Joomla BruteForce Update?

brijendrasial · June 14, 2014, 9:48am

Hello,

Is there any joomla admin login bruteforce security rule?

MH-Stefan · June 15, 2014, 7:44am

Not sure if there’s a rule from Comodo for this, but you can use this one:

# Joomla Brute Force Protection

<LocationMatch "/administrator/index.php">
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:00113
SecRule user:bf_block "[at]gt 0" "deny,status:403,log,id:00114,msg:'IP address blocked for 5 minutes. More than 3 Joomla POST requests within 10 seconds.'"
SecRule REQUEST_METHOD "^POST$" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/10,id:00115"
SecRule ip:bf_counter "[at]gt 3" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
</LocationMatch>

Warning: Replace [at] with the at sign above

It counts the number of POST requests to “/administrator/index.php” and if there are more than 3 within 10 seconds, the IP gets blocked for 5 minutes. We’re using this since a few days and it seems to throttle the attacks so far.

Note: Use at your own risk.

brijendrasial · June 15, 2014, 11:22pm

I saw this rule somewhere on some random website. Ty for help man. I will also await for comodo tec reply regarding this

MH-Stefan · June 16, 2014, 7:36am

No problem. It’s actually a modified version of the WordPress brute force rules from LiquidWeb. Instead of tracking the status code, I modified it to track the number of POST requests. You may want to reduce the threshold to something like 3 requests per 10 seconds since there are many distributed brute force attacks from various IPs lately.

brijendrasial · June 16, 2014, 11:04am

Great but I think we already have a centralized rule to block bruteforce attack.

see here: https://forums.comodo.com/free-modsecurity-rules-comodo-web-application-firewall/wordpress-bruteforce-protection-not-working-t104851.0.html

MH-Stefan · June 16, 2014, 2:30pm

Maybe Dmitry can confirm. As far as I’m aware, WordPress brute force rules won’t work with Joomla because they generate different HTTP status codes. Or you can just give it a try and see if it works.

brijendrasial · June 16, 2014, 3:05pm

you are absolutely correct its not working May be admin can provide update regarding this

TDmitry · June 19, 2014, 1:22pm

Current bruteforce protection isn’t protect Joomla, but it is planned in next updates.

TDmitry · July 3, 2014, 11:21am

Joomla bruteforce protection is available now.

joshuatan17 · July 14, 2014, 3:20pm

Hello TDmitry…

May I know where to download the update for Joomla BruteForce protection… thz!

ezynic · July 14, 2014, 11:23pm

Do you have Joomla bruteforce protection working for Litespeed?

ezynic · July 14, 2014, 11:32pm

Please notice that the forum software is turning the at sign into “[at]”, so the code doesn’t work if you use it directly.

MH-Stefan · July 15, 2014, 4:11pm

Good point, I’ve added a warning to my initial post. :-TU

TDmitry · July 25, 2014, 10:59am

Directly from COMODO WAF site: https://waf.comodo.com/