Re: Multiple attempts to hack into wp-login from same IP
Posted: 11 Apr 2013, 12:04
by ahsteve
Solution from Patrick helped to stop brute force, but they are still hitting the server. Is there anything that can be done at csf? Tried CT_LIMIT with 100 connections in 10 seconds but no luck.
Re: Multiple attempts to hack into wp-login from same IP
Posted: 11 Apr 2013, 14:35
by peterelsner
I *think* Patrick's solution worked for us. Too early to tell yet.
Out of curiosity, how did everyone else implement Patrick's solution?
I added a file called: 05_pat_bruteforce_wp-login.conf to the mod sec rules directory I have (that contains the ASL files from GotRoot.com), with his solution in place.
ErrorDocument 406 "Not Acceptable"
<LocationMatch "/wp-login.php">
SecAction initcol:ip=%{REMOTE_ADDR},pass,log,id:313371
SecAction "phase:5,deprecatevar:ip.counter=2/30,pass,log,id:313372"
SecRule IP:COUNTER "@gt 1" "phase:2,pause:3000,deny,status:406,setenv:RATELIMITED,skip:1,log,id:313373"
SecAction "phase:2,pass,setvar:ip.counter=+1,log,id:313374"
</LocationMatch>
It appears to have stopped the high loads, but I won't know until after 1 PM today, when the attacks actually started.
Re: Multiple attempts to hack into wp-login from same IP
Posted: 11 Apr 2013, 14:58
by Sergio
peterelsner wrote:I *think* Patrick's solution worked for us. Too early to tell yet.
Out of curiosity, how did everyone else implement Patrick's solution?
I added Patrick's rule to my own set of rules, almost as you did, but I made a small change to the rule, so in CMC I could see the rule number triggered instead of "unknown" and a message related to the rule:
From:
SecRule IP:COUNTER "@gt 1" "phase:2,pause:3000,deny,status:406,setenv:RATELIMITED,skip:1,log,id:313373"
To:
SecRule IP:COUNTER "@gt 1" "phase:2,pause:3000,deny,status:406,setenv:RATELIMITED,skip:1,log,id:'313373',msg:'Patrick - Login Failure Detection: Wordpress'"
Modifying this line, in my CMC I can see when the rule is triggered.
Re: Multiple attempts to hack into wp-login from same IP
Posted: 11 Apr 2013, 18:17
by peterelsner
Sergio,
Good idea. I changed mine to do the same.
Have an issue though...
Now I'm getting the following:
[Thu Apr 11 12:13:46 2013] [error] [client 81.213.192.113] ModSecurity: Warning. Unconditional match in SecAction. [file "/usr/local/apache/conf/modsec_rules/modsec/05_pat_brute_force_wp-login.conf"] [line "4"] [id "313371"] [hostname "domainname.tld"] [uri "/wp-login.php"] [unique_id "UWbvStC0Hs4AAC8mFPQAAAAE"]
[Thu Apr 11 12:13:46 2013] [error] [client 81.213.192.113] ModSecurity: Warning. Unconditional match in SecAction. [file "/usr/local/apache/conf/modsec_rules/modsec/05_pat_brute_force_wp-login.conf"] [line "7"] [id "313374"] [hostname "domainname.tld"] [uri "/wp-login.php"] [unique_id "UWbvStC0Hs4AAC8mFPQAAAAE"]
[Thu Apr 11 12:13:46 2013] [error] [client 88.226.49.145] ModSecurity: Warning. Unconditional match in SecAction. [file "/usr/local/apache/conf/modsec_rules/modsec/05_pat_brute_force_wp-login.conf"] [line "5"] [id "313372"] [hostname "domainname.tld"] [uri "/wp-login.php"] [unique_id "UWbvStC0Hs4AACiLAIoAAAAJ"]
Seems like lines 4, 5, and 7 (all the SecAction rules) are failing with:
ModSecurity: Warning. Unconditional match in SecAction
Any idea why that would be the case?
Re: Multiple attempts to hack into wp-login from same IP
Posted: 11 Apr 2013, 18:30
by Sergio
peterelsner wrote:Sergio,
Good idea. I changed mine to do the same.
Have an issue though...
Seems like lines 4, 5, and 7 (all the SecAction rules) are failing with:
ModSecurity: Warning. Unconditional match in SecAction
Any idea why that would be the case?
Please compare the lines, which have to be like this:
<LocationMatch "/wp-login.php">
SecAction initcol:ip=%{REMOTE_ADDR},pass,nolog,id:313371
SecAction "phase:5,deprecatevar:ip.counter=2/30,pass,nolog,id:313372"
SecRule IP:COUNTER "@gt 1" "phase:2,pause:3000,deny,status:406,setenv:RATELIMITED,skip:1,log,id:'313373',msg:'Patrick - Login Failure Detection: Wordpress'"
SecAction "phase:2,pass,setvar:ip.counter=+1,nolog,id:313374"
</LocationMatch>
This is what I have on my servers and it is working flawlessly; double-check that the long line doesn't have any breaks in the middle. Here it appears to have a lot of spaces between the words, but that is because it is just one line that has been justified.
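The following is an added illustration, not ModSecurity code and not from any poster in this thread. It models the rule set quoted above (initcol per client address, SecRule IP:COUNTER "@gt 1" with deny,status:406,skip:1, setvar:ip.counter=+1, and deprecatevar:ip.counter=2/30 in phase 5) so the counter can be traced offline: why the third hit inside 30 seconds gets the 406 page, why each address is counted separately, and why the decay is only visible to the request after the one in which phase 5 ran. Assumptions: the phase-2 check and increment run in arrival order, and the decrement is applied once per request from the time the counter was last raised; the real engine keys the decay on the collection's stored LAST_UPDATE_TIME and persistence store, so exact timings can differ, and pause:3000 is ignored here.

```python
"""Simplified model of the per-IP wp-login.php rate-limit rule set.

Added illustration, not ModSecurity code.  Decay timing is an approximation
of deprecatevar (see the lead-in); addresses used below are RFC 5737
documentation addresses.
"""
from dataclasses import dataclass

THRESHOLD = 1        # SecRule IP:COUNTER "@gt 1"
DECAY_AMOUNT = 2     # deprecatevar:ip.counter=2/30 -> subtract 2 ...
DECAY_PERIOD = 30    # ... for every full 30 s since the counter was last updated
DENY_STATUS = 406    # deny,status:406 (served by ErrorDocument 406 "Not Acceptable")


@dataclass
class IpCollection:
    """One 'ip' collection, as created by initcol:ip=%{REMOTE_ADDR}."""
    counter: int = 0
    last_update: float = 0.0


class LoginRateLimiter:
    def __init__(self):
        # keyed by client address, exactly like initcol:ip=%{REMOTE_ADDR}
        self.collections = {}

    def _initcol(self, ip, now):
        col = self.collections.get(ip)
        if col is None:
            col = IpCollection(last_update=now)
            self.collections[ip] = col
        return col

    def _deprecatevar(self, col, now):
        # phase 5: ip.counter drops by DECAY_AMOUNT per full DECAY_PERIOD
        # elapsed since the last update, never below zero (assumed model)
        elapsed = now - col.last_update
        if elapsed >= DECAY_PERIOD:
            periods = int(elapsed // DECAY_PERIOD)
            col.counter = max(0, col.counter - DECAY_AMOUNT * periods)
            col.last_update = now

    def request(self, ip, now):
        """Process one hit on /wp-login.php from `ip` at time `now` (seconds).

        Returns the HTTP status the rule set would produce.
        """
        col = self._initcol(ip, now)          # SecAction initcol        (id 313371)
        if col.counter > THRESHOLD:           # SecRule IP:COUNTER @gt 1 (id 313373)
            status = DENY_STATUS              # deny + skip:1 -> the setvar rule is skipped
        else:
            col.counter += 1                  # SecAction setvar:ip.counter=+1 (id 313374)
            col.last_update = now
            status = 200
        self._deprecatevar(col, now)          # SecAction phase:5 deprecatevar (id 313372)
        return status


def simulate(events):
    """events: list of (ip, seconds) pairs in arrival order; returns one status per event."""
    limiter = LoginRateLimiter()
    return [limiter.request(ip, t) for ip, t in events]


if __name__ == "__main__":
    burst = [("192.0.2.10", 0), ("192.0.2.10", 5), ("192.0.2.10", 10)]
    # three refreshes inside 30 s: the third one gets the 406 page
    print(simulate(burst))
    # after a quiet period the counter decays in phase 5 of the next request,
    # so that request is still denied and the one after it passes again
    print(simulate(burst + [("192.0.2.10", 50), ("192.0.2.10", 51)]))
```

The per-address keying is also what the model makes visible: two addresses interleaving their requests each get their own counter, which is exactly why a flood spread over many source addresses is not slowed by this rule.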
Re: Multiple attempts to hack into wp-login from same IP
Posted: 11 Apr 2013, 18:46
by peterelsner
Sergio,
Yes, the lines are identical, except the nolog/log and your msg which says "Patrick..."
I'll try changing the log back to nolog to see if that makes a difference.
Where did you put the ErrorDocument 406 "Not Acceptable" line?
Patrick stated it would/should work within the file itself, but I don't think you have it there.
Re: Multiple attempts to hack into wp-login from same IP
Posted: 11 Apr 2013, 18:54
by Sergio
peterelsner wrote:Sergio,
Yes, the lines are identical, except the nolog/log and your msg which says "Patrick..."
I'll try changing the log back to nolog to see if that makes a difference.
Where did you put the ErrorDocument 406 "Not Acceptable" line?
Patrick stated it would/should work within the file itself, but I don't think you have it there.
I didn't need to add the ErrorDocument line as my Mod_Sec configuration already has it, but it is OK to add it as Patrick says.
Re: Multiple attempts to hack into wp-login from same IP
Posted: 11 Apr 2013, 19:03
by peterelsner
Sergio,
OK, I have confirmed that the rule works. I changed the log back to nolog and those Warnings stopped. Then I tested the rule by going to a site that has WordPress and hitting refresh 3 times within 30 seconds, and got the "Not Acceptable" message (from the 406 Error Page).
But with nolog, nothing shows up in ModSec Audit Log or error_log file.
So while the rule works, nothing is logged. Not even getting the msg you added: "Patrick - Login Failure Detection: Wordpress".
Re: Multiple attempts to hack into wp-login from same IP
Posted: 11 Apr 2013, 19:11
by peterelsner
Got it!
Changed only the SecRule line to log. The SecAction lines are now at nolog and that seems to be doing the trick.
Thanks!!!
Re: Multiple attempts to hack into wp-login from same IP
Posted: 11 Apr 2013, 20:46
by peterelsner
Damn. It looks like on 2 of my servers they have found a way around the rule...
They are now coming in from multiple IPs (not just one or two, but hundreds at random) so quickly that the rule can't keep up.
I see it triggering, but the load gets to 350+ within seconds... and server becomes unresponsive.
Now what?
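An added illustration, not from any poster in this thread: a small parser for the Apache error_log lines in the ModSecurity format shown earlier (the `[client ...] ModSecurity: ... [id "..."] [uri "..."]` layout), with two aggregations that tell the two situations in this thread apart. Per-address counts show a single source hammering wp-login.php, which is what the per-IP rule handles; the number of distinct addresses per minute shows the spread-out pattern from the last post, which the per-IP counter cannot see at all and which needs a different control (upstream filtering or a site-wide limit) rather than a tighter per-IP threshold. The log lines below are constructed (RFC 5737 documentation addresses), and the thresholds in `detect` are assumed starting values to tune per site.

```python
"""Parse ModSecurity error_log lines and summarise wp-login.php activity.

Added illustration; the sample log is constructed, not captured.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: one address hit repeatedly in one minute, a burst of
# different addresses each seen once in another minute, and one plain Apache
# error line that is not a ModSecurity event and must be ignored.
RULE_FILE = "/usr/local/apache/conf/modsec_rules/modsec/05_pat_brute_force_wp-login.conf"
_DENIED = ('ModSecurity: Access denied with code 406 (phase 2). Operator GT matched 1 at IP:COUNTER. '
           '[file "%s"] [line "6"] [id "313373"] [msg "Patrick - Login Failure Detection: Wordpress"] '
           '[hostname "example.com"] [uri "/wp-login.php"] [unique_id "CONSTRUCTED-%d"]')
SAMPLE_LOG = [
    '[Thu Apr 11 12:13:46 2013] [error] [client 192.0.2.10] ' + _DENIED % (RULE_FILE, 1),
    '[Thu Apr 11 12:13:47 2013] [error] [client 192.0.2.10] ' + _DENIED % (RULE_FILE, 2),
    '[Thu Apr 11 12:13:49 2013] [error] [client 192.0.2.10] ' + _DENIED % (RULE_FILE, 3),
    '[Thu Apr 11 12:14:00 2013] [error] [client 203.0.113.9] File does not exist: /home/site/public_html/favicon.ico',
    '[Thu Apr 11 12:20:01 2013] [error] [client 198.51.100.1] ' + _DENIED % (RULE_FILE, 4),
    '[Thu Apr 11 12:20:02 2013] [error] [client 198.51.100.2] ' + _DENIED % (RULE_FILE, 5),
    '[Thu Apr 11 12:20:03 2013] [error] [client 198.51.100.3] ' + _DENIED % (RULE_FILE, 6),
    '[Thu Apr 11 12:20:04 2013] [error] [client 198.51.100.4] ' + _DENIED % (RULE_FILE, 7),
    '[Thu Apr 11 12:20:05 2013] [error] [client 198.51.100.5] ' + _DENIED % (RULE_FILE, 8),
]

# Apache 2.2 style prefix; the optional ":port" also accepts the 2.4 form.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]:]+)(?::\d+)?\] ModSecurity: (?P<rest>.*)$'
)
# the bracketed key/value pairs ModSecurity appends: [id "..."], [uri "..."], ...
FIELD_RE = re.compile(r'\[(?P<key>[a-z_]+) "(?P<val>[^"]*)"\]')


def parse_line(line):
    """Return a dict for a ModSecurity error_log line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {
        "ts": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
        "ip": m.group("ip"),
    }
    event.update(FIELD_RE.findall(m.group("rest")))
    return event


def wp_login_events(lines, uri="/wp-login.php"):
    """Keep only ModSecurity events whose [uri] field is the login page."""
    events = (parse_line(line) for line in lines)
    return [e for e in events if e is not None and e.get("uri") == uri]


def per_ip_counts(events):
    """Hits per source address: high values are what the per-IP rule handles."""
    return Counter(e["ip"] for e in events)


def distinct_ips_per_minute(events):
    """Distinct source addresses per minute: high values with low per-IP
    counts are the spread-out pattern the per-IP counter cannot see."""
    buckets = defaultdict(set)
    for e in events:
        buckets[e["ts"].strftime("%Y-%m-%d %H:%M")].add(e["ip"])
    return {minute: len(ips) for minute, ips in sorted(buckets.items())}


def detect(events, single_ip_threshold=3, distributed_threshold=5):
    """Flag noisy addresses and minutes with many distinct addresses.

    Thresholds are assumed starting values, not figures from the thread.
    """
    counts = per_ip_counts(events)
    minutes = distinct_ips_per_minute(events)
    return {
        "noisy_ips": sorted(ip for ip, n in counts.items() if n >= single_ip_threshold),
        "distributed_minutes": [m for m, n in minutes.items() if n >= distributed_threshold],
    }


if __name__ == "__main__":
    evs = wp_login_events(SAMPLE_LOG)
    print(per_ip_counts(evs))
    print(distinct_ips_per_minute(evs))
    print(detect(evs))
```

Running it over a real error_log (`wp_login_events(open(path))`) gives the same two views; the second one is the number to watch when, as in the last post, the per-IP rule keeps firing but the load still climbs.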