Thank you Reindl,

I hadn't considered rate limits with iptables; that makes a lot more sense, and I will give it a whirl.

Unfortunately WordPress seems to have become the de facto website framework of choice amongst many of my shared-hosting clients. It has gotten better with security recently, and there are a few plugins like Wordfence, but thank God for ModSecurity :).

Hope you have an excellent week!

~Jeremy
--

Jeremy Brock

XtremeServices.Net
Xtreme Services, LLC
On 8/14/2013 12:56 PM, Reindl Harald wrote:

On 14.08.2013 21:48, Jeremy Brock wrote:
anyone recommend a better approach?
for Brute Force?
surely!

*forget* the application layer and let iptables do the job
brute force means you have a lot of connections in a short time frame
this is nothing someone would like on his webserver at all

you need to adjust the $-variables and test it in your environment
but that is from a production infrastructure

after that consider if proven insecure software like wordpress is
worth the money you may earn to maintain it over the whole life cycle

 echo "DOS-PROTECTION: not more than $RATE_CONTROL_MAX new connections per two seconds and client-ip"
 iptables -I INPUT -p tcp -i eth0 ! -s $LAN_RANGE -m conntrack --ctstate NEW -m recent --set
 iptables -I INPUT -p tcp -i eth0 ! -s $LAN_RANGE -m conntrack --ctstate NEW -m recent --update --seconds 2 --hitcount $RATE_CONTROL_MAX -j DROP
 iptables -I INPUT -p tcp -i eth0 ! -s $LAN_RANGE -m conntrack --ctstate NEW -m recent --update --seconds 2 --hitcount $RATE_CONTROL_MAX -m limit --limit 100/h -j LOG --log-level debug --log-prefix "Firewall Rate-Control: "
 iptables -I INPUT -p udp -i eth0 ! -s $LAN_RANGE -m conntrack --ctstate NEW -m recent --name udpflood --set
 iptables -I INPUT -p udp -i eth0 ! -s $LAN_RANGE -m conntrack --ctstate NEW -m recent --name udpflood --update --seconds 2 --hitcount $RATE_CONTROL_MAX -j DROP
 iptables -I INPUT -p udp -i eth0 ! -s $LAN_RANGE -m conntrack --ctstate NEW -m recent --name udpflood --update --seconds 2 --hitcount $RATE_CONTROL_MAX -m limit --limit 100/h -j LOG --log-level debug --log-prefix "Firewall Rate-Control: "
 echo "DOS-PROTECTION: not more than $CONNECTION_MAX parallel connections to port 80/443"
 iptables -A INPUT -p tcp -i eth0 ! -s $LAN_RANGE -m multiport --destination-port 80,443 --syn -m connlimit --connlimit-above $CONNECTION_MAX -m limit --limit 100/h -j LOG --log-level debug --log-prefix "Firewall Slowloris: "
 iptables -A INPUT -p tcp -i eth0 ! -s $LAN_RANGE -m multiport --destination-port 80,443 --syn -m connlimit --connlimit-above $CONNECTION_MAX -j DROP
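An added model of how the quoted `-m recent` TCP rules behave (my own code, not from the thread or from the iptables project): it replays constructed connection timestamps through the chain in the order the three `iptables -I` calls leave it (LOG, DROP, then `--set`), so you can see how many new connections a client actually gets per window and when the block expires. RATE_CONTROL_MAX=5, the IPs and the stamp cap of 20 (the xt_recent ip_pkt_list_tot default) are assumptions.

```python
"""Model of the 'recent' rate-control chain: --set always records a hit for
the source address; --update --seconds S --hitcount N matches only when the
address is already listed AND has >= N hits inside the last S seconds, and a
matching --update records a further hit (so a client that keeps hammering
keeps refreshing its own block)."""
from collections import defaultdict, deque

RATE_CONTROL_MAX = 5   # assumed value of $RATE_CONTROL_MAX
WINDOW_SECONDS = 2.0   # --seconds 2
STAMP_CAP = 20         # xt_recent ip_pkt_list_tot default (assumption)


class RecentTable:
    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=STAMP_CAP))

    def set(self, ip, now):  # -m recent --set
        self.stamps[ip].append(now)
        return True

    def update(self, ip, now, seconds, hitcount):  # --update --seconds --hitcount
        if ip not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[ip] if now - t <= seconds)
        if hits >= hitcount:
            self.stamps[ip].append(now)  # a matching --update refreshes the entry
            return True
        return False


def run_chain(events, rate_max=RATE_CONTROL_MAX, window=WINDOW_SECONDS):
    """events: (timestamp, src_ip) pairs for NEW TCP connections.
    Chain order after three `iptables -I`: LOG rule, DROP rule, --set rule.
    Returns [(timestamp, ip, 'ACCEPT'|'DROP'), ...] in time order."""
    table, verdicts = RecentTable(), []
    for now, ip in sorted(events):
        table.update(ip, now, window, rate_max)        # -j LOG (non-terminating)
        if table.update(ip, now, window, rate_max):    # -j DROP
            verdicts.append((now, ip, "DROP"))
            continue
        table.set(ip, now)                              # --set records the hit
        verdicts.append((now, ip, "ACCEPT"))
    return verdicts


def per_ip_counts(verdicts):
    """{ip: (accepted, dropped)} summary of run_chain output."""
    counts = defaultdict(lambda: [0, 0])
    for _, ip, verdict in verdicts:
        counts[ip][0 if verdict == "ACCEPT" else 1] += 1
    return {ip: tuple(c) for ip, c in counts.items()}


# Constructed sample: a burst of 8 from one client, 2 from another, then the
# first client again after the 2 s window has expired.
SAMPLE = [(i / 10, "203.0.113.5") for i in range(8)] + \
         [(1.0, "198.51.100.9"), (1.5, "198.51.100.9"), (3.0, "203.0.113.5")]
```

Note that because `--update` runs before `--set`, the packet being evaluated is not yet counted, so exactly RATE_CONTROL_MAX new connections per window are accepted; appending the rules with `-A` would reverse the order and allow one fewer.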



_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users