alzabo · October 9, 2020 09:51
diff --git a/xmlrpc-distributed-brute-defense.conf b/xmlrpc-distributed-brute-defense.conf
 # These rules are designed to be effective versus /distributed/ brute force
 # attacks. While they will function just as well against attacks which are
 # /not distributed/ they will deny access to all XML-RPC method calls
 # namespaced with the prefix "wp."
 #
 # An IP-based version of these rules may be more appropriate for sites which
 # attacked from just a few distinct IP addresses.
 #
 # See http://alzabo.io/modsecurity/2014/09/15/wordpress-xml-rpc-brute-force.html
 # for additional information
 #
 # SecDataDir is probably better configured as something other than
 # /tmp. It merely needs to be a directory to which the web server 
 # daemon can write
 SecDataDir /tmp

 SecResponseBodyAccess On
 SecResponseBodyLimitAction ProcessPartial
 SecResponseBodyMimeType text/xml

 # SecStreamInBodyInspection requires ModSecurity 2.6.0 or greater
 SecStreamInBodyInspection On

 SecAction "phase:1,nolog,pass,id:19300,\
    initcol:RESOURCE=%{SERVER_NAME}_%{SCRIPT_FILENAME}"

 <FilesMatch "xmlrpc.php">
    SecRule RESPONSE_BODY "faultString" "id:19301,nolog,phase:4,\
        t:none,t:urlDecode,setvar:RESOURCE.xmlrpc_bf_counter=+1,\
        deprecatevar:RESOURCE.xmlrpc_bf_counter=1/300,pass"

    SecRule STREAM_INPUT_BODY "<methodCall>wp\." "id:19302,log,chain,\
        deny,status:406,phase:4,t:none,t:urlDecode,\
        msg:'Temporary block due to multiple XML-RPC method call failures'"

    SecRule RESOURCE:xmlrpc_bf_counter "@gt 4" "t:none,t:urlDecode,\
        t:removeWhitespace"
 </FilesMatch>
	# These rules are designed to be effective versus /distributed/ brute force
	# attacks. While they will function just as well against attacks which are
	# /not distributed/ they will deny access to all XML-RPC method calls
	# namespaced with the prefix "wp."
	#
	# An IP-based version of these rules may be more appropriate for sites which
	# attacked from just a few distinct IP addresses.
	#
	# See http://alzabo.io/modsecurity/2014/09/15/wordpress-xml-rpc-brute-force.html
	# for additional information
	#
	# SecDataDir is probably better configured as something other than
	# /tmp. It merely needs to be a directory to which the web server
	# daemon can write
	SecDataDir /tmp

	SecResponseBodyAccess On
	SecResponseBodyLimitAction ProcessPartial
	SecResponseBodyMimeType text/xml

	# SecStreamInBodyInspection requires ModSecurity 2.6.0 or greater
	SecStreamInBodyInspection On

	SecAction "phase:1,nolog,pass,id:19300,\
	initcol:RESOURCE=%{SERVER_NAME}_%{SCRIPT_FILENAME}"

	<FilesMatch "xmlrpc.php">
	SecRule RESPONSE_BODY "faultString" "id:19301,nolog,phase:4,\
	t:none,t:urlDecode,setvar:RESOURCE.xmlrpc_bf_counter=+1,\
	deprecatevar:RESOURCE.xmlrpc_bf_counter=1/300,pass"

	SecRule STREAM_INPUT_BODY "<methodCall>wp\." "id:19302,log,chain,\
	deny,status:406,phase:4,t:none,t:urlDecode,\
	msg:'Temporary block due to multiple XML-RPC method call failures'"

	SecRule RESOURCE:xmlrpc_bf_counter "@gt 4" "t:none,t:urlDecode,\
	t:removeWhitespace"
	</FilesMatch>