Joomla brute force attacks
- Thread starter stormy
- Start date
I'm testing the following rule at the moment :
Code:
# Joomla Brute Force Protection
#
<LocationMatch "/administrator/index.php">
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:00113
SecRule user:bf_block "@gt 0" "deny,status:403,log,id:00114,msg:'IP address blocked for 30 minutes. More than 15 Joomla POST requests within 3 minutes.'"
SecRule REQUEST_METHOD "^POST$" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:00115"
SecRule ip:bf_counter "@gt 15" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=1800,setvar:ip.bf_counter=0"
</LocationMatch>I've had success with what appears to be a variant of the one you posted:
Code:
<LocationMatch "/administrator/index.php">
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:00113
SecRule user:bf_block "@gt 0" "deny,status:403,log,id:00114,msg:'IP address blocked for 5 minutes. More than 3 Joomla POST requests within 10 seconds.'"
SecRule REQUEST_METHOD "^POST$" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/10,id:00115"
SecRule ip:bf_counter "@gt 3" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
</LocationMatch>Yes, I adapted that one to fit my needs. I didn't like the 3 in 10 seconds and prefered 15 in 3 minutes.
Adding just the Jooomla and the Wordpress rule reduced the load on our server by nearly half and hasn't noticibly reduced the response times. I'm quite impressed by litespeed's implementation of mod security.
Adding just the Jooomla and the Wordpress rule reduced the load on our server by nearly half and hasn't noticibly reduced the response times. I'm quite impressed by litespeed's implementation of mod security.
Hello,
The rule mentionned above created false positives.
I'm now trying the following rule that's closer to wordpress's one :
Found here :
http://forum.joomla.org/viewtopic.php?f=621&t=810233#p3159172
The rule mentionned above created false positives.
I'm now trying the following rule that's closer to wordpress's one :
Code:
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:10011
<LocationMatch /administrator/index.php>
# Setup brute force detection.
# React if block flag has been set.
SecRule user:bf_block "@gt 0" "deny,status:403,log,msg:'ip address blocked for 5 minutes, more than 15 login attempts in 3 minutes.',id:10011"
# Setup Tracking. On a successful login, a 302 redirect is performed, a 200 indicates login failed.
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:10012"
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:10013"
SecRule ip:bf_counter "@gt 15" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
</locationMatch>http://forum.joomla.org/viewtopic.php?f=621&t=810233#p3159172
The new rule is better but it still creates false positives. The problem is that many legit operations inside Joomla's administrator area cause a lot of requests, and admins get blocked.
Any ideas?
I don't think this can be solved until Litespeed can scan the response body.
It would be great to have some official comment.
Any ideas?
I don't think this can be solved until Litespeed can scan the response body.
It would be great to have some official comment.
Hello,
I've just installed Comodo WAF rules and have disabled all groups except the one that contains the 4 brute force rules.
I'm now watching for Joomla and Wordpress brute force attacks (haven't got any at the moment) and also for false possitives.
I will update this thread in a few days when I've had enough time to make sure there are no false possitives and that the brute forces don't continue.
I've just installed Comodo WAF rules and have disabled all groups except the one that contains the 4 brute force rules.
I'm now watching for Joomla and Wordpress brute force attacks (haven't got any at the moment) and also for false possitives.
I will update this thread in a few days when I've had enough time to make sure there are no false possitives and that the brute forces don't continue.
I had issues getting the rules to detect anything, that's when I noticed that the following line in modsec2.conf :
LoadFile /opt/lua/lib/liblua.so
was commented.
I uncommented it and restarted litespeed. It imediatly detected the ongoing brute force for wordpress that I had noticed but just once, almost as if detecting the brute force once made something crash in litespeed.
I'm waiting for an answer from comodo about this, but could it be a bug in the litespeed modsecurity engine ?
LoadFile /opt/lua/lib/liblua.so
was commented.
I uncommented it and restarted litespeed. It imediatly detected the ongoing brute force for wordpress that I had noticed but just once, almost as if detecting the brute force once made something crash in litespeed.
I'm waiting for an answer from comodo about this, but could it be a bug in the litespeed modsecurity engine ?
Just opened a bug report about this so not to fill up this thread :
http://www.litespeedtech.com/support/forum/threads/comodo-waf-brute-force-rules-issues.9292/
http://www.litespeedtech.com/support/forum/threads/comodo-waf-brute-force-rules-issues.9292/
Will litespeed 5 have response body support when it makes it to stable ?
About half of our server ressources go to brute force attacks, forgetting about the security impact, just the ressource usage alone is costing us alot.
Recently attacks have been from bot,ets with lots of ip's and manually blocking each IP is very time consuming.
Thinking about trying to use geoip to block access to /administrator and wp-login.php in .htaccess file to try and reduce some of these attacks, mainly at the moment from russia and ukraine.
About half of our server ressources go to brute force attacks, forgetting about the security impact, just the ressource usage alone is costing us alot.
Recently attacks have been from bot,ets with lots of ip's and manually blocking each IP is very time consuming.
Thinking about trying to use geoip to block access to /administrator and wp-login.php in .htaccess file to try and reduce some of these attacks, mainly at the moment from russia and ukraine.