ModSecurity Brute Force Protection for wp-login.php

#1
I'm trying to prevent brute force login attempts on wp-login.php on a server running Litespeed 5.0.19, and I've got the following rule set up for ModSecurity in ModSecurity -> Rules List -> Edit Rules:
Code:
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:6
<LocationMatch "/wp-login.php">
# Setup brute force detection.
# React if block flag has been set.
SecRule user:bf_block "@gt 0" "deny,status:401,log,id:7,msg:'ip address blocked for 5 minutes, more than 10 WordPress login attempts in 3 minutes.'"
# Setup Tracking. On a successful login, a 302 redirect is performed, a 200 indicates login failed.
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:8"
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:9"
SecRule ip:bf_counter "@gt 10" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
</LocationMatch>
Unfortunately, it doesn't seem to be working even after a restart of Litespeed, because on a site that's running the Login Security Solutions plugin, I got 122 failed logins over the course of 59 minutes. Other sites are undergoing similar attacks. The other custom rules I have are working. I'm also running the Comodo WAF rules for Litespeed as a vendor in ModSecurity.

Is there some other ModSecurity rule I should be using with Litespeed to block brute force attacks on wp-login.php, or do I have an error in mine that's preventing it from working?
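The rule set above is a small state machine (a per-IP failure counter that decays, a block flag with an expiry, a reset on successful login). The following Python model is an added example, not code from this thread or from LiteSpeed/ModSecurity; it assumes the directive semantics spelled out in its docstring (in particular, that deprecatevar measures decay from the counter's last update) and uses constructed client addresses from the RFC 5737 documentation ranges. Running it shows which attempt trips the block under those assumptions and why a slow enough attacker never reaches the threshold, which is the kind of expectation to compare against a SecDebugLog before concluding the rule is bypassed.

```python
"""Model of the wp-login.php brute-force rules posted above.

Added example, not code from the thread or from LiteSpeed/ModSecurity.
Assumed semantics of the directives used in the rule set:
  - phase 2: if user.bf_block > 0 the request is denied with 401 (rule id 7)
  - phase 5: a 302 response resets ip.bf_counter (rule id 8)
  - phase 5: a 200 response adds 1 to ip.bf_counter; if the counter then
    exceeds 10, user.bf_block is set for 300 s and the counter is reset
    (rule id 9 plus its chained rule)
  - deprecatevar:ip.bf_counter=1/180 lowers the counter by 1 for every full
    180 s since the counter was last written, so a stream of attempts faster
    than one per 180 s never decays
Both collections are keyed by the client IP, as the initcol actions do.
"""
from dataclasses import dataclass

THRESHOLD = 10          # "@gt 10"
DECAY_AMOUNT = 1        # deprecatevar:ip.bf_counter=1/180
DECAY_INTERVAL = 180
BLOCK_SECONDS = 300     # expirevar:user.bf_block=300


@dataclass
class ClientState:
    counter: int = 0          # ip.bf_counter
    last_update: float = 0.0  # time the counter was last written
    block_until: float = 0.0  # user.bf_block expiry time (0 = flag not set)


class BruteForceTracker:
    def __init__(self):
        self.clients = {}

    def _state(self, ip):
        return self.clients.setdefault(ip, ClientState())

    def _decay(self, st, now):
        # Assumed deprecatevar behaviour: subtract DECAY_AMOUNT per full interval
        steps = int((now - st.last_update) // DECAY_INTERVAL)
        if steps > 0 and st.counter > 0:
            st.counter = max(0, st.counter - steps * DECAY_AMOUNT)
            st.last_update = now

    def is_blocked(self, ip, now):
        # expirevar: the flag simply vanishes once its 300 s are up
        return self._state(ip).block_until > now

    def handle(self, ip, now, login_ok):
        """Process one POST to wp-login.php; return the HTTP status the client sees."""
        st = self._state(ip)
        if self.is_blocked(ip, now):        # phase 2, rule id 7
            return 401                      # 401 matches neither phase-5 rule, so no count
        status = 302 if login_ok else 200   # what WordPress itself would answer
        if status == 302:                   # phase 5, rule id 8
            st.counter = 0
            st.last_update = now
        else:                               # phase 5, rule id 9 and its chained rule
            self._decay(st, now)
            st.counter += 1
            st.last_update = now
            if st.counter > THRESHOLD:
                st.block_until = now + BLOCK_SECONDS
                st.counter = 0
        return status


def steady_attack(tracker, ip, attempts, spacing):
    """One failed login every `spacing` seconds; returns the list of statuses."""
    return [tracker.handle(ip, i * spacing, login_ok=False) for i in range(attempts)]


def demo():
    """Twelve failures 30 s apart from a constructed sample client.

    The 11th failure pushes the counter past 10 and sets the block, so the
    12th request is the first one denied. Returns (index of first 401,
    number of 200s, number of 401s).
    """
    tracker = BruteForceTracker()
    ip = "203.0.113.45"  # constructed sample address (documentation range)
    statuses = steady_attack(tracker, ip, attempts=12, spacing=30)
    return statuses.index(401), statuses.count(200), statuses.count(401)


if __name__ == "__main__":
    print("fast attacker (30 s spacing):", demo())
    slow = steady_attack(BruteForceTracker(), "192.0.2.9", attempts=20, spacing=200)
    print("slow attacker (200 s spacing) ever blocked:", 401 in slow)
```

The slow scenario is the one worth noting: with decay measured from the last update, an attacker pacing attempts just wider than the 180 s deprecation interval keeps the counter at 1 forever and is never blocked, so the threshold and decay values should be chosen together.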

mistwang

LiteSpeed Staff
#2
We have tested this rule before; it is working fine.
You may need to turn on modsec debug logging with
SecRuleDebugLevel 9

to check what is going on. Maybe the rule was bypassed for some reason.
#3
Thanks for the reply. Do you mean SecDebugLogLevel?

It looks like I didn't need my custom rule because there is a similar one in the Comodo WAF vendor rules for Litespeed. It's possible the two were interfering with each other. I removed my custom rule and will see if this takes care of the brute force attacks that have been getting through.