Created
October 2, 2014 13:11
Save rutger1140/a47d2aacab6cb5de68de to your computer and use it in GitHub Desktop.
ModSecurity - block WordPress brute force hack attempts - Plesk 12
# /etc/httpd/modsecurity.d/wordpress.conf

# This has to be global, cannot exist within a directory or location clause
SecAction phase:1,log,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:1

<Location /wp-login.php>
    # Setup brute force detection.

    # React if block flag has been set.
    SecRule user:bf_block "@gt 0" "deny,status:401,log,msg:'ip address blocked for 60 minutes, more than 15 login attempts in 3 minutes.',id:2"

    # Setup Tracking. On a successful login, a 302 redirect is performed, a 200 indicates login failed.
    SecRule RESPONSE_STATUS "^302" "phase:5,t:none,log,pass,setvar:ip.bf_counter=0,id:3"
    SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,log,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:4"
    SecRule ip:bf_counter "@gt 15" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=3600,setvar:ip.bf_counter=0"
</Location>
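
To check which login patterns set the block flag and how long it lasts, the sketch below replays constructed traffic through a simplified Python model of rules id:2, id:3 and id:4. It is an added example, not part of the gist or of ModSecurity: `LoginGuard`, `replay` and the sample addresses are hypothetical, and the decay step is an assumed approximation of `deprecatevar`.

```python
# Added example: simplified model of rules id:2, id:3 and id:4 above.
THRESHOLD = 15      # chained rule: ip:bf_counter "@gt 15"
DECAY_PERIOD = 180  # deprecatevar:ip.bf_counter=1/180
BLOCK_TTL = 3600    # expirevar:user.bf_block=3600


class LoginGuard:
    def __init__(self):
        self.ips = {}  # REMOTE_ADDR -> state (stands in for the ip/user collections)

    def handle(self, ip, now, app_status):
        """Return the status the client receives for one /wp-login.php request.

        app_status is WordPress's own answer: 200 = failed login, 302 = success.
        """
        s = self.ips.setdefault(ip, {"counter": 0, "updated": now, "blocked_until": 0})
        if now < s["blocked_until"]:      # id:2, bf_block is still set
            return 401
        if app_status == 302:             # id:3, a success clears the counter
            s["counter"], s["updated"] = 0, now
        elif app_status == 200:           # id:4, count the failure, then decay
            # Assumption: decay is 1 per full DECAY_PERIOD since the last update.
            decay = (now - s["updated"]) // DECAY_PERIOD
            s["counter"] = max(0, s["counter"] + 1 - decay)
            s["updated"] = now
            if s["counter"] > THRESHOLD:  # chained rule: set flag, reset counter
                s["blocked_until"] = now + BLOCK_TTL
                s["counter"] = 0
        return app_status


def replay(events):
    """Run (ip, time_in_seconds, app_status) tuples through a fresh guard."""
    guard = LoginGuard()
    return [guard.handle(ip, t, status) for ip, t, status in events]


# Constructed sample traffic (documentation addresses, times in seconds).
BURST = [("203.0.113.7", t, 200) for t in range(16)]  # 16 failures in 16 s
AFTER = [("203.0.113.7", 16, 200), ("198.51.100.9", 17, 200),
         ("203.0.113.7", 3614, 302), ("203.0.113.7", 3615, 302)]
TYPOS = [("198.51.100.9", t, 200) for t in range(5)] + [("198.51.100.9", 5, 302)]

if __name__ == "__main__":
    print(replay(BURST + AFTER))  # burst passes, then 401 until the flag expires
    print(replay(TYPOS))          # a few typos followed by a success: no block
```

The 16th failure still receives 200 because the flag is set in phase 5, after the response has been sent; the 401 starts with the next request from that address.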
If you want to get rid of that log warning message, use the "nolog" action on line 4:
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:1