03-BRUTEFORCE.conf

1. # tx.wprs_bruteforce_timespan
2. # tx.wprs_bruteforce_banperiod
3. # tx.wprs_bruteforce_threshold
4.  
5. SecRule tx:wprs_check_bruteforce "@eq 0" \
6. "phase:1,\
7. id:22100001,\
8. pass,\
9. nolog,\
10. skipAfter:END_WPRS_BRUTEFORCE"
11.  
12. SecMarker BEGIN_WPRS_BRUTEFORCE
13.  
14. SecAction "phase:1,id:22100011,nolog,pass,initcol:ip=%{tx.wprs_client_ip}"
15.  
16. SecRule REQUEST_METHOD "^POST$" "phase:2,id:22100012,nolog,pass,chain"
17. SecRule REQUEST_FILENAME "^/wp\-login\.php$" "id:22100012,nolog,chain"
18. SecRule &IP:wprs_login_attempt "@eq 0" "id:22100012,nolog,chain"
19. SecRule &ARGS_POST_NAMES:log "@ge 1" "phase:2,id:22000012,\
20. log,\
21. rev:'1',\
22. severity:'6',\
23. maturity:'9',\
24. accuracy:'9',\
25. ver:'%{tx.wprs_version}',\
26. tag:'wordpress',\
27. tag:'login',\
28. skipAfter:END_WPRS_LOGIN_INCREMENT,\
29. setvar:ip.wprs_login_attempt=1,\
30. expirevar:ip.wprs_login_attempt=%{tx.wprs_bruteforce_timespan},\
31. logdata:'Count: %{ip.wprs_login_attempt} / Timespan: %{tx.wprs_bruteforce_timespan} / User: %{ARGS_POST:log}',\
32. msg:'WordPress: Login Attempt'"
33.  
34. SecMarker BEGIN_WPRS_LOGIN_INCREMENT
35.  
36. SecRule REQUEST_METHOD "^POST$" "phase:2,id:22100013,nolog,pass,chain"
37. SecRule REQUEST_FILENAME "^/wp\-login\.php$" "phase:2,id:22100013,nolog,chain"
38. SecRule IP:wprs_login_attempt "@lt %{tx.wprs_bruteforce_threshold}" "id:22100013,nolog,chain"
39. SecRule IP:wprs_login_attempt "@ge 1" "id:22100013,nolog,chain"
40. SecRule &ARGS_POST_NAMES:log "@ge 1" "phase:2,id:22000013,\
41. log,\
42. rev:'1',\
43. severity:'INFO',\
44. maturity:'5',\
45. accuracy:'6',\
46. ver:'%{tx.wprs_version}',\
47. tag:'wordpress',\
48. tag:'login',\
49. setvar:ip.wprs_login_attempt=+1,\
50. logdata:'Count: %{ip.wprs_login_attempt} / Timespan: %{tx.wprs_bruteforce_timespan} / User: %{ARGS_POST:log}',\
51. msg:'WordPress: Login Attempt'"
52.  
53. SecMarker END_WPRS_LOGIN_INCREMENT
54.  
55. # Ban IP if login attempts == bruteforce threshold
56. SecRule IP:wprs_login_attempt "@eq %{tx.wprs_bruteforce_threshold}" "id:22100014,log,block,\
57. setvar:ip.wprs_login_attempt=+1,\
58. setvar:ip.wprs_bruteforce_banuntil=%{TIME_EPOCH},\
59. setvar:ip.wprs_bruteforce_banuntil=+%{tx.wprs_bruteforce_banperiod},\
60. rev:'1',\
61. severity:'WARNING',\
62. maturity:'5',\
63. accuracy:'6',\
64. ver:'%{tx.wprs_version}',\
65. tag:'wordpress',\
66. tag:'login',\
67. logdata:'Ban IP Address %{tx.wprs_client_ip} until timestamp %{ip.wprs_bruteforce_banuntil}',\
68. msg:'WordPress: Too many login attempts'"
69.  
70. # Too many logins attempts
71. SecRule IP:wprs_login_attempt "@gt %{tx.wprs_bruteforce_threshold}" "id:22100016,log,block,\
72. rev:'1',\
73. severity:'CRITICAL',\
74. maturity:'5',\
75. accuracy:'6',\
76. ver:'%{tx.wprs_version}',\
77. tag:'wordpress',\
78. tag:'login',\
79. logdata:'Blocked IP Address %{tx.wprs_client_ip} until timestamp %{ip.wprs_bruteforce_banuntil}',\
80. msg:'WordPress: Too many login attempts'"
81.  
82. # Remove IP from Ban status if ban period expired
83. SecRule IP.wprs_bruteforce_banuntil "@lt %{TIME_EPOCH}" "id:22100015,log,pass,\
84. setvar:ip.wprs_login_attempt=0,\
85. setvar:ip.wprs_bruteforce_banuntil=9999999999,\
86. rev:'1',\
87. severity:'INFO',\
88. maturity:'5',\
89. accuracy:'6',\
90. ver:'%{tx.wprs_version}',\
91. tag:'wordpress',\
92. tag:'login',\
93. logdata:'IP: %{tx.wprs_client_ip}',\
94. msg:'WordPress: Ban Expired'"
95.  
96.  
97.  
98. SecMarker END_WPRS_BRUTEFORCE