How to use ModSecurity to Block Brute Force WP and Joomla Attacks

It goes without saying that Joomla and WordPress (WP) are the most popular choices among the web applications used to build a website quickly. Unfortunately, that popularity comes with correspondingly large security risks, and brute force attacks against the login pages are the most common type of attack on both platforms. That is why it is worth looking at how you can block brute force attacks on Joomla and WP with custom ModSecurity rules.

First Step - Install ModSecurity and create the brute force rules file

The first thing you have to do is install ModSecurity. Then create a file called bruteforce.conf at the following location: /usr/local/apache/conf/bruteforce.conf

Once you have done so, use this command:

nano -w /usr/local/apache/conf/bruteforce.conf

Now, you are ready to paste the following content inside:

# WordPress & Joomla ModSecurity Brute Force Rules
# ---------------------------------------------------------------------
# TX.max_requests - number of login requests allowed during the time window
# TX.requests_ttl - length of that window, in seconds
# TX.block_ttl    - block time in seconds
# ---------------------------------------------------------------------

SecRequestBodyAccess On
SecDataDir /tmp

# Set the thresholds and open the per-client IP collection on every request
SecAction "phase:1,pass,setvar:TX.max_requests=6,setvar:TX.requests_ttl=180,setvar:TX.block_ttl=900,initcol:ip=%{REMOTE_ADDR},nolog,id:5001000"

# Drop every request, whatever the URL, from an IP that is currently blocked
SecRule IP:blocked "@eq 1" "phase:1,drop,log,id:5001001"

# WordPress Anti Brute Force Rules
<LocationMatch "/wp-login.php">
# Count only real login POSTs (those carrying the log and pwd fields)
SecAction "phase:2,chain,nolog,id:5001002"
SecRule REQUEST_METHOD "^POST$" "chain"
SecRule ARGS_POST_NAMES "^log$" "chain"
SecRule ARGS_POST_NAMES "^pwd$" "chain"
SecAction "setvar:ip.request_count=+1,expirevar:ip.request_count=%{TX.requests_ttl}"

# Once the counter reaches the threshold, block the IP and drop this request
SecRule IP:request_count "@ge %{TX.max_requests}" "phase:2,drop,setvar:ip.blocked=1,expirevar:ip.blocked=%{TX.block_ttl},log,msg:'Bloqueado por %{TX.block_ttl} segundos',id:5001003"
</LocationMatch>

# Joomla Anti Brute Force Rules
<LocationMatch "/administrator/index.php">
# Count only real login POSTs to com_login (username, passwd, option, task)
SecAction "phase:2,chain,nolog,id:5001012"
SecRule REQUEST_METHOD "^POST$" "chain"
SecRule ARGS_POST_NAMES "^username$" "chain"
SecRule ARGS_POST_NAMES "^passwd$" "chain"
SecRule ARGS_POST:option "^com_login$" "chain"
SecRule ARGS_POST:task "^login$" "chain"
SecAction "setvar:ip.request_count=+1,expirevar:ip.request_count=%{TX.requests_ttl}"

SecRule IP:request_count "@ge %{TX.max_requests}" "phase:2,drop,setvar:ip.blocked=1,expirevar:ip.blocked=%{TX.block_ttl},log,msg:'Bloqueado por %{TX.block_ttl} segundos',id:5001013"
</LocationMatch>

# Old Joomla installations (login form uses the usrname and pass fields)
<LocationMatch "/administrator/index.php">
SecAction "phase:2,chain,nolog,id:5001022"
SecRule REQUEST_METHOD "^POST$" "chain"
SecRule ARGS_POST_NAMES "^usrname$" "chain"
SecRule ARGS_POST_NAMES "^pass$" "chain"
SecAction "setvar:ip.request_count=+1,expirevar:ip.request_count=%{TX.requests_ttl}"

SecRule IP:request_count "@ge %{TX.max_requests}" "phase:2,drop,setvar:ip.blocked=1,expirevar:ip.blocked=%{TX.block_ttl},log,msg:'Bloqueado por %{TX.block_ttl} segundos',id:5001023"
</LocationMatch>
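To see what the three TX thresholds actually do before you deploy them, here is a small Python model of the counter and block logic in bruteforce.conf. It is an added example written for this article, not ModSecurity code and not part of the original rules file. It assumes ModSecurity semantics that the rules rely on but the page does not spell out: expirevar re-arms the expiry every time it runs (so the counter lives TX.requests_ttl seconds after the last counted login POST), an expired collection variable reads as unset, and the phase:1 rule with id 5001001 drops every request from a blocked IP regardless of URL. The WordPress location is modelled; the Joomla blocks behave the same way with their own field names.

```python
# Added example: a Python model of the bruteforce.conf counter/block logic.
# Not ModSecurity code. Assumptions (not stated on the page): expirevar
# re-arms the expiry on every execution, an expired variable reads as unset,
# and rule id 5001001 drops every request from a blocked IP whatever the URL.
from dataclasses import dataclass

MAX_REQUESTS = 6    # TX.max_requests
REQUESTS_TTL = 180  # TX.requests_ttl, seconds
BLOCK_TTL = 900     # TX.block_ttl, seconds


@dataclass
class IpCollection:
    """Mirrors the ip.* collection variables the rules keep per client IP."""
    request_count: int = 0
    count_expires: float = 0.0   # when ip.request_count expires
    blocked_until: float = 0.0   # when ip.blocked expires (0.0 = not blocked)


class BruteForceModel:
    def __init__(self, max_requests=MAX_REQUESTS, requests_ttl=REQUESTS_TTL,
                 block_ttl=BLOCK_TTL):
        self.max_requests = max_requests
        self.requests_ttl = requests_ttl
        self.block_ttl = block_ttl
        self.ips = {}

    def _collection(self, ip, now):
        # initcol:ip=%{REMOTE_ADDR}: one collection per client address
        c = self.ips.setdefault(ip, IpCollection())
        # expirevar semantics: a variable past its expiry reads as unset
        if c.request_count and now >= c.count_expires:
            c.request_count = 0
        if c.blocked_until and now >= c.blocked_until:
            c.blocked_until = 0.0
        return c

    def handle(self, ip, method, path, post_fields, now):
        """Return 'drop' or 'pass', the disposition the rules would give."""
        c = self._collection(ip, now)
        # phase:1, id 5001001: blocked IPs are dropped on every request
        if c.blocked_until:
            return "drop"
        # the remaining rules live inside <LocationMatch "/wp-login.php">
        if path != "/wp-login.php":
            return "pass"
        # id 5001002 chain: only a POST carrying both log and pwd is counted
        if method == "POST" and {"log", "pwd"} <= set(post_fields):
            c.request_count += 1
            c.count_expires = now + self.requests_ttl
        # id 5001003: at the threshold, block the IP and drop this request
        if c.request_count >= self.max_requests:
            c.blocked_until = now + self.block_ttl
            return "drop"
        return "pass"


def simulate_login_posts(model, ip, attempts, interval, start=0.0):
    """Send `attempts` login POSTs from `ip`, `interval` seconds apart."""
    fields = {"log": "admin", "pwd": "wrong"}   # constructed sample form fields
    return [model.handle(ip, "POST", "/wp-login.php", fields, start + i * interval)
            for i in range(attempts)]


if __name__ == "__main__":
    m = BruteForceModel()
    print("one request per second:", simulate_login_posts(m, "111.111.111.111", 8, 1))
    print("one request per 200 s: ", simulate_login_posts(BruteForceModel(), "111.111.111.111", 8, 200))
```

With the page's values the sixth login POST inside a 180-second window is the one that gets dropped, and the client is then dropped on every URL for 900 seconds. The second run shows the limit of a fixed counter: a client that spaces its attempts wider than TX.requests_ttl never reaches the threshold, which is why the window and threshold should be tuned to the real login rate you expect rather than left at the defaults.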

Second Step – Load the Anti Brute Force rules

Next, you need to configure ModSecurity so that it loads the brute force protection rules. Do so by running this command:

echo "Include /usr/local/apache/conf/bruteforce.conf" >> /usr/local/apache/conf/modsec2.user.conf

You need to restart Apache in order for these changes to be applied:

service httpd restart

The brute force protection results for Joomla and WordPress are logged in the Apache error log.
Before the brute force rules were in place, your wp-login.php login attempts looked like this:

111.111.111.111 - - [01/Dec/2016:09:31:37] "POST /wp-login.php HTTP/1.0" 200

222.222.222.222 - - [01/Dec/2016:09:31:38] "POST /wp-login.php HTTP/1.0" 200

111.111.111.111 - - [01/Dec/2016:09:31:39] "POST /wp-login.php HTTP/1.0" 200

Once the brute force rules are in place, you will see a 406 status for each of the brute force attempts:

111.111.111.111 - - [01/Dec/2016:09:35:41] "POST /wp-login.php HTTP/1.0" 406 -

222.222.222.222 - - [01/Dec/2016:09:35:43] "POST /wp-login.php HTTP/1.0" 406 -

111.111.111.111 - - [01/Dec/2016:09:35:45] "POST /wp-login.php HTTP/1.0" 406 -
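A quick way to confirm from the log that the rules are really firing is to count, per client IP, how many login POSTs were made and how many of them received the 406 shown above; an IP that reaches the threshold with no 406 at all means the Include was not picked up or Apache was not restarted. The following Python script is an added example written for this article, not something from the original page: it parses log lines in the format shown above, and the GET line, the Joomla lines and the 333.333.333.333 client in its sample data are constructed for the demonstration.

```python
# Added example (not from the original article): summarise login POSTs per
# client IP from Apache access-log lines in the format shown above, and flag
# IPs that hit the threshold without ever receiving the 406 the rules produce.
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Login endpoints covered by bruteforce.conf
LOGIN_PATHS = {"/wp-login.php", "/administrator/index.php"}
BLOCKED_STATUS = 406


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def summarize(lines):
    """Per-IP {'attempts': n, 'blocked': n}, counting login POSTs only."""
    summary = defaultdict(lambda: {"attempts": 0, "blocked": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in LOGIN_PATHS:
            continue
        entry = summary[rec["ip"]]
        entry["attempts"] += 1
        if rec["status"] == BLOCKED_STATUS:
            entry["blocked"] += 1
    return dict(summary)


def unprotected_ips(summary, max_requests=6):
    """IPs that reached TX.max_requests login POSTs without a single 406."""
    return sorted(ip for ip, e in summary.items()
                  if e["attempts"] >= max_requests and e["blocked"] == 0)


SAMPLE_LOG = [
    # the WordPress lines from the article, before and after the rules
    '111.111.111.111 - - [01/Dec/2016:09:31:37] "POST /wp-login.php HTTP/1.0" 200',
    '222.222.222.222 - - [01/Dec/2016:09:31:38] "POST /wp-login.php HTTP/1.0" 200',
    '111.111.111.111 - - [01/Dec/2016:09:31:39] "POST /wp-login.php HTTP/1.0" 200',
    '111.111.111.111 - - [01/Dec/2016:09:35:41] "POST /wp-login.php HTTP/1.0" 406 -',
    '222.222.222.222 - - [01/Dec/2016:09:35:43] "POST /wp-login.php HTTP/1.0" 406 -',
    '111.111.111.111 - - [01/Dec/2016:09:35:45] "POST /wp-login.php HTTP/1.0" 406 -',
    # constructed: a GET of the login page is not a login attempt and is ignored
    '111.111.111.111 - - [01/Dec/2016:09:36:00] "GET /wp-login.php HTTP/1.0" 200 -',
] + [
    # constructed: six Joomla login POSTs all answered 200, i.e. rules not active
    f'333.333.333.333 - - [01/Dec/2016:09:40:{s:02d}] '
    f'"POST /administrator/index.php HTTP/1.0" 200 -'
    for s in range(6)
]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for ip, e in sorted(s.items()):
        print(f"{ip:16} attempts={e['attempts']} blocked={e['blocked']}")
    print("reached threshold but never got a 406:", unprotected_ips(s))
```

Against a real server, feed it the access log (for example `python3 check_bruteforce.py < /usr/local/apache/logs/access_log`, adjusting the path to your installation) after replacing SAMPLE_LOG with `sys.stdin`; the regular expression is deliberately lenient about the timestamp and trailing fields so it also accepts the common Apache log format.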

If these rules cause you any problems, you can deactivate them by editing the /usr/local/apache/conf/modsec2.user.conf file and removing the following line:

Include /usr/local/apache/conf/bruteforce.conf

Again you need to restart Apache for the changes to be applied:

service httpd restart

This should work. Now, you know how to block brute force attacks on WordPress and Joomla.
