Preventing brute force attacks on WordPress and Joomla websites

prakashnplink

Active Member
Apr 8, 2014
cPanel Access Level
Root Administrator
Hello,

I have used the ModSecurity rule list for cPanel and installed the OWASP vendor through WHM. There are rules which we can turn OFF and ON. I have turned all rules ON. My question is how to turn ON the brute force attack prevention mode, because I do not see it in the OWASP vendor rules for cPanel (https://documentation.cpanel.net/display/CKB/OWASP ModSecurity CRS)?

In one post I saw that we can remove the hash ('#') from /usr/local/apache/conf/modsec_vendor_configs/OWASP/modsecurity_crs_10_setup.conf and put the login page name there.
Code:
#
# -- [[ Brute Force Protection ]] ---------------------------------------------------------
#
# If you are using the Brute Force Protection rule set, then uncomment the following
# lines and set the following variables:
# - Protected URLs: resources to protect (e.g. login pages) - set to your login page
# - Burst Time Slice Interval: time interval window to monitor for bursts
# - Request Threshold: request # threshold to trigger a burst
# - Block Period: temporary block timeout
#
#SecAction "id:'900014', phase:request, nolog, pass, t:none, setvar:'tx.brute_force_protected_urls=#/login.jsp# #/partner_login.php#', setvar:'tx.brute_force_burst_time_slice=60', setvar:'tx.brute_force_counter_threshold=10', setvar:'tx.brute_force_block_timeout=300'"
I have tried it, but it didn't work. Below is what I did.
  1. Go to https://github.com/SpiderLabs/owasp-modsecurity-crs/tree/master/experimental_rules and copy modsecurity_crs_11_brute_force.conf to /usr/local/apache/conf/modsec_vendor_configs/OWASP/rules/
  2. Load the file in /usr/local/apache/conf/modsec2.cpanel.conf
  3. Open the following file and edit it
Code:
# vi /usr/local/apache/conf/modsec_vendor_configs/OWASP/modsecurity_crs_10_setup.conf
replaced the following
Code:
SecAction "id:'900014', phase:request, nolog, pass, t:none, setvar:'tx.brute_force_protected_urls=#/login.jsp# #/partner_login.php#', setvar:'tx.brute_force_burst_time_slice=60', setvar:'tx.brute_force_counter_threshold=10', setvar:'tx.brute_force_block_timeout=300'"
with
Code:
SecAction "id:'900014', phase:request, nolog, pass, t:none, setvar:'tx.brute_force_protected_urls=#/wp-login.php# #/administrator/index.php#', setvar:'tx.brute_force_burst_time_slice=60', setvar:'tx.brute_force_counter_threshold=5', setvar:'tx.brute_force_block_timeout=300'"
Restarted Apache.
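
An added check, not part of the original post and not from the OWASP CRS project: a small Python linter for the `id:'900014'` SecAction that the procedure above uncomments and edits. It is run here against constructed variants of that line (none copied from a live server) and flags the slips that make the brute force setup do nothing or keep Apache from loading the configuration: the leading `#` left in place, an unbalanced single quote in the setvar list, a protected URL written without the `#` delimiters the rule set expects, and a threshold that is not a positive integer. The function names, the regex and the sample directives are this example's own.

```python
import re
from typing import Dict, List

# Constructed inputs: the directive as it should read after editing, and two
# variants with typical slips. None of these is copied from a live server.
DIRECTIVE_OK = (
    "SecAction \"id:'900014', phase:request, nolog, pass, t:none, "
    "setvar:'tx.brute_force_protected_urls=#/wp-login.php# #/administrator/index.php#', "
    "setvar:'tx.brute_force_burst_time_slice=60', "
    "setvar:'tx.brute_force_counter_threshold=5', "
    "setvar:'tx.brute_force_block_timeout=300'\""
)
DIRECTIVE_STILL_COMMENTED = "#" + DIRECTIVE_OK
# Stray second quote after the URL list and a URL without its # delimiters.
DIRECTIVE_BAD_QUOTING = DIRECTIVE_OK.replace(
    "#/administrator/index.php#'", "/administrator/index.php''"
)

SETVAR_RE = re.compile(r"setvar:'(tx\.[a-z_]+)=([^']*)'")
NUMERIC_KEYS = (
    "tx.brute_force_burst_time_slice",
    "tx.brute_force_counter_threshold",
    "tx.brute_force_block_timeout",
)


def parse_setvars(line: str) -> Dict[str, str]:
    """Return the tx.* variables a SecAction line sets, as name -> raw value."""
    return dict(SETVAR_RE.findall(line))


def lint_brute_force_setup(line: str) -> List[str]:
    """Return the problems found in the id:'900014' setup line; an empty list means it looks usable."""
    problems: List[str] = []
    stripped = line.strip()
    if stripped.startswith("#"):
        problems.append("directive is still commented out: remove the leading '#'")
        stripped = stripped.lstrip("# ")
    if stripped.count("'") % 2:
        problems.append("odd number of single quotes: the setvar list is not parseable")
    setvars = parse_setvars(stripped)
    urls = setvars.get("tx.brute_force_protected_urls", "")
    if not urls:
        problems.append("tx.brute_force_protected_urls is missing or empty")
    for url in urls.split():
        # The brute force rule set matches the request path against this list with
        # '#' as the delimiter on both sides, so a bare path never matches anything.
        if not re.fullmatch(r"#/\S+#", url):
            problems.append(f"protected URL {url!r} must be written as #{url.strip('#')}#")
    for key in NUMERIC_KEYS:
        value = setvars.get(key)
        if value is None or not value.isdigit() or int(value) <= 0:
            problems.append(f"{key} must be a positive integer, got {value!r}")
    return problems


if __name__ == "__main__":
    for name, directive in (("ok", DIRECTIVE_OK),
                            ("still commented", DIRECTIVE_STILL_COMMENTED),
                            ("bad quoting", DIRECTIVE_BAD_QUOTING)):
        print(f"{name}: {lint_brute_force_setup(directive) or 'no problems found'}")
```

Run it on the line you actually have in modsecurity_crs_10_setup.conf before restarting Apache; a clean result does not prove the rule fires, but any reported problem is one that has to be fixed first.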
 

24x7server

Well-Known Member
Apr 17, 2013
India
cPanel Access Level
Root Administrator
Hello :),

Can you please try to use the following ModSecurity rules on your server against brute force attacks?

Code:
# Phase 1: open the ip and user collections, both keyed on the client address.
SecAction "phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:4900000"
<LocationMatch "/wp-login.php">
        # Phase 2: if the block flag is set, deny before WordPress ever sees the request.
        SecRule USER:bf_block "@gt 0" "phase:2,deny,status:401,log,severity:'2',id:4900001,msg:'Wordpress Brute Force: IP blocked for 5 minutes, more than 15 login attempts in 3 minutes'"
        # Phase 5: a 302 means the login succeeded, so reset the failure counter.
        SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
        # Phase 5: a 200 means the login form came back (a failed attempt, or a plain GET of the page).
        # Count it; deprecatevar decrements the counter by 1 every 180 s.
        SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
                # Chained: more than 15 counted failures sets the block flag for 300 s and restarts the count.
                SecRule IP:bf_counter "@gt 15" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
</LocationMatch>
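
To see how the counters in the rule set above behave over time, here is an added simulation in Python; it is not ModSecurity code and not part of 24x7server's post. It models the three pieces of state the rules use (ip.bf_counter with its deprecatevar decay, user.bf_block with its expirevar deadline, and the reset on a 302) under simplified deprecatevar semantics (subtract 1 for every full 180 s since the collection was last written), then replays three constructed request sequences from documentation-range addresses: a fast burst of failed logins, a slow trickle of one attempt every 200 s, and a run of failures interrupted by a successful login. The class and function names and the sample sequences are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Numbers taken from the posted rules.
THRESHOLD = 15              # SecRule IP:bf_counter "@gt 15"
DEPRECATE_AMOUNT = 1        # deprecatevar:ip.bf_counter=1/180: subtract 1 ...
DEPRECATE_INTERVAL = 180    # ... per full 180 s since the collection was last written (simplified)
BLOCK_SECONDS = 300         # expirevar:user.bf_block=300
BLOCK_STATUS = 401          # deny,status:401


@dataclass
class IpState:
    """What the ip= and user= collections (both keyed on REMOTE_ADDR) hold for one client."""
    counter: int = 0                      # ip.bf_counter
    block_until: Optional[float] = None   # user.bf_block together with its expirevar deadline
    last_update: Optional[float] = None   # collection LAST_UPDATE_TIME, which drives deprecatevar


class BruteForceModel:
    def __init__(self) -> None:
        self.ips: Dict[str, IpState] = {}

    def request(self, ts: float, ip: str, backend_status: int) -> int:
        """One request to /wp-login.php at time ts (seconds).

        backend_status is what WordPress would answer: 200 = the login form again
        (a failed attempt, or just a GET of the page), 302 = redirect after success.
        Returns the status the client actually receives.
        """
        st = self.ips.setdefault(ip, IpState())

        # expirevar: once the deadline passes the variable simply no longer exists.
        if st.block_until is not None and ts >= st.block_until:
            st.block_until = None

        # Phase 2 (id 4900001): USER:bf_block > 0 denies before WordPress runs.
        if st.block_until is not None:
            st.last_update = ts
            return BLOCK_STATUS

        # Phase 5 rules run after the response has been sent, keyed on RESPONSE_STATUS.
        if backend_status == 302:                      # id 5000136: success resets the counter
            st.counter = 0
        elif backend_status == 200:                    # id 5000137: count a failure ...
            st.counter += 1
            if st.last_update is not None:             # ... then apply deprecatevar
                idle = ts - st.last_update
                st.counter = max(0, st.counter - int(idle // DEPRECATE_INTERVAL) * DEPRECATE_AMOUNT)
            if st.counter > THRESHOLD:                 # chained rule: arm the block, restart the count
                st.block_until = ts + BLOCK_SECONDS
                st.counter = 0

        st.last_update = ts
        return backend_status                          # phase 5 cannot alter this response


def run(events: List[Tuple[float, str, int]]) -> List[int]:
    """Replay constructed (timestamp, ip, backend_status) events; return the observed statuses."""
    model = BruteForceModel()
    return [model.request(ts, ip, status) for ts, ip, status in events]


def fast_burst() -> List[int]:
    """Constructed: 18 failed logins 5 s apart from one address, then one more 301 s after the 16th."""
    events = [(5.0 * i, "203.0.113.10", 200) for i in range(18)]
    events.append((5.0 * 15 + BLOCK_SECONDS + 1, "203.0.113.10", 200))
    return run(events)


def slow_trickle() -> int:
    """Constructed: 40 failed logins, one every 200 s; returns how many were denied."""
    return run([(200.0 * i, "198.51.100.7", 200) for i in range(40)]).count(BLOCK_STATUS)


def success_resets() -> int:
    """Constructed: 10 failures, one successful login (302), 10 more failures; returns denials."""
    ip = "192.0.2.44"
    events = [(2.0 * i, ip, 200) for i in range(10)]
    events.append((20.0, ip, 302))
    events += [(22.0 + 2.0 * i, ip, 200) for i in range(10)]
    return run(events).count(BLOCK_STATUS)


if __name__ == "__main__":
    print("fast burst       :", fast_burst())
    print("slow trickle     :", slow_trickle(), "denied")
    print("success in middle:", success_resets(), "denied")
```

Two things the replay makes visible that the rule text does not. Because the counting happens in phase 5, the request that pushes the counter past 15 still receives its normal 200; only the next request is answered 401, and the block lifts 300 s later. And because deprecatevar only takes 1 off the counter per 180 s, a patient attacker who stays under roughly one attempt per three minutes is never blocked by this rule set, so it stops noisy bursts, not slow password spraying.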