  5. Yogesh Sarkar

    Yogesh Sarkar Banned

    Thank you very much, will upgrade to latest build this weekend and try this out.
  6. bobykus

    bobykus Well-Known Member

    How do you see it works?

    I set

    SecDebugLog /var/httpd/logs/modsec_debug.log
    SecDebugLogLevel 9

    but /var/httpd/logs/modsec_debug.log

    still empty.
  7. bobykus

    bobykus Well-Known Member

  8. NiteWave

    NiteWave Administrator

    my local tests succeeded on native virtual host. set the rule at vhost->Request Fillter.
    "Security Audit Log" is set at server level, to "/tmp/sec.log"
    /tmp>cat sec.log
    [18/Jun/2013:20:42:55 +0800] - 49362 *:80 80
    GET /phpinfo.php??abc=../../ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip, deflate
    Cookie: ....
    Connection: keep-alive

    HTTP/1.1 403 Forbidden

    Message: [client] mod_security: Access denied with code 403, [Rule: 'ARGS' '\.\./'] [ID "99999"] [Msg "D rive Access"] [severity "WARNING"] [MatchedString "../../"]

  9. stormy

    stormy Well-Known Member

    I want to confirm that the rule works correctly for me.

    If Litespeed could take any steps towards securing brute force attacks on Wordpress wp-login.php, it would be great!
  10. NiteWave

    NiteWave Administrator

    as I posted, I did tests and it worked.

    please try yourself and tell us the result.
  11. stormy

    stormy Well-Known Member

    Sorry I wasn't more clear in my reply! :)

    I tried the rule and yes, it works.

    However, it's not an ideal situation, it would be a lot better if it could be targetted higher up the chain instead of with mod_security. I don't know if that's possible though, but it's an idea :)
  12. mistwang

    mistwang LiteSpeed Staff

    Yeah, we will keep that in mind. Thanks!
  13. yak983

    yak983 Member

    it's possible have more info for how write into request filter in litespeed?
  14. NiteWave

    NiteWave Administrator

    if you use apache configuration file, then it's same way for apache + mod_security, put the rules in a file and include from apache's httpd.conf

    if not use apache's httpd.conf, then
    lsws web admin -> Server -> Request Filter -> Request Filtering Rule Set: Add
  15. yak983

    yak983 Member

    i have do it but no work..
    log file it's empty..

    Attached Files:

  16. NiteWave

    NiteWave Administrator

    Sorry, I re-read this thread again.
    I think "Request Filter" for lsws webadmin -> Server doesn't recognize
    <Location /wp-login.php>

    so above file will work with apache's httpd.conf

    you can comment out above 2 lines in your configuration, and make sure /var/log/httpd/modsec_debug.log is accessible by nobody.
    without <Location /wp-login.php>, this rule will apply for all requests from an single IP --- not meed your goal, but anyway can take a test. not sure can add a modseure rule to work like <Location /wp-login.php>
  17. yak983

    yak983 Member

    it's need mod_security2.so load into apache ?
  18. NiteWave

    NiteWave Administrator

    no need.
  19. yak983

    yak983 Member

    2631832 -rwxrwxrwx 1 apache apache 0 Feb 16 16:48 modsec_debug.log
    its emprty .. how i can check if rules work?
  20. NiteWave

    NiteWave Administrator

    may need enable audit log. add
    SecAuditLog /path/to/modsec_audit.log

    to trigger the rule, you can run "ab" test, for example
    #ab -c 10 -n 20 domain.com/wp-login.php

Share This Page