The Community Forums


Denied bruteforce wp-login.php

Discussion in 'Security' started by nyanhost, Feb 23, 2014.

  1. nyanhost (Active Member, cPanel Access Level: Root Administrator)
    Hello!

    I want to block brute-force script requests to "wp-login.php".
    [23/Feb/2014:08:42:24 +0100] "POST /wp-login.php HTTP/1.0" 200 2818

    I use ModSecurity without ASL or any other added software!

    I created rules:
    Code:
    SecAuditLogType Concurrent
    SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:5000134
    <LocationMatch "/wp-login.php">
        # Setup brute force detection.

        # React if block flag has been set.
        SecRule user:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes.'"

        # Setup Tracking.  On a successful login, a 302 redirect is performed, a 200 indicates login failed.
        SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
        SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
        SecRule ip:bf_counter "@gt 10" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
    </LocationMatch>
    
    But I receive this in the Apache error_log:
    Code:
    ModSecurity: Audit log: Failed to create subdirectories: logs/20140223/20140223-0846 (Permission denied)
    ModSecurity: collection_retrieve_ex: Unable to retrieve collection (name "user", key "94.137.52.133"). Use SecDataDir to define data directory first.
    
    I don't know which directory name to use for SecDataDir...

    Also I am using mod_Ruid2 + DSO :(
     
    #1 nyanhost, Feb 23, 2014
    Last edited: Feb 23, 2014
  2. 24x7server (Well-Known Member, Location: India, cPanel Access Level: Root Administrator)
    Hello,

    You will have to set up the SecDataDir path in the modsec2.conf file. Edit modsec2.conf and add:

    Code:
    SecDataDir /tmp
    Also, you can disable wp-login through the httpd conf file for all domains.

    Edit /usr/local/apache/conf/httpd.conf and add the following near the other <Files></Files> lines:

    Code:
    # Refuse every request for wp-login.php on all vhosts (Apache 2.2 access syntax)
    <Files ~ "^wp-login\.php">
    Order allow,deny
    Deny from all
    Satisfy All
    </Files>
    ErrorDocument 403 "Not acceptable"
    Restart Apache.
     
  3. bltst2 (Member)
  4. cPanelMichael (Forums Analyst, Staff Member, cPanel Access Level: Root Administrator)
  5. quizknows (Well-Known Member, cPanel Access Level: DataCenter Provider)
    RUID2 breaks the hell out of modsecurity. This is because the running HTTPD procs have different users, and thus the logs can't be properly owned for modsecurity/apache.

    If you need modsec (which honestly, everyone does; it's downright foolish to not use it), then I don't recommend using RUID2 unless you're comfortable with 777 logs and some other "workarounds." At this time it's much more compatible to use cloudlinux, suphp, cagefs, and a normal modsec implementation.

    The main issue I've seen is when one domain creates a log or dir for modsec tmp data, that domain's user takes ownership of the file (because of how RUID2 works). This ends up making it so that other domains cannot properly log or store tmp data for modsecurity.
     
    #5 quizknows, Feb 24, 2014
    Last edited: Feb 24, 2014
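A check for the ownership symptom quizknows describes, added here as an example (it is not code from the thread or from cPanel): it walks the SecDataDir and lists files whose owner is not the user Apache runs as, which is what you would look for after a mod_ruid2 process has created a collection file on behalf of one account. The Apache user name (nobody) and the use of /tmp (the SecDataDir suggested earlier in the thread) are assumptions to replace with the User and SecDataDir values from your own httpd configuration; demo() builds a constructed directory so the scan can be exercised without root.

```python
"""Report files under ModSecurity's SecDataDir that are not owned by the
Apache user. Under mod_ruid2 a collection file created while serving one
account ends up owned by that account's user, and other vhosts can then no
longer update it. Example code, not from the thread or from cPanel."""
import os
import pwd
import tempfile


def find_foreign_owned(data_dir, expected_uid):
    """Return sorted [(path, owner_uid)] for files not owned by expected_uid."""
    foreign = []
    for root, _dirs, files in os.walk(data_dir):
        for name in files:
            path = os.path.join(root, name)
            st = os.lstat(path)            # lstat: never follow symlinks here
            if st.st_uid != expected_uid:
                foreign.append((path, st.st_uid))
    return sorted(foreign)


def check_secdatadir(data_dir="/tmp", apache_user="nobody"):
    """Resolve the Apache user to a uid and scan data_dir.
    Both defaults are assumptions for this example: use the SecDataDir value
    and the User directive from your own httpd configuration."""
    expected_uid = pwd.getpwnam(apache_user).pw_uid
    return find_foreign_owned(data_dir, expected_uid)


def demo():
    """Constructed tree of two files owned by the current user. Returns the
    number of foreign-owned files when the expected uid is ours (0) and when
    it is some other uid (2)."""
    tmp = tempfile.mkdtemp(prefix="secdatadir-demo-")
    for name in ("ip.pag", "user.pag"):    # constructed file names
        with open(os.path.join(tmp, name), "w") as fh:
            fh.write("constructed placeholder\n")
    mine = os.getuid()
    return (len(find_foreign_owned(tmp, mine)),
            len(find_foreign_owned(tmp, mine + 1)))


if __name__ == "__main__":
    for path, uid in check_secdatadir():
        print("%s is owned by uid %d, not the Apache user" % (path, uid))
```

Run it against the real SecDataDir as root; any file it lists is one that a request served under a different user will fail to open for writing, which is the "Unable to retrieve collection" failure mode in the first post.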
  6. rhenderson (Well-Known Member, Location: Oklahoma, cPanel Access Level: Root Administrator)
    We are using the Mod Security rule as listed above, but most of the hackers are wise to this, so the attacks are distributed through a range of IPs. One of the best plugins we have seen recently (and we recommend to our users) is called Login Security Solutions; it is an interesting plugin that throttles the attacker to a crawl. On the sites we manage it has helped. We also created a script to run to check the amount of incorrect logins.
    We were shocked that someone could slowly attack and not get firewalled by the Mod Security rule (like the above) but continue to attack as slow as molasses; this was going on before we added the Login Security Solutions plugin. We ban the IPs that have over 10 attempts.
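The rule from the first post and rhenderson's slow-attacker observation, replayed in Python as an added example (not code from the thread or from cPanel): it parses combined-format access-log lines like the one nyanhost quoted, emulates the per-IP counter (+1 per failed login, reset on 302, decaying by 1 every 180 s, a 300 s block once it exceeds 10) as an approximation of the deprecatevar/expirevar semantics, and separately totals failed logins per IP the way a log-scanning script with an "over 10 attempts" ban threshold would. The addresses, timestamps and log lines are constructed for the example, and the status in each line is taken as what the application would have returned.

```python
"""Replay access-log lines against an emulation of the ModSecurity brute-force
rule from the first post and, separately, count total failed logins per IP.
Example code, not from the thread or from cPanel."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined/common log format: ip ident user [ts] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

THRESHOLD = 10                       # SecRule ip:bf_counter "@gt 10"
DECAY = timedelta(seconds=180)       # deprecatevar:ip.bf_counter=1/180
BLOCK_FOR = timedelta(seconds=300)   # expirevar:user.bf_block=300


def parse_line(line):
    """Return (ip, datetime, method, path, status) or None if not parseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return (m.group("ip"), ts, m.group("method"), m.group("path"),
            int(m.group("status")))


class IpState:
    def __init__(self):
        self.counter = 0            # ip.bf_counter
        self.last_decay = None      # when the deprecatevar tick last ran
        self.blocked_until = None   # expiry of user.bf_block


def replay(lines):
    """Emulate the rule. Returns ([(ip, 'allowed'|'denied'), ...], {ip: failed})."""
    state = defaultdict(IpState)
    failed = defaultdict(int)
    decisions = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, now, method, path, status = rec
        if method != "POST" or path != "/wp-login.php":
            continue
        st = state[ip]
        # deprecatevar: drop the counter by 1 for every full 180 s elapsed
        if st.last_decay is None:
            st.last_decay = now
        steps = (now - st.last_decay) // DECAY
        if steps:
            st.counter = max(0, st.counter - steps)
            st.last_decay += steps * DECAY
        # phase 2: deny while the block flag has not expired
        if st.blocked_until is not None and now < st.blocked_until:
            decisions.append((ip, "denied"))
            continue
        decisions.append((ip, "allowed"))
        # phase 5: a 302 means the login succeeded, a 200 means it failed
        if status == 302:
            st.counter = 0
        elif status == 200:
            st.counter += 1
            failed[ip] += 1
            if st.counter > THRESHOLD:
                st.blocked_until = now + BLOCK_FOR
                st.counter = 0
    return decisions, dict(failed)


def summarize(lines, ban_over=THRESHOLD):
    """Per-IP report: rule decisions plus the cumulative 'over N attempts' ban."""
    decisions, failed = replay(lines)
    report = {}
    for ip, verdict in decisions:
        r = report.setdefault(ip, {"allowed": 0, "denied": 0,
                                   "failed_logins": 0, "ban": False})
        r[verdict] += 1
    for ip, n in failed.items():
        report[ip]["failed_logins"] = n
        report[ip]["ban"] = n > ban_over
    return report


def make_line(ip, when, status):
    # Constructed log line in the format of the one quoted in the first post
    return '%s - - [%s] "POST /wp-login.php HTTP/1.0" %d 2818' % (
        ip, when.strftime(TS_FMT), status)

# Constructed sample traffic (addresses from documentation ranges)
T0 = datetime.strptime("23/Feb/2014:08:42:24 +0100", TS_FMT)
FAST_IP, SLOW_IP, USER_IP = "198.51.100.7", "203.0.113.10", "192.0.2.5"
SAMPLE = (
    [make_line(FAST_IP, T0 + timedelta(seconds=5 * i), 200) for i in range(12)]     # burst
    + [make_line(SLOW_IP, T0 + timedelta(seconds=200 * i), 200) for i in range(15)]  # slow
    + [make_line(USER_IP, T0 + timedelta(seconds=30), 200),
       make_line(USER_IP, T0 + timedelta(seconds=45), 302)])                        # real user
SAMPLE.sort(key=lambda l: parse_line(l)[1])

if __name__ == "__main__":
    for ip, r in sorted(summarize(SAMPLE).items()):
        print(ip, r)
```

Running it shows the burst attacker being denied only from its 12th request (the 11th failure is what sets the flag), the slow attacker at one attempt per 200 s never pushing the counter above 1 and so never being blocked by the rule while still exceeding the cumulative ban threshold, and the legitimate user's 302 clearing its counter. A cumulative count like rhenderson's catches the slow case; a lower decay rate or a longer window in the rule would as well.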
     
  7. ladis (Registered, cPanel Access Level: Root Administrator)
    We are using plugins like Hide WP, which can hide the login page; there are a couple of free plugins like this as well.
     
  8. F-X (Member, cPanel Access Level: Reseller Owner)
    I know that protection at the server level, such as ModSecurity, can be better.
    But sometimes not all people have access to the server as an administrator.

    So the only solution I've found on different servers is to use these plugins: Wordfence Security and Easy Captcha (with reCaptcha).
     