
How to block automatically one webpage repeated opening?

Discussion in 'Security' started by postcd, Oct 27, 2014.

  1. postcd

    postcd Well-Known Member

    Hello, using CSF or Fail2ban, how to block this?

    Code:
    31.186.250.149 - - [27/Oct/2014:11:06:36 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
    31.186.250.149 - - [27/Oct/2014:11:06:37 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
    31.186.250.149 - - [27/Oct/2014:11:06:38 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
    31.186.250.149 - - [27/Oct/2014:11:06:40 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
    31.186.250.149 - - [27/Oct/2014:11:06:41 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
    31.186.250.149 - - [27/Oct/2014:11:06:42 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
    31.186.250.149 - - [27/Oct/2014:11:06:43 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
    31.186.250.149 - - [27/Oct/2014:11:06:44 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
    31.186.250.149 - - [27/Oct/2014:11:06:45 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
    31.186.250.149 - - [27/Oct/2014:11:06:51 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
    31.186.250.149 - - [27/Oct/2014:11:06:53 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
    31.186.250.149 - - [27/Oct/2014:11:06:54 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
    31.186.250.149 - - [27/Oct/2014:11:06:55 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
    31.186.250.149 - - [27/Oct/2014:11:06:56 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
    31.186.250.149 - - [27/Oct/2014:11:06:58 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
    31.186.250.149 - - [27/Oct/2014:11:06:59 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
    31.186.250.149 - - [27/Oct/2014:11:07:00 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
    31.186.250.149 - - [27/Oct/2014:11:07:01 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
    31.186.250.149 - - [27/Oct/2014:11:07:02 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
    31.186.250.149 - - [27/Oct/2014:11:07:03 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
    31.186.250.149 - - [27/Oct/2014:11:07:04 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
    31.186.250.149 - - [27/Oct/2014:11:07:05 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
    31.186.250.149 - - [27/Oct/2014:11:07:06 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
    31.186.250.149 - - [27/Oct/2014:11:07:07 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
    31.186.250.149 - - [27/Oct/2014:11:07:08 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
    31.186.250.149 - - [27/Oct/2014:11:07:10 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
    31.186.250.149 - - [27/Oct/2014:11:07:11 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
    31.186.250.149 - - [27/Oct/2014:11:07:13 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
    31.186.250.149 - - [27/Oct/2014:11:07:14 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
    31.186.250.149 - - [27/Oct/2014:11:07:15 -0400] "POST /wp-login.php HTTP/1.0" 500 26 "-" "-"
    31.186.250.149 - - [27/Oct/2014:11:07:22 -0400] "POST /wp-login.php HTTP/1.0" 500 26 "-" "-"
    31.186.250.149 - - [27/Oct/2014:11:07:36 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
    31.186.250.149 - - [27/Oct/2014:11:07:25 -0400] "POST /wp-login.php HTTP/1.0" 500 26 "-" "-"
    31.186.250.149 - - [27/Oct/2014:11:07:28 -0400] "POST /wp-login.php HTTP/1.0" 500 26 "-" "-"
    31.186.250.149 - - [27/Oct/2014:11:07:30 -0400] "POST /wp-login.php HTTP/1.0" 500 26 "-" "-"
    31.186.250.149 - - [27/Oct/2014:11:07:37 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
    31.186.250.149 - - [27/Oct/2014:11:07:33 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
    31.186.250.149 - - [27/Oct/2014:11:07:39 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
    31.186.250.149 - - [27/Oct/2014:11:07:45 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
    31.186.250.149 - - [27/Oct/2014:11:07:46 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
    31.186.250.149 - - [27/Oct/2014:11:07:47 -0400] "POST /wp-login.php HTTP/1.0" 200 3978 "-" "-"
    
    I mean automatically, not one time this IP. Thank you
     
  2. quizknows

    quizknows Well-Known Member

    Just use a ModSecurity rule.

    Code:
    SecRule REQUEST_METHOD "POST"  "deny,status:401,id:5000130,chain,msg:'wp-login request blocked, no referer'"
    SecRule &HTTP_REFERER "@eq 0" "chain"
    SecRule REQUEST_URI "wp-login.php"
    
    This will deny any POST to wp-login.php which does not have a referring URL (Any real user will submit their login with a proper HTTP referrer).

    If you have CSF/LFD, once that rule is in place, the LF_MODSEC option in csf will block repeat offenders.
     
  3. postcd

    postcd Well-Known Member

    quizknows:
    thanks for the idea, when I applied this rule, I got this from /var/log/lfd.log:
    Code:
    Oct 28 12:03:23 host1 lfd[24192]: (mod_security) mod_security (id:5000130) triggered by 104.194.12.145 (US/United States/-): 5 in the last 3600 secs - *Blocked in csf* [LF_MODSEC]
    and from modsec_audit.log, many IP relevant entries like:
    Code:
    blog.mydomain.info 104.194.12.145 - - [28/Oct/2014:12:03:23 --0400] "POST /wp-login.php HTTP/1.0" 401 17 "-" "-" VE@@S2u2hR0AAFfXip8AAAAE "-" /mycpanelusername/20141028/20141028-1203/20141028-120323-VE@@S2u2hR0AAFfXip8AAAAE 0 1255 md5:1505e6425defcaaa2a20ad794dc78ac5
    so it appears it is working, I'm only unsure if it would be better to filter out all requests, not only ones without referrer
     
    #3 postcd, Oct 28, 2014
    Last edited: Oct 28, 2014
  4. quizknows

    quizknows Well-Known Member

    If you filter out all of them (even if there is a referrer) then nobody will be able to log into WordPress at all. Some bots use a referrer to look more legitimate, but many omit it, which is why I use this particular rule to drop many of the attacks.
     
  5. postcd

    postcd Well-Known Member

    thx, does anyone know how I can use CSF or Fail2ban to block any webpage requests just based on the number of requests for one page per time period? I mean, looking at the log output in my first post, you could put anything else in place of wp-login.php, and some ultimate CSF/Fail2ban rule would block if one page is loaded like 50 times in 120 seconds by 1 IP
     
  6. quizknows

    quizknows Well-Known Member

    It might be possible with custom LFD regex, but that's a serious pain. The only CSF options for apache rate limiting are for 404 or 403's being returned, not 200s. Best of luck.
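
The rate rule asked for above (one page requested 50 times in 120 seconds by one IP), written out as an added example that is not part of any post in this thread and is not a CSF or Fail2ban feature. It is a sliding-window count per client and path over Apache access-log lines; the sample log and the 192.0.2.x addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Start of an Apache access-log line: client, timestamp, request path.
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<path>\S+)')

def parse(line):
    """Return (ip, path, time) or None when the line does not parse."""
    m = LINE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    # Drop the query string so /page?a=1 and /page?a=2 count as one page.
    return m["ip"], m["path"].split("?", 1)[0], ts

def find_offenders(lines, limit=50, window=120):
    """Map (ip, path) to the time its count first reached `limit` inside `window` seconds."""
    # Sort first: as in the log in the first post, entries can be out of order.
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e[2])
    recent = defaultdict(deque)  # (ip, path) -> hit times still inside the window
    flagged = {}
    span = timedelta(seconds=window)
    for ip, path, ts in events:
        hits = recent[(ip, path)]
        hits.append(ts)
        while ts - hits[0] >= span:  # expire hits older than the window
            hits.popleft()
        if len(hits) >= limit:
            flagged.setdefault((ip, path), ts)
    return flagged

def sample_log():
    """Constructed sample: one client POSTing every second, one normal visitor."""
    row = '{ip} - - [27/Oct/2014:11:06:{s:02d} -0400] "{req} HTTP/1.0" 200 3978 "-" "-"'
    noisy = [row.format(ip="192.0.2.10", s=s, req="POST /wp-login.php")
             for s in range(60)]
    noisy[10], noisy[11] = noisy[11], noisy[10]  # simulate out-of-order lines
    quiet = [row.format(ip="192.0.2.20", s=s, req="GET /index.php?p=%d" % s)
             for s in range(0, 60, 15)]
    return noisy + quiet

if __name__ == "__main__":
    for (ip, path), when in find_offenders(sample_log()).items():
        print(f"{ip} exceeded the limit on {path} at {when:%H:%M:%S}")
```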
     
  7. tui

    tui Active Member

    Hello, how to apply this rule on the new version of cPanel? When I try to save it I get this:

    Code:
    Error: The rule is invalid. Apache returned the following error: Syntax error on line 1 of -c/-C directives: SecRule takes two or three arguments, rule target, operator and optional action list
    If I try to add this other rule:

    Code:
    SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},id:5000134
    <Locationmatch "/wp-login.php">
    SecRule ip:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes.'"
    SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
    SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
    SecRule ip:bf_counter "@gt 10" "t:none,setvar:ip.bf_block=1,expirevar:ip.bf_block=300,setvar:ip.bf_counter=0"
    </locationmatch>
    I got this other similar error:
    Code:
    Error: The rule is invalid. Apache returned the following error: Syntax error on line 1 of -c/-C directives: SecAction takes one argument, an action list
     
  8. quizknows

    quizknows Well-Known Member

    The rules are syntactically correct, it may be an issue with how you are copying / pasting them.
     
  9. tui

    tui Active Member

    I tried again: copied from here and pasted into Notepad, then copied from Notepad and pasted into WHM, same errors :(
     
  10. postcd

    postcd Well-Known Member

  11. Archmactrix

    Archmactrix Well-Known Member

    I'm having difficulties using modsecurity rule for wp-login because of errors, so I'm using fail2ban.

    The below is a fail2ban rule for just wp-login you could try and improve. You can of course adjust the maxretry or other options to just go for the most excessive failures to be on the safe side in a hosting environment. You will need to monitor the fail2ban log for repeated bans and ban them manually temporarily or permanently. There is also a fail2ban script to do it automatically.

    WordPress failed logins ban

    Create the filter file:

    /etc/fail2ban/filter.d/apache-wplogin.conf

    Insert:

    Code:
    # Fail2Ban configuration file
    #
    # Bans repeated failed WordPress logins
    #
    
    [Definition]
    failregex = ^<HOST> .*"POST .*/wp-login\.php HTTP.*
    ignoreregex =

    Edit or create the jail in your customizations jail.local file:

    /etc/fail2ban/jail.local

    Insert and edit as you need, like the maxretry, findtime, bantime and logpath:

    Code:
    # WordPress failed logins ban
    [apache-wplogin]
    enabled = true
    filter = apache-wplogin
    action = iptables-multiport[name=apache-wplogin, port="http,https", protocol=tcp]
    port = http,https
    logpath = /usr/local/apache/logs/access_log
    maxretry = 10
    findtime = 3600   ; 1 hour
    bantime = 86400   ; 1 day
    You can add the below to the rule if you are not going to use the global ignoreip setting in your jail file:
    Code:
    ignoreip =
     
    #11 Archmactrix, Dec 3, 2014
    Last edited: Dec 3, 2014
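
A check of which log lines the filter in the post above counts, added here as an example and not part of the post or of Fail2ban. It compares the posted failregex with a hypothetical variant that counts only POSTs answered with 200 (the status the counter rule quoted earlier in the thread increments on, while 302 resets it). The `<HOST>` expansion is a simplified stand-in for Fail2ban's own, matching is a plain `re.search` on the full line, findtime is ignored, and the sample log is constructed.

```python
import re
from collections import Counter

# failregex from the filter in the post above.
PAGE_FAILREGEX = r'^<HOST> .*"POST .*/wp-login\.php HTTP.*'
# Hypothetical tighter variant (not from the thread): count only POSTs answered
# with 200, the status WordPress returns when it shows the login form again.
STATUS_FAILREGEX = r'^<HOST> .*"POST .*/wp-login\.php HTTP[^"]*" 200 '

def compile_failregex(failregex):
    """Expand <HOST> with a simplified stand-in for Fail2ban's host pattern."""
    return re.compile(failregex.replace("<HOST>", r"(?P<host>\S+)"))

def hosts_over_maxretry(lines, failregex, maxretry=10):
    """Return hosts with at least `maxretry` matching lines (findtime ignored)."""
    rx = compile_failregex(failregex)
    hits = Counter(m["host"] for m in map(rx.search, lines) if m)
    return sorted(h for h, n in hits.items() if n >= maxretry)

def sample_log():
    """Constructed sample, all inside one findtime window."""
    row = '{ip} - - [03/Dec/2014:10:{m:02d}:00 -0500] "{req} HTTP/1.1" {st} 3978 "-" "-"'
    # One address failing twelve logins in a row (every response is 200).
    guesser = [row.format(ip="192.0.2.10", m=m, req="POST /wp-login.php", st=200)
               for m in range(12)]
    # A shared office address: ten successful logins (302), two mistyped passwords.
    office = [row.format(ip="192.0.2.20", m=m, req="POST /blog/wp-login.php",
                         st=302 if m < 10 else 200) for m in range(12)]
    # Loading the form with GET is counted by neither regex.
    viewer = [row.format(ip="192.0.2.30", m=m, req="GET /wp-login.php", st=200)
              for m in range(12)]
    return guesser + office + viewer

if __name__ == "__main__":
    log = sample_log()
    print("posted filter bans: ", hosts_over_maxretry(log, PAGE_FAILREGEX))
    print("status variant bans:", hosts_over_maxretry(log, STATUS_FAILREGEX))
```

With the posted filter every POST to wp-login.php counts toward maxretry, so the shared address with ten successful logins is banned alongside the failing one; the status variant bans only the latter.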
  12. tui

    tui Active Member

    Hello, could you kindly explain how to fully implement this? Is this method fully compatible with CSF?

    I was reading some blogs I found on Google, but I have my doubts as they are a little old

    regards
     
  13. Archmactrix

    Archmactrix Well-Known Member

    My post gave only information about fail2ban filter and the jail for repeated wp-login failures. This will work if you have or install fail2ban, but you need to customize the options for your needs and also improve the filter and the jail.

    Fail2Ban can be used with or without CSF if you have it installed.

    Here is a link to a cPanel forum post on the use of CSF and Fail2Ban that might be helpful.

    The user has created a custom action for CSF just like you can create custom filter and jail.
     
    #13 Archmactrix, Dec 5, 2014
    Last edited: Dec 5, 2014