wordpress brutrforce protection via mod_sec rules with nginx installed - working solution?

[mitya4004]

Who try to use this rule set?

/http://www.frameloss.org/2011/07/29/stopping-brute-force-logins-against-wordpress/

I have apache 2.2.25, mod_seс 2.6.4 with nginx as front-end and mod_realip2 for REMOTE_ADDR issue correction.


But that rules determines my server IP as IP of attackers.

In mod_sec audit log i find that this info (111.211.111.73 - my server ip, 111.175.7.163 - my real IP )

--b5d14d22-A--
[27/Sep/2013:10:02:01 +0400] UkUfWV-Th4oAABEmtYwAAAAE 111.211.111.73 21108 111.211.111.73 80
--b5d14d22-B--
POST /wp-login.php HTTP/1.0
Host: outmax.ru
X-Real-IP: 111.175.7.163
X-Forwarded-For: 111.175.7.163
Connection: close
Content-Length: 120
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: [Removed]
Cookie: PHPSESSID=630a291c7c01f923d7745817d0b19f45; wordpress_test_cookie=WP+Cookie+check
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded


In internal database that this rules creates I have only one entry with server IP

CREATE_TIME
1380261568UPDATE_COUNTER1
bf_counter1LAST_UPDATE_TIME
1380261568 111.211.111.73


So I conclude that mod_sec could correctly determine IP, but something goes wrong..

Any ideas abut this?

 

[cPanelMichael]

Hello

I have not personally used that ruleset. Have you tried temporarily disabling Nginx to determine if you experience the same issue with the standard Apache installation?

Thank you.

 

[quizknows]

The question here is what IP does your normal apache log show?

See how the modsec data has the "Real" IP under "X-Forwarded-For"? this means Apache is seeing the proxy IP of nginx as the visitor, but that visit carries the original ip in the forwarded for header. I know there is a way to configure around this so that the apache logs use the "X-Forwarded-For" IP as the visitor IP rather than the IP of the host running the nginx reverse proxy. I think it my have to do with mod zeus that was used for load balancers or something similar to that. Basically, it's not a problem with modsec, and there should be a way to fix it but I don't recall the exact way. This might help you:

proxy - how to make nginx and apache work together for showing the real client IP? - Stack Overflow

 

[mitya4004]

Apache correclty determines IP of visitor - we use mod_rpaf for it (that already desribed in that article).

In mod_sec logs correct IP of visitor is also determined.

Bt in fact that rule set block only server IP...

If we disable nginx 0 we get correct work of that rules set.

I suppose that problem is around "mod_rpaf + mod_security"

It would be great if cpanel uodates mod_sec so we cah test ot on latest version - or may be we found another solution of it..

 

[quizknows]

That makes sense, it may have to do with the processing phase of the rule. Good luck.