Author Topic: Wish List (Please post your wishes here)  (Read 11466 times)

Offline oleg.tsygany

Re: Wish List (Please post your wishes here)
« Reply #45 on: June 09, 2015, 07:12:38 AM »
Hi Mike

Webmin plugin is released :)
Please check here.

Regards, Oleg

Offline gshost

Re: Wish List (Please post your wishes here)
« Reply #46 on: July 24, 2015, 03:23:16 AM »
It would be great for DirectAdmin if you can add:

1. statistics page
2. user level extension so users can see what problems they have on their web page
3. user level and admin level should have the option to block certain countries (China, etc.)



Offline oleg.tsygany

Re: Wish List (Please post your wishes here)
« Reply #47 on: July 24, 2015, 04:17:54 AM »
By the way, customers can add country-based protection right now using custom rules.
Here are the instructions:
https://forums.comodo.com/free-modsecurity-rules-comodo-web-application-firewall/how-to-block-access-to-your-site-from-certain-country-t112172.0.html

Regards, Oleg

Offline LBJ

Re: Wish List (Please post your wishes here)
« Reply #48 on: October 20, 2015, 07:52:19 PM »
G'day Team,

This was raised quite a while ago and TDmitry replied at...

https://forums.comodo.com/free-modsecurity-rules-comodo-web-application-firewall/configuring-a-global-modsecurity-message-t111927.0.html;msg812601#msg812601

...but it's still a very needed unavailable feature...

Could we please have a simple and single location within CWAF where a generic message can be configured to advise the user that a ModSecurity rule has blocked their access?

Can SecDefaultAction specify a default redirect, for example, which will apply to all filter actions?

Best regards,

LBJ

Offline TDmitry

  • Head CWAF Rule Writing Team
Re: Wish List (Please post your wishes here)
« Reply #49 on: October 23, 2015, 05:49:59 AM »
Since CWAF rules generate a 403 error code in most cases, the simplest solution would be to modify your default 403 web page with your generic message.

Offline LBJ

Re: Wish List (Please post your wishes here)
« Reply #50 on: October 27, 2015, 05:53:25 PM »
Yes, but a 403 is raised for a lot more than just modsec. However, a global redirect from SecDefaultAction allows a message to be provided for *just* CWAF blocking.

Offline linux4me

Re: Wish List (Username-Based Brute Force Blocking Rules for WordPress)
« Reply #51 on: August 15, 2016, 11:56:04 AM »
I'm getting brute-force attacks on wp-login.php that use the same username, but don't use the same IP address more than once or twice, so they get by the IP-based brute-force attack rule currently in Comodo WAF.

I would like to see Comodo include a rule that would block brute-force attacks on wp-login.php based on username, independent of IP address.

Thanks!

Offline TDmitry

  • Head CWAF Rule Writing Team
Re: Wish List (Username-Based Brute Force Blocking Rules for WordPress)
« Reply #52 on: August 19, 2016, 04:41:08 AM »
As I understand it, a widespread brute-force attack could be detected, but protection would lead to numerous false positives because we can't know which legitimate users will want to log in, or from where. In this case it is better to use a CAPTCHA or a whitelisting mechanism.

Offline Melih

  • CEO - Comodo
  • Administrator
Re: Wish List (Username-Based Brute Force Blocking Rules for WordPress)
« Reply #53 on: August 19, 2016, 08:52:56 AM »
Can you give us exactly what you have in mind as a rule? A few use cases would allow us to understand whether this will cause too many false positives or not.
Thanks

Offline linux4me

Re: Wish List (Username-Based Brute Force Blocking Rules for WordPress)
« Reply #54 on: August 19, 2016, 11:53:12 AM »
I was thinking that after a set number of failed logins using the same user name, additional logins using that user name would be dropped for a set time period. Sort of the same as your brute force protection based on IP address, but using the user name instead of the IP. I've seen this sample for a Rails application, but I wanted one specifically for WordPress/wp-login.php:

Code:
# Username-based blocking.
# (Rule ids are placeholders; ModSecurity 2.7 and later require a unique id per rule.)
<LocationMatch /sessions>
        # Retrieve the username and open the persistent USER collection keyed on it
        SecAction "id:1000001,phase:2,nolog,pass,initcol:USER=%{ARGS.username}"

        # Enforce an existing username block
        SecRule USER:bf_block "@eq 1" \
                "id:1000002,phase:2,deny,\
                msg:'Username \"%{ARGS.username}\" blocked because of suspected brute-force attack'"

        # Check that this is a POST
        SecRule REQUEST_METHOD "@streq POST" "id:1000003,phase:5,chain,t:none,nolog,pass"
                # AND Check for authentication failure and increment counters
                # NOTE this is for a Rails application, you probably need to customize this
                # (counter is kept in USER, not IP, so the threshold check below sees it)
                SecRule RESPONSE_STATUS "^200" \
                        "setvar:USER.bf_counter=+1"

        # Check for too many failures for a single username
        SecRule USER:bf_counter "@ge 3" \
                "id:1000004,phase:5,t:none,pass,\
                setvar:USER.bf_block,\
                setvar:!USER.bf_counter,\
                expirevar:USER.bf_block=600"
</LocationMatch>

Offline linux4me

Re: Wish List (Username-Based Brute Force Blocking Rules for WordPress)
« Reply #55 on: August 19, 2016, 01:56:08 PM »
What you were asking about false positives finally registered, and I realized how impractical blocking by user name would be. What I've been seeing is a bunch of login attempts with user names we don't even have registered brute forced from a variety of different IPs. Blocking them wouldn't be an issue because they aren't real users, but if we had a rule to do so, it could be used to intentionally or unintentionally block legitimate users. I can't think of a way around that using ModSecurity; it would probably have to be done at the application level or with a whitelist of IPs, and too many users don't have dedicated IPs, or access sites from a variety of them. Sorry about the confusion.
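
The trade-off discussed in the posts above, replayed as a small simulation. This is an added example, not code from any poster or from Comodo; the events, threshold, block time and function names are constructed for illustration. It shows that a per-IP failure counter never fires on a distributed attack, while a per-username counter fires and then also denies the real account owner.

```python
from collections import defaultdict

# Constructed events: (seconds, source IP, username, login_ok). Not real log data.
EVENTS = [
    (0,   "198.51.100.1", "alice", False),  # distributed guesses, one per IP
    (5,   "198.51.100.2", "alice", False),
    (9,   "198.51.100.3", "alice", False),
    (12,  "203.0.113.7",  "alice", True),   # the real alice, correct password
    (20,  "198.51.100.4", "bob",   False),
    (700, "203.0.113.7",  "alice", True),   # same user after the block expired
]


def simulate(events, key, threshold=3, block_secs=600):
    """Replay events through a failure counter keyed on 'ip' or 'user'.

    Mirrors the sample rule's logic: `threshold` failures set a block that
    expires after `block_secs`, and blocked requests are denied before the
    application ever checks the password.
    Returns the events that were denied.
    """
    failures = defaultdict(int)
    blocked_until = {}
    denied = []
    for t, ip, user, ok in sorted(events):
        k = ip if key == "ip" else user
        if blocked_until.get(k, -1) > t:
            denied.append((t, ip, user, ok))
            continue
        if not ok:
            failures[k] += 1
            if failures[k] >= threshold:
                blocked_until[k] = t + block_secs
                failures[k] = 0  # counter is cleared when the block is set
    return denied


def locked_out_legit(denied):
    """Denied requests that carried valid credentials, i.e. false positives."""
    return [e for e in denied if e[3]]


if __name__ == "__main__":
    print("per-IP denied:  ", simulate(EVENTS, "ip"))
    print("per-user denied:", simulate(EVENTS, "user"))
    print("legit lockouts: ", locked_out_legit(simulate(EVENTS, "user")))
```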

Offline w-e-v

Re: Wish List (Please post your wishes here)
« Reply #56 on: August 25, 2017, 12:48:39 PM »
Please, a plugin for ISPConfig!

Any update about this wish? :)

Offline akabakov

Re: Wish List (Please post your wishes here)
« Reply #57 on: August 30, 2017, 07:05:08 AM »
Unfortunately, we don't develop a plug-in for ISPConfig.

 
