Re: Blocking Wordpress Login and xmlprc attacks with LFD

Posted: 03 Oct 2024, 16:01
by Sergio
Post a log line of your ModSecurity error_log for me to check it, thanks.

Sergio

Re: Blocking Wordpress Login and xmlprc attacks with LFD

Posted: 03 Oct 2024, 19:37
by kd-bbd
Sergio wrote: 03 Oct 2024, 16:01 Post a log line of your ModSecurity error_log for me to check it, thanks.

Sergio

This is the exact rule I want it to fire on.

Thu Oct 03 13:30:22.623029 2024] [security2:error] [pid 646349:tid 646389] [client ***.***.***.***:60072] [client ***.***.***.***] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\\\b(close|keep-alive),[\\\\t\\\\n\\\\r ]{0,1}(close|keep-alive)\\\\b" at REQUEST_HEADERS:Connection. [file "/etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/12_HTTP_Protocol.conf"] [line "70"] [id "210350"] [rev "1"] [msg "COMODO WAF: Multiple/Conflicting Connection Header Data Found||www.********.com|F|4"] [data "keep-alive, close"] [severity "WARNING"] [tag "CWAF"] [tag "Protocol"] [hostname "www.******.com"] [uri "/***/***/*****/****/styles.min.css"] [unique_id "Zv7ivsvjZEQ4Az_IRxul6wAAAc0"]

Re: Blocking Wordpress Login and xmlprc attacks with LFD

Posted: 04 Oct 2024, 06:24
by Sergio
Here is the new rule:

# BLOCKING ModSec Rules attacks
# Matches Apache/ModSecurity error_log lines (CUSTOM1_LOG) carrying one of the
# listed rule ids; $1 is the second "[client ...]" field (IP without port),
# $2 is the ModSecurity rule id that fired.

	if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\.\d+\s+\S+\] \[\S+:error\] \[pid \d+.*\] \[client \S+\] \[client (\S+)\] ModSecurity.*\[id "(210280|210350|210380|210481|210492|210710|210730|210831|210921)"\]/i)) {
		return ("mod_security attack id $2",$1,"SecmasRules_ModSec","1","1");
	}
Sergio
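The following is an added example, not Sergio's rule or csf's own code: the same regular expression ported from Perl to Python so the match can be checked offline against constructed log lines before it goes into regex.custom.pm. The log lines, addresses, host and unique_id are constructed placeholders built from the shape of the line quoted earlier in the thread. It also shows why a pasted line that lacks the leading "[" will never fire, since the pattern is anchored with "^\[".

```python
import re
from collections import Counter

# The pattern from the thread's regex.custom.pm rule, ported verbatim from
# Perl to Python's re (the escapes used here mean the same in both engines).
MODSEC_RULE_IDS = "210280|210350|210380|210481|210492|210710|210730|210831|210921"
MODSEC_BLOCK_RE = re.compile(
    r'^\[\S+\s+\S+\s+\S+\s+\S+\.\d+\s+\S+\] \[\S+:error\] \[pid \d+.*\] '
    r'\[client \S+\] \[client (\S+)\] ModSecurity.*'
    r'\[id "(' + MODSEC_RULE_IDS + r')"\]',
    re.IGNORECASE,  # same as the /i modifier on the Perl rule
)


def make_modsec_line(ip, rule_id, port=60072):
    """Build a constructed Apache/ModSecurity error_log line in the same shape
    as the one quoted in the thread. Host, URI, msg and unique_id are
    placeholders, not values from a real server."""
    return (
        f'[Thu Oct 03 13:30:22.623029 2024] [security2:error] [pid 646349:tid 646389] '
        f'[client {ip}:{port}] [client {ip}] ModSecurity: Access denied with code 403 (phase 2). '
        f'Pattern match "(close|keep-alive)" at REQUEST_HEADERS:Connection. '
        f'[file "/etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/12_HTTP_Protocol.conf"] '
        f'[line "70"] [id "{rule_id}"] [rev "1"] [msg "COMODO WAF: constructed message"] '
        f'[data "keep-alive, close"] [severity "WARNING"] [tag "CWAF"] [tag "Protocol"] '
        f'[hostname "www.example.com"] [uri "/styles.min.css"] [unique_id "constructed0001"]'
    )


def match_modsec_block(line):
    """Return (ip, rule_id) if the line would fire the LFD rule, else None.
    The tuple mirrors what the Perl rule hands back as $1 and $2."""
    m = MODSEC_BLOCK_RE.search(line)
    if not m:
        return None
    return m.group(1), m.group(2)


def count_triggers(lines):
    """Count matching lines per IP, the way LFD accumulates hits toward the
    rule's trigger threshold (the thread's rule blocks on the first hit)."""
    hits = Counter()
    for line in lines:
        found = match_modsec_block(line)
        if found:
            hits[found[0]] += 1
    return dict(hits)


# Constructed test input: two hits from one address, one from another, one
# rule id outside the list, and one line with the leading "[" stripped (as in
# the line pasted in the thread), which the "^\[" anchor rejects.
SAMPLE_LINES = [
    make_modsec_line("203.0.113.7", "210350"),
    make_modsec_line("203.0.113.7", "210280", port=60073),
    make_modsec_line("198.51.100.9", "210350"),
    make_modsec_line("203.0.113.7", "999999"),
    make_modsec_line("203.0.113.7", "210350")[1:],
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(match_modsec_block(line))
    print(count_triggers(SAMPLE_LINES))
```

To check a real line, paste it (with its leading "[") into SAMPLE_LINES and confirm match_modsec_block returns the client IP without the port and the expected rule id; if it returns None, the line's layout differs from the pattern and the rule will not block it.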