03-BRUTEFORCE.conf

a guest Nov 17th, 2019 81 Never
  1. # tx.wprs_bruteforce_timespan
  2. # tx.wprs_bruteforce_banperiod
  3. # tx.wprs_bruteforce_threshold
  4.  
  5. SecRule tx:wprs_check_bruteforce "@eq 0" \
  6.   "phase:1,\
  7.   id:22100001,\
  8.   pass,\
  9.   nolog,\
  10.   skipAfter:END_WPRS_BRUTEFORCE"
  11.  
  12. SecMarker BEGIN_WPRS_BRUTEFORCE
  13.  
  14. SecAction "phase:1,id:22100011,nolog,pass,initcol:ip=%{tx.wprs_client_ip}"
  15.  
  16. SecRule REQUEST_METHOD "^POST$" "phase:2,id:22100012,nolog,pass,chain"
  17.   SecRule REQUEST_FILENAME "^/wp\-login\.php$" "id:22100012,nolog,chain"
  18.     SecRule &IP:wprs_login_attempt "@eq 0" "id:22100012,nolog,chain"
  19.       SecRule &ARGS_POST_NAMES:log "@ge 1" "phase:2,id:22000012,\
  20.         log,\
  21.         rev:'1',\
  22.         severity:'6',\
  23.         maturity:'9',\
  24.         accuracy:'9',\
  25.         ver:'%{tx.wprs_version}',\
  26.         tag:'wordpress',\
  27.         tag:'login',\
  28.         skipAfter:END_WPRS_LOGIN_INCREMENT,\
  29.         setvar:ip.wprs_login_attempt=1,\
  30.         expirevar:ip.wprs_login_attempt=%{tx.wprs_bruteforce_timespan},\
  31.         logdata:'Count: %{ip.wprs_login_attempt} / Timespan: %{tx.wprs_bruteforce_timespan} / User: %{ARGS_POST:log}',\
  32.         msg:'WordPress: Login Attempt'"
  33.  
  34. SecMarker BEGIN_WPRS_LOGIN_INCREMENT
  35.  
  36. SecRule REQUEST_METHOD "^POST$" "phase:2,id:22100013,nolog,pass,chain"
  37.   SecRule REQUEST_FILENAME "^/wp\-login\.php$" "phase:2,id:22100013,nolog,chain"
  38.     SecRule IP:wprs_login_attempt "@lt %{tx.wprs_bruteforce_threshold}" "id:22100013,nolog,chain"
  39.       SecRule IP:wprs_login_attempt "@ge 1" "id:22100013,nolog,chain"
  40.         SecRule &ARGS_POST_NAMES:log "@ge 1" "phase:2,id:22000013,\
  41.           log,\
  42.           rev:'1',\
  43.           severity:'INFO',\
  44.           maturity:'5',\
  45.           accuracy:'6',\
  46.           ver:'%{tx.wprs_version}',\
  47.           tag:'wordpress',\
  48.           tag:'login',\
  49.           setvar:ip.wprs_login_attempt=+1,\
  50.           logdata:'Count: %{ip.wprs_login_attempt} / Timespan: %{tx.wprs_bruteforce_timespan} / User: %{ARGS_POST:log}',\
  51.           msg:'WordPress: Login Attempt'"
  52.  
  53. SecMarker END_WPRS_LOGIN_INCREMENT
  54.  
  55. # Ban IP if login attempts == bruteforce threshold
  56. SecRule IP:wprs_login_attempt "@eq %{tx.wprs_bruteforce_threshold}" "id:22100014,log,block,\
  57.   setvar:ip.wprs_login_attempt=+1,\
  58.   setvar:ip.wprs_bruteforce_banuntil=%{TIME_EPOCH},\
  59.   setvar:ip.wprs_bruteforce_banuntil=+%{tx.wprs_bruteforce_banperiod},\
  60.   rev:'1',\
  61.   severity:'WARNING',\
  62.   maturity:'5',\
  63.   accuracy:'6',\
  64.   ver:'%{tx.wprs_version}',\
  65.   tag:'wordpress',\
  66.   tag:'login',\
  67.   logdata:'Ban IP Address %{tx.wprs_client_ip} until timestamp %{ip.wprs_bruteforce_banuntil}',\
  68.   msg:'WordPress: Too many login attempts'"
  69.  
  70. # Too many logins attempts
  71. SecRule IP:wprs_login_attempt "@gt %{tx.wprs_bruteforce_threshold}" "id:22100016,log,block,\
  72.   rev:'1',\
  73.   severity:'CRITICAL',\
  74.   maturity:'5',\
  75.   accuracy:'6',\
  76.   ver:'%{tx.wprs_version}',\
  77.   tag:'wordpress',\
  78.   tag:'login',\
  79.   logdata:'Blocked IP Address %{tx.wprs_client_ip} until timestamp %{ip.wprs_bruteforce_banuntil}',\
  80.   msg:'WordPress: Too many login attempts'"
  81.  
  82. # Remove IP from Ban status if ban period expired
  83. SecRule IP.wprs_bruteforce_banuntil "@lt %{TIME_EPOCH}" "id:22100015,log,pass,\
  84.   setvar:ip.wprs_login_attempt=0,\
  85.   setvar:ip.wprs_bruteforce_banuntil=9999999999,\
  86.   rev:'1',\
  87.   severity:'INFO',\
  88.   maturity:'5',\
  89.   accuracy:'6',\
  90.   ver:'%{tx.wprs_version}',\
  91.   tag:'wordpress',\
  92.   tag:'login',\
  93.   logdata:'IP: %{tx.wprs_client_ip}',\
  94.   msg:'WordPress: Ban Expired'"
  95.  
  96.  
  97.  
  98. SecMarker END_WPRS_BRUTEFORCE