sahostking

Well-Known Member
May 15, 2012
Cape Town, South Africa
cPanel Access Level
Root Administrator
Hi guys,

As a shared host we have mod_security installed with the Atomic rules, which pick all of this up. However, these constant hits on the rules do seem to slow down the server if they occur on more than one site at a time. It looks like it happens every 2 to 3 seconds.

Code:
194.226.8.168 - - [17/Jun/2015:12:21:00 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:21.0) Gecko/20140815 Firefox/32.0"
37.218.187.41 - - [17/Jun/2015:12:20:59 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_4_6; en-US) AppleWebKit/587.16 (KHTML, like Gecko) Chrome/10.0.468.226 Safari/586.16"
92.62.78.160 - - [17/Jun/2015:12:21:11 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Opera/9.80 (Windows NT 6.1; U; ru) Presto/2.9.93 Version/10.4"
178.126.39.170 - - [17/Jun/2015:12:21:12 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Opera/9.80 (Windows NT 6.1; U; ru) Presto/2.5.47 Version/12.7"
164.127.202.17 - - [17/Jun/2015:12:21:14 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:20.0) Gecko/20110101 Firefox/10.0"
77.120.149.232 - - [17/Jun/2015:12:21:02 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Opera/9.80 (Windows NT 6.1; U; ru) Presto/2.2.223 Version/11.3"
178.120.99.159 - - [17/Jun/2015:12:21:01 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:22.0) Gecko/20130815 Firefox/14.0"
77.120.149.232 - - [17/Jun/2015:12:21:02 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:9.0) Gecko/20110815 Firefox/31.0"
77.120.149.232 - - [17/Jun/2015:12:21:02 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Opera/9.80 (Windows NT 6.1; U; ru) Presto/2.5.176 Version/10.8"
178.124.23.225 - - [17/Jun/2015:12:21:08 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Mozilla/5.0 (X11; U; Linux i686; cs-CZ; rv:1.5.13) Gecko/20100929"
109.228.209.210 - - [17/Jun/2015:12:21:08 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/22.0"
77.120.149.232 - - [17/Jun/2015:12:21:03 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20120101 Firefox/6.0"
145.255.173.22 - - [17/Jun/2015:12:21:10 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:3.0) Gecko/20130101 Firefox/5.0"
95.58.184.28 - - [17/Jun/2015:12:21:16 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:7.0) Gecko/20130815 Firefox/6.0"
186.213.75.109 - - [17/Jun/2015:12:21:19 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20140101 Firefox/4.0"
95.58.184.28 - - [17/Jun/2015:12:21:16 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Opera/9.80 (Windows NT 6.1; U; ru) Presto/2.5.226 Version/11.4"
14.168.179.230 - - [17/Jun/2015:12:21:19 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Opera/9.80 (Windows NT 6.1; U; ru) Presto/2.1.249 Version/10.7"
 
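As an added illustration (not code from either poster), the Python script below parses a few of the access-log lines quoted above and slides a time window over the wp-login.php POSTs. It shows why a per-IP threshold like the CSF rule discussed later in the thread only catches the source that repeats (77.120.149.232 here), while the distributed part of the flood is visible only as the number of distinct IPs per window. The sample lines are copied from the log above with user-agent strings shortened; the GET line and the 10.0.0.5 address are constructed noise.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: a subset of the access-log lines quoted in the thread above,
# with user-agent strings shortened, plus one ordinary GET as non-attack noise.
SAMPLE_LOG = """\
37.218.187.41 - - [17/Jun/2015:12:20:59 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Mozilla/5.0"
194.226.8.168 - - [17/Jun/2015:12:21:00 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Mozilla/5.0"
77.120.149.232 - - [17/Jun/2015:12:21:02 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Opera/9.80"
77.120.149.232 - - [17/Jun/2015:12:21:02 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Mozilla/5.0"
77.120.149.232 - - [17/Jun/2015:12:21:03 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Mozilla/5.0"
92.62.78.160 - - [17/Jun/2015:12:21:11 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Opera/9.80"
95.58.184.28 - - [17/Jun/2015:12:21:16 +0200] "POST /wp-login.php HTTP/1.0" 200 1637 "http://sitename/wp-login.php" "Mozilla/5.0"
10.0.0.5 - - [17/Jun/2015:12:21:17 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Apache combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse(line):
    """Return (ip, datetime, method, path, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])

def login_posts(log_text):
    """(ip, timestamp) for every POST to wp-login.php, sorted by time."""
    events = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec[2] == "POST" and rec[3] == "/wp-login.php":
            events.append((rec[0], rec[1]))
    return sorted(events, key=lambda e: e[1])

def analyse(log_text, window=timedelta(seconds=10), per_ip_limit=3):
    """Sliding window over login POSTs. Returns (flagged, peak_distinct): IPs with
    >= per_ip_limit hits inside one window (what a per-IP block catches) and the
    most distinct IPs seen in one window (the distributed part it cannot)."""
    events = login_posts(log_text)
    flagged, peak_distinct = set(), 0
    for i, (_, start) in enumerate(events):
        counts = Counter(ip for ip, ts in events[i:] if ts - start <= window)
        flagged.update(ip for ip, n in counts.items() if n >= per_ip_limit)
        peak_distinct = max(peak_distinct, len(counts))
    return flagged, peak_distinct
```

Running `analyse(SAMPLE_LOG)` on the sample flags only 77.120.149.232 while reporting three distinct attacking IPs in the busiest 10-second window; raising `per_ip_limit` to 4 flags nothing at all, which is the situation the original poster describes.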

postcd

Well-Known Member
Oct 22, 2010
You may also consider allowing only certain IPs on the wp-login.php page and returning 403 to the rest of the IPs:
Add the following to your .htaccess file in your WP site root directory (usually public_html):
<Files wp-login.php>
Order deny,allow
Deny from All
Allow from xxx.xxx.xxx.xxx
Allow from yyy.yyy.yyy.yyy
</Files>
Add your IP instead of xxx.xxx*****

I'm also using Config Server Firewall; it is capable of blocking many bulk IP tries and also IPs that are getting too many 403 or 401 errors, even "Network class C 1*.*.*.0/24 has been blocked", so CSF can maybe block a /24 subnet too (probably not your case).

I'm also using this mod security rule to deny with 401 accesses without a referer:
SecRule REQUEST_METHOD "POST" "deny,status:401,id:5000130,nolog,chain,msg:'wp-login request blocked, no referer'"
SecRule &HTTP_REFERER "@eq 0" "chain"
SecRule REQUEST_URI "wp-login.php"
PS: Doesn't the code "200" in the access log you showed mean that this visit was not denied (by mod security or by the htaccess rule)?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Did all that already. Got CSF and already have a rule like that. But still, because it's constantly different IPs, I guess there is nothing that can be done unless it hits the file from the same IP a certain number of times.
Hello,

You may also want to consult with your provider to see if there are any steps they can take to help prevent this type of attack from the network level.

Thank you.