Multiple attempts to hack into wp-login from same IP

Sergio
Junior Member
Posts: 1685
Joined: 12 Dec 2006, 14:56

Re: Multiple attempts to hack into wp-login from same IP

Post by Sergio »

Maybe these rules could help:

SecRule RESPONSE_BODY "ERROR</strong>: The password you entered for the username" \
"phase:4,deny,status:406,log,id:'990075',msg:'Sergio - WordPress Login Failure'"

SecRule RESPONSE_BODY "ERROR</strong>: Invalid username" \
"phase:4,deny,status:406,log,id:'990076',msg:'Sergio - WordPress Login Failure'"

They are more straightforward than what Patrick did. These rules are my own and are working great on my servers. I don't assume any responsibility for the use of these rules; use them at your own risk.
sawbuck
Junior Member
Posts: 366
Joined: 10 Dec 2006, 16:20

Re: Multiple attempts to hack into wp-login from same IP

Post by sawbuck »

Guess I'll have to quit saying that I loathe posting WHT links as it keeps happening. ;)

Did find this solution to be helpful and thought others might also. The .htaccess seems to have an extra space between allow,deny. Otherwise it works as advertised.

We have only ever allowed access to wp-admin/login.php by customer IP address which in this attack situation seems so far to have helped prevent the load issues many are seeing.

http://www.webhostingtalk.com/showpost. ... tcount=196
dvk01
Junior Member
Posts: 80
Joined: 20 Feb 2010, 18:10

Re: Multiple attempts to hack into wp-login from same IP

Post by dvk01 »

Looks like it is confirmed as a botnet attacking WP:
http://www.bbc.co.uk/news/technology-22152296
yanayun
Junior Member
Posts: 2
Joined: 01 Sep 2013, 05:14

Re: Multiple attempts to hack into wp-login from same IP

Post by yanayun »

The WordPress and Joomla login flood is still a problem at this time.
ModSecurity can block this login flood, but it still uses a lot of resources.

my sample logs:

ModSecurity: Warning. Pattern match "200" at RESPONSE_STATUS. [file "/usr/local/apache/conf/modsec_rules/12_asl_brute.conf"] [line "61"] [id "377360"] [rev "2"] [msg " WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure "] [severity "WARNING"] [hostname "xxxxxxxxx.cxx"] [uri "/wp-login.php"] [unique_id "UiK@IkPk6zYAAGDLhW8AAAAY"]

Another server, using BFD/APF with modsec rules, can block automatically.

# failed logins from a single address before ban
# uncomment to override conf.bfd trig value
TRIG="10"

if [ -f "/usr/local/apache/logs/error_log" ]; then
FILE="/usr/local/apache/logs/error_log"
TLOG_TF="httpd.modsec"
# old rule
#ARG_VAL=`$TLOG_PATH $FILE $TLOG_TF | grep "ModSecurity: Access denied" | sed -n -e '/tag/s/.*\[tag "\(.*\)"\] \[hostname "\([^ ]*\)"\].*/\1:\2:\0/p' | tr ':[]' ' '| awk '{print$12":"$1}' | tr '[:upper:]' '[:lower:]' | grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+'`

ARG_VAL=`$TLOG_PATH $FILE $TLOG_TF | grep "ModSecurity: Access denied" | awk '{ for (k=1;k<=NF;++k){ if ($k ~ /\[id/) {y=k} }; gsub("[\\\[\\\]\"]", ""); x=NF - 4; print $8":"$(y+1)":"$x}' | grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+'`
elif [ -f "/var/log/httpd/error_log" ]; then
FILE="/var/log/httpd/error_log"
TLOG_TF="httpd.modsec"
# old rule
#ARG_VAL=`$TLOG_PATH $FILE $TLOG_TF | grep "ModSecurity: Access denied" | sed -n -e '/tag/s/.*\[tag "\(.*\)"\] \[hostname "\([^ ]*\)"\].*/\1:\2:\0/p' | tr ':[]' ' '| awk '{print$12":"$1}' | tr '[:upper:]' '[:lower:]' | grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+'`

ARG_VAL=`$TLOG_PATH $FILE $TLOG_TF | grep "ModSecurity: Access denied" | awk '{ for (k=1;k<=NF;++k){ if ($k ~ /\[id/) {y=k} }; gsub("[\\\[\\\]\"]", ""); x=NF - 4; print $8":"$(y+1)":"$x}' | grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+'`
fi

How do I block WordPress and Joomla failed logins using CSF/LFD from these logs?
How do I modify this code to work in LFD/CSF?
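The parsing step yanayun is asking about, as an added example that is not from the thread, from BFD or from CSF: it reads ModSecurity error_log lines, counts login-failure hits per client IP against the BFD-style TRIG threshold, and emits `csf -d` commands for an operator to review rather than running them. The log lines, the vhost and the rule file path are constructed; the rule ids are the ones posted above, and `csf -d ip comment` as CSF's deny option is assumed here, not quoted from the thread.

```python
import re
from collections import Counter, defaultdict

def _sample(ip, rule_id, action="Access denied with code 406 (phase 4)"):
    # Constructed Apache error_log line in the shape of yanayun's sample above.
    return (f'[Wed Apr 17 10:01:02 2013] [error] [client {ip}] ModSecurity: {action}. '
            f'Pattern match "ERROR</strong>: Invalid username" at RESPONSE_BODY. '
            f'[file "/etc/modsecurity/wp.conf"] [line "3"] [id "{rule_id}"] '
            f'[msg "WordPress Login Failure"] [hostname "example.com"] [uri "/wp-login.php"]')

SAMPLE_LOG = [
    _sample("203.0.113.5", "990075"),
    _sample("203.0.113.5", "990076"),
    _sample("203.0.113.5:51234", "990076"),              # Apache 2.4 appends the port
    _sample("198.51.100.7", "990075"),
    _sample("203.0.113.5", "377360", action="Warning"),  # log-only rule, still a failure
    "[Wed Apr 17 10:01:03 2013] [notice] Apache/2.2.22 configured -- resuming normal operations",
]
# IPv4 only, like the grep in the BFD snippet; the client port suffix is optional.
LINE_RE = re.compile(
    r'\[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\] ModSecurity: '
    r'(?P<action>Access denied|Warning).*?\[id "(?P<id>\d+)"\].*?'
    r'\[hostname "(?P<host>[^"]*)"\].*?\[uri "(?P<uri>[^"]*)"\]')
# Rule ids that each mean one failed login: Sergio's two rules and yanayun's ASL rule.
LOGIN_FAILURE_IDS = {"990075", "990076", "377360"}

def parse_modsec_line(line):
    """Fields of one ModSecurity error_log line, or None for any other line."""
    return m.groupdict() if (m := LINE_RE.search(line)) else None

def failures_per_ip(lines, rule_ids=LOGIN_FAILURE_IDS):
    """Failure hits per client IP (Warning hits count too, unlike the BFD grep)."""
    counts, hosts = Counter(), defaultdict(set)
    for line in lines:
        ev = parse_modsec_line(line)
        if ev and ev["id"] in rule_ids:
            counts[ev["ip"]] += 1
            hosts[ev["ip"]].add(ev["host"])
    return counts, hosts

def offenders(lines, trig=10):
    """IPs with at least TRIG failures (BFD's default above), worst first."""
    counts, hosts = failures_per_ip(lines)
    hits = [(ip, n, sorted(hosts[ip])) for ip, n in counts.items() if n >= trig]
    return sorted(hits, key=lambda t: -t[1])

def deny_commands(hits):
    """csf -d commands for an operator to review; nothing here executes them."""
    return [f"csf -d {ip} 'WP login failures: {n} on {','.join(hs)}'" for ip, n, hs in hits]
```

Feed it the real error_log (or the per-domain logs drsprite mentions) and lower `trig` to tune sensitivity; a Warning-only rule such as 377360 detects without denying, so counting it is what turns detection into a ban decision.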
drsprite
Junior Member
Posts: 28
Joined: 21 Jun 2008, 18:39

Re: Multiple attempts to hack into wp-login from same IP

Post by drsprite »

I didn't see this post, and I ended up posting another thread here. It has some information in it, but I'm also broken.

Since I have so many domains that log to many different log files, user websavers (on this forum) suggested some custom regex to help with this. Its purpose is to scan all the files, look for the failures, and add them to csf.deny.

It's not working though, and I think it's because my mod_security audit log is different than his.

Is anyone good with RegEx that can have a look?

Here's the thread: viewtopic.php?f=6&t=6950