WordPress Brute Force Attacks: lock your wp-login.php with ModSecurity

28 October 2015 / By Andrea Pernici

I think everybody running WordPress has faced this problem at least once: brute-force login attempts hammering wp-login.php.

Solving it for a single website is pretty easy, but the real problem arises when you host more than 200 WordPress installations on the same server.

I found a very quick solution using ModSecurity, which covers every site on the server at once.

Create a wordpress.conf file inside /etc/modsecurity/modsec (a directory your ModSecurity/Apache configuration already includes) and insert the following directives:

# Per-client collections keyed on the remote address: ip.* holds the failure
# counter, user.* holds the block flag (both keyed on REMOTE_ADDR here).
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:1
<Location /wp-login.php>
    # Deny while the block flag is set (phase 2 by default).
    SecRule user:bf_block "@gt 0" "deny,status:401,log,msg:'ip address blocked for 5 minutes, more than 15 login attempts in 3 minutes.',id:2"
    # A 302 is what WordPress answers to a successful login: clear the counter.
    SecRule RESPONSE_STATUS "^302" "phase:5,t:none,log,pass,setvar:ip.bf_counter=0,id:3"
    # A 200 means the login form was re-rendered with an error: count it, letting the
    # counter decay by 1 every 180 seconds; above 15, set the block flag for 300 seconds.
    SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,log,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:4"
        SecRule ip:bf_counter "@gt 15" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
</Location>

Restart Apache and the trivial spammers and crackers are locked out.

You can check that it works by reading your log files: the access log shows the offending IP's requests, and the Apache error log shows ModSecurity denying them.
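To make the interaction of the four rules concrete, here is an added example (not code from the post) that models the collection semantics the rules rely on and replays access-log lines through it: ip.bf_counter is incremented on a 200, reset on a 302, decayed by deprecatevar 1/180, and user.bf_block expires 300 seconds after it is set. The log parser, the model and the 203.0.113.7 traffic are constructed assumptions; only the thresholds come from wordpress.conf.

```python
import re
from datetime import datetime, timedelta, timezone
# Thresholds taken from wordpress.conf: "@gt 15", deprecatevar 1/180, expirevar 300.
THRESHOLD, DECAY_SECONDS, BLOCK_SECONDS = 15, 180, 300
# Enough of the Apache combined log format to pull out client IP, timestamp, request and status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, timestamp, request, status) for one access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("req"), int(m.group("status"))

def handle(state, ip, now, status):
    """True if rule id 2 would deny this request (user.bf_block still set), else update counters."""
    counters, blocked = state.setdefault("counter", {}), state.setdefault("blocked", {})
    if ip in blocked and now < blocked[ip]:
        return True                              # 401: neither the 302 nor the 200 rule fires
    blocked.pop(ip, None)                        # expirevar has dropped user.bf_block
    count, last = counters.get(ip, (0, now))
    # deprecatevar 1/180 (approximated): lose one point per full 180 s since the counter was last touched
    count = max(0, count - int((now - last).total_seconds()) // DECAY_SECONDS)
    if status == 302:                            # successful login: rule id 3 resets
        count = 0
    elif status == 200:                          # failed login page: rule id 4 counts it
        count += 1
        if count > THRESHOLD:                    # chained rule: set the flag for 300 s, reset
            blocked[ip] = now + timedelta(seconds=BLOCK_SECONDS)
            count = 0
    counters[ip] = (count, now)
    return False

def replay(lines):
    """Feed access-log lines for wp-login.php through the model; one deny flag per matching line."""
    state, verdicts = {}, []
    for line in lines:
        parsed = parse_line(line)
        if parsed and "wp-login.php" in parsed[2]:
            verdicts.append(handle(state, parsed[0], parsed[1], parsed[3]))
    return verdicts

def sample_log(n, ip="203.0.113.7", gap_seconds=10):
    """Constructed traffic, not real log data: n failed logins (HTTP 200) gap_seconds apart."""
    start = datetime(2015, 10, 28, 15, 33, 10, tzinfo=timezone(timedelta(hours=1)))
    return ['%s - - [%s] "POST /wp-login.php HTTP/1.1" 200 2151 "-" "-"'
            % (ip, (start + timedelta(seconds=i * gap_seconds)).strftime("%d/%b/%Y:%H:%M:%S %z"))
            for i in range(n)]
```

Replaying a real access log through replay() shows which requests the rules are expected to deny; a mismatch with the error log points at the collection storage or the Location match rather than at the thresholds.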

 
1. Offender IP accessing wp-login.php trying to brute force

46.118.118.215 - - [28/Oct/2015:15:31:08 +0100] "POST wp-login.php HTTP/1.1" 401 514 "-" "-"
46.118.118.215 - - [28/Oct/2015:15:31:18 +0100] "POST wp-login.php HTTP/1.1" 401 514 "-" "-"
46.118.118.215 - - [28/Oct/2015:15:31:27 +0100] "POST wp-login.php HTTP/1.1" 401 514 "-" "-"
46.118.118.215 - - [28/Oct/2015:15:31:35 +0100] "POST wp-login.php HTTP/1.1" 401 514 "-" "-"
46.118.118.215 - - [28/Oct/2015:15:31:41 +0100] "POST wp-login.php HTTP/1.1" 401 514 "-" "-"
46.118.118.215 - - [28/Oct/2015:15:31:50 +0100] "POST wp-login.php HTTP/1.1" 401 514 "-" "-"
46.118.118.215 - - [28/Oct/2015:15:31:59 +0100] "POST wp-login.php HTTP/1.1" 401 514 "-" "-"
46.118.118.215 - - [28/Oct/2015:15:32:08 +0100] "POST wp-login.php HTTP/1.1" 401 514 "-" "-"
46.118.118.215 - - [28/Oct/2015:15:32:16 +0100] "POST wp-login.php HTTP/1.1" 401 514 "-" "-"
46.118.118.215 - - [28/Oct/2015:15:32:24 +0100] "POST wp-login.php HTTP/1.1" 401 514 "-" "-"
46.118.118.215 - - [28/Oct/2015:15:32:34 +0100] "POST wp-login.php HTTP/1.1" 401 514 "-" "-"
46.118.118.215 - - [28/Oct/2015:15:32:41 +0100] "POST wp-login.php HTTP/1.1" 401 514 "-" "-"
46.118.118.215 - - [28/Oct/2015:15:32:50 +0100] "POST wp-login.php HTTP/1.1" 401 514 "-" "-"
46.118.118.215 - - [28/Oct/2015:15:33:00 +0100] "POST wp-login.php HTTP/1.1" 401 514 "-" "-"
46.118.118.215 - - [28/Oct/2015:15:33:10 +0100] "POST wp-login.php HTTP/1.1" 200 2150 "-" "-"
46.118.118.215 - - [28/Oct/2015:15:33:21 +0100] "POST wp-login.php HTTP/1.1" 200 2151 "-" "-"
46.118.118.215 - - [28/Oct/2015:15:33:32 +0100] "POST wp-login.php HTTP/1.1" 200 2151 "-" "-"
46.118.118.215 - - [28/Oct/2015:15:33:43 +0100] "POST wp-login.php HTTP/1.1" 200 2151 "-" "-"
46.118.118.215 - - [28/Oct/2015:15:33:54 +0100] "POST wp-login.php HTTP/1.1" 200 2151 "-" "-"
46.118.118.215 - - [28/Oct/2015:15:34:08 +0100] "POST wp-login.php HTTP/1.1" 200 2151 "-" "-"
46.118.118.215 - - [28/Oct/2015:15:34:21 +0100] "POST wp-login.php HTTP/1.1" 200 2151 "-" "-"
46.118.118.215 - - [28/Oct/2015:15:34:34 +0100] "POST wp-login.php HTTP/1.1" 200 2150 "-" "-"
46.118.118.215 - - [28/Oct/2015:15:34:46 +0100] "POST wp-login.php HTTP/1.1" 200 2152 "-" "-"
46.118.118.215 - - [28/Oct/2015:15:34:58 +0100] "POST wp-login.php HTTP/1.1" 200 2152 "-" "-"
46.118.118.215 - - [28/Oct/2015:15:35:10 +0100] "POST wp-login.php HTTP/1.1" 200 2150 "-" "-"
46.118.118.215 - - [28/Oct/2015:15:35:20 +0100] "POST wp-login.php HTTP/1.1" 200 2151 "-" "-"
46.118.118.215 - - [28/Oct/2015:15:35:30 +0100] "POST wp-login.php HTTP/1.1" 200 2150 "-" "-"
46.118.118.215 - - [28/Oct/2015:15:35:36 +0100] "POST wp-login.php HTTP/1.1" 200 2152 "-" "-"
46.118.118.215 - - [28/Oct/2015:15:35:44 +0100] "POST wp-login.php HTTP/1.1" 200 2152 "-" "-"
46.118.118.215 - - [28/Oct/2015:15:35:51 +0100] "POST wp-login.php HTTP/1.1" 200 2151 "-" "-"
46.118.118.215 - - [28/Oct/2015:15:35:59 +0100] "POST wp-login.php HTTP/1.1" 200 2151 "-" "-"
46.118.118.215 - - [28/Oct/2015:15:36:08 +0100] "POST wp-login.php HTTP/1.1" 401 514 "-" "-"

 
2. Locked offender IP by ModSecurity

[Wed Oct 28 15:31:59 2015] [error] [client 46.118.118.215] ModSecurity: Access denied with code 401 (phase 2). Operator GT matched 0 at USER:bf_block. [file "/etc/modsecurity/modsec/wordpress.conf"] [line "10"] [id "2"] [msg "ip address blocked for 5 minutes, more than 15 login attempts in 3 minutes."] [hostname "www.tuosito.it"] [uri "/wp-login.php"] [unique_id "VjDcX1NnO2UAAFMCJvsAAAAL"]
[Wed Oct 28 15:32:08 2015] [error] [client 46.118.118.215] ModSecurity: Access denied with code 401 (phase 2). Operator GT matched 0 at USER:bf_block. [file "/etc/modsecurity/modsec/wordpress.conf"] [line "10"] [id "2"] [msg "ip address blocked for 5 minutes, more than 15 login attempts in 3 minutes."] [hostname "www.tuosito.it"] [uri "/wp-login.php"] [unique_id "VjDcaFNnO2UAAFWLXGwAAAAY"]
[Wed Oct 28 15:32:16 2015] [error] [client 46.118.118.215] ModSecurity: Access denied with code 401 (phase 2). Operator GT matched 0 at USER:bf_block. [file "/etc/modsecurity/modsec/wordpress.conf"] [line "10"] [id "2"] [msg "ip address blocked for 5 minutes, more than 15 login attempts in 3 minutes."] [hostname "www.tuosito.it"] [uri "/wp-login.php"] [unique_id "VjDccFNnO2UAAFL@JFIAAAAH"]
[Wed Oct 28 15:32:24 2015] [error] [client 46.118.118.215] ModSecurity: Access denied with code 401 (phase 2). Operator GT matched 0 at USER:bf_block. [file "/etc/modsecurity/modsec/wordpress.conf"] [line "10"] [id "2"] [msg "ip address blocked for 5 minutes, more than 15 login attempts in 3 minutes."] [hostname "www.tuosito.it"] [uri "/wp-login.php"] [unique_id "VjDceFNnO2UAAFLsIo0AAAAB"]
[Wed Oct 28 15:32:34 2015] [error] [client 46.118.118.215] ModSecurity: Access denied with code 401 (phase 2). Operator GT matched 0 at USER:bf_block. [file "/etc/modsecurity/modsec/wordpress.conf"] [line "10"] [id "2"] [msg "ip address blocked for 5 minutes, more than 15 login attempts in 3 minutes."] [hostname "www.tuosito.it"] [uri "/wp-login.php"] [unique_id "VjDcglNnO2UAAFMDJ70AAAAM"]
[Wed Oct 28 15:32:41 2015] [error] [client 46.118.118.215] ModSecurity: Access denied with code 401 (phase 2). Operator GT matched 0 at USER:bf_block. [file "/etc/modsecurity/modsec/wordpress.conf"] [line "10"] [id "2"] [msg "ip address blocked for 5 minutes, more than 15 login attempts in 3 minutes."] [hostname "www.tuosito.it"] [uri "/wp-login.php"] [unique_id "VjDciVNnO2UAAFXvZ7MAAAAJ"]
[Wed Oct 28 15:32:50 2015] [error] [client 46.118.118.215] ModSecurity: Access denied with code 401 (phase 2). Operator GT matched 0 at USER:bf_block. [file "/etc/modsecurity/modsec/wordpress.conf"] [line "10"] [id "2"] [msg "ip address blocked for 5 minutes, more than 15 login attempts in 3 minutes."] [hostname "www.tuosito.it"] [uri "/wp-login.php"] [unique_id "VjDcklNnO2UAAFYVetgAAAAQ"]
[Wed Oct 28 15:33:00 2015] [error] [client 46.118.118.215] ModSecurity: Access denied with code 401 (phase 2). Operator GT matched 0 at USER:bf_block. [file "/etc/modsecurity/modsec/wordpress.conf"] [line "10"] [id "2"] [msg "ip address blocked for 5 minutes, more than 15 login attempts in 3 minutes."] [hostname "www.tuosito.it"] [uri "/wp-login.php"] [unique_id "VjDcnFNnO2UAAFWNXY4AAAAa"]

Hope it saves you some time and some manual work.

Tags: Linux, ModSecurity, Open Source, Web Server Apache