wordpress brutrforce protection via mod_sec rules with nginx installed - working solution?

mitya4004

Member
Dec 30, 2008
11
0
51
Who try to use this rule set?

/http://www.frameloss.org/2011/07/29/stopping-brute-force-logins-against-wordpress/

I have apache 2.2.25, mod_seс 2.6.4 with nginx as front-end and mod_realip2 for REMOTE_ADDR issue correction.


But that rules determines my server IP as IP of attackers.

In mod_sec audit log i find that this info (111.211.111.73 - my server ip, 111.175.7.163 - my real IP )

--b5d14d22-A--
[27/Sep/2013:10:02:01 +0400] UkUfWV-Th4oAABEmtYwAAAAE 111.211.111.73 21108 111.211.111.73 80
--b5d14d22-B--
POST /wp-login.php HTTP/1.0
Host: outmax.ru
X-Real-IP: 111.175.7.163
X-Forwarded-For: 111.175.7.163
Connection: close
Content-Length: 120
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: [Removed]
Cookie: PHPSESSID=630a291c7c01f923d7745817d0b19f45; wordpress_test_cookie=WP+Cookie+check
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded


In internal database that this rules creates I have only one entry with server IP

CREATE_TIME
1380261568UPDATE_COUNTER1
bf_counter1LAST_UPDATE_TIME
1380261568 111.211.111.73


So I conclude that mod_sec could correctly determine IP, but something goes wrong..

Any ideas abut this?
 
Last edited by a moderator:

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
47,911
2,233
363
cPanel Access Level
DataCenter Provider
Twitter
Hello :)

I have not personally used that ruleset. Have you tried temporarily disabling Nginx to determine if you experience the same issue with the standard Apache installation?

Thank you.
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
86
78
cPanel Access Level
DataCenter Provider
The question here is what IP does your normal apache log show?

See how the modsec data has the "Real" IP under "X-Forwarded-For"? this means Apache is seeing the proxy IP of nginx as the visitor, but that visit carries the original ip in the forwarded for header. I know there is a way to configure around this so that the apache logs use the "X-Forwarded-For" IP as the visitor IP rather than the IP of the host running the nginx reverse proxy. I think it my have to do with mod zeus that was used for load balancers or something similar to that. Basically, it's not a problem with modsec, and there should be a way to fix it but I don't recall the exact way. This might help you:

proxy - how to make nginx and apache work together for showing the real client IP? - Stack Overflow
 

mitya4004

Member
Dec 30, 2008
11
0
51
Apache correclty determines IP of visitor - we use mod_rpaf for it (that already desribed in that article).

In mod_sec logs correct IP of visitor is also determined.

Bt in fact that rule set block only server IP...

If we disable nginx 0 we get correct work of that rules set.

I suppose that problem is around "mod_rpaf + mod_security"

It would be great if cpanel uodates mod_sec so we cah test ot on latest version - or may be we found another solution of it..