Multiple attempts to hack into wp-login from same IP
Re: Multiple attempts to hack into wp-login from same IP
The solution from Patrick helped to stop the brute force, but they are still hitting the server. Is there anything that can be done in csf? Tried CT_LIMIT with 100 connections in 10 seconds but no luck.
- Junior Member
- Posts: 73
- Joined: 16 Nov 2010, 22:49
Re: Multiple attempts to hack into wp-login from same IP
I *think* Patrick's solution worked for us. Too early to tell yet.
Out of curiosity, how did everyone else implement Patrick's solution?
I added a file called: 05_pat_bruteforce_wp-login.conf to the mod sec rules directory I have (that contains the ASL files from GotRoot.com), with his solution in place.
It appears to have stopped the high loads, but I won't know until after 1 PM today, when the attacks actually started.
Code:
ErrorDocument 406 "Not Acceptable"
<LocationMatch "/wp-login.php">
SecAction initcol:ip=%{REMOTE_ADDR},pass,log,id:313371
SecAction "phase:5,deprecatevar:ip.counter=2/30,pass,log,id:313372"
SecRule IP:COUNTER "@gt 1" "phase:2,pause:3000,deny,status:406,setenv:RATELIMITED,skip:1,log,id:313373"
SecAction "phase:2,pass,setvar:ip.counter=+1,log,id:313374"
</LocationMatch>
Re: Multiple attempts to hack into wp-login from same IP
peterelsner wrote:
I *think* Patrick's solution worked for us. Too early to tell yet.
Out of curiosity, how did everyone else implement Patrick's solution?

I added Patrick's rule to my own set of rules, almost as you did, but I made a small change to the rule so that in CMC I can see the rule number triggered instead of "unknown", and a message related to the rule:
From:
SecRule IP:COUNTER "@gt 1" "phase:2,pause:3000,deny,status:406,setenv:RATELIMITED,skip:1,log,id:313373"
To:
SecRule IP:COUNTER "@gt 1" "phase:2,pause:3000,deny,status:406,setenv:RATELIMITED,skip:1,log,id:'313373',msg:'Patrick - Login Failure Detection: Wordpress'"
Modifying this line, in my CMC I can see when the rule is triggered.
Re: Multiple attempts to hack into wp-login from same IP
Sergio,
Good idea. I changed mine to do the same.
Have an issue though...
Now I'm getting the following:
Code:
[Thu Apr 11 12:13:46 2013] [error] [client 81.213.192.113] ModSecurity: Warning. Unconditional match in SecAction. [file "/usr/local/apache/conf/modsec_rules/modsec/05_pat_brute_force_wp-login.conf"] [line "4"] [id "313371"] [hostname "domainname.tld"] [uri "/wp-login.php"] [unique_id "UWbvStC0Hs4AAC8mFPQAAAAE"]
[Thu Apr 11 12:13:46 2013] [error] [client 81.213.192.113] ModSecurity: Warning. Unconditional match in SecAction. [file "/usr/local/apache/conf/modsec_rules/modsec/05_pat_brute_force_wp-login.conf"] [line "7"] [id "313374"] [hostname "domainname.tld"] [uri "/wp-login.php"] [unique_id "UWbvStC0Hs4AAC8mFPQAAAAE"]
[Thu Apr 11 12:13:46 2013] [error] [client 88.226.49.145] ModSecurity: Warning. Unconditional match in SecAction. [file "/usr/local/apache/conf/modsec_rules/modsec/05_pat_brute_force_wp-login.conf"] [line "5"] [id "313372"] [hostname "domainname.tld"] [uri "/wp-login.php"] [unique_id "UWbvStC0Hs4AACiLAIoAAAAJ"]
Seems like lines 4, 5, and 7 (all the SecAction rules) are failing with:
ModSecurity: Warning. Unconditional match in SecAction
Any idea why that would be the case?
Re: Multiple attempts to hack into wp-login from same IP
peterelsner wrote:
Sergio,
Good idea. I changed mine to do the same.
Have an issue though...
Seems like lines 4, 5, and 7 (all the SecAction rules) are failing with:
ModSecurity: Warning. Unconditional match in SecAction
Any idea why that would be the case?

Please compare the lines, which have to be like this:
Code:
<LocationMatch "/wp-login.php">
SecAction initcol:ip=%{REMOTE_ADDR},pass,nolog,id:313371
SecAction "phase:5,deprecatevar:ip.counter=2/30,pass,nolog,id:313372"
SecRule IP:COUNTER "@gt 1" "phase:2,pause:3000,deny,status:406,setenv:RATELIMITED,skip:1,log,id:'313373',msg:'Patrick - Login Failure Detection: Wordpress'"
SecAction "phase:2,pass,setvar:ip.counter=+1,nolog,id:313374"
</LocationMatch>
Re: Multiple attempts to hack into wp-login from same IP
Sergio,
Yes, the lines are identical, except the nolog/log and your msg which says "Patrick..."
I'll try changing the log back to nolog to see if that makes a difference.
Where did you put the ErrorDocument 406 "Not Acceptable" line?
Patrick stated it would/should work within the file itself, but I don't think you have it there.
Re: Multiple attempts to hack into wp-login from same IP
peterelsner wrote:
Sergio,
Yes, the lines are identical, except the nolog/log and your msg which says "Patrick..."
I'll try changing the log back to nolog to see if that makes a difference.
Where did you put the ErrorDocument 406 "Not Acceptable" line?
Patrick stated it would/should work within the file itself, but I don't think you have it there.

I didn't need to add the ErrorDocument line as my Mod_Sec configuration already has it, but it is ok to add it as Patrick says.
Re: Multiple attempts to hack into wp-login from same IP
Sergio,
Ok, I have confirmed that the rule works. I changed the log back to nolog and those Warnings stopped. Then tested the rule by going to a site that has wordpress and hit refresh 3 times within 30 seconds, and got the "Not Acceptable" message (from the 406 Error Page).
But with nolog, nothing shows up in ModSec Audit Log or error_log file.
So while the rule works, nothing is logged. Not even getting the msg you added, "Patrick - Login Failure Detection: Wordpress".
Re: Multiple attempts to hack into wp-login from same IP
Got it!
Changed only the SecRule line to log. The SecAction lines are now at nolog and that seems to be doing the trick.
Thanks!!!
Re: Multiple attempts to hack into wp-login from same IP
Damn. It looks like on 2 of my servers they have found a way around the rule...
They are now coming in from multiple IPs (not just one or two, but hundreds at random) so quickly that the rule can't keep up.
I see it triggering, but the load gets to 350+ within seconds... and server becomes unresponsive.
Now what?
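The behaviour discussed in this thread, as an added example that is not code from the thread, from Patrick, or from ModSecurity itself: a small Python model of the four rules inside the <LocationMatch "/wp-login.php"> block (initcol, the @gt 1 check with deny/pause, the setvar increment, and the phase 5 deprecatevar decay). It reproduces peterelsner's "refresh three times within 30 seconds" test, shows the counter decaying so a later request is allowed again, and then runs the distributed case from the last post, where hundreds of addresses each send one or two requests. Assumptions in the model: deprecatevar:ip.counter=2/30 is treated as "subtract 2 for every full 30 seconds since the counter was last incremented" (a simplification of ModSecurity's persistent-collection timing), pause:3000 is counted as 3 seconds of Apache worker time held per denied request, and the client IPs and timestamps are constructed sample data from the documentation address ranges.

```python
"""
Simplified model of Patrick's per-IP ModSecurity counter for /wp-login.php.

Added illustration only; it is not ModSecurity's implementation. Rule mapping:
  SecAction initcol:ip=%{REMOTE_ADDR}            -> RuleEngine.request() loads/creates IpCollection
  SecAction "phase:5,deprecatevar:ip.counter=2/30" -> RuleEngine._deprecate()
  SecRule IP:COUNTER "@gt 1" "deny,status:406,pause:3000,..." -> threshold check below
  SecAction "phase:2,setvar:ip.counter=+1"       -> counter increment below
"""
from dataclasses import dataclass, field

THRESHOLD = 1          # SecRule IP:COUNTER "@gt 1"
DECAY_AMOUNT = 2       # deprecatevar:ip.counter=2/30 -> subtract 2 ...
DECAY_PERIOD = 30.0    # ... for every full 30 seconds elapsed (assumption: simplified timing)
PAUSE_SECONDS = 3.0    # pause:3000 is in milliseconds; modelled as worker time held
DENY_STATUS = 406      # status:406 -> ErrorDocument 406 "Not Acceptable"


@dataclass
class IpCollection:
    """One entry of the persistent 'ip' collection created by initcol."""
    counter: int = 0
    last_update: float = 0.0


@dataclass
class RuleEngine:
    ips: dict = field(default_factory=dict)
    log: list = field(default_factory=list)        # what the SecRule's msg would write
    worker_seconds_held: float = 0.0               # cost of pause:3000 on denied requests

    def request(self, ip: str, now: float) -> int:
        """Return the HTTP status the rule block would produce for one request."""
        col = self.ips.setdefault(ip, IpCollection(last_update=now))   # initcol
        self._deprecate(col, now)                                        # deprecatevar
        if col.counter > THRESHOLD:                                      # @gt 1 -> deny
            self.worker_seconds_held += PAUSE_SECONDS
            self.log.append(f'[client {ip}] [id "313373"] '
                            f'[msg "Patrick - Login Failure Detection: Wordpress"]')
            return DENY_STATUS
        col.counter += 1                                                 # setvar +1
        col.last_update = now
        return 200

    @staticmethod
    def _deprecate(col: IpCollection, now: float) -> None:
        periods = int((now - col.last_update) // DECAY_PERIOD)
        if periods > 0:
            col.counter = max(0, col.counter - periods * DECAY_AMOUNT)
            col.last_update = now


def simulate_refresh_then_wait():
    """Three refreshes within 30 s, then one more request 40 s after the second."""
    eng = RuleEngine()
    first = [eng.request("198.51.100.7", t) for t in (0.0, 5.0, 10.0)]
    later = eng.request("198.51.100.7", 45.0)
    return first, later


def simulate_single_ip(n_requests=100, interval=0.2):
    """One source hammering the login page: returns statuses and worker time held."""
    eng = RuleEngine()
    statuses = [eng.request("198.51.100.7", i * interval) for i in range(n_requests)]
    return statuses, eng.worker_seconds_held


def simulate_distributed(n_ips=200, hits_per_ip=2, window=10.0):
    """Hundreds of sources, each sending only a couple of requests inside the window."""
    eng = RuleEngine()
    statuses = []
    step = window / (n_ips * hits_per_ip)
    for k in range(hits_per_ip):
        for i in range(n_ips):
            # constructed sample addresses from the 203.0.113.0/24 documentation range
            statuses.append(eng.request(f"203.0.113.{i}", (k * n_ips + i) * step))
    return {"allowed": statuses.count(200),
            "denied": statuses.count(DENY_STATUS),
            "distinct_ips": len(eng.ips),
            "log_entries": len(eng.log)}


if __name__ == "__main__":
    print("refresh x3 then wait:", simulate_refresh_then_wait())
    st, held = simulate_single_ip()
    print(f"single IP: {st.count(200)} allowed, {st.count(406)} denied, "
          f"{held:.0f} worker-seconds held by pause:3000")
    print("distributed:", simulate_distributed())
```

Two things the model makes visible. With a single source, the third hit inside the window gets the 406 and every further hit holds a worker for the 3 second pause, so a sustained attacker from one address costs worker time even while being denied. With the traffic spread over hundreds of addresses that each send one or two requests, no per-IP counter ever exceeds 1, nothing is denied and nothing is logged, which is the situation described in the last post.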