wp-login.php and mod security

NabiKAZ

Member
Jun 18, 2007
6
0
51
Referring to this thread, wp-login.php and mod security

And using the mod sec rules suggested by the very helpful @quizknows

I have a similar issue to @rregister - all rules work fine - but not the brute force detection.

Just wondering if you managed to solve this?

Here are my rules in modsec/modsec2.user.conf
- using EA4 / CENTOS 6.9 x86_64 cPanel & WHM build 64

Code:
SecUploadDir /tmp
SecTmpDir /tmp
SecDataDir /tmp
SecRequestBodyAccess On

#Block WP logins with no referring URL
<LocationMatch "/wp-login.php">
SecRule REQUEST_METHOD "POST"  "deny,status:401,id:5000130,chain,msg:'wp-login request blocked, no referer'"
SecRule &HTTP_REFERER "@eq 0"
</LocationMatch>

#Wordpress Brute Force detection
SecAction "phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},id:5000134"
<LocationMatch "/wp-login.php">
# Setup brute force detection.
# React if block flag has been set.
SecRule ip:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 15 minutes, more than 10 login attempts in 3 minutes.'"
# Setup Tracking.  On a successful login, a 302 redirect is performed, a 200 indicates login failed.
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
SecRule ip:bf_counter "@gt 10" "t:none,setvar:ip.bf_block=1,expirevar:ip.bf_block=900,setvar:ip.bf_counter=0"
</LocationMatch>
#900 = block for 15 minutes

# check bots by user agent and match to included file
# block bad bots
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile /etc/apache2/conf.d/blackbots.txt" "id:980001,rev:1,severity:2,log,msg:'Bot Rule: Black Bot detected.'"

#XMLRPC block
SecRule REQUEST_LINE "POST .*xmlrpc.*" "pass,initcol:ip=%{REMOTE_ADDR},setvar:ip.maxlimit=+1,deprecatevar:ip.maxlimit=1/600,nolog,id:350201"
SecRule IP:MAXLIMIT "@gt 10" "log,deny,id:350202,msg:'wp-xmlrpc: denying %{REMOTE_ADDR} (%{ip.maxlimit} connection attempts)'"
Thanks for any advice!


On the "CLOUDLINUX 7.6 kvm [server] v74.0.12 Load Averages: 2.79 3.35 4.15"

I put your code in the "/usr/local/apache/conf/modsec2.user.conf" file.

But it didn't resolve the problem.

- Removed -

Can you help me?
 
Last edited by a moderator:

dstana

Well-Known Member
Jul 6, 2016
72
8
8
Phoenix, AZ
cPanel Access Level
Root Administrator
I have a server that's getting hosed with Wordpress related spam (wp-login and xmlrpc). I've tried using these modsec rules:

Code:
#Block WP logins with no referring URL
<LocationMatch "/wp-login.php">
SecRule REQUEST_METHOD "POST"  "deny,status:401,id:5000130,chain,msg:'wp-login request blocked, no referer'"
SecRule &HTTP_REFERER "@eq 0"
</LocationMatch>

#Wordpress Brute Force detection
SecAction "phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},id:5000134"
<LocationMatch "/wp-login.php">
# Setup brute force detection.
# React if block flag has been set.
SecRule ip:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes.'"
# Setup Tracking.  On a successful login, a 302 redirect is performed, a 200 indicates login failed.
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
SecRule ip:bf_counter "@gt 10" "t:none,setvar:ip.bf_block=1,expirevar:ip.bf_block=300,setvar:ip.bf_counter=0"
</LocationMatch>
However, grepping through the apache log, none of these rules get any hits. I do have a couple rules that are working and show in the modsec hit list:

Code:
SecRule REQUEST_METHOD "POST" "deny,status:401,id:5000901,chain,msg:'wp-login request blocked, no referer'"
SecRule &HTTP_REFERER "@eq 0" "chain"
SecRule REQUEST_URI "wp-login.php"

SecRule REQUEST_METHOD "POST" "deny,status:401,id:5000900,chain,msg:'xmlrpc request blocked, no referer'"
SecRule &HTTP_REFERER "@eq 0" "chain"
SecRule REQUEST_URI "xmlrpc.php"
I need some relief here and I'm not sure what else to do. Thanks for your help.
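One way to see what the wp-login.php rule chain posted in both of the posts above should be doing before chasing why it logs no hits, as an added example that is not part of the thread, cPanel or ModSecurity: a Python replay of rules 5000130 and 5000134-5000137 over Apache combined-format access-log lines. It models `deprecatevar:ip.bf_counter=1/180` as "the counter drops by one per full 180 s since its last update" (an assumption about ModSecurity's exact timing), takes the success/failure signal from the 302/200 status exactly as the rule comments describe, and uses a 900 s block as in the first post (pass `block_seconds=300` for the second post's version). The `WpLoginTracker` class, the addresses, timestamps and log lines are all constructed for this example. Feeding a slice of the real access log through it and comparing with the modsec audit log tells you whether the gap is in the logic (note the block only trips on the eleventh failure inside the decay window) or in the deployment.

```python
import re
from datetime import datetime, timedelta

# Apache "combined" log format: ip ident user [ts] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


class WpLoginTracker:
    """Offline model of the thread's wp-login.php rule chain (hypothetical helper).

    threshold     <- ip:bf_counter "@gt 10"
    decay_period  <- deprecatevar:ip.bf_counter=1/180 (assumed: -1 per full 180 s)
    block_seconds <- expirevar:ip.bf_block=900 (300 in the second post)
    """

    def __init__(self, threshold=10, decay_period=180, block_seconds=900):
        self.threshold = threshold
        self.decay = timedelta(seconds=decay_period)
        self.block_for = timedelta(seconds=block_seconds)
        self._counter = {}      # ip -> (bf_counter value, time of last update)
        self._block_until = {}  # ip -> time at which bf_block expires

    def counter(self, ip, now):
        """bf_counter for ip after applying the modelled decay."""
        value, last = self._counter.get(ip, (0, now))
        return max(0, value - int((now - last) / self.decay))

    def is_blocked(self, ip, now):
        return ip in self._block_until and now < self._block_until[ip]

    def process(self, line):
        """Verdict the rule set would reach for one log line; None if it never applies."""
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith("/wp-login.php"):
            return None  # outside <LocationMatch "/wp-login.php">
        ip, now = m["ip"], datetime.strptime(m["ts"], TIME_FMT)
        if self.is_blocked(ip, now):          # rule 5000135: flag set -> 401
            return "deny-blocked"
        if m["method"] == "POST" and m["referer"] in ("", "-"):
            return "deny-no-referer"          # rule 5000130 chain; "-" = header absent
        if m["status"] == "302":              # rule 5000136: login succeeded
            self._counter[ip] = (0, now)
            return "login-ok-reset"
        if m["status"] == "200":              # rule 5000137 chain: login failed
            value = self.counter(ip, now) + 1
            if value > self.threshold:
                self._block_until[ip] = now + self.block_for
                self._counter[ip] = (0, now)
                return "block"
            self._counter[ip] = (value, now)
            return "count"
        return "ignore"                       # other statuses touch no variable


def build_sample_log():
    """Constructed log lines (not from the thread); RFC 5737 documentation addresses."""
    base = datetime.strptime("18/Jun/2017:10:00:00 +0000", TIME_FMT)
    ref = "http://example.test/wp-login.php"

    def line(ip, offset, method, path, status, referer):
        ts = (base + timedelta(seconds=offset)).strftime(TIME_FMT)
        return (f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 '
                f'"{referer}" "Mozilla/5.0 (constructed)"')

    lines = [line("203.0.113.5", 10 * i, "POST", "/wp-login.php", 200, ref)
             for i in range(12)]                  # 12 failures 10 s apart
    lines.append(line("203.0.113.5", 200, "POST", "/wp-login.php", 200, ref))  # still blocked
    lines.append(line("198.51.100.7", 210, "POST", "/wp-login.php", 200, "-"))  # no Referer
    lines.append(line("192.0.2.9", 220, "POST", "/wp-login.php", 200, ref))     # one miss...
    lines.append(line("192.0.2.9", 230, "POST", "/wp-login.php", 302, ref))     # ...then success
    lines += [line("203.0.113.77", 300 + 10 * i, "POST", "/wp-login.php", 200, ref)
              for i in range(5)]                  # 5 failures, then a 400 s pause
    lines.append(line("203.0.113.77", 740, "POST", "/wp-login.php", 200, ref))
    lines.append(line("192.0.2.9", 800, "GET", "/index.php", 200, "-"))         # not in scope
    return lines


def replay(lines, **kwargs):
    """Replay lines through a fresh tracker; returns (tracker, verdict per line)."""
    tracker = WpLoginTracker(**kwargs)
    return tracker, [tracker.process(entry) for entry in lines]


if __name__ == "__main__":
    log = build_sample_log()
    tracker, verdicts = replay(log)
    for entry, verdict in zip(log, verdicts):
        print(f"{str(verdict):16} {entry[:60]}")
```

In the constructed log the first address is counted ten times and blocked on its eleventh failure, the scripted POST without a Referer is refused outright, the genuine user's single miss is wiped by the 302, and the slow attacker's five failures decay to three across the 400 s gap before the sixth is added. To replay real traffic, read `access_log` lines into `replay()` instead of `build_sample_log()`; the 401s that a working deployment would write are exactly the lines this model labels `deny-*`.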
 

dstana

Well-Known Member
Jul 6, 2016
72
8
8
Phoenix, AZ
cPanel Access Level
Root Administrator
Hello @dstana,

I moved your post into the existing thread on this topic. Let us know if the previous posts help.

Thank you.
Idk what for, apparently no one monitors or responds to these kind of questions on the forum. I have POST and GET requests to wp-login.php and xmlrpc.php out the wazoo and I haven't had a single hit on any of the modsec rules I posted above. Care to weigh in?