Preventing brute force attack on WordPress and Joomla website

Discussion in 'Security' started by prakashnplink, Aug 30, 2015.

  1. prakashnplink

    prakashnplink Active Member

    cPanel Access Level:
    Root Administrator
    Hello,

    I have used the ModSecurity rule list for cPanel and installed the OWASP vendor through WHM. There are rules which we can turn OFF and ON. I have turned all rules ON. My question is how to turn ON the brute force attack prevention mode, because I do not see it in the OWASP vendor rules for cPanel (https://documentation.cpanel.net/display/CKB/OWASP ModSecurity CRS)?

    In one post I saw that we can remove the hash ('#') from /usr/local/apache/conf/modsec_vendor_configs/OWASP/modsecurity_crs_10_setup.conf and put the login page name there.
    Code:
    #
    # -- [[ Brute Force Protection ]] ---------------------------------------------------------
    #
    # If you are using the Brute Force Protection rule set, then uncomment the following
    # lines and set the following variables:
    # - Protected URLs: resources to protect (e.g. login pages) - set to your login page
    # - Burst Time Slice Interval: time interval window to monitor for bursts
    # - Request Threshold: request # threshold to trigger a burst
    # - Block Period: temporary block timeout
    #
    #SecAction "id:'900014', phase:request, nolog, pass, t:none, setvar:'tx.brute_force_protected_urls=#/login.jsp# #/partner_login.php#', setvar:'tx.brute_force_burst_time_slice=60', setvar:'tx.brute_force_counter_threshold=10', setvar:'tx.brute_force_block_timeout=300'"
    
    I have tried it but it didn't work. Below is what I did.
    1. Go to https://github.com/SpiderLabs/owasp-modsecurity-crs/tree/master/experimental_rules and copy modsecurity_crs_11_brute_force.conf to /usr/local/apache/conf/modsec_vendor_configs/OWASP/rules/
    2. Load the file in /usr/local/apache/conf/modsec2.cpanel.conf
    3. Open the following file and edit it
    Code:
    # vi /usr/local/apache/conf/modsec_vendor_configs/OWASP/modsecurity_crs_10_setup.conf
    
    replaced the following
    Code:
    SecAction "id:'900014', phase:request, nolog, pass, t:none, setvar:'tx.brute_force_protected_urls=#/login.jsp# #/partner_login.php#', setvar:'tx.brute_force_burst_time_slice=60', setvar:'tx.brute_force_counter_threshold=10', setvar:'tx.brute_force_block_timeout=300'"
    
    with
    Code:
    SecAction "id:'900014', phase:request, nolog, pass, t:none, setvar:'tx.brute_force_protected_urls=#/wp-login.php# #/administrator/index.php#', setvar:'tx.brute_force_burst_time_slice=60', setvar:'tx.brute_force_counter_threshold=5', setvar:'tx.brute_force_block_timeout=300'"
    
    restarted Apache
     
  2. 24x7server

    24x7server Well-Known Member

    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hello :),

    Can you please try to use the following ModSecurity rule on your server for brute force attacks.

    Code:
    # Phase 1: load the two per-client collections the rules below read and write.
    # Both are keyed on the client address; "user" only carries the block flag.
    SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:4900000
    <LocationMatch "/wp-login.php">
            # If the block flag is set for this client, refuse the request with 401.
            SecRule user:bf_block "@gt 0" "deny,status:401,log,severity:'2',id:4900001,msg:'Wordpress Brute Force: IP blocked for 5 minutes, more than 15 login attempts in 3 minutes'"
            # WordPress answers a successful login with a 302 redirect: reset the failure counter.
            SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
            # A 200 means the login form was served again (failed attempt): count it,
            # let the counter decay by 1 every 180 s, and if it has passed 15 ...
            SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
            # ... set the block flag for 300 s and start counting again from zero.
            SecRule ip:bf_counter "@gt 15" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
    </LocationMatch>
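
The rule set in the reply above is easy to misread on the timing side (when the 401s start, whether a correct password gets through during the block, how fast the counter decays). The following is an added example, written for this thread and not code from 24x7server, cPanel or the ModSecurity project: a small offline model of the same setvar / deprecatevar / expirevar arithmetic, replayed over a constructed login timeline. It assumes the deprecatevar decay is measured from the last time the ip collection was stored (one full 180 s interval per decrement) and that a request denied in phase 2 leaves the collections untouched; the IP addresses, timestamps and backend status codes are made up for the illustration.

```python
"""Offline model of the wp-login.php brute-force rule set above.

Added illustration, not ModSecurity's own code: it reproduces the
setvar / deprecatevar / expirevar arithmetic closely enough to show when a
client starts and stops receiving 401s. All IPs, timestamps and backend
status codes below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional

COUNTER_THRESHOLD = 15   # SecRule ip:bf_counter "@gt 15"
DECAY_SECONDS = 180      # deprecatevar:ip.bf_counter=1/180
BLOCK_SECONDS = 300      # expirevar:user.bf_block=300


@dataclass
class IpState:
    bf_counter: int = 0
    last_update: Optional[int] = None  # LAST_UPDATE_TIME of the stored ip collection
    block_until: Optional[int] = None  # user.bf_block exists until this time


class BruteForceModel:
    """One instance stands in for the ip/user collections keyed on REMOTE_ADDR."""

    def __init__(self) -> None:
        self.ips: dict[str, IpState] = {}

    def request(self, ts: int, ip: str, backend_status: int) -> int:
        """Process one request to /wp-login.php; return the status the client sees."""
        st = self.ips.setdefault(ip, IpState())

        # Phase 2: `user:bf_block "@gt 0"` denies with 401. expirevar drops the
        # flag 300 s after it was set, so the deny stops applying after that.
        if st.block_until is not None and ts < st.block_until:
            return 401  # assumption: a denied request does not touch the collections
        st.block_until = None

        # Phase 5: the rules key on RESPONSE_STATUS. WordPress answers a good
        # login with a 302 redirect; a 200 means the form was served again.
        if backend_status == 302:
            st.bf_counter = 0                            # setvar:ip.bf_counter=0
        elif backend_status == 200:
            st.bf_counter += 1                           # setvar:ip.bf_counter=+1
            if st.last_update is not None:
                # deprecatevar: minus 1 for every full 180 s since the
                # collection was last stored (assumed model of the decay)
                elapsed = ts - st.last_update
                st.bf_counter = max(0, st.bf_counter - elapsed // DECAY_SECONDS)
            if st.bf_counter > COUNTER_THRESHOLD:        # chained rule fires
                st.block_until = ts + BLOCK_SECONDS      # setvar + expirevar on user.bf_block
                st.bf_counter = 0                        # setvar:ip.bf_counter=0
        st.last_update = ts                              # collection stored at end of request
        return backend_status


def sample_events() -> list[tuple[int, str, int]]:
    """Constructed traffic: (timestamp, client ip, status the backend would return)."""
    attacker, user = "203.0.113.7", "198.51.100.2"
    events = [(t, attacker, 200) for t in range(17)]     # 17 wrong passwords, one per second
    events += [
        (100, attacker, 302),   # correct password guessed, but inside the block window
        (320, attacker, 200),   # the block set at t=15 expired at t=315
        (321, attacker, 200),
        (5, user, 200),         # a real user mistypes once ...
        (6, user, 302),         # ... then logs in; their counter goes back to 0
    ]
    return sorted(events)


def run_scenario() -> list[tuple[int, str, int]]:
    """Replay the sample events in time order; return (ts, ip, status seen by client)."""
    model = BruteForceModel()
    return [(ts, ip, model.request(ts, ip, status)) for ts, ip, status in sample_events()]


if __name__ == "__main__":
    for ts, ip, status in run_scenario():
        print(f"t={ts:4d} {ip:14s} -> {status}")
```

Three things the replay makes visible: the 16th failed attempt is still answered by WordPress, because the deny rule runs in phase 2 before the phase 5 counter update sets the flag, and only the 17th request gets the 401; a correct password sent during the 300 s block is rejected as well, since the rule keys on the client address rather than the credentials; and in this model the decay is tied to the collection's last store, so a slow stream of failures (one every 180 s) is never counted up, while anything faster than that eventually trips the threshold. Because the key is the client IP, users behind a shared NAT are blocked together with the attacker.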