Blocking Wordpress Login and xmlprc attacks with LFD

FutherForward20
Junior Member
Posts: 14
Joined: 03 Sep 2016, 13:56

Re: Blocking Wordpress Login and xmlprc attacks with LFD

Post by FutherForward20 »

Nope missed that too!

I am not getting any notifications on this thread and as it was the weekend I was not checking manually.

Please can you do it again and also perhaps give a few days on the expiry?

Thanks
FutherForward20
Junior Member
Posts: 14
Joined: 03 Sep 2016, 13:56

Re: Blocking Wordpress Login and xmlprc attacks with LFD

Post by FutherForward20 »

@Sergio - thank you
FutherForward20
Junior Member
Posts: 14
Joined: 03 Sep 2016, 13:56

Re: Blocking Wordpress Login and xmlprc attacks with LFD

Post by FutherForward20 »

Sergio wrote: 13 Jun 2020, 06:40 Here is the new link for the image:
will be active for 12 hours.

Sergio
I'm really confused. Why do you send a code that expires in 5 hrs or 12 hrs? Is it top secret? What's the problem on leaving it up for a longer ? Or if it really is very sensitive - then why not PM me with the URL ?

I have not been able to even view this mystical and magical ruleset because I live in some other timezone to you and don't seem to get any notification either! I check this post everyday, but you seem to have decided to move on? I feel so abandoned l0-) sniff sniff....
Sergio
Junior Member
Posts: 1461
Joined: 12 Dec 2006, 14:56

Re: Blocking Wordpress Login and xmlprc attacks with LFD

Post by Sergio »

I tried to write the code here on the forum, but when I wrote the rule my post is blocked.
I saved the image in a free site where all the images are saved for a few hours, didn't expect you to take more time than that to see the picture.
About PMs, my INBOX is full and the Forum doesn't let me clean them all, so, I can't send or receive PMs.

Sorry.
FutherForward20
Junior Member
Posts: 14
Joined: 03 Sep 2016, 13:56

Re: Blocking Wordpress Login and xmlprc attacks with LFD

Post by FutherForward20 »

Hey @ Sergio - I appreciate your help - can you try to paste the code into https://pastebin.com/
FutherForward20
Junior Member
Posts: 14
Joined: 03 Sep 2016, 13:56

Re: Blocking Wordpress Login and xmlprc attacks with LFD

Post by FutherForward20 »

Can anybody assist with this?

Still need to find a way to block multiple attacks on wp-login.php

Have tried multiple times, but so far not working.

I'm also using mod security and have enabled the mod_sec rules in CSF.

Even though Mod Security is working and picking up the multiple violations, CSF is not blocking the IPs

I am also using this code block that does not appear to be working
<Locationmatch "/wp-login.php">
SecRule user:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'denying %{REMOTE_ADDR} ip address blocked for 15 minutes, more than 10 login attempts in 10 minutes.'"
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/600,id:5000137"
SecRule ip:bf_counter "@gt 10" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=900,setvar:ip.bf_counter=0"

</locationmatch>
Sergio
Junior Member
Posts: 1461
Joined: 12 Dec 2006, 14:56

Re: Blocking Wordpress Login and xmlprc attacks with LFD

Post by Sergio »

Hi.
This have been a long time since I tried to show you the code that I need to start from the beginning.

To help you, I need to see the latest reported error line from /etc/apache2/logs/error_log and I will try to give you the rule.
FutherForward20
Junior Member
Posts: 14
Joined: 03 Sep 2016, 13:56

Re: Blocking Wordpress Login and xmlprc attacks with LFD

Post by FutherForward20 »

Hi Sergio ! Thanks

There is nothing in error log for this - that's the issue... I need to add a rule where:

If too many attempts on wp-login.php e.g. 20 in 5 minutes (detected either from mod_sec log or from error_log) - then

(1) ban the IP address in csf
(2) block the IP in modsec

So far, mod_sec does its job for repeat offenders but CSF does not catch this from Mod_sec
Sergio
Junior Member
Posts: 1461
Joined: 12 Dec 2006, 14:56

Re: Blocking Wordpress Login and xmlprc attacks with LFD

Post by Sergio »

Here is the rule that I use to block at the first byte some ModSecurity rules:

Code: Select all

# BLOCKING ModSec Rules attacks

	if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\.\d+\s+\S+\] \[:error\] \[pid \d+.*\] \[client \S+\] \[client (\S+)\] ModSecurity.*\[id "(210280|210350|210380|210481|210492|210710|210730|210831|210921)"\]/i)) {
		return ("mod_security attack id $2",$1,"SecmasRules_ModSec","1","1");
	}
You can add any ModSec IDs that you want, just add it using a pipe "|" and the number.

If you want the block to be on more than 1 trigger, change the "1","1" to what you want following the CSF structure.

Note:
My CUSTOM1_LOG is set to: "/etc/apache2/logs/error_log", change it to your own log.

Regards,
Sergio
Post Reply