[solved] Modsecurity rules to protect WP login?

Discussion in 'Install/Configuration' started by Yogesh Sarkar, Mar 29, 2013.

  1. yak983

    yak983 New Member

    Tried it, but it does not work ... wp-login is not blocked and there is no log. In httpd.conf I have added the following.
    The file /var/log/httpd/modsec_debug2.log was correctly created by LiteSpeed:
    2633668 -rw-r--r-- 1 apache apache 0 Feb 26 14:26 /var/log/httpd/modsec_debug2.log


    <IfModule mod_security2.c>
    SecAuditLog /var/log/httpd/modsec_debug2.log

    # This has to be global, cannot exist within a directory or location clause . . .
    SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR}
    <Location /wp-login.php>
    # Setup brute force detection.

    # React if block flag has been set.
    SecRule user:bf_block "@gt 0" "deny,status:401,log,msg:'ip address blocked for 5 minutes, more than 15 login attempts in 3 minutes.'"

    # Setup Tracking. On a successful login, a 302 redirect is performed, a 200 indicates login failed.
    SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0"
    SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180"
    SecRule ip:bf_counter "@gt 15" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
    </Location>
    </IfModule>
     
  2. wanah

    wanah Member

    Hello,

    We are currently being hit quite hard from brute force attacks on wp-logins so I wanted to implement this too.

    I must be doing something wrong though…

    In cPanel went to apache include editor and added the following to the pre_main include :

    Code:
    <IfModule mod_security2.c>
    # This has to be global, cannot exist within a directory or location clause . . .
    SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR}
    <Location /wp-login.php>
    # Setup brute force detection.
    
    # React if block flag has been set.
    SecRule user:bf_block "@gt 0" "deny,status:401,log,msg:'ip address blocked for 5 minutes, more than 15 login attempts in 3 minutes.'"
    
    # Setup Tracking. On a successful login, a 302 redirect is performed, a 200 indicates login failed.
    SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0"
    SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180"
    SecRule ip:bf_counter "@gt 2" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
    </Location>
    </IfModule>
    I then went into LiteSpeed, set request filtering to yes and did a graceful restart.

    Notice the SecRule ip:bf_counter "@gt 2"; I set it to 2 to lower the limit during my tests.

    I tried to login about 10 times in a few seconds and didn't get blocked.

    Any idea what I'm doing wrong?

    LiteSpeed suggests the log file should be placed in /usr/local/apache/logs/lssecurityauditlog, and when I applied it this file was created but remains empty.
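    To reason about what the rule chain in the two posts above should do (count 200 responses per client IP, decay the counter, block after the threshold, expire the block), here is an added plain-Python model of it. It is not ModSecurity code or LiteSpeed's; the decay and expiry behaviour is my reading of deprecatevar/expirevar, and the IP addresses in the comments and tests are constructed.

```python
# Added example: a plain-Python model of the rule chain posted above, so the
# expected behaviour (count 200s, decay the counter, block after the threshold)
# can be checked outside ModSecurity. Decay/expiry semantics are my reading of
# deprecatevar/expirevar, not ModSecurity's own implementation.
from dataclasses import dataclass


@dataclass
class Collections:
    """Per-client state, standing in for initcol:ip=... and initcol:user=..."""
    bf_counter: int = 0        # ip.bf_counter
    counter_updated: float = 0.0
    bf_block: int = 0          # user.bf_block
    block_expires: float = 0.0


class BruteForceGuard:
    def __init__(self, threshold=15, decay_step=1, decay_period=180, block_ttl=300):
        self.threshold = threshold        # SecRule ip:bf_counter "@gt <threshold>"
        self.decay_step = decay_step      # deprecatevar:ip.bf_counter=<step>/<period>
        self.decay_period = decay_period
        self.block_ttl = block_ttl        # expirevar:user.bf_block=<ttl>
        self.cols = {}

    def _deprecate(self, c, now):
        # deprecatevar: drop <step> for every full <period> since the last update
        elapsed = now - c.counter_updated
        if c.bf_counter > 0 and elapsed >= self.decay_period:
            steps = int(elapsed // self.decay_period)
            c.bf_counter = max(0, c.bf_counter - steps * self.decay_step)

    def request(self, ip, now, login_ok):
        """One POST to /wp-login.php; returns the status the client receives."""
        c = self.cols.setdefault(ip, Collections())
        # phase 2: "React if block flag has been set"; expirevar clears it after ttl
        if c.bf_block and now >= c.block_expires:
            c.bf_block = 0
        if c.bf_block > 0:
            return 401
        # phase 5: 302 means login succeeded, 200 means it failed
        if login_ok:
            c.bf_counter = 0
            return 302
        self._deprecate(c, now)
        c.bf_counter += 1
        c.counter_updated = now
        if c.bf_counter > self.threshold:          # chained rule fires
            c.bf_block, c.block_expires = 1, now + self.block_ttl
            c.bf_counter = 0
        return 200
```

    With wanah's test value of "@gt 2", the model denies the fourth failed attempt with 401, so ten rapid attempts that all go through point at the rules not being loaded rather than at the logic.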
     
  3. wanah

    wanah Member

    Just got this working.

    I recompiled with EasyApache, adding mod_security, and placed the code in /usr/local/apache/conf/modsec2.user.conf (I had to create the file).

    Next step, work out a rule for Joomla! :)
     
  4. stormy

    stormy Member

    For some reason, this stopped working on my servers. Any idea how to troubleshoot it?
     
  5. mistwang

    mistwang LiteSpeed Staff

    You need to turn on mod_security debug logging by changing the debug level configuration to

    SecDebugLogLevel 9
     
  6. stormy

    stormy Member

    Thanks. Now this is weird: the issue was solved by switching to Apache and then switching back. Does this make any sense?
     
  7. mistwang

    mistwang LiteSpeed Staff

    No idea. If it happens again, just restart LiteSpeed with debug logging enabled.
     