joaosavioli

Well-Known Member
Feb 7, 2008
67
12
58
Hi!

Today morning I had a problem about an attack against some websties hosted in my server. This caused apache very slow and high load.

A lot of IP address (about 900 address) trying to access wp-login.php of some websites (about 20 websites), at the same time.
Do you have any way to block this using modsecurity rules?

I could found it in some threads about it, but some are to old. I´m using the last cpanel version, with easyapache4 and the new modsecurity tools.

Very thank you

Best
Joao
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,274
1,292
313
Houston
  • Like
Reactions: ajithpa

Bidi

Well-Known Member
Oct 3, 2012
117
15
68
Romania, Transilvania
cPanel Access Level
DataCenter Provider
Hello guys, dose anyone have new rules for mod_sec ?

The one from here WordPress ModSecurity Rules dose not work proprly, it just ban ip for 5 minutes, i increased bf_block=300 to 33600 but usless.

I dont know what happen but since the last update of wordpress in the last 1-2 weeks its a massive pain, milions of hits on ower websites.

Servers with load of 2-3 now we have 25-30 and all with wp-login.php brute force

I know this th is old but dont have to open new one.

What i changed and not working.


SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:5000134
<Locationmatch "/wp-login.php">
# Setup brute force detection.
# React if block flag has been set.
SecRule user:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 1 h, more than 5 login attempts in 3 minutes.'"
# Setup Tracking. On a successful login, a 302 redirect is performed, a 200 indicates login failed.
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
SecRule ip:bf_counter "@gt 5" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=3600,setvar:ip.bf_counter=0"
</locationmatch>

On csf it show 2 min ban not even 5 min, i even changed bf_counter=1/180 to bf_counter=1/3600 , still the same.

I changed on CSF this values.


[*]Enable failure detection of repeated Apache mod_security rule triggers

LF_MODSEC = 5

LF_MODSEC_PERM = 3600

And it works but it dose not takes value from the mod sec rules and i whant those.