Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- # tx.wprs_bruteforce_timespan
- # tx.wprs_bruteforce_banperiod
- # tx.wprs_bruteforce_threshold
- SecRule tx:wprs_check_bruteforce "@eq 0" \
- "phase:1,\
- id:22100001,\
- pass,\
- nolog,\
- skipAfter:END_WPRS_BRUTEFORCE"
- SecMarker BEGIN_WPRS_BRUTEFORCE
- SecAction "phase:1,id:22100011,nolog,pass,initcol:ip=%{tx.wprs_client_ip}"
- SecRule REQUEST_METHOD "^POST$" "phase:2,id:22100012,nolog,pass,chain"
- SecRule REQUEST_FILENAME "^/wp\-login\.php$" "id:22100012,nolog,chain"
- SecRule &IP:wprs_login_attempt "@eq 0" "id:22100012,nolog,chain"
- SecRule &ARGS_POST_NAMES:log "@ge 1" "phase:2,id:22000012,\
- log,\
- rev:'1',\
- severity:'6',\
- maturity:'9',\
- accuracy:'9',\
- ver:'%{tx.wprs_version}',\
- tag:'wordpress',\
- tag:'login',\
- skipAfter:END_WPRS_LOGIN_INCREMENT,\
- setvar:ip.wprs_login_attempt=1,\
- expirevar:ip.wprs_login_attempt=%{tx.wprs_bruteforce_timespan},\
- logdata:'Count: %{ip.wprs_login_attempt} / Timespan: %{tx.wprs_bruteforce_timespan} / User: %{ARGS_POST:log}',\
- msg:'WordPress: Login Attempt'"
- SecMarker BEGIN_WPRS_LOGIN_INCREMENT
- SecRule REQUEST_METHOD "^POST$" "phase:2,id:22100013,nolog,pass,chain"
- SecRule REQUEST_FILENAME "^/wp\-login\.php$" "phase:2,id:22100013,nolog,chain"
- SecRule IP:wprs_login_attempt "@lt %{tx.wprs_bruteforce_threshold}" "id:22100013,nolog,chain"
- SecRule IP:wprs_login_attempt "@ge 1" "id:22100013,nolog,chain"
- SecRule &ARGS_POST_NAMES:log "@ge 1" "phase:2,id:22000013,\
- log,\
- rev:'1',\
- severity:'INFO',\
- maturity:'5',\
- accuracy:'6',\
- ver:'%{tx.wprs_version}',\
- tag:'wordpress',\
- tag:'login',\
- setvar:ip.wprs_login_attempt=+1,\
- logdata:'Count: %{ip.wprs_login_attempt} / Timespan: %{tx.wprs_bruteforce_timespan} / User: %{ARGS_POST:log}',\
- msg:'WordPress: Login Attempt'"
- SecMarker END_WPRS_LOGIN_INCREMENT
- # Ban IP if login attempts == bruteforce threshold
- SecRule IP:wprs_login_attempt "@eq %{tx.wprs_bruteforce_threshold}" "id:22100014,log,block,\
- setvar:ip.wprs_login_attempt=+1,\
- setvar:ip.wprs_bruteforce_banuntil=%{TIME_EPOCH},\
- setvar:ip.wprs_bruteforce_banuntil=+%{tx.wprs_bruteforce_banperiod},\
- rev:'1',\
- severity:'WARNING',\
- maturity:'5',\
- accuracy:'6',\
- ver:'%{tx.wprs_version}',\
- tag:'wordpress',\
- tag:'login',\
- logdata:'Ban IP Address %{tx.wprs_client_ip} until timestamp %{ip.wprs_bruteforce_banuntil}',\
- msg:'WordPress: Too many login attempts'"
- # Too many logins attempts
- SecRule IP:wprs_login_attempt "@gt %{tx.wprs_bruteforce_threshold}" "id:22100016,log,block,\
- rev:'1',\
- severity:'CRITICAL',\
- maturity:'5',\
- accuracy:'6',\
- ver:'%{tx.wprs_version}',\
- tag:'wordpress',\
- tag:'login',\
- logdata:'Blocked IP Address %{tx.wprs_client_ip} until timestamp %{ip.wprs_bruteforce_banuntil}',\
- msg:'WordPress: Too many login attempts'"
- # Remove IP from Ban status if ban period expired
- SecRule IP.wprs_bruteforce_banuntil "@lt %{TIME_EPOCH}" "id:22100015,log,pass,\
- setvar:ip.wprs_login_attempt=0,\
- setvar:ip.wprs_bruteforce_banuntil=9999999999,\
- rev:'1',\
- severity:'INFO',\
- maturity:'5',\
- accuracy:'6',\
- ver:'%{tx.wprs_version}',\
- tag:'wordpress',\
- tag:'login',\
- logdata:'IP: %{tx.wprs_client_ip}',\
- msg:'WordPress: Ban Expired'"
- SecMarker END_WPRS_BRUTEFORCE
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement