Re: [mod-security-users] Wordpress Brute Force
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [mod-security-users] Wordpress Brute Force
|
From: Jose P. V. L. <pab...@gm...> - 2013-08-23 10:30:32
|
Hi. Sorry for reply so later, but I was on holidays :).
Try to use fail2ban app if you are using linux box and/or two factor
authentication in application web and honeypot form fields in order to
blacklist those robots.
Kind regards,
2013/8/14 Jeremy Brock <jb...@xt...>
> Hi Ryan,
>
> Thank you for the input, I did read your blog post which is
> actually where I got the idea to begin with : ) so thx.
>
> I am going to revisit the Brute Force method I now see more clearly
> in the blog. I think that is a great idea since I can limit it to a
> specific login page vs iptables is more global.
>
> I also read a similar approach in your book Web Application
> Defenders Cookbook, which is fantastic! However I was not able to get
> them to work, so I produced something that I was able to get working. I
> am sure it is just my novice modsecurity abilities and not your examples.
>
> Thank you for the JS idea, I will look into that and see if I can
> apply it to some of our internal WP sites.
>
> Hope you have an excellent week as well and thank you for an
> amazing product.
>
> ~Jeremy
>
> --
>
> Jeremy Brock
>
> XtremeServices.Net
> Xtreme Services, LLC
>
> On 8/14/2013 3:07 PM, Ryan Barnett wrote:
> > On 8/14/13 12:48 PM, "Jeremy Brock" <jb...@xt...> wrote:
> >
> >> Hi All,
> >>
> >> Been trying to limit the exposure of my clients to the massive
> >> Brute Force bot nets out there and came up with the following :
> >>
> >> ##Collect Data
> >> SecAction
> >>
> phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},i
> >> d:5000134
> >>
> >> ## Honor blocked IPs
> >> SecRule user:bfwp_block "@gt 0" "drop,log,id:5000135,msg:'ip address
> >> blocked for 5 minutes due to WordPress login attempts in 3 minutes.'"
> >>
> >> ## Block more than 2 attempts against WordPress authentication (invalid
> >> username)
> >> SecRule REQUEST_FILENAME "@streq /wp-login.php"
> >> "chain,phase:4,id:5000136,t:none,nolog,pass"
> >> SecRule REQUEST_METHOD "@streq POST" "chain"
> >> SecRule ARGS:log ".*" "chain"
> >> SecRule RESPONSE_STATUS "200" "chain"
> >> SecRule RESPONSE_BODY "@contains <strong>ERROR</strong>: Invalid
> >> username"
> >>
> "chain,t:none,setvar:ip.bf_wp_user_counter=+1,deprecatevar:ip.bf_wp_user_c
> >> ounter=1/180"
> >> SecRule ip:bf_wp_user_counter "@gt 2"
> >>
> "t:none,setvar:user.bfwp_block=1,expirevar:user.bfwp_block=300,setvar:ip.b
> >> f_wp_user_counter=0"
> >>
> >> ## Block more than 5 attempts against WordPress password authentication
> >> SecRule REQUEST_FILENAME "@streq /wp-login.php"
> >> "chain,phase:4,id:5000137,t:none,nolog,pass"
> >> SecRule REQUEST_METHOD "@streq POST" "chain"
> >> SecRule ARGS:pwd ".*" "chain"
> >> SecRule RESPONSE_STATUS "200" "chain"
> >> SecRule RESPONSE_BODY "@contains <strong>ERROR</strong>: The password
> >> you entered"
> >>
> "chain,t:none,setvar:ip.bf_wp_pass_counter=+1,deprecatevar:ip.bf_wp_pass_c
> >> ounter=1/180"
> >> SecRule ip:bf_wp_pass_counter "@gt 5"
> >>
> "t:none,setvar:user.bfwp_block=1,expirevar:user.bfwp_block=300,setvar:ip.b
> >> f_wp_pass_counter=0"
> >>
> >> ###################### End WordPress Brute Force
> #########################
> >>
> >>
> >> However, I do not believe this is very efficient since it is
> >> waiting till Phase 4 after the login attempt has failed.
> >>
> >> Can anyone recommend a better approach?
> >>
> >> The Bot Nets are rolling IPs constantly which is why this is so
> >> intensive causing mlogc to lock up bringing down the entire web server.
> >>
> >> Thx in advance,
> >>
> >> ~Jeremy
> >>
> > Jeremy,
> > Did you see my past blog post on this topic for more options?
> >
> http://blog.spiderlabs.com/2013/04/defending-wordpress-logins-from-brute-fo
> > rce-attacks.html
> >
> >
> > You have two main options here:
> > 1) Rate limit requests (per IP) to the authentication page
> > In this scenario, you don't care what the username/password credentials
> > are. You are simply denying clients who hit that page too often.
> >
> > 2) Rate limit clients (per IP) based on failed auth attempts
> > This is what you are doing already and you must wait intil after the auth
> > attempt to know if the credentials are valid or not.
> >
> > Besides rate limiting, another technique I would suggest is some type of
> > client/user validation check prior to allowing authentication. For
> > example, you could simply inject some JS code into the WordPress auth
> page
> > html that will add a new Cookie value. Then, when someone authenticates
> > to the WordPress, you simply check for the existence of the JS cookie.
> If
> > it is missing, then you know that the client was most likely not a real
> > person using a web browser. This works surprisingly well against botnet
> > clients as they are using Perl scripts to send attacks and they therefor
> > won't execute JS code like browsers.
> >
> > As a side note - I outline this technique in Recipe 15-1: JavsScript
> > Cookie Testing of my book -
> >
> http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118362187,descCd-tableO
> > fContents.html
> >
> > -Ryan
> >
> >
> >
> >
> >
> >
> >
> ------------------------------------------------------------------------------
> > Get 100% visibility into Java/.NET code with AppDynamics Lite!
> > It's a free troubleshooting tool designed for production.
> > Get down to code-level detail for bottlenecks, with <2% overhead.
> > Download for free and get started troubleshooting in minutes.
> >
> http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk
> > _______________________________________________
> > mod-security-users mailing list
> > mod...@li...
> > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > http://www.modsecurity.org/projects/commercial/rules/
> > http://www.modsecurity.org/projects/commercial/support/
> >
>
>
>
> ------------------------------------------------------------------------------
> Get 100% visibility into Java/.NET code with AppDynamics Lite!
> It's a free troubleshooting tool designed for production.
> Get down to code-level detail for bottlenecks, with <2% overhead.
> Download for free and get started troubleshooting in minutes.
> http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
>
|