
03-BRUTEFORCE.conf

  1. # tx.wprs_bruteforce_timespan
  2. # tx.wprs_bruteforce_banperiod
  3. # tx.wprs_bruteforce_threshold
  4.  
  5. SecRule tx:wprs_check_bruteforce "@eq 0" \
  6. "phase:1,\
  7. id:22100001,\
  8. pass,\
  9. nolog,\
  10. skipAfter:END_WPRS_BRUTEFORCE"
  11.  
  12. SecMarker BEGIN_WPRS_BRUTEFORCE
  13.  
  14. SecAction "phase:1,id:22100011,nolog,pass,initcol:ip=%{tx.wprs_client_ip}"
  15.  
  16. SecRule REQUEST_METHOD "^POST$" "phase:2,id:22100012,nolog,pass,chain"
  17. SecRule REQUEST_FILENAME "^/wp\-login\.php$" "id:22100012,nolog,chain"
  18. SecRule &IP:wprs_login_attempt "@eq 0" "id:22100012,nolog,chain"
  19. SecRule &ARGS_POST_NAMES:log "@ge 1" "phase:2,id:22000012,\
  20. log,\
  21. rev:'1',\
  22. severity:'6',\
  23. maturity:'9',\
  24. accuracy:'9',\
  25. ver:'%{tx.wprs_version}',\
  26. tag:'wordpress',\
  27. tag:'login',\
  28. skipAfter:END_WPRS_LOGIN_INCREMENT,\
  29. setvar:ip.wprs_login_attempt=1,\
  30. expirevar:ip.wprs_login_attempt=%{tx.wprs_bruteforce_timespan},\
  31. logdata:'Count: %{ip.wprs_login_attempt} / Timespan: %{tx.wprs_bruteforce_timespan} / User: %{ARGS_POST:log}',\
  32. msg:'WordPress: Login Attempt'"
  33.  
  34. SecMarker BEGIN_WPRS_LOGIN_INCREMENT
  35.  
  36. SecRule REQUEST_METHOD "^POST$" "phase:2,id:22100013,nolog,pass,chain"
  37. SecRule REQUEST_FILENAME "^/wp\-login\.php$" "phase:2,id:22100013,nolog,chain"
  38. SecRule IP:wprs_login_attempt "@lt %{tx.wprs_bruteforce_threshold}" "id:22100013,nolog,chain"
  39. SecRule IP:wprs_login_attempt "@ge 1" "id:22100013,nolog,chain"
  40. SecRule &ARGS_POST_NAMES:log "@ge 1" "phase:2,id:22000013,\
  41. log,\
  42. rev:'1',\
  43. severity:'INFO',\
  44. maturity:'5',\
  45. accuracy:'6',\
  46. ver:'%{tx.wprs_version}',\
  47. tag:'wordpress',\
  48. tag:'login',\
  49. setvar:ip.wprs_login_attempt=+1,\
  50. logdata:'Count: %{ip.wprs_login_attempt} / Timespan: %{tx.wprs_bruteforce_timespan} / User: %{ARGS_POST:log}',\
  51. msg:'WordPress: Login Attempt'"
  52.  
  53. SecMarker END_WPRS_LOGIN_INCREMENT
  54.  
  55. # Ban IP if login attempts == bruteforce threshold
  56. SecRule IP:wprs_login_attempt "@eq %{tx.wprs_bruteforce_threshold}" "id:22100014,log,block,\
  57. setvar:ip.wprs_login_attempt=+1,\
  58. setvar:ip.wprs_bruteforce_banuntil=%{TIME_EPOCH},\
  59. setvar:ip.wprs_bruteforce_banuntil=+%{tx.wprs_bruteforce_banperiod},\
  60. rev:'1',\
  61. severity:'WARNING',\
  62. maturity:'5',\
  63. accuracy:'6',\
  64. ver:'%{tx.wprs_version}',\
  65. tag:'wordpress',\
  66. tag:'login',\
  67. logdata:'Ban IP Address %{tx.wprs_client_ip} until timestamp %{ip.wprs_bruteforce_banuntil}',\
  68. msg:'WordPress: Too many login attempts'"
  69.  
  70. # Too many logins attempts
  71. SecRule IP:wprs_login_attempt "@gt %{tx.wprs_bruteforce_threshold}" "id:22100016,log,block,\
  72. rev:'1',\
  73. severity:'CRITICAL',\
  74. maturity:'5',\
  75. accuracy:'6',\
  76. ver:'%{tx.wprs_version}',\
  77. tag:'wordpress',\
  78. tag:'login',\
  79. logdata:'Blocked IP Address %{tx.wprs_client_ip} until timestamp %{ip.wprs_bruteforce_banuntil}',\
  80. msg:'WordPress: Too many login attempts'"
  81.  
  82. # Remove IP from Ban status if ban period expired
  83. SecRule IP.wprs_bruteforce_banuntil "@lt %{TIME_EPOCH}" "id:22100015,log,pass,\
  84. setvar:ip.wprs_login_attempt=0,\
  85. setvar:ip.wprs_bruteforce_banuntil=9999999999,\
  86. rev:'1',\
  87. severity:'INFO',\
  88. maturity:'5',\
  89. accuracy:'6',\
  90. ver:'%{tx.wprs_version}',\
  91. tag:'wordpress',\
  92. tag:'login',\
  93. logdata:'IP: %{tx.wprs_client_ip}',\
  94. msg:'WordPress: Ban Expired'"
  95.  
  96.  
  97.  
  98. SecMarker END_WPRS_BRUTEFORCE