Brute force wp-login.php modsecurity

[joaosavioli]

Hi!

Today morning I had a problem about an attack against some websties hosted in my server. This caused apache very slow and high load.

A lot of IP address (about 900 address) trying to access wp-login.php of some websites (about 20 websites), at the same time.
Do you have any way to block this using modsecurity rules?

I could found it in some threads about it, but some are to old. I´m using the last cpanel version, with easyapache4 and the new modsecurity tools.

Very thank you

Best
Joao

 

[cPanelLauren]

Hi @joaosavioli

The OWASP rulesets and what they're for are listed here OWASP ModSecurity CRS - cPanel Knowledge Base - cPanel Documentation

I would suggest reading wordpress's own tutorial for resolving these issues Brute Force Attacks « WordPress Codex they also include a link to some ModSecurity rules that can be helpful to mitigate these.

Thanks!

 

[joaosavioli]

Hello guys, thank you for replying.

I've fixed the problem with this solution on modsecurity level. It´s working fine!
WordPress ModSecurity Rules | Liquid Web Knowledge Base

Cheers!
Joao

 

[cPanelLauren]

Hi @joaosavioli

I'm glad to hear you were able to resolve the issue, thanks for letting us know what helped you!

 

[Bidi]

Hello guys, dose anyone have new rules for mod_sec ?

The one from here WordPress ModSecurity Rules dose not work proprly, it just ban ip for 5 minutes, i increased bf_block=300 to 33600 but usless.

I dont know what happen but since the last update of wordpress in the last 1-2 weeks its a massive pain, milions of hits on ower websites.

Servers with load of 2-3 now we have 25-30 and all with wp-login.php brute force

I know this th is old but dont have to open new one.

What i changed and not working.


SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:5000134
<Locationmatch "/wp-login.php">
# Setup brute force detection.
# React if block flag has been set.
SecRule user:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 1 h, more than 5 login attempts in 3 minutes.'"
# Setup Tracking. On a successful login, a 302 redirect is performed, a 200 indicates login failed.
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
SecRule ip:bf_counter "@gt 5" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=3600,setvar:ip.bf_counter=0"
</locationmatch>

On csf it show 2 min ban not even 5 min, i even changed bf_counter=1/180 to bf_counter=1/3600 , still the same.

I changed on CSF this values.


[*]Enable failure detection of repeated Apache mod_security rule triggers

LF_MODSEC = 5

LF_MODSEC_PERM = 3600

And it works but it dose not takes value from the mod sec rules and i whant those.