Brute force protection not working on LiteSpeed

Hello,

I’ve just installed the latest version of your rules for LiteSpeed (1.12) and am running the latest stable version of LiteSpeed. For the moment I just wanted to block WordPress and Joomla brute force attacks, so I only enabled the brute force group and I also enabled the bot group.

However, wp-login.php files and administrator/index.php’s are both getting hit hard at the moment and mod_security is only reporting a few bots being stopped.

Should brute force work on LiteSpeed?

If not, how can I implement a custom rule at least for WordPress, something like this:

# WordPress Brute Force Protection
#
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:1234123456
<Location /wp-login.php>
# Deny while the block flag is set (phase 2 by default)
SecRule user:bf_block "@gt 0" "deny,status:401,log,msg:'ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes.',id:1234123457"
# A 302 after the POST means the login succeeded: reset the counter
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:1234123458"
# A 200 means the login form was re-served (failed attempt); count it, decaying by 1 every 180 s.
# Note: a plain GET of /wp-login.php also returns 200 and is counted by this rule.
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:1234123459"
SecRule ip:bf_counter "@gt 10" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
</Location>

?

Thanks !

  1. Add this to modsec2.conf before the closing tag:
Include "/usr/local/apache/conf/modsec2.user.conf"
  2. Then you can add to modsec2.user.conf the rule you have or the rules we use:
# WordPress Brute Force and Comment Spam Protection

<LocationMatch "/(wp-login.php|wp-comments-post.php)">
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:00110
SecRule user:bf_block "@gt 0" "deny,status:403,log,id:00111,msg:'IP address blocked for 5 minutes. More than 3 POST requests to wp-login.php or wp-comments-post.php within 10 seconds.'"
# Counts every POST regardless of the response status (unlike rules keyed on RESPONSE_STATUS); the counter drops by 1 per 10 s
SecRule REQUEST_METHOD "^POST$" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/10,id:00112"
SecRule ip:bf_counter "@gt 3" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
</LocationMatch>

# Joomla Brute Force Protection
# Note: ip.bf_counter and user.bf_block are the same persistent collection variables as in the
# WordPress block above (same collection name and key), so POSTs to either location count
# toward both thresholds and a block set by one rule applies to both locations.

<LocationMatch "/administrator/index.php">
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:00113
SecRule user:bf_block "@gt 0" "deny,status:403,log,id:00114,msg:'IP address blocked for 5 minutes. More than 30 Joomla POST requests within 10 seconds.'"
SecRule REQUEST_METHOD "^POST$" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/10,id:00115"
SecRule ip:bf_counter "@gt 30" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
</LocationMatch>

As always, use at your own risk.

Brute force protection is disabled by default; make sure it is enabled.

Hello:

Brute force is enabled:

cat /usr/local/apache/conf/modsec2.conf
LoadFile /opt/xml2/lib/libxml2.so 
# LoadFile /opt/lua/lib/liblua.so 
LoadModule security2_module  modules/mod_security2.so 
<IfModule mod_security2.c> 
SecRuleEngine On 
SecTmpDir /tmp 
SecDataDir /tmp 
SecRequestBodyAccess On 
SecAuditEngine On 
SecPcreMatchLimitRecursion 250000 
SecDebugLog logs/modsec_debug.log 
SecPcreMatchLimit 250000 
SecAuditLog logs/modsec_audit.log 
SecDebugLogLevel 9 
Include "/var/cpanel/cwaf/etc/cwaf.conf" 
</IfModule>

Modsecurity rules are triggered when I enable other rule groups but for brute force none are triggered.

/usr/local/apache/logs/modsec_audit.log

remains empty during brute force attacks if other rule groups are disabled

/usr/local/apache/logs/modsec_debug.log

was created but has never had anything written to it.

Here’s a sample of the most recent brute force attack I stopped manually:

198.50.152.104 - - [10/Aug/2014:23:47:03 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
198.50.152.104 - - [10/Aug/2014:23:47:04 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
198.50.152.104 - - [10/Aug/2014:23:47:04 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
198.50.152.104 - - [10/Aug/2014:23:47:05 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
198.50.152.104 - - [10/Aug/2014:23:47:05 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
198.50.152.104 - - [10/Aug/2014:23:47:06 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
198.50.152.104 - - [10/Aug/2014:23:47:06 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
198.50.152.104 - - [10/Aug/2014:23:47:07 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
198.50.152.104 - - [10/Aug/2014:23:48:57 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
198.50.152.104 - - [10/Aug/2014:23:48:58 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
198.50.152.104 - - [10/Aug/2014:23:48:59 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
198.50.152.104 - - [10/Aug/2014:23:48:59 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
198.50.152.104 - - [10/Aug/2014:23:49:05 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
198.50.152.104 - - [10/Aug/2014:23:49:05 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
198.50.152.104 - - [10/Aug/2014:23:49:11 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
198.50.152.104 - - [10/Aug/2014:23:49:11 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
198.50.152.104 - - [10/Aug/2014:23:49:12 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
198.50.152.104 - - [10/Aug/2014:23:49:18 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
198.50.152.104 - - [10/Aug/2014:23:49:18 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
198.50.152.104 - - [10/Aug/2014:23:49:19 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
198.50.152.104 - - [10/Aug/2014:23:49:19 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
198.50.152.104 - - [10/Aug/2014:23:49:20 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
198.50.152.104 - - [10/Aug/2014:23:49:20 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
198.50.152.104 - - [10/Aug/2014:23:49:21 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
198.50.152.104 - - [10/Aug/2014:23:49:21 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
198.50.152.104 - - [10/Aug/2014:23:49:22 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
198.50.152.104 - - [10/Aug/2014:23:49:22 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
198.50.152.104 - - [10/Aug/2014:23:49:23 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
198.50.152.104 - - [10/Aug/2014:23:49:23 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
198.50.152.104 - - [10/Aug/2014:23:49:24 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
198.50.152.104 - - [10/Aug/2014:23:49:24 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
198.50.152.104 - - [10/Aug/2014:23:49:25 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
198.50.152.104 - - [10/Aug/2014:23:49:25 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
198.50.152.104 - - [10/Aug/2014:23:49:26 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
198.50.152.104 - - [10/Aug/2014:23:49:26 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
198.50.152.104 - - [10/Aug/2014:23:49:26 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
198.50.152.104 - - [10/Aug/2014:23:49:27 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
198.50.152.104 - - [10/Aug/2014:23:49:28 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
198.50.152.104 - - [10/Aug/2014:23:49:28 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
198.50.152.104 - - [10/Aug/2014:23:49:28 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
198.50.152.104 - - [10/Aug/2014:23:49:29 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
198.50.152.104 - - [10/Aug/2014:23:49:29 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
198.50.152.104 - - [10/Aug/2014:23:49:30 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
198.50.152.104 - - [10/Aug/2014:23:49:35 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
198.50.152.104 - - [10/Aug/2014:23:49:35 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
198.50.152.104 - - [10/Aug/2014:23:49:36 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
198.50.152.104 - - [10/Aug/2014:23:49:37 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
198.50.152.104 - - [10/Aug/2014:23:49:37 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
198.50.152.104 - - [10/Aug/2014:23:49:38 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"

Is it normal that :

LoadFile /opt/lua/lib/liblua.so

is commented? Doesn’t LiteSpeed need this to parse mod_security rules?

I think that might have been the issue. I uncommented this line and an IP that was running a brute force attack was blocked… :slight_smile:

I’ll let you know how it goes !

Hello again,

After restarting LiteSpeed the rule is triggered once and then the brute force continues. Is this a bug that I need to report to LiteSpeed or is this a problem with the rules?

The brute force rule was triggered once but the brute force continues:

In the ModSecurity logs I’ve now got:

Whole contents of /usr/local/apache/logs/modsec_audit.log

--05f88488-A--
[11/Aug/2014:10:06:11 +0200] - 46.4.82.100 38772 O.U.R.IP:80 80
--05f88488-B--
POST /wp-login.php HTTP/1.1
Host: CUSTOMERDOMAIN.TLD
Content-Type: application/x-www-form-urlencoded
Content-Length: 23

--05f88488-F--

--05f88488-H--
Message: Detected , [Rule: 'IP:BRUTE_FORCE_BURST_COUNTER' '@ge 2'] [id "230007"] [msg "COMODO WAF: Potential Brute Force Attack from %{tx.real_ip} - # of Request Bursts: %{ip.brute_force_burst_counter}"] [severity "WARNING"] [MatchedString "2"]

--05f88488-Z--

--533a2faf-A--
[11/Aug/2014:10:09:23 +0200] - 195.3.144.79 3191 O.U.R.IP:80 80
--533a2faf-B--
POST /wp-login.php/wp-login.php HTTP/1.1
Host: CUSTOMER2DOMAIN.TLD
Keep-Alive: 300
Connection: keep-alive
Cookie: wordpress_[...CONTENTS OF COOKIE REMOVED FOR THIS FORUM...]
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20100101 Firefox/21.0 USA\Miami Style
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en,en-us;q=0.8,es;q=0.3
Accept-Charset: utf-8;q=0.7,*;q=0.7
Referer: http://CUSTOMER2DOMAIN.TLD/wp-login.php/wp-login.php

--533a2faf-F--

--533a2faf-H--
Message: Detected , [Rule: 'IP:BRUTE_FORCE_BURST_COUNTER' '@ge 2'] [id "230007"] [msg "COMODO WAF: Potential Brute Force Attack from %{tx.real_ip} - # of Request Bursts: %{ip.brute_force_burst_counter}"] [severity "WARNING"] [MatchedString "2"]

--533a2faf-Z--

But in the access logs I’ve got :

46.4.82.100 - - [11/Aug/2014:10:05:55 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
46.4.82.100 - - [11/Aug/2014:10:05:55 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
46.4.82.100 - - [11/Aug/2014:10:05:55 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
46.4.82.100 - - [11/Aug/2014:10:06:04 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
46.4.82.100 - - [11/Aug/2014:10:06:05 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
46.4.82.100 - - [11/Aug/2014:10:06:05 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
46.4.82.100 - - [11/Aug/2014:10:06:05 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
46.4.82.100 - - [11/Aug/2014:10:06:05 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
46.4.82.100 - - [11/Aug/2014:10:06:06 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
46.4.82.100 - - [11/Aug/2014:10:06:06 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
46.4.82.100 - - [11/Aug/2014:10:06:06 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
46.4.82.100 - - [11/Aug/2014:10:06:07 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
46.4.82.100 - - [11/Aug/2014:10:06:07 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
46.4.82.100 - - [11/Aug/2014:10:06:07 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
46.4.82.100 - - [11/Aug/2014:10:06:07 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
46.4.82.100 - - [11/Aug/2014:10:06:08 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
46.4.82.100 - - [11/Aug/2014:10:06:08 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
46.4.82.100 - - [11/Aug/2014:10:06:08 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
46.4.82.100 - - [11/Aug/2014:10:06:09 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
46.4.82.100 - - [11/Aug/2014:10:06:09 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
46.4.82.100 - - [11/Aug/2014:10:06:09 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
46.4.82.100 - - [11/Aug/2014:10:06:10 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
46.4.82.100 - - [11/Aug/2014:10:06:10 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
46.4.82.100 - - [11/Aug/2014:10:06:11 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
46.4.82.100 - - [11/Aug/2014:10:06:11 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
46.4.82.100 - - [11/Aug/2014:10:06:11 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
46.4.82.100 - - [11/Aug/2014:10:06:12 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
46.4.82.100 - - [11/Aug/2014:10:06:12 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
46.4.82.100 - - [11/Aug/2014:10:06:12 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
46.4.82.100 - - [11/Aug/2014:10:06:13 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
46.4.82.100 - - [11/Aug/2014:10:06:13 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
46.4.82.100 - - [11/Aug/2014:10:06:13 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
46.4.82.100 - - [11/Aug/2014:10:06:13 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
46.4.82.100 - - [11/Aug/2014:10:06:14 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
46.4.82.100 - - [11/Aug/2014:10:06:14 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
46.4.82.100 - - [11/Aug/2014:10:06:14 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
46.4.82.100 - - [11/Aug/2014:10:06:14 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
46.4.82.100 - - [11/Aug/2014:10:06:15 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
46.4.82.100 - - [11/Aug/2014:10:06:15 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
46.4.82.100 - - [11/Aug/2014:10:06:15 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
46.4.82.100 - - [11/Aug/2014:10:06:16 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
46.4.82.100 - - [11/Aug/2014:10:06:16 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"
46.4.82.100 - - [11/Aug/2014:10:06:17 +0200] "POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"

As you can see, the rule detected this IP but did nothing to block it.

LiteSpeed has limited support for mod_security rules, so we can’t guarantee that they work properly; anyway, we are going to contact the LiteSpeed developers to provide maximum compatibility and performance.

Thanks,

I’ll also point them to this thread to see if they can work out what is wrong :slight_smile:

LiteSpeed’s looking into getting this fixed :slight_smile:

The LiteSpeed guys are a nice bunch of guys who care for their customers and users. We like working with them. I am sure they will resolve this issue very soon.

Subscribed - please post back once this has been resolved.

Hello,

I haven’t been able to determine if this is fixed, as brute forcers seem to have found out how not to get blocked.

I believe Comodo WAF starts a block after 30 in one minute, but we are not getting 30 per minute from a single IP; they are attacking with multiple IPs.

Example:

46.165.228.144 - - [23/Aug/2014:10:21:03 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:21:03 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:21:05 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:21:08 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:21:08 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:21:11 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:21:12 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:21:14 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:21:17 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:21:16 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:21:19 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:21:20 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:21:22 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:21:25 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:21:27 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:21:31 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:21:31 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:21:33 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:21:36 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:21:38 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:21:41 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:21:52 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:21:53 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:21:58 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:21:58 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:22:01 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:22:02 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:22:04 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:22:11 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:22:13 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:22:22 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:22:23 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:22:28 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:22:28 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:22:32 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:22:34 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:22:37 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:22:37 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:22:40 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:22:41 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:22:43 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:22:46 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:22:49 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:22:52 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:22:54 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:22:58 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:22:59 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:23:03 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:23:04 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:23:08 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:23:09 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:23:13 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:23:13 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:23:17 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:23:18 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:23:20 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:23:23 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:23:24 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:23:27 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:23:28 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:23:30 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:23:33 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:23:35 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:23:33 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:23:38 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:23:39 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:23:41 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
125.253.124.48 - - [23/Aug/2014:10:23:42 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"
46.165.228.144 - - [23/Aug/2014:10:23:44 +0200] "POST /wp-login.php HTTP/1.1" 200 4962 "-" "-"

Can something be done to stop these attacks?
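The two technical threads above (the custom WordPress rule Comodo staff posted, which counts POSTs per IP with a 1-per-10-second decay and a 300-second block, and the two-IP attack in the last excerpt, where neither source comes close to a per-IP "30 per minute" threshold) can be worked through concretely. The simulator below is an added example written for this page; it is not code from the thread, from the Comodo ruleset or from LiteSpeed, and it does not model the internals of Comodo rule 230007. It re-implements the setvar/deprecatevar/expirevar logic of the staff rule (ids 00110-00112) in Python, applying deprecatevar the way ModSecurity 2.x does (the counter is reduced by N for every whole T-second interval since the collection was last written, so a client that keeps sending faster than once per T seconds never decays at all), and replays constructed log lines in the shape of the thread's excerpts. The log lines, timestamps, the `per_target` key and the 12-second "slow" interval are constructed for the example.

```python
"""Replay ModSecurity-style brute force counters over access-log lines.

Added example for this page (not code from the thread, Comodo or LiteSpeed): it models the
setvar/deprecatevar/expirevar logic of the custom WordPress rule posted above and replays it
over constructed log lines shaped like the thread's excerpts.
"""
import re
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3})')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
TZ = timezone(timedelta(hours=2))                      # the +0200 offset in the thread's logs
T0 = int(datetime(2014, 8, 10, 23, 47, 3, tzinfo=TZ).timestamp())
STAFF_WP = dict(threshold=3, decay_per=1, decay_secs=10, block_secs=300)  # rule ids 00110-00112


def parse_line(line):
    """Return (ip, epoch_seconds, method, path, status) for a common-log-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, int(datetime.strptime(ts, TIME_FMT).timestamp()), method, path, int(status)


class CounterRule:
    """One counter rule for POSTs to /wp-login.php, keyed by key_func(request).

    phase 2: deny if KEY.bf_block is set.
    phase 5: setvar:KEY.bf_counter=+1, deprecatevar:KEY.bf_counter=decay_per/decay_secs; if
             bf_counter > threshold, set bf_block (expirevar block_secs) and reset the counter.
    deprecatevar is applied as ModSecurity 2.x does it: subtract decay_per for every *whole*
    decay_secs elapsed since the collection was last written (integer division), so a key that
    is touched more often than once per decay_secs never decays at all.
    """

    def __init__(self, threshold, decay_per, decay_secs, block_secs, key_func):
        self.threshold, self.decay_per = threshold, decay_per
        self.decay_secs, self.block_secs = decay_secs, block_secs
        self.key_func = key_func
        self.state = {}                                # key -> counter, last_update, block_until

    def handle(self, req):
        """Return 'deny' or 'allow' for one parsed request and update the key's counters."""
        _ip, now, method, path, _status = req
        if method != "POST" or path != "/wp-login.php":
            return "allow"                             # outside <LocationMatch> / REQUEST_METHOD scope
        s = self.state.setdefault(self.key_func(req),
                                  {"counter": 0, "last_update": now, "block_until": 0})
        if s["block_until"] > now:
            return "deny"                              # bf_block set; denied requests not counted (simplification)
        s["counter"] += 1
        s["counter"] = max(0, s["counter"] - self.decay_per * ((now - s["last_update"]) // self.decay_secs))
        s["last_update"] = now
        if s["counter"] > self.threshold:
            s["block_until"] = now + self.block_secs   # expirevar
            s["counter"] = 0
        return "allow"                                 # the request that trips the threshold was already served


def replay(lines, rule):
    """Run log lines through a rule; return {client_ip: (served, denied)}."""
    tally = {}
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        served, denied = tally.get(req[0], (0, 0))
        verdict = rule.handle(req)
        tally[req[0]] = (served + (verdict == "allow"), denied + (verdict == "deny"))
    return tally


def fake_lines(ip, first, count, step):
    """Constructed log lines in the shape of the thread's excerpts: one POST every `step` seconds."""
    return [f'{ip} - - [{datetime.fromtimestamp(first + i * step, TZ).strftime(TIME_FMT)}] '
            f'"POST /wp-login.php HTTP/1.1" 200 4389 "-" "-"' for i in range(count)]


def by_time(*groups):
    """Merge several clients' lines into one time-ordered log."""
    return sorted(sum(groups, []), key=lambda ln: parse_line(ln)[1])


per_ip = lambda req: req[0]       # initcol:ip=%{REMOTE_ADDR}, as in the posted rules
per_target = lambda req: req[3]   # constructed alternative: key on the login URL (or the attempted username)


def single_ip_burst():
    """One IP, 8 POSTs one second apart (like the 10/Aug excerpt), per-IP rule."""
    return replay(fake_lines("198.50.152.104", T0, 8, 1), CounterRule(key_func=per_ip, **STAFF_WP))


def two_ips_fast_per_ip():
    """Two IPs alternating every 3 s (like the 23/Aug excerpt): still faster than decay_secs."""
    lines = by_time(fake_lines("46.165.228.144", T0, 20, 3), fake_lines("125.253.124.48", T0 + 1, 20, 3))
    return replay(lines, CounterRule(key_func=per_ip, **STAFF_WP))


def two_ips_slow_per_ip():
    """Each IP POSTs every 12 s, slower than decay_secs: a per-IP counter never trips."""
    lines = by_time(fake_lines("46.165.228.144", T0, 10, 12), fake_lines("125.253.124.48", T0 + 6, 10, 12))
    return replay(lines, CounterRule(key_func=per_ip, **STAFF_WP))


def two_ips_slow_per_target():
    """Same slow traffic counted per login URL: the combined rate trips the rule on the 4th POST."""
    lines = by_time(fake_lines("46.165.228.144", T0, 10, 12), fake_lines("125.253.124.48", T0 + 6, 10, 12))
    return replay(lines, CounterRule(key_func=per_target, **STAFF_WP))


if __name__ == "__main__":
    for fn in (single_ip_burst, two_ips_fast_per_ip, two_ips_slow_per_ip, two_ips_slow_per_target):
        print(f"{fn.__name__}: {fn()}")
```

Two things fall out of the replay. First, the request that pushes the counter over the threshold has already been served by the time the phase 5 rule runs, so a block always lands one attempt late; that matches the "triggered once, attack continues" pattern only if the block flag is then honoured on the following requests. Second, against the staff rule the 3-second two-IP pattern from the excerpt is still blocked per IP, because the integer decay never kicks in below a 10-second gap; spreading attempts to 12 seconds per source evades a per-IP counter indefinitely, while keying the same counter on the login URL trips it on the fourth combined attempt. Keying on the target trades evasion resistance for a denial-of-service risk, since one block then affects every client of that URL, so in practice a per-target counter is better used to alert or to step up (CAPTCHA, MFA) than to hard-deny.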

Please check modsec_audit.log.
I suppose you’ll find the following errors: “ModSecurity: collections_remove_stale: Failed deleting collection”

Please see the link: ModSecurity: collections_remove_stale: Failed deleting collection · Issue #576 · SpiderLabs/ModSecurity · GitHub
So there is no solution to fix this error besides turning the brute force rules off.

Sorry, I’m not sure I understood your answer.

I don’t have any errors, and the link you posted was for Apache ModSecurity, not LiteSpeed.

My issue here is that the brute force rules don’t stop attacks from multiple IPs each doing fewer than 30 tries a minute over a long period of time.

As you can see from the logs I posted, two IPs were brute forcing but not being stopped.

After 10 or 15 tries on wp-login.php the IP should be blocked.

From what I have understood, an IP can do 25 tries per minute or 1500 per hour without being blocked.

We’re also experiencing the same problem, using LiteSpeed.

Brute Force Enabled.
Nothing in /usr/local/apache/logs/modsec_debug.log
No “ModSecurity: collections_remove_stale: Failed deleting collection” errors in the modsec audit log either (grepped for the word “stale” and couldn’t find anything)

All of our servers are being hammered; we came from Atomicorp’s paid ruleset with Apache to LiteSpeed with CMC. Should we collaborate with LiteSpeed directly or with Comodo’s team regarding this issue? It’s causing a lot of load on our servers.

91.135.76.69 - - [31/Aug/2014:04:56:21 +1000] "POST /wp-login.php HTTP/1.1" 200 5782 "-" "-"
37.247.98.108 - - [31/Aug/2014:04:56:21 +1000] "POST /wp-login.php HTTP/1.1" 200 5782 "-" "-"
91.135.76.69 - - [31/Aug/2014:04:56:23 +1000] "POST /wp-login.php HTTP/1.1" 200 5782 "-" "-"
37.247.98.108 - - [31/Aug/2014:04:56:23 +1000] "POST /wp-login.php HTTP/1.1" 200 5782 "-" "-"
91.135.76.69 - - [31/Aug/2014:04:56:24 +1000] "POST /wp-login.php HTTP/1.1" 200 5782 "-" "-"
37.247.98.108 - - [31/Aug/2014:04:56:25 +1000] "POST /wp-login.php HTTP/1.1" 200 5782 "-" "-"
91.135.76.69 - - [31/Aug/2014:04:56:25 +1000] "POST /wp-login.php HTTP/1.1" 200 5782 "-" "-"
91.135.76.69 - - [31/Aug/2014:04:56:27 +1000] "POST /wp-login.php HTTP/1.1" 200 5782 "-" "-"
37.247.98.108 - - [31/Aug/2014:04:56:27 +1000] "POST /wp-login.php HTTP/1.1" 200 5782 "-" "-"
91.135.76.69 - - [31/Aug/2014:04:56:28 +1000] "POST /wp-login.php HTTP/1.1" 200 5782 "-" "-"
91.135.76.69 - - [31/Aug/2014:04:56:29 +1000] "POST /wp-login.php HTTP/1.1" 200 5782 "-" "-"
37.247.98.108 - - [31/Aug/2014:04:56:29 +1000] "POST /wp-login.php HTTP/1.1" 200 5782 "-" "-"
91.135.76.69 - - [31/Aug/2014:04:56:31 +1000] "POST /wp-login.php HTTP/1.1" 200 5782 "-" "-"
37.247.98.108 - - [31/Aug/2014:04:56:31 +1000] "POST /wp-login.php HTTP/1.1" 200 5782 "-" "-"
91.135.76.69 - - [31/Aug/2014:04:56:32 +1000] "POST /wp-login.php HTTP/1.1" 200 5782 "-" "-"
37.247.98.108 - - [31/Aug/2014:04:56:33 +1000] "POST /wp-login.php HTTP/1.1" 200 5782 "-" "-"
91.135.76.69 - - [31/Aug/2014:04:56:33 +1000] "POST /wp-login.php HTTP/1.1" 200 5782 "-" "-"
91.135.76.69 - - [31/Aug/2014:04:56:35 +1000] "POST /wp-login.php HTTP/1.1" 200 5782 "-" "-"
37.247.98.108 - - [31/Aug/2014:04:56:36 +1000] "POST /wp-login.php HTTP/1.1" 200 5782 "-" "-"
91.135.76.69 - - [31/Aug/2014:04:56:36 +1000] "POST /wp-login.php HTTP/1.1" 200 5782 "-" "-"
91.135.76.69 - - [31/Aug/2014:04:56:38 +1000] "POST /wp-login.php HTTP/1.1" 200 5782 "-" "-"
37.247.98.108 - - [31/Aug/2014:04:56:38 +1000] "POST /wp-login.php HTTP/1.1" 200 5782 "-" "-"
91.135.76.69 - - [31/Aug/2014:04:56:39 +1000] "POST /wp-login.php HTTP/1.1" 200 5782 "-" "-"

Brute force blocks should be stopping this.

Hi

Unfortunately LiteSpeed does not support ModSecurity fully. Here is a list of features not (yet) implemented: litespeed_wiki:mod_security_compatibility [LiteSpeed Wiki]
Brute force requires support for the “scan response header/body” feature to work.

Ok,

How can I keep the Comodo rules and add custom rules to block WordPress attacks?

Every time I update the Comodo plugin it removes my edits. Where can I add custom rules while I wait for either Comodo to adapt to the tools LiteSpeed provides or for LiteSpeed to add support for Comodo’s rules?

Why don’t you keep cPanel’s user include?

Thanks

Hi

You can add your own rules to the user config through the menu “Userdata” - “Custom Rules” or to the file /var/cpanel/cwaf/etc/httpd/custom_user.conf
It will survive updates.

I just used this as per the following link and it works beautifully. Is there no way Comodo can test this as well and implement it in the next update? It seems to be working well for me against the wp-login.php brute force attacks.

http://forums.cpanel.net/f185/wp-login-php-mod-security-430242.html

#Block WP logins with no referring URL
<LocationMatch "/wp-login.php">
# HTTP_REFERER is supplied by the client, so this only stops tools that do not bother to send one
SecRule REQUEST_METHOD "POST" "deny,status:401,id:5000130,chain,msg:'wp-login request blocked, no referer'"
SecRule &HTTP_REFERER "@eq 0"
</LocationMatch>

#Wordpress Brute Force detection
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},id:5000134
<LocationMatch "/wp-login.php">

# Setup brute force detection.

# React if block flag has been set.

SecRule ip:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes.'"

# Setup Tracking. On a successful login, a 302 redirect is performed, a 200 indicates login failed.
# (A plain GET of the login page also returns 200 and is counted.)

SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
SecRule ip:bf_counter "@gt 10" "t:none,setvar:ip.bf_block=1,expirevar:ip.bf_block=300,setvar:ip.bf_counter=0"
</LocationMatch>