[solved] Modsecurity rules to protect WP login?

[Yogesh Sarkar]

Are there any modsecurity rules which are fully compatible with Litespeed and can block users trying to brute force into wordpress and other script installs?

 

[NiteWave]

do you have these modsecurity rules which works for apahce ?

we can test and provide the compatibility info of these rules with litespeed.

 

[Yogesh Sarkar]

Actually I haven't tried it yet. The other day an IP was pounding one of my blog's login page so much, that it caused significant enough CPU usage for me to check the logs. While I banned that ip and since I use passwords which should be able to withstand most if not all dictionary attack, I guess I should be alright.

However the fact remains, such bots waste server resources and hence I searched for ways to prevent such things from happening again. Now I have the options of installing a wordpress plugin to do that (which I do not wish to do) or enable a way for server to detect ongoing brute force attempt and block the ip.

Here are the rules I could find on the web, I am a total noob and will likely ask my host to enable these for me, but I wanted to check beforehand, whether or not these are compatible with Litespeed.

<IfModule mod_security2.c>
# This has to be global, cannot exist within a directory or location clause . . .
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR}
<Location /wp-login.php>
# Setup brute force detection.

# React if block flag has been set.
SecRule user:bf_block "@gt 0" "deny,status:401,log,msg:'ip address blocked for 5 minutes, more than 15 login attempts in 3 minutes.'"

# Setup Tracking. On a successful login, a 302 redirect is performed, a 200 indicates login failed.
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0"
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180"
SecRule ip:bf_counter "@gt 15" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
</location>
</IfModule>

Source: http://www.frameloss.org/2011/07/29/stopping-brute-force-logins-against-wordpress/

 

[NiteWave]

I set up an env to test this rule on apache and litespeed.
initially work on apache but not on litespeed.
now it works on latest 4.2.2 build as well.

Thanks for giving the specific rule, so we can investigate it effectively. to catch up with the upstream of mod_security as short as possible, detailed and specific rules are needed.

 

[Yogesh Sarkar]

Thank you very much, will upgrade to latest build this weekend and try this out.

 

[bobykus]

How do you see it works?

I set

SecDebugLog /var/httpd/logs/modsec_debug.log
SecDebugLogLevel 9


but /var/httpd/logs/modsec_debug.log

still empty.

 

[bobykus]

Actually what I did is created test rule following


http://www.apachelounge.com/viewtopic.php?t=2520

SecRule ARGS "\.\./" "t:normalisePathWin,id:99999,severity:4,msg:'Drive Access'"

In Action field I put

deny,log,status:403


Enabled - yes

and checked the site



http://www.xxxx.com/?abc=../../


and nothing happens! I even updated litespeed to latest 4.2.3

 

[NiteWave]

my local tests succeeded on native virtual host. set the rule at vhost->Request Fillter.
"Security Audit Log" is set at server level, to "/tmp/sec.log"
/tmp>cat sec.log
--6d4a5c33-A--
[18/Jun/2013:20:42:55 +0800] - 192.168.2.125 49362 *:80 80
--6d4a5c33-B--
GET /phpinfo.php??abc=../../ HTTP/1.1
Host: 192.168.2.101
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: ....
Connection: keep-alive

--6d4a5c33-F--
HTTP/1.1 403 Forbidden

--6d4a5c33-H--
Message: [client 192.168.2.125] mod_security: Access denied with code 403, [Rule: 'ARGS' '\.\./'] [ID "99999"] [Msg "D rive Access"] [severity "WARNING"] [MatchedString "../../"]

--6d4a5c33-Z--

 

[stormy]

I want to confirm that the rule works correctly for me.

If Litespeed could take any steps towards securing brute force attacks on Wordpress wp-login.php, it would be great!

 

[NiteWave]

as I posted, I did tests and it worked.

please try yourself and tell us the result.

 

[stormy]

Sorry I wasn't more clear in my reply!

I tried the rule and yes, it works.

However, it's not an ideal situation, it would be a lot better if it could be targetted higher up the chain instead of with mod_security. I don't know if that's possible though, but it's an idea

 

[mistwang]

Yeah, we will keep that in mind. Thanks!

 

[yak983]

it's possible have more info for how write into request filter in litespeed?

 

[NiteWave]

if you use apache configuration file, then it's same way for apache + mod_security, put the rules in a file and include from apache's httpd.conf

if not use apache's httpd.conf, then
lsws web admin -> Server -> Request Filter -> Request Filtering Rule Set: Add

 

[yak983]

i have do it but no work..
log file it's empty..

 

[NiteWave]

Sorry, I re-read this thread again.
I think "Request Filter" for lsws webadmin -> Server doesn't recognize
<Location /wp-login.php>
</Location>

so above file will work with apache's httpd.conf

you can comment out above 2 lines in your configuration, and make sure /var/log/httpd/modsec_debug.log is accessible by nobody.
without <Location /wp-login.php>, this rule will apply for all requests from an single IP --- not meed your goal, but anyway can take a test. not sure can add a modseure rule to work like <Location /wp-login.php>

 

[yak983]

it's need mod_security2.so load into apache ?

 

[NiteWave]

no need.

 

[yak983]

2631832 -rwxrwxrwx 1 apache apache 0 Feb 16 16:48 modsec_debug.log
its emprty .. how i can check if rules work?

 

[NiteWave]

may need enable audit log. add
SecAuditLog /path/to/modsec_audit.log

to trigger the rule, you can run "ab" test, for example
#ab -c 10 -n 20 domain.com/wp-login.php