How to block automatically one webpage repeated opening?

postcd

Hello, using CSF or Fail2ban, how to block this?

Code:
31.186.250.149 - - [27/Oct/2014:11:06:36 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
31.186.250.149 - - [27/Oct/2014:11:06:37 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
31.186.250.149 - - [27/Oct/2014:11:06:38 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
31.186.250.149 - - [27/Oct/2014:11:06:40 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
31.186.250.149 - - [27/Oct/2014:11:06:41 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
31.186.250.149 - - [27/Oct/2014:11:06:42 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
31.186.250.149 - - [27/Oct/2014:11:06:43 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
31.186.250.149 - - [27/Oct/2014:11:06:44 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
31.186.250.149 - - [27/Oct/2014:11:06:45 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
31.186.250.149 - - [27/Oct/2014:11:06:51 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
31.186.250.149 - - [27/Oct/2014:11:06:53 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
31.186.250.149 - - [27/Oct/2014:11:06:54 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
31.186.250.149 - - [27/Oct/2014:11:06:55 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
31.186.250.149 - - [27/Oct/2014:11:06:56 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
31.186.250.149 - - [27/Oct/2014:11:06:58 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
31.186.250.149 - - [27/Oct/2014:11:06:59 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
31.186.250.149 - - [27/Oct/2014:11:07:00 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
31.186.250.149 - - [27/Oct/2014:11:07:01 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
31.186.250.149 - - [27/Oct/2014:11:07:02 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
31.186.250.149 - - [27/Oct/2014:11:07:03 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
31.186.250.149 - - [27/Oct/2014:11:07:04 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
31.186.250.149 - - [27/Oct/2014:11:07:05 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
31.186.250.149 - - [27/Oct/2014:11:07:06 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
31.186.250.149 - - [27/Oct/2014:11:07:07 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
31.186.250.149 - - [27/Oct/2014:11:07:08 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
31.186.250.149 - - [27/Oct/2014:11:07:10 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
31.186.250.149 - - [27/Oct/2014:11:07:11 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
31.186.250.149 - - [27/Oct/2014:11:07:13 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
31.186.250.149 - - [27/Oct/2014:11:07:14 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
31.186.250.149 - - [27/Oct/2014:11:07:15 -0400] "POST /wp-login.php HTTP/1.0" 500 26 "-" "-"
31.186.250.149 - - [27/Oct/2014:11:07:22 -0400] "POST /wp-login.php HTTP/1.0" 500 26 "-" "-"
31.186.250.149 - - [27/Oct/2014:11:07:36 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
31.186.250.149 - - [27/Oct/2014:11:07:25 -0400] "POST /wp-login.php HTTP/1.0" 500 26 "-" "-"
31.186.250.149 - - [27/Oct/2014:11:07:28 -0400] "POST /wp-login.php HTTP/1.0" 500 26 "-" "-"
31.186.250.149 - - [27/Oct/2014:11:07:30 -0400] "POST /wp-login.php HTTP/1.0" 500 26 "-" "-"
31.186.250.149 - - [27/Oct/2014:11:07:37 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
31.186.250.149 - - [27/Oct/2014:11:07:33 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
31.186.250.149 - - [27/Oct/2014:11:07:39 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
31.186.250.149 - - [27/Oct/2014:11:07:45 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
31.186.250.149 - - [27/Oct/2014:11:07:46 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
31.186.250.149 - - [27/Oct/2014:11:07:47 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
I mean automatically, not one time this IP. Thank you
 

quizknows

Just use a ModSecurity rule.

Code:
SecRule REQUEST_METHOD "POST"  "deny,status:401,id:5000130,chain,msg:'wp-login request blocked, no referer'"
SecRule &HTTP_REFERER "@eq 0" "chain"
SecRule REQUEST_URI "wp-login.php"
This will deny any POST to wp-login.php which does not have a referring URL (Any real user will submit their login with a proper HTTP referrer).

If you have CSF/LFD, once that rule is in place, the LF_MODSEC option in csf will block repeat offenders.
 

postcd

quizknows:
Thanks for the idea. When I applied this rule, I got this from /var/log/lfd.log:
Code:
Oct 28 12:03:23 host1 lfd[24192]: (mod_security) mod_security (id:5000130) triggered by 104.194.12.145 (US/United States/-): 5 in the last 3600 secs - *Blocked in csf* [LF_MODSEC]
and from modsec_audit.log, many IP relevant entries like:
Code:
blog.mydomain.info 104.194.12.145 - - [28/Oct/2014:12:03:23 --0400] "POST /wp-login.php HTTP/1.0" 401 17 "-" "-" [email protected]@S2u2hR0AAFfXip8AAAAE "-" /mycpanelusername/20141028/20141028-1203/[email protected]@S2u2hR0AAFfXip8AAAAE 0 1255 md5:1505e6425defcaaa2a20ad794dc78ac5
So it appears it is working. I'm only unsure if it would be better to filter out all requests, not only ones without a referrer.
 

quizknows

If you filter out all of them (even if there is a referrer) then nobody will be able to log into WordPress at all. Some bots use a referrer to look more legitimate, but many omit it, which is why I use this particular rule to drop many of the attacks.
 

postcd

Thanks. Does anyone know how I can use CSF or Fail2ban to block any webpage requests just based on the number of requests for one page per time period? I mean, looking at the log output in my first post, you could put anything else in place of wp-login.php, and some ultimate CSF/Fail2ban rule would block if one page is loaded like 50 times in 120 seconds by 1 IP.
 

quizknows

It might be possible with custom LFD regex, but that's a serious pain. The only CSF options for Apache rate limiting are for 404s or 403s being returned, not 200s. Best of luck.
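
The threshold asked about above (one page loaded 50 times in 120 seconds by one IP) is a sliding-window count per IP and path. As an added example, not part of the original thread and not CSF or Fail2ban code, this Python script runs that check over access-log lines; `parse`, `find_offenders` and the sample log are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache common/combined log line: client IP, timestamp, method and request target.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*"')

def parse(line):
    """Return (ip, path_without_query, aware_datetime), or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, stamp, _method, target = m.groups()
    try:
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return ip, target.split("?", 1)[0], when

def find_offenders(lines, limit=50, window=120):
    """Return {(ip, path): peak} for pairs reaching `limit` hits within `window` seconds."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            hits[rec[:2]].append(rec[2].timestamp())
    offenders = {}
    for key, times in hits.items():
        times.sort()  # entries are logged at request completion, so order is not guaranteed
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] >= window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= limit:
            offenders[key] = peak
    return offenders

def sample_log():
    """Constructed sample: one client POSTing every 2 s, one normal visitor, one junk line."""
    lines = ['198.51.100.7 - - [27/Oct/2014:11:%02d:%02d -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"'
             % (6 + s // 60, s % 60) for s in range(0, 120, 2)]
    lines[10], lines[11] = lines[11], lines[10]  # out-of-order pair, as in the log in the first post
    lines.append('203.0.113.9 - - [27/Oct/2014:11:06:40 -0400] "GET /wp-login.php?action=x HTTP/1.1" 200 2048 "-" "Mozilla/5.0"')
    lines.append("truncated garbage line")
    return lines

if __name__ == "__main__":
    print(find_offenders(sample_log()))
```

The returned IPs would still have to be handed to the firewall separately; the script only reports which (IP, path) pairs crossed the threshold.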
 

tui

Hello, how to apply this rule on the new version of cPanel? When I try to save it I get this:

Code:
Error: The rule is invalid. Apache returned the following error: Syntax error on line 1 of -c/-C directives: SecRule takes two or three arguments, rule target, operator and optional action list
If I try to add this other rule:

Code:
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},id:5000134
<Locationmatch "/wp-login.php">
SecRule ip:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes.'"
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
SecRule ip:bf_counter "@gt 10" "t:none,setvar:ip.bf_block=1,expirevar:ip.bf_block=300,setvar:ip.bf_counter=0"
</locationmatch>
I got this other similar error:
Code:
Error: The rule is invalid. Apache returned the following error: Syntax error on line 1 of -c/-C directives: SecAction takes one argument, an action list
 

Archmactrix

I'm having difficulties using modsecurity rule for wp-login because of errors, so I'm using fail2ban.

The below is a fail2ban rule for just wp-login you could try and improve. You can of course adjust the maxretry or other options to just go for the most excessive failures to be on the safe side in a hosting environment. You will need to monitor the fail2ban log for repeated bans and ban them manually temporarily or permanently. There is also a fail2ban script to do it automatically.

WordPress failed logins ban

Create the filter file:

/etc/fail2ban/filter.d/apache-wplogin.conf

Insert:

Code:
# Fail2Ban configuration file
#
# Bans repeated failed WordPress logins
#

[Definition]
failregex = ^<HOST> .*"POST .*/wp-login\.php HTTP.*
ignoreregex =

Edit or create the jail in your customizations jail.local file:

/etc/fail2ban/jail.local

Insert and edit as you need, like the maxretry, findtime, bantime and logpath:

Code:
# WordPress failed logins ban
[apache-wplogin]
enabled = true
filter = apache-wplogin
action = iptables-multiport[name=apache-wplogin, port="http,https", protocol=tcp]
port = http,https
logpath = /usr/local/apache/logs/access_log
maxretry = 10
findtime = 3600   ; 1 hour
bantime = 86400   ; 1 day
You can add the below to the rule if you are not going to use the global ignoreip setting in your jail file:
Code:
ignoreip =
 

tui

I'm having difficulties using modsecurity rule for wp-login because of errors, so I'm using fail2ban.
Hello, Hi, Could you kindly explain how to fully implement this? Is this method fully compatible with CSF?

I was reading some blogs I found on Google, but I have my doubts about them as they are a little old

regards
 

Archmactrix

Hello, Hi, Could you kindly explain how to fully implement this? Is this method fully compatible with CSF?

I was reading some blogs I found on Google, but I have my doubts about them as they are a little old

regards
My post gave only information about fail2ban filter and the jail for repeated wp-login failures. This will work if you have or install fail2ban, but you need to customize the options for your needs and also improve the filter and the jail.

Fail2Ban can be used with or without CSF if you have it installed.

Here is a link to a cPanel forum post on the use of CSF and Fail2Ban that might be helpful.

The user has created a custom action for CSF just like you can create custom filter and jail.
 