Created
April 13, 2013 05:20
-
-
Save wycks/5377061 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
WordPress block botnet brute force with Mod_security | |
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:5000134 | |
<Locationmatch "/wp-login.php"> | |
# Setup brute force detection. | |
# React if block flag has been set. | |
SecRule user:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes.'" | |
# Setup Tracking. On a successful login, a 302 redirect is performed, a 200 indicates login failed. | |
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136" | |
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137" | |
SecRule ip:bf_counter "@gt 10" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0" | |
</locationmatch> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment