The Community Forums


wordpress brute-force protection via mod_sec rules with nginx installed - working solution?

Discussion in 'Security' started by mitya4004, Sep 27, 2013.

  1. mitya4004

    mitya4004 Member

    Joined:
    Dec 30, 2008
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    1
    Has anyone tried this rule set?

    http://www.frameloss.org/2011/07/29/stopping-brute-force-logins-against-wordpress/

    I have Apache 2.2.25 and mod_sec 2.6.4 with nginx as front-end and mod_realip2 for correcting the REMOTE_ADDR issue.


    But those rules determine my server IP as the IP of the attacker.

    In the mod_sec audit log I find this info (111.211.111.73 is my server IP, 111.175.7.163 is my real IP):

    --b5d14d22-A--
    [27/Sep/2013:10:02:01 +0400] UkUfWV-Th4oAABEmtYwAAAAE 111.211.111.73 21108 111.211.111.73 80
    --b5d14d22-B--
    POST /wp-login.php HTTP/1.0
    Host: outmax.ru
    X-Real-IP: 111.175.7.163
    X-Forwarded-For: 111.175.7.163
    Connection: close
    Content-Length: 120
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    DNT: 1
    Referer: [Removed]
    Cookie: PHPSESSID=630a291c7c01f923d7745817d0b19f45; wordpress_test_cookie=WP+Cookie+check
    Cache-Control: max-age=0
    Content-Type: application/x-www-form-urlencoded


    In the internal database that these rules create I have only one entry, with the server IP:

    CREATE_TIME       1380261568
    UPDATE_COUNTER    1
    bf_counter        1
    LAST_UPDATE_TIME  1380261568
    111.211.111.73


    So I conclude that mod_sec can determine the IP correctly, but something goes wrong..

    Any ideas about this?
     
    #1 mitya4004, Sep 27, 2013
    Last edited by a moderator: Sep 27, 2013
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    648
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    I have not personally used that ruleset. Have you tried temporarily disabling Nginx to determine if you experience the same issue with the standard Apache installation?

    Thank you.
     
  3. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    The question here is what IP does your normal apache log show?

    See how the modsec data has the "real" IP under "X-Forwarded-For"? This means Apache is seeing the proxy IP of nginx as the visitor, but that visit carries the original IP in the forwarded-for header. I know there is a way to configure around this so that the Apache logs use the "X-Forwarded-For" IP as the visitor IP rather than the IP of the host running the nginx reverse proxy. I think it may have to do with mod zeus that was used for load balancers or something similar to that. Basically, it's not a problem with modsec, and there should be a way to fix it, but I don't recall the exact way. This might help you:

    proxy - how to make nginx and apache work together for showing the real client IP? - Stack Overflow
     
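The two observations above (the original post's collection holding a single entry for the server's own IP, and the note that Apache sees nginx as the visitor while the real address rides in X-Forwarded-For) can be reproduced offline. The following is an added example, not code from the thread or from the frameloss.org ruleset: it parses audit-log entries in the format posted above, resolves the client address the way a proxy-aware rule would (trusting X-Forwarded-For only when the TCP peer is the known nginx instance, and taking the hop that nginx appended rather than anything the client supplied), and counts wp-login.php POSTs per key. The trusted-proxy list and the addresses 203.0.113.9, 198.51.100.7 and 10.0.0.1 are constructed for the example; 111.211.111.73 and 111.175.7.163 are the ones from the post.

```python
import ipaddress
import re
from collections import Counter

# Assumption for this example: the only reverse proxy in front of Apache is the
# nginx instance on the server's own address quoted in the thread.
TRUSTED_PROXIES = {"111.211.111.73"}

A_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<uid>\S+) (?P<remote>\S+) (?P<rport>\d+) "
                    r"(?P<local>\S+) (?P<lport>\d+)$")
SECTION = re.compile(r"^--[0-9a-f]+-([A-Z])--$")


def audit_entry(uid, remote_addr, xff, method="POST"):
    """Build a constructed mod_security audit-log entry (sections A and B) in the
    layout posted in the thread; 'remote_addr' is the TCP peer Apache saw."""
    return (
        f"--{uid}-A--\n"
        f"[27/Sep/2013:10:02:01 +0400] UkUfWV-Th4oAABEmtYwAAAAE {remote_addr} 21108 111.211.111.73 80\n"
        f"--{uid}-B--\n"
        f"{method} /wp-login.php HTTP/1.0\n"
        "Host: outmax.ru\n"
        f"X-Forwarded-For: {xff}\n"
        "Connection: close\n"
        "Content-Type: application/x-www-form-urlencoded\n"
    )


# Constructed sample: the posted request, two more attempts from another client
# behind nginx (one carrying a client-supplied leading hop), a GET that is not a
# login attempt, and a request that reached Apache directly with a forged header.
SAMPLE_ENTRIES = [
    audit_entry("b5d14d22", "111.211.111.73", "111.175.7.163"),
    audit_entry("b5d14d23", "111.211.111.73", "10.0.0.1, 203.0.113.9"),
    audit_entry("b5d14d24", "111.211.111.73", "203.0.113.9"),
    audit_entry("b5d14d25", "111.211.111.73", "203.0.113.9", method="GET"),
    audit_entry("b5d14d26", "198.51.100.7", "111.175.7.163"),
]


def parse_audit_entry(text):
    """Split one audit-log entry into the peer address (section A), the request
    line and a lower-cased header dict (section B)."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    a = A_LINE.match(next(l for l in sections["A"] if l.strip()))
    if a is None:
        raise ValueError("unparseable section A")
    b = [l for l in sections["B"] if l.strip()]
    method, path, _ = b[0].split(" ", 2)
    headers = {}
    for line in b[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"remote_addr": a.group("remote"), "method": method,
            "path": path, "headers": headers}


def client_ip(remote_addr, headers, trusted_proxies):
    """Address a per-client counter should be keyed on. X-Forwarded-For is only
    honoured when the peer is a trusted proxy; the rightmost hop not belonging
    to a proxy is the one the proxy itself appended, earlier hops are whatever
    the client chose to send."""
    if remote_addr not in trusted_proxies:
        return remote_addr
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            continue
        if hop not in trusted_proxies:
            return hop
    return remote_addr


def login_attempts_by_ip(entries, trusted_proxies, resolve=True):
    """Count POSTs to /wp-login.php per key. resolve=False keys on REMOTE_ADDR,
    which is what a rule using initcol:ip=%{REMOTE_ADDR} sees behind a proxy."""
    counts = Counter()
    for text in entries:
        e = parse_audit_entry(text)
        if e["method"] != "POST" or e["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        key = client_ip(e["remote_addr"], e["headers"], trusted_proxies) if resolve else e["remote_addr"]
        counts[key] += 1
    return counts


if __name__ == "__main__":
    print("keyed on REMOTE_ADDR:", dict(login_attempts_by_ip(SAMPLE_ENTRIES, TRUSTED_PROXIES, resolve=False)))
    print("keyed on resolved client:", dict(login_attempts_by_ip(SAMPLE_ENTRIES, TRUSTED_PROXIES)))
```

Keyed on REMOTE_ADDR every attempt that came through nginx lands under 111.211.111.73, which is exactly the single-entry collection shown in the first post; keyed on the resolved address the attempts separate per client, and the direct request with a forged header stays attributed to its real peer because the header is ignored unless a trusted proxy sent it.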
  4. mitya4004

    mitya4004 Member

    Joined:
    Dec 30, 2008
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    1
    Apache correctly determines the IP of the visitor - we use mod_rpaf for it (that is already described in that article).

    In the mod_sec logs the correct IP of the visitor is also determined.

    But in fact that rule set blocks only the server IP...

    If we disable nginx, that rule set works correctly.

    I suppose the problem is somewhere around "mod_rpaf + mod_security".

    It would be great if cPanel updated mod_sec so we can test it on the latest version - or maybe we find another solution for it..
     
  5. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    That makes sense, it may have to do with the processing phase of the rule. Good luck.
     