Magento Brute Force

How do I stop magento brute force attacks? I don’t see that Magento is protected.

To protect Magento from brute-force attacks you need to add its login page in file
/<path_to_cwaf>/cwaf/etc/userdata/userdata_login_pages and restart web-server.

If you use our plugin with some WHCMS (for example cPanel), it could be done with Comodo WAF - Userdata - Login Pages - Save.

Is the Magento login-page login.phpml?

Standard I think it is /index.php/admin/

Would be great to have a rule for this as you have with Joomla/Wordpress :slight_smile:

We’ll add it to the next rules update.

+1 for Magento brute force protection

I’ve added “/downloader/index.php” and “/downloader/” to Comodo CWAF » Userdata » Login Pages, but it doesn’t block the attacks.

Almost every morning I find a server overloaded because a domain keeps getting thousands of hits like these: - - [22/Dec/2015:11:30:48 +0100] "GET /downloader/index.php?A=loggedin HTTP/1.1" 200 2604 "-" "-" - - [22/Dec/2015:11:30:49 +0100] "POST /downloader/ HTTP/1.1" 302 0 "-" "-"

I’m sorry, we need some time to reproduce this issue and find a solution.

Hi, we have verified this issue and protection works on our side. URL which partially match any line of ‘userdata_login_pages’ is protected against series of POST requests.

Does Apache also fails to protect ‘userdata_login_pages’?

I don’t see anything for Magento in 1.59 update. When is it coming?


Did you try to add part of URL to userdata_login_pages?

How do I stop userdata files from being overriden with every cwaf update? I am using cwaf as CPanel vendor, not plugin (had problems with plugin). Userdata files are at: /usr/local/apache/conf/modsec_vendor_configs/comodo_apache


This is complicated question and answer is ‘possible’ :slight_smile:

I’ll try to explain why.
cPanel have Perl script to perform vendor update (/usr/local/cpanel/scripts/modsec_vendor).
This script run once per day check if new version of rules available and download rules archive.
It extract archive to /usr/local/apache/conf/modsec_vendor_configs/ folder and certainly overwrite all files (including userdata)

If you have some knowledge in Perl/bash programming you can create script which will copy/symlink previously saved userdata to rules location.
This script can be called in /usr/local/cpanel/scripts/modsec_vendor at the end of sub update before return $all_ok; (line 184 in my setup)

Regards, Oleg