[Closed] Comodo Waf brute force rules issues

Status
Not open for further replies.

mistwang

LiteSpeed Staff
#22
For the one request that triggered the logging, does it return 403? Please check the audit_log.
You may need to set SecDebugLogLevel to 9 and check the detailed debug logging, and flood it with "POST" requests to the login URL.

Remember, the default threshold for triggering the brute force rule is pretty high: 30 "POST" requests in 60 seconds.

Better do it on a test server so you won't get too many log messages for all traffic.
 
#25
Strange, you must've changed the build after you told me to update, or there was a delay before it was available. I just force upgraded again via CLI and now it's 403'ing the brute force attempts - which is great.

Is it possible to get this to log multiple times still, so that something like CSF/LFD can pick up the repeated attempts and block the IP address at the firewall level? Right now it's 403'ing the IP address, but it still only logs a single time so CSF/LFD won't perform any action.
 

wanah

Well-Known Member
#28
I haven't been able to confirm the blockages are working yet; brute forces seem to be shared between multiple IPs so as not to go over 30 tries in 1 minute per IP:

Code:
46.165.228.144 - - [23/Aug/2014:10:21:03 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:21:03 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:21:05 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:21:08 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:21:08 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:21:11 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:21:12 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:21:14 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:21:17 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:21:16 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:21:19 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:21:20 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:21:22 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:21:25 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:21:27 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:21:31 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:21:31 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:21:33 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:21:36 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:21:38 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:21:41 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:21:52 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:21:53 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:21:58 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:21:58 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:22:01 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:22:02 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:22:04 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:22:11 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:22:13 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:22:22 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:22:23 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:22:28 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:22:28 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:22:32 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:22:34 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:22:37 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:22:37 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:22:40 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:22:41 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:22:43 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:22:46 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:22:49 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:22:52 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:22:54 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:22:58 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:22:59 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:23:03 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:23:04 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:23:08 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:23:09 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:23:13 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:23:13 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:23:17 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:23:18 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:23:20 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:23:23 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:23:24 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:23:27 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:23:28 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:23:30 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:23:33 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:23:35 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:23:33 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:23:38 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:23:39 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:23:41 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:23:42 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:23:44 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
 

wanah

Well-Known Member
#30
I will see with them about differentiating WordPress from Joomla. While WordPress with wp-login should have a lower limit, Joomla runs all its pages on index.php, so it should keep a threshold of 30.
 

wanah

Well-Known Member
#31
Hello,

Sadly, I've just had proof that the rules aren't working:

Code:
213.251.182.12 - - [29/Aug/2014:11:01:02 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
213.251.182.12 - - [29/Aug/2014:11:01:02 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
213.251.182.12 - - [29/Aug/2014:11:01:03 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
213.251.182.12 - - [29/Aug/2014:11:01:03 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
213.251.182.12 - - [29/Aug/2014:11:01:03 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
213.251.182.12 - - [29/Aug/2014:11:01:04 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
213.251.182.12 - - [29/Aug/2014:11:01:04 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
213.251.182.12 - - [29/Aug/2014:11:01:04 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
213.251.182.12 - - [29/Aug/2014:11:01:04 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
213.251.182.12 - - [29/Aug/2014:11:01:05 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
213.251.182.12 - - [29/Aug/2014:11:01:05 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
213.251.182.12 - - [29/Aug/2014:11:01:05 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
213.251.182.12 - - [29/Aug/2014:11:01:05 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
213.251.182.12 - - [29/Aug/2014:11:01:06 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
213.251.182.12 - - [29/Aug/2014:11:01:06 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
213.251.182.12 - - [29/Aug/2014:11:01:07 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
213.251.182.12 - - [29/Aug/2014:11:01:07 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
213.251.182.12 - - [29/Aug/2014:11:01:07 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
213.251.182.12 - - [29/Aug/2014:11:01:07 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
213.251.182.12 - - [29/Aug/2014:11:01:08 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
213.251.182.12 - - [29/Aug/2014:11:01:08 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
213.251.182.12 - - [29/Aug/2014:11:01:08 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
213.251.182.12 - - [29/Aug/2014:11:01:09 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
213.251.182.12 - - [29/Aug/2014:11:01:09 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
213.251.182.12 - - [29/Aug/2014:11:01:10 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
213.251.182.12 - - [29/Aug/2014:11:01:10 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
213.251.182.12 - - [29/Aug/2014:11:01:10 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
213.251.182.12 - - [29/Aug/2014:11:01:11 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
213.251.182.12 - - [29/Aug/2014:11:01:11 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
213.251.182.12 - - [29/Aug/2014:11:01:11 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
213.251.182.12 - - [29/Aug/2014:11:01:12 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
213.251.182.12 - - [29/Aug/2014:11:01:12 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
213.251.182.12 - - [29/Aug/2014:11:01:12 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
213.251.182.12 - - [29/Aug/2014:11:01:12 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
213.251.182.12 - - [29/Aug/2014:11:01:13 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
213.251.182.12 - - [29/Aug/2014:11:01:13 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
213.251.182.12 - - [29/Aug/2014:11:01:13 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
213.251.182.12 - - [29/Aug/2014:11:01:14 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
213.251.182.12 - - [29/Aug/2014:11:01:14 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
213.251.182.12 - - [29/Aug/2014:11:01:14 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
213.251.182.12 - - [29/Aug/2014:11:01:15 +0200] "POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"
As you can see, there are more than 30 attempts from the same IP in one minute. This attack had been going on for a few hours without being blocked.
 
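The two failure modes in this thread can be checked directly from the access log: an IP that exceeds the quoted default of 30 POSTs to wp-login.php in 60 seconds (post #31), and attempts spread across several IPs that each stay under that limit (post #28). The script below is an added example, not code from the thread, LiteSpeed or the Comodo rule set; the sample log lines are constructed in the same layout as the ones posted, and the `analyse` function replays them through a sliding 60-second window both per IP and across all IPs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Access-log format as posted in the thread (referrer and user-agent are "-").
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
THRESHOLD = 30   # default rule quoted in the thread: 30 POSTs ...
WINDOW = 60      # ... within 60 seconds

def parse(line):
    """Return (ip, timestamp, method, path, status) or None for a non-matching line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def analyse(lines, login_path="/wp-login.php", threshold=THRESHOLD, window=WINDOW):
    """Replay log lines through a sliding window and return
    (ips_over_limit, distributed_hits): IPs that alone exceed the per-IP rule,
    and the (ip, time) points where all IPs together exceed it while none does alone."""
    per_ip = defaultdict(deque)   # timestamps of recent POSTs per client IP
    everyone = deque()            # timestamps of recent POSTs from all IPs
    ips_over_limit, distributed_hits = set(), []
    for line in lines:
        rec = parse(line)
        if rec is None or rec[2] != "POST" or rec[3] != login_path:
            continue
        ip, when = rec[0], rec[1]
        for q in (per_ip[ip], everyone):
            q.append(when)
            while (when - q[0]).total_seconds() >= window:  # drop entries outside window
                q.popleft()
        if len(per_ip[ip]) > threshold:
            ips_over_limit.add(ip)               # the per-IP rule should have fired here
        elif len(everyone) > threshold:
            distributed_hits.append((ip, when))  # invisible to a per-IP counter
    return ips_over_limit, distributed_hits

def _line(ip, second):
    # Constructed sample line in the same layout as the thread's access log.
    return (f'{ip} - - [29/Aug/2014:11:01:{second:02d} +0200] '
            f'"POST /wp-login.php HTTP/1.1" 200 4049 "-" "-"')

# Constructed: one IP sending 31 POSTs in 11 seconds (the post #31 situation).
SINGLE_IP = [_line("192.0.2.10", s // 3) for s in range(31)]
# Constructed: two IPs alternating, 20 POSTs each in 40 seconds (the post #28 situation).
SPLIT_IPS = [_line("198.51.100.1" if i % 2 else "198.51.100.2", i) for i in range(40)]
```

Running `analyse` over a real access log (one line per list element) shows whether the per-IP rule should have fired, and whether the aggregate count would have caught a split attack that the per-IP counter cannot see.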

wanah

Well-Known Member
#32