With a LOT of clients using WordPress, we're getting hammered with brute force login activity that generates additional server load. Joomla use causes some as well, but not quite as bad (for now).
I was looking into using snort to combat this, but on CloudLinux 5 there are so many dependencies on libraries I can't get installed to get the latest snort source compiled. I think even if I did, I might have to do manual work to each wordpress site to get snort tracking the activity anyway. I'd rather have a global solution.
I've noticed that all the brute force traffic seems to have no referrer. I can't think of a case where a legit POST request would have no referer. I've written a script that runs every minute via cron and checks all users' apache logs that have been modified in the last minute, and blackholes any IP that is POSTing, isn't local, and has no referer. (I could use mod_security for this, but this lets me blackhole the IP entirely from any access to the server.)
My concern is whether a legit POST with no referer is common. The RFC suggests it might be okay in some cases. The section covering POST requests has a final sentence that says "See section 15.1.3 for security considerations", which contains:
15.1.3 Encoding Sensitive Information in URI's
Because the source of a link might be private information or might reveal an otherwise private information source, it is strongly recommended that the user be able to select whether or not the Referer field is sent. For example, a browser client could have a toggle switch for browsing openly/anonymously, which would respectively enable/disable the sending of Referer and From information.
Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol.
In addition to blackholing immediately when finding a POST with no referrer, I'm also checking for POST frequency to URIs with wp-login.php, wp-admin, /administrator/index.php, etc. when there is a referer, and blocking on heavy activity (with a threshold set high enough to hopefully not block legitimate traffic.) I suppose if POST requests with no referer are common enough, I could stop the immediate block and instead perhaps include a heavier weight to those requests when deciding to block on frequency.
At any rate, I thought I'd pose this question and see what other folks think about the legitimacy of POST requests with no referer. Thanks in advance for any feedback you can provide!
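As an added example (not the poster's cron script), here is the core of the detection logic described above in Python, run over constructed Apache combined-format log lines: it returns the non-local IPs that POST with no Referer, and the IPs whose Referer-bearing POSTs to the login URIs named in the post exceed a frequency threshold. The "local" networks, the threshold and the sample addresses are assumptions; the actual blackholing (firewall rule) is left to the caller.

```python
import re
import ipaddress
from collections import Counter

# Apache "combined" format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)
# Login endpoints named in the post; the networks and threshold are assumptions.
LOGIN_PATHS = ("/wp-login.php", "/wp-admin", "/administrator/index.php")
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_local(ip):
    """True for loopback and RFC 1918 addresses, which are never blocked."""
    try:
        return any(ipaddress.ip_address(ip) in net for net in LOCAL_NETS)
    except ValueError:          # a hostname was logged instead of an address
        return False

def classify(lines, threshold=10):
    """Return (no_referer, too_frequent): non-local IPs that POST with no Referer,
    and non-local IPs whose Referer-bearing POSTs to login paths exceed threshold."""
    no_referer, login_posts = set(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or is_local(m["ip"]):
            continue            # malformed line, not a POST, or our own network
        if m["referer"] in ("", "-"):       # Apache logs a missing header as "-"
            no_referer.add(m["ip"])
        elif m["uri"].split("?", 1)[0].startswith(LOGIN_PATHS):
            login_posts[m["ip"]] += 1
    too_frequent = {ip for ip, n in login_posts.items() if n > threshold}
    return no_referer, too_frequent

def _entry(ip, method, uri, referer):
    """Build one constructed combined-format log line for the demo."""
    return (f'{ip} - - [10/Oct/2013:13:55:36 -0700] "{method} {uri} HTTP/1.1" '
            f'200 512 "{referer}" "Mozilla/5.0"')

# Constructed sample log using documentation addresses, not real clients.
SAMPLE_LOG = [
    _entry("203.0.113.5", "POST", "/wp-login.php", "-"),             # blackhole
    _entry("10.0.0.9", "POST", "/wp-login.php", "-"),                # local: ignored
    _entry("198.51.100.2", "GET", "/wp-login.php", "-"),             # GET: ignored
    _entry("198.51.100.3", "POST", "/wp-login.php?redirect_to=/wp-admin/",
           "http://example.com/wp-login.php"),                       # one POST: fine
] + [_entry("192.0.2.44", "POST", "/administrator/index.php",
            "http://example.com/administrator/") for _ in range(12)]  # heavy: block
```

Calling `classify(SAMPLE_LOG)` yields `({'203.0.113.5'}, {'192.0.2.44'})`; raising the threshold or adding a weight for no-Referer POSTs, as the post suggests, only changes the final two lines of `classify`.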