Denied brutforce wp-login.php

[nyanhost]

Hello!

I want to block the brutforce scripts inquiries to "wp-login.php".
[23/Feb/2014:08:42:24 +0100] "POST /wp-login.php HTTP/1.0" 200 2818

I use ModSecurity without ASL and another added software!

I created rules:

SecAuditLogType Concurrent
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:5000134
<Locationmatch "/wp-login.php">
    # Setup brute force detection.

    # React if block flag has been set.
    SecRule user:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes.'"

    # Setup Tracking.  On a successful login, a 302 redirect is performed, a 200 indicates login failed.
    SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
    SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
    SecRule ip:bf_counter "@gt 10" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
</locationmatch>

But I receive in error_log Apache:

ModSecurity: Audit log: Failed to create subdirectories: logs/20140223/20140223-0846 (Permission denied)
ModSecurity: collection_retrieve_ex: Unable to retrieve collection (name "user", key "94.137.52.133"). Use SecDataDir to define data directory first.

I don't know name directory for SecDataDir...

Also I am using mod_Ruid2 + DSO

 

[24x7server]

Hello,

You will have to setup SecDataDir path in modsec2.conf file. Edit modsec2.conf and add:

SecDataDir /tmp

Also you can disable wp-login through httpd conf file of all domain

Edit /usr/local/apache/conf/httpd.conf and add the following near the other <Files></Files> lines:

<Files ~ "^wp-login.php">
Order allow,deny
Deny from all
 
Satisfy All
</Files>
ErrorDocument 403 "Not acceptable"

Restart Apache.

 

[bltst2]

I had pretty good success with Fail2Ban. Very easy implementation. I wrote a blog post on it here:

Preventing WordPress Brute Force Attacks with Fail2Ban

 

[cPanelMichael]

Hello

WordPress has an official document on blocking brute force attacks that might interest you:

Brute Force Attacks « WordPress Codex

Thank you.

 

[quizknows]

RUID2 breaks the hell out of modsecurity. This is because the running HTTPD procs have different users, and thus, the logs can't be properly owned for modsecurity/apache.

If you need modsec (which honestly, everyone does, it's downright foolish to not use it), then I don't recommend using RUID2 unless you're comfortable with 777 logs and some other "workarounds." At this time it's much more compatible to use cloudlinux, suphp, cagefs, and a normal modsec implementation.

The main issue I've seen is when one domain creates a log or dir for modsec tmp data, that domains user takes ownership of the file (because of how RUID2 works). This ends up making it so that other domains cannot properly log or store tmp data for modsecurity.

 

[rhenderson]

We are using the Mod Security rule as listed above, but most of the hackers are wise to this so the attacks are distributed through a range of IP's. One of the best plugins we have seen recently (and we recommend to our users) is called Login Security Solutions it is an interesting plugin that throttles the attacker to a crawl. On the sites we manage it has helped. We also created a script to run to check the amount of incorrect logins

#!/bin/bash

grep -R "wp-login.php" /usr/local/apache/domlogs/* | grep "POST" | awk -F: '{ print $2 }' | awk '{print $1}' | sort | uniq -c | sort -n

We were shocked that someone could slowly attack and not get firewall from the Mod Security rule (like the above) but continue to attack as slow as molasses, this was going on before we added the Login Security Solutions plugin. We ban the IP's that have over 10 attempts.

 

[ladis]

we are using plugins like Hide WP and it can hide login page, there is couple of free plugins like this as well.

 

[F-X]

I know that protection from the server as modsecurity can be better.
But sometimes not all people have access to the server as an administrator.

So the only solution I've found on different servers is to use these plugins: Wordfence Security and Easy Captcha (with reCaptcha).