Mod_security rules to prevent spam registrations and comments on wordpress sites

[caisc]

Hi,

Looking for some working set of Mod_security rules to prevent spam registrations and comments on wordpress sites on cpanel server


did some search and found following set of rules -

#comments blacklist
SecAction "id:400000,phase:1,initcol:IP=%{REMOTE_ADDR},pass,nolog"
SecRule IP: spam "[USER=3202]@gt[/USER] 0" "id:400001,phase:1,chain,drop,msg:'Spam host %{REMOTE_ADDR} already blacklisted'"
SecRule REQUEST_METHOD "POST" chain
SecRule REQUEST_URI "\/wp-(comments-post|trackback).php"
SecRule REQUEST_METHOD "POST" "id:'400010',chain,drop,log,msg:'Spam host detected by zen.spamhaus.org'"
SecRule REQUEST_URI "\/wp-(comments-post|trackback).php" chain
SecRule REMOTE_ADDR "@rbl zen.spamhaus.org" "setvar:IP.spam=1,expirevar:IP.spam=604800"

But this does not seem to be working coz not a single IP was blocked, any help from experienced admins is appreciated.

Thanks

 

[quizknows]

First off, using zen to block web traffic is a really bad idea. It lists all dynamic IP space (i.e. home user ISP space) on the premise those users should not run SMTP servers, but they do browse the web normally. You will deny many legitimate users with this. You want to use SBL/XBL. Second, using a counter is pretty unnecessary here... just deny the comments is fine in my opinion.

I'd try this:

# Block POST requests based on Spamhaus sbl-xbl. Don't use zen since it lists dynamic space.
# Whitelist file too just in case.
SecRule REQUEST_URI "\/wp-(comments-post|trackback).php" "chain,id:12345,log,t:normalisePath,deny,status:411,msg:'IP on RBL: sbl-xbl.spamhaus.org'"
SecRule REQUEST_METHOD "POST" "chain"
SecRule REMOTE_ADDR "[email protected] /usr/local/apache/conf/modsec2/ip_whitelist.txt" "chain"
SecRule REMOTE_ADDR "@rbl sbl-xbl.spamhaus.org"

Create the file /usr/local/apache/conf/modsec2/ip_whitelist.txt first; you can add IP addresses to it to whitelist them in the event of false positives. It's OK to have it blank.

 

[caisc]

Thanks quizknows for your suggestions.


While trying to implement your ruleset, noticed that there is no folder "modsec2" at path /usr/local/apache/conf

Shall i create this file ip_whitelist.txt at this path /etc/apache2/conf.d/modsec/

Server runs EA4 with Cloudlinux 7

Thanks

 

[quizknows]

You can create the file anywhere apache can read it, so your proposed path is fine if you update the rule. My path was more appropriate for EA3

 

[caisc]

Got that!

quizknows are you using these rule-set that you mentioned on any production server? If yes how is the response.

Thanks

 

[mariusfv]

Try a smart approach:

1. Install CSF firewall on your server(if you already haven't done this).
2. Activate firewall and Check Server Security.
3. Go to CSF -> lfd Blocklist and activate(uncomment, remove: #) from HONEYPOT, CIARMY, TOR, OPENBL and other spam/hack database IP's of your choice.
Remember that some projects are listed on Modsecurity too(HONEYPOT) via API.
It is not recommended to activate all -> your server will need a lot of memory(RAM).
Modsecurity works together with CSF!

In that way your server will block hundreds of thousands or even millions of spammers/hackers IP's before touch your server.

 

[caisc]

Hey mariusfv!

Many thanks for the suggestion, using CSF since very long but completely missed this feature,
as of now enabled following -

STOPFORUMSPAM|86400|0|http://www.stopforumspam.com/downloads/listed_ip_1.zip
HONEYPOT|86400|0|http://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1

Do you recommend any other BL to be enabled? primary issue to deal is exploit upload and forum/comment spam

Thanks

 

[mariusfv]

HONEYPOT in the last days appear to be in maintenance mode!
I use HONEYPOT since 2007 if I remember correctly, now I use TOR and OPENBL too.
For WordPress protection I recommend you to install the WordPress plugin WordFence and a good captcha, I recommend recaptcha by Google, to stop robots post on your websites.

 

[quizknows]

Got that!

quizknows are you using these rule-set that you mentioned on any production server? If yes how is the response.

Thanks

I use them for wp-login.php and xmlrpc.php, but not for comment pages. It works well for wp-login. I may actually try the rule I gave you on my own sites now

 

[caisc]

HONEYPOT in the last days appear to be in maintenance mode!
I use HONEYPOT since 2007 if I remember correctly, now I use TOR and OPENBL too.
For WordPress protection I recommend you to install the WordPress plugin WordFence and a good captcha, I recommend recaptcha by Google, to stop robots post on your websites.

When there are 300+ wp sites on server its not possible to ask every end user to install proper plugins, as an admin you know this pain

actually I wanted to know each BL specialize in some area or they are all general, like
HONEYPOT for spammers
OPENBL for email spammers etc etc


Also how does CSF again downloads the updated ip list and at what frequency? will I have to restart CSF for this everytime.

Also thanks quizknows, do update me with your results.

 

[quizknows]

What CSF will do is count modsecurity failures by IP. if one IP trips too many warnings as set with LF_MODSEC in csf.conf it will block the IP automatically. You only need to restart CSF/LFD the first time you enable LF_MODSEC.

 

[cPanelMichael]

Hello @caisc,

Feel free to let us know the outcome after implementing any of the solutions recommended on this thread. There's also another thread where a similar topic is discussed:

SOLVED - Distributed wordpress attacks/scans

Thank you.

 

[caisc]

For wp-login brute force and xmlrpc requests I also use modsec rules they work fine.

After enabling STOPFORUMSPAM and OPENBL in CSF LFD blocklist I have noticed approx 7-10% lower load on server.
Although because of these 2 blocklist approx 11k IP were added in iptables blocklist, this eats up some resources.

Benefit is that because of reduced spam activity mysql server gets slightly more time to serve genuine requests.