Last active
August 29, 2015 14:07
-
-
Save alzabo/7ab74c634b43352bdbdb to your computer and use it in GitHub Desktop.
IP-Based WP/xmlrpc brute force ModSecurity rules
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # These rules are designed to be effective versus /non distributed/ brute | |
| # force attacks. | |
| # | |
| # A more aggressive version of this rule set may be used to combat more | |
| # widely-distributed attacks. | |
| # | |
| # See http://alzabo.io/modsecurity/2014/09/15/wordpress-xml-rpc-brute-force.html | |
| # for additional information | |
| # | |
| # SecDataDir is probably better configured as something other than | |
| # /tmp. It merely needs to be a directory to which the web server | |
| # daemon can write | |
| SecDataDir /tmp | |
| SecResponseBodyAccess On | |
| SecResponseBodyLimitAction ProcessPartial | |
| SecResponseBodyMimeType text/xml | |
| # SecStreamInBodyInspection requires ModSecurity 2.6.0 or greater | |
| SecStreamInBodyInspection On | |
| SecAction "phase:1,nolog,pass,id:19300,\ | |
| initcol:ip=%{REMOTE_ADDR}" | |
| <FilesMatch "xmlrpc.php"> | |
| SecRule RESPONSE_BODY "faultString" "id:19301,nolog,phase:4,\ | |
| t:none,t:urlDecode,setvar:ip.xmlrpc_bf_counter=+1,\ | |
| deprecatevar:ip.xmlrpc_bf_counter=1/300,pass" | |
| SecRule STREAM_INPUT_BODY "<methodCall>wp\." "id:19302,log,chain,\ | |
| deny,status:406,phase:4,t:none,t:urlDecode,\ | |
| msg:'Temporary block due to multiple XML-RPC method call failures'" | |
| SecRule ip:xmlrpc_bf_counter "@gt 4" "t:none,t:urlDecode,\ | |
| t:removeWhitespace | |
| </FilesMatch> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment