Blocking Wordpress Login and xmlprc attacks with LFD

Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: Blocking Wordpress Login and xmlprc attacks with LFD

Post by Sergio »

Post a log line of your ModSecurity error_log for me to check it, thanks.

Sergio
kd-bbd
Junior Member
Posts: 2
Joined: 03 Oct 2024, 06:57

Re: Blocking Wordpress Login and xmlprc attacks with LFD

Post by kd-bbd »

Sergio wrote: 03 Oct 2024, 16:01 Post a log line of your ModSecurity error_log for me to check it, thanks.

Sergio

This is the exact rule I want it to fire on.

Code: Select all

Thu Oct 03 13:30:22.623029 2024] [security2:error] [pid 646349:tid 646389] [client ***.***.***.***:60072] [client ***.***.***.***] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\\\b(close|keep-alive),[\\\\t\\\\n\\\\r ]{0,1}(close|keep-alive)\\\\b" at REQUEST_HEADERS:Connection. [file "/etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/12_HTTP_Protocol.conf"] [line "70"] [id "210350"] [rev "1"] [msg "COMODO WAF: Multiple/Conflicting Connection Header Data Found||www.********.com|F|4"] [data "keep-alive, close"] [severity "WARNING"] [tag "CWAF"] [tag "Protocol"] [hostname "www.******.com"] [uri "/***/***/*****/****/styles.min.css"] [unique_id "Zv7ivsvjZEQ4Az_IRxul6wAAAc0"]
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: Blocking Wordpress Login and xmlprc attacks with LFD

Post by Sergio »

Here is the new rule:

Code: Select all

# BLOCKING ModSec Rules attacks

	if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\.\d+\s+\S+\] \[\S+:error\] \[pid \d+.*\] \[client \S+\] \[client (\S+)\] ModSecurity.*\[id "(210280|210350|210380|210481|210492|210710|210730|210831|210921)"\]/i)) {
		return ("mod_security attack id $2",$1,"SecmasRules_ModSec","1","1");
	}
Sergio
Post Reply