Blocking Wordpress Login and xmlprc attacks with LFD
-
- Junior Member
- Posts: 22
- Joined: 03 Sep 2016, 13:56
Re: Blocking Wordpress Login and xmlprc attacks with LFD
Nope missed that too!
I am not getting any notifications on this thread and as it was the weekend I was not checking manually.
Please can you do it again and also perhaps give a few days on the expiry?
Thanks
-
- Junior Member
- Posts: 22
- Joined: 03 Sep 2016, 13:56
Re: Blocking Wordpress Login and xmlprc attacks with LFD
@Sergio - thank you
-
- Junior Member
- Posts: 22
- Joined: 03 Sep 2016, 13:56
Re: Blocking Wordpress Login and xmlprc attacks with LFD
I'm really confused. Why do you send a code that expires in 5 hrs or 12 hrs? Is it top secret? What's the problem with leaving it up for longer? Or if it really is very sensitive, then why not PM me with the URL?
I have not been able to even view this mystical and magical ruleset because I live in a different timezone from you and don't seem to get any notification either! I check this post every day, but you seem to have decided to move on? I feel so abandoned l0-) sniff sniff....
Re: Blocking Wordpress Login and xmlprc attacks with LFD
I tried to write the code here on the forum, but when I wrote the rule my post was blocked.
I saved the image in a free site where all the images are saved for a few hours, didn't expect you to take more time than that to see the picture.
About PMs, my INBOX is full and the Forum doesn't let me clean them all, so, I can't send or receive PMs.
Sorry.
-
- Junior Member
- Posts: 22
- Joined: 03 Sep 2016, 13:56
Re: Blocking Wordpress Login and xmlprc attacks with LFD
Hey @Sergio - I appreciate your help - can you try to paste the code into https://pastebin.com/
-
- Junior Member
- Posts: 22
- Joined: 03 Sep 2016, 13:56
Re: Blocking Wordpress Login and xmlprc attacks with LFD
Can anybody assist with this?
Still need to find a way to block multiple attacks on wp-login.php
Have tried multiple times, but so far not working.
I'm also using mod security and have enabled the mod_sec rules in CSF.
Even though Mod Security is working and picking up the multiple violations, CSF is not blocking the IPs
I am also using this code block that does not appear to be working
<LocationMatch "/wp-login.php">
    # Initialise the per-IP persistent collection first; without initcol the ip.* variables
    # below are never stored between requests, so the counter can never reach 10.
    SecAction "phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},id:5000134"

    # Deny while the block flag is set. The flag lives in the ip collection rather than the
    # user collection: user.* only works after a setuid action, which nothing here calls.
    SecRule ip:bf_block "@gt 0" "phase:2,deny,status:401,log,id:5000135,msg:'denying %{REMOTE_ADDR} ip address blocked for 15 minutes, more than 10 login attempts in 10 minutes.'"

    # A 302 is WordPress redirecting after a successful login: reset the failure counter.
    SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"

    # A 200 means the login form was re-rendered (failed attempt): count it, decaying by 1 every 600 s.
    # The chained rule sets the block flag for 900 s once more than 10 failures have accumulated.
    SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/600,id:5000137"
        SecRule ip:bf_counter "@gt 10" "t:none,setvar:ip.bf_block=1,expirevar:ip.bf_block=900,setvar:ip.bf_counter=0"
</LocationMatch>
Re: Blocking Wordpress Login and xmlprc attacks with LFD
Hi.
It has been a long time since I tried to show you the code, so I need to start from the beginning.
To help you, I need to see the latest reported error line from /etc/apache2/logs/error_log and I will try to give you the rule.
-
- Junior Member
- Posts: 22
- Joined: 03 Sep 2016, 13:56
Re: Blocking Wordpress Login and xmlprc attacks with LFD
Hi Sergio ! Thanks
There is nothing in error log for this - that's the issue... I need to add a rule where:
If too many attempts on wp-login.php e.g. 20 in 5 minutes (detected either from mod_sec log or from error_log) - then
(1) ban the IP address in csf
(2) block the IP in modsec
So far, mod_sec does its job for repeat offenders but CSF does not catch this from Mod_sec
Re: Blocking Wordpress Login and xmlprc attacks with LFD
Here is the rule that I use to block at the first byte some ModSecurity rules:
You can add any ModSec IDs that you want, just add it using a pipe "|" and the number.
If you want the block to be on more than 1 trigger, change the "1","1" to what you want following the CSF structure.
Note:
My CUSTOM1_LOG is set to: "/etc/apache2/logs/error_log", change it to your own log.
Regards,
Sergio
# BLOCKING ModSec Rules attacks
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\.\d+\s+\S+\] \[:error\] \[pid \d+.*\] \[client \S+\] \[client (\S+)\] ModSecurity.*\[id "(210280|210350|210380|210481|210492|210710|210730|210831|210921)"\]/i)) {
return ("mod_security attack id $2",$1,"SecmasRules_ModSec","1","1");
}
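As an added, runnable check of the rule above (this harness is mine, not part of CSF or of Sergio's post): it wraps the rule in a sub shaped like lfd's custom_line(), feeds it three constructed Apache 2.4 + ModSecurity error_log lines, and prints what lfd would receive back for each. The log path, IP addresses and timestamps are constructed; the rule body and its return-value layout are copied from the post unchanged.

```perl
#!/usr/bin/perl
# Added test harness (not part of CSF or of the forum post): runs the
# regex.custom.pr rule against constructed error_log lines so you can see
# which lines it matches and which IP / rule ID it hands back to lfd.
use strict;
use warnings;

# Stand-in for lfd's %config; mirrors the CUSTOM1_LOG value from the post.
my %config = (CUSTOM1_LOG => '/etc/apache2/logs/error_log');

# The rule from the post, wrapped in a sub with the same calling shape lfd uses
# (line first, then log file name). Returns 0 when the line is not a match.
sub custom_line {
    my ($line, $lgfile) = @_;
    # BLOCKING ModSec Rules attacks
    if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\.\d+\s+\S+\] \[:error\] \[pid \d+.*\] \[client \S+\] \[client (\S+)\] ModSecurity.*\[id "(210280|210350|210380|210481|210492|210710|210730|210831|210921)"\]/i)) {
        return ("mod_security attack id $2",$1,"SecmasRules_ModSec","1","1");
    }
    return 0;
}

# Constructed sample lines (IPs from documentation ranges, made-up pids/timestamps).
my @samples = (
    # Expected to match: rule ID 210280 is in the alternation.
    '[Wed Sep 09 17:28:00.123456 2020] [:error] [pid 4242:tid 140000] [client 203.0.113.10:51234] [client 203.0.113.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:log. [id "210280"] [msg "constructed"] [hostname "example.invalid"] [uri "/wp-login.php"]',
    # Expected not to match: ID 999999 is not in the list, so lfd ignores the line.
    '[Wed Sep 09 17:28:01.123456 2020] [:error] [pid 4242:tid 140000] [client 198.51.100.7:40001] [client 198.51.100.7] ModSecurity: Warning. Pattern match "..." [id "999999"] [uri "/xmlrpc.php"]',
    # Expected not to match: ordinary Apache error, no ModSecurity marker and a different module tag.
    '[Wed Sep 09 17:28:02.123456 2020] [core:error] [pid 4242:tid 140000] [client 192.0.2.5:33333] AH00126: Invalid URI in request GET /%% HTTP/1.1',
);

for my $line (@samples) {
    my @r = custom_line($line, $config{CUSTOM1_LOG});
    if (@r > 1) {
        # $r[1] is the IP lfd will block, $r[2] the app tag it logs under.
        printf "BLOCK  ip=%-15s app=%s reason=\"%s\"\n", $r[1], $r[2], $r[0];
    } else {
        print  "pass   ", substr($line, 0, 60), "...\n";
    }
    # The same line read from any other log file must never match,
    # because the rule is gated on CUSTOM1_LOG.
    my @other = custom_line($line, '/var/log/messages');
    die "rule must only apply to CUSTOM1_LOG\n" if @other > 1;
}
```

Run it with `perl` and compare the BLOCK/pass lines against what you expect; only the first sample should produce a BLOCK, with ip=203.0.113.10. To check your own log format, paste a real error_log line into @samples (with its IP intact) and confirm it matches before relying on the rule in regex.custom.pr. The fourth and fifth return values are the ones the post says to change if you want lfd to wait for more than one hit before blocking.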
Re: Blocking Wordpress Login and xmlprc attacks with LFD
This does not appear to work any longer. It simply never fires off an action.

Sergio wrote: 09 Sep 2020, 17:28
Here is the rule that I use to block at the first byte some ModSecurity rules:
You can add any ModSec IDs that you want, just add it using a pipe "|" and the number.
# BLOCKING ModSec Rules attacks
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\.\d+\s+\S+\] \[:error\] \[pid \d+.*\] \[client \S+\] \[client (\S+)\] ModSecurity.*\[id "(210280|210350|210380|210481|210492|210710|210730|210831|210921)"\]/i)) {
    return ("mod_security attack id $2",$1,"SecmasRules_ModSec","1","1");
}
If you want the block to be on more than 1 trigger, change the "1","1" to what you want following the CSF structure.
Note:
My CUSTOM1_LOG is set to: "/etc/apache2/logs/error_log", change it to your own log.
Regards,
Sergio