Denied brutforce wp-login.php

nyanhost

Active Member
Nov 4, 2013
28
0
1
cPanel Access Level
Root Administrator
Hello!

I want to block the brutforce scripts inquiries to "wp-login.php".
[23/Feb/2014:08:42:24 +0100] "POST /wp-login.php HTTP/1.0" 200 2818

I use ModSecurity without ASL and another added software!

I created rules:
Code:
SecAuditLogType Concurrent
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:5000134
<Locationmatch "/wp-login.php">
    # Setup brute force detection.

    # React if block flag has been set.
    SecRule user:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes.'"

    # Setup Tracking.  On a successful login, a 302 redirect is performed, a 200 indicates login failed.
    SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
    SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
    SecRule ip:bf_counter "@gt 10" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
</locationmatch>
But I receive in error_log Apache:
Code:
ModSecurity: Audit log: Failed to create subdirectories: logs/20140223/20140223-0846 (Permission denied)
ModSecurity: collection_retrieve_ex: Unable to retrieve collection (name "user", key "94.137.52.133"). Use SecDataDir to define data directory first.
I don't know name directory for SecDataDir...

Also I am using mod_Ruid2 + DSO :(
 
Last edited:

24x7server

Well-Known Member
Apr 17, 2013
1,907
95
78
India
cPanel Access Level
Root Administrator
Hello,

You will have to setup SecDataDir path in modsec2.conf file. Edit modsec2.conf and add:

Code:
SecDataDir /tmp
Also you can disable wp-login through httpd conf file of all domain

Edit /usr/local/apache/conf/httpd.conf and add the following near the other <Files></Files> lines:

Code:
<Files ~ "^wp-login.php">
Order allow,deny
Deny from all
 
Satisfy All
</Files>
ErrorDocument 403 "Not acceptable"
Restart Apache.
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
RUID2 breaks the hell out of modsecurity. This is because the running HTTPD procs have different users, and thus, the logs can't be properly owned for modsecurity/apache.

If you need modsec (which honestly, everyone does, it's downright foolish to not use it), then I don't recommend using RUID2 unless you're comfortable with 777 logs and some other "workarounds." At this time it's much more compatible to use cloudlinux, suphp, cagefs, and a normal modsec implementation.

The main issue I've seen is when one domain creates a log or dir for modsec tmp data, that domains user takes ownership of the file (because of how RUID2 works). This ends up making it so that other domains cannot properly log or store tmp data for modsecurity.
 
Last edited:

rhenderson

Well-Known Member
Apr 21, 2005
785
2
168
Oklahoma
cPanel Access Level
Root Administrator
We are using the Mod Security rule as listed above, but most of the hackers are wise to this so the attacks are distributed through a range of IP's. One of the best plugins we have seen recently (and we recommend to our users) is called Login Security Solutions it is an interesting plugin that throttles the attacker to a crawl. On the sites we manage it has helped. We also created a script to run to check the amount of incorrect logins
#!/bin/bash

grep -R "wp-login.php" /usr/local/apache/domlogs/* | grep "POST" | awk -F: '{ print $2 }' | awk '{print $1}' | sort | uniq -c | sort -n
We were shocked that someone could slowly attack and not get firewall from the Mod Security rule (like the above) but continue to attack as slow as molasses, this was going on before we added the Login Security Solutions plugin. We ban the IP's that have over 10 attempts.
 

F-X

Member
Feb 17, 2012
8
2
51
cPanel Access Level
Reseller Owner
I know that protection from the server as modsecurity can be better.
But sometimes not all people have access to the server as an administrator.

So the only solution I've found on different servers is to use these plugins: Wordfence Security and Easy Captcha (with reCaptcha).