Forked from alzabo/xmlrpc-distributed-brute-defense.conf
Last active
August 29, 2015 14:06
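# Both bodies are inspected below: the request body for the XML-RPC method
# name, the response body for the fault marker that signals a failed call.
SecRequestBodyAccess On
SecResponseBodyAccess On
# Inspect the buffered part of an over-limit response instead of rejecting it.
SecResponseBodyLimitAction ProcessPartial
# XML-RPC answers are text/xml, so that type must be buffered for phase 4.
SecResponseBodyMimeType text/xml

# Anchored and escaped so only a file named exactly xmlrpc.php is covered.
<FilesMatch "^xmlrpc\.php$">
    # Throttle brute-force attempts that use xmlrpc.php as the vector.
    # State is kept in the RESOURCE collection, so the counter and the block
    # flag are shared by every client hitting the same collection key.
    # NOTE(review): no initcol for RESOURCE is visible in this file. The
    # setvar/expirevar actions below only take effect if something like
    # initcol:RESOURCE=... has already run for the transaction - confirm.

    # Refuse wp.getUsersBlogs calls while the block flag is set.
    # Running in phase 4 means the application has already handled the call;
    # the deny withholds the answer from the client, it does not spare the
    # backend the work.
    # NOTE(review): phase:2 would reject before the application runs, provided
    # RESOURCE is initialised in phase 1 - consider after confirming.
    # NOTE(review): REQUEST_BODY is populated for URL-encoded bodies; for
    # text/xml posts it may need ctl:forceRequestBodyVariable=On set in
    # phase 1 - verify that this rule actually matches in your deployment.
    SecRule REQUEST_BODY "wp\.getUsersBlogs" "id:13504,phase:4,t:none,t:urlDecode,\
        deny,status:406,chain,\
        msg:'xmlrpc.php call failures triggered temporary block'"
        SecRule RESOURCE:xmlrpc_bf_block "@gt 0"

    # Count a failure whenever the response carries an XML-RPC fault.
    # Any fault matches, not only bad credentials, so other failing calls
    # are counted as well. The counter decays by 1 every 300 seconds.
    # 'pass' is explicit so an inherited default action cannot turn this
    # bookkeeping rule into a block.
    SecRule RESPONSE_BODY "faultString" "id:13505,phase:4,t:none,t:urlDecode,\
        nolog,pass,\
        setvar:RESOURCE.xmlrpc_bf_counter=+1,\
        deprecatevar:RESOURCE.xmlrpc_bf_counter=1/300"

    # More than 2 counted faults: raise the block flag for 900 seconds and
    # reset the counter. Phase 2 is ModSecurity's default phase; it is spelled
    # out here so the rule does not depend on SecDefaultAction. The check
    # therefore fires on the request that follows the last counted fault.
    SecRule RESOURCE:xmlrpc_bf_counter "@gt 2" "id:13506,phase:2,nolog,pass,\
        setvar:RESOURCE.xmlrpc_bf_block=1,\
        expirevar:RESOURCE.xmlrpc_bf_block=900,\
        setvar:RESOURCE.xmlrpc_bf_counter=0"
</FilesMatch>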