Bruteforce on WordPress/Apache is not working anymore

Have you made any changes to this rule lately?

It had been working fine before.
When checking the domain access logs:
60.43.208.83 - - [04/Jun/2015:20:03:18 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:03:20 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:03:22 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:03:24 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:03:25 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:03:27 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:03:29 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:03:31 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:03:33 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:03:35 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:03:37 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:03:39 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:03:41 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:03:43 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:03:45 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:03:47 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:03:49 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:03:50 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:03:52 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:03:54 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:03:56 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:03:58 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:04:00 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:04:04 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:04:05 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:04:07 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:04:09 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:04:11 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:04:13 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:04:15 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:04:17 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:04:19 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:04:21 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:04:22 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:04:24 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:04:26 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:04:28 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:04:30 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:04:32 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:04:33 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:04:35 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:04:37 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:04:40 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:04:42 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:04:43 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:04:45 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:04:47 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:04:49 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:04:51 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:04:53 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:04:55 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:04:57 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:04:58 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:05:00 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:05:03 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:05:05 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:05:06 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:05:08 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:05:10 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:05:12 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:05:14 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:05:16 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:05:18 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:05:20 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:05:22 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:05:24 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:05:26 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:05:28 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"

It should give a 403 error and in the end be blocked by our CSF. But it does not work… Any ideas?
I see that the Comodo plugin is working and blocking on other rules…

I did check the logs, and the last time we saw the Bruteforce rule working was 27 May. We updated the rules then, which had been released the day before!
Also, we have the newest rules now, but the Bruteforce rule for WordPress is still not working on Apache. (And on LiteSpeed, in another old thread.)

Hi Hedloff

The ruleset released May 26 contained an exclude fix, so that could be the issue.
Please check that your exclude list does not contain the Bruteforce rule for WordPress.
Also, it would be good to regenerate the exclude list by performing any Catalog operation (for example, by turning some rule off and immediately back on).

Regards, Oleg

OK. I did try turning the whole set of Bruteforce rules off on every account and back on again.
It gave the attackers 302 errors for 1-2 minutes, then gave 200 again.

I have checked the CSF logs also. They are blocked there too, but they still have access.
Really confused here :(

Will try some more digging…

The rules are "On" and not excluded.
Looks like Bruteforce is not working on any servers at the moment… On one server I disabled the Bruteforce rule and re-enabled it, and it worked.
Is it possible to "reload" or "restart" Comodo WAF through SSH with a command?

Yes, the WAF is part of Apache (the mod_security module), so try restarting Apache (service httpd restart, etc.).
Also, please check the Apache logs for errors. As far as I know, the Bruteforce rules use persistent storage, which is broken in the current mod_security version.
Here is more info about this issue.

Regards, Oleg

Any updates on this? I am frequently getting hit and have to manually deny the offending IP in CSF.

Example from cPanel’s ModSec Hit List:

http://content.screencast.com/users/mobileappfx/folders/Jing/media/31e39ca8-30ab-4199-b06f-8b29f566d2b5/2015-08-18_1344.png

And this goes on for pages and pages…

What is your point? Are you getting too many log entries, and you wish that we do something about that?

Dmitry means these log entries indicate the IP IS blocked.
Are you complaining that there are too many log entries?

Regards, Oleg

If this IP is getting blocked, I'm curious to know why, as soon as I block the IP in CSF, the server load drops dramatically?

Also, these logs show the IP is attempting every few seconds, which to me doesn't seem like the brute force is being stopped?

This IP is not blocked permanently; it will be unblocked after 5 minutes if it stops the brute-force attack. Let us check if we can find any optimization here to reduce server load.

Thanks for taking a look, very much appreciated!

Just to make sure I understand this correctly: the IP is blocked for 5 minutes but will still create log entries whenever it attempts to connect during this time? (In this case, every few seconds?)

Cheers!

Yes, you understand correctly. We will also modify this rule to generate one log entry per user every few minutes with the number of blocked requests.
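The access-log excerpt in the first post (POSTs to /wp-login.php every two seconds, all answered 200) and Oleg's remarks above about a 5-minute application-level block that still logs every denied request can be made concrete with a small model. The following is an added example written for this page, not code from the thread or from Comodo's ruleset: a Python replay of a per-IP login counter with expiry, the kind of state a ModSecurity rule keeps in its IP collection, run over constructed log lines that copy the format of the first post. The threshold (5 attempts), the 300-second counter window and the 300-second block TTL are assumptions chosen for the example, not CWAF's real settings; the second IP and the final late retry are invented to show counter expiry and release.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in Apache combined log format, modelled on the first post
# (same attacker IP, 2-second cadence, 200 responses, empty referer and UA).
# The last two lines are invented: a benign request from another host, and a
# retry after the attacker has been quiet for more than five minutes.
SAMPLE_LOG = """\
60.43.208.83 - - [04/Jun/2015:20:03:18 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:03:20 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:03:22 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:03:24 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:03:25 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:03:27 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:03:29 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
60.43.208.83 - - [04/Jun/2015:20:03:31 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
192.0.2.10 - - [04/Jun/2015:20:03:32 +0200] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
60.43.208.83 - - [04/Jun/2015:20:10:00 +0200] "POST /wp-login.php HTTP/1.0" 200 3676 "-" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry


def is_login_attempt(entry):
    return entry["method"] == "POST" and entry["path"].split("?")[0].endswith("/wp-login.php")


def served_login_posts(entries):
    """Login POSTs answered with 200. A rule that is firing answers 403 (or a
    redirect), so a long run of 200s from one IP is the symptom in the first post."""
    return [e for e in entries if is_login_attempt(e) and e["status"] == 200]


class BruteForceTracker:
    """Toy model of a per-IP counter with expiry, the kind of state a ModSecurity
    rule keeps in its IP collection (setvar/expirevar). Thresholds are example
    assumptions, not CWAF's real values."""

    def __init__(self, threshold=5, window=300, block_ttl=300):
        self.threshold = threshold
        self.window = timedelta(seconds=window)
        self.block_ttl = timedelta(seconds=block_ttl)
        self.counter = {}                 # ip -> (count, expires_at)
        self.blocked_until = {}           # ip -> datetime
        self.denied = defaultdict(list)   # ip -> timestamps of denied requests

    def observe(self, entry):
        ip, ts = entry["ip"], entry["ts"]
        # A blocked IP stays blocked, and every new hit refreshes the TTL, so it
        # is released only after staying quiet for block_ttl (the "5 minutes").
        if ts < self.blocked_until.get(ip, ts):
            self.blocked_until[ip] = ts + self.block_ttl
            self.denied[ip].append(ts)
            return "deny"
        if not is_login_attempt(entry):
            return "pass"
        count, expires = self.counter.get(ip, (0, ts))
        if ts >= expires:                 # counter expired (expirevar analogue)
            count = 0
        count += 1
        self.counter[ip] = (count, ts + self.window)
        if count > self.threshold:
            self.blocked_until[ip] = ts + self.block_ttl
            self.denied[ip].append(ts)
            return "deny"
        return "pass"

    def summaries(self):
        """One record per blocked IP (denied count, first and last denial): the
        aggregated logging Oleg describes, instead of one alert per denied hit."""
        return [(ip, len(h), h[0], h[-1]) for ip, h in sorted(self.denied.items())]


def replay(log_text, **kwargs):
    """Parse a log excerpt and run it through a fresh tracker."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    tracker = BruteForceTracker(**kwargs)
    decisions = [tracker.observe(e) for e in entries]
    return entries, decisions, tracker


if __name__ == "__main__":
    entries, decisions, tracker = replay(SAMPLE_LOG)
    print(f"{len(served_login_posts(entries))} login POSTs were answered 200 (WAF not intervening)")
    for e, d in zip(entries, decisions):
        print(f"{e['ts']:%H:%M:%S} {e['ip']:<14} {e['method']} {e['path']} {e['status']} -> {d}")
    for ip, n, first, last in tracker.summaries():
        print(f"{ip}: {n} requests denied between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

Run against a real access log, `served_login_posts` is the quick check for the situation in the first post: if every login POST from one source is answered 200, the rule is not acting, whatever the rule catalogue says. The tracker shows why a working block still fills the log (each denied hit is recorded and refreshes the TTL) and why the attacker is released once it stays quiet for the TTL, while `summaries()` is the per-IP aggregate that replaces one alert per hit. Note that the deny decision here is application-level only, like mod_security's; nothing in it touches iptables.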

It's not blocked at the firewall level (CSF/iptables) though, just with mod_sec/Apache. Right?

Yes, on the application level, but not on the network (iptables).

Right now, CWAF doesn't work on the network level and targets web application protection only. Maybe in the future we will integrate additional methods/tools for network protection into CWAF.

We do use CSF to monitor the mod_security log to block IPs.

Yes, this is a productive decision.
We have plans to integrate mod_security with some iptables-level firewall.