Pages

Saturday, July 12, 2014

WP-Login Mod security Rule


(1)Compile apache to enable mod_security

(2)Make sure SecDataDir is present.

(3)If you do not have a SecDataDir anywhere then add it and also create the directory, for example:

mkdir /usr/local/apache/logs/modsec
chown root:nobody /usr/local/apache/logs/modsec
----------------------------------------------------------------------
root@server [/usr/local/apache/conf]# cat /usr/local/apache/conf/modsec2.conf | grep SecDataDir
SecDataDir /usr/local/apache/logs/modsec 
root@server [/usr/local/apache/conf]# 
-------------------------------------------------------------------

(4)Add the rule in a seperate file as follows.
-------------------------------------------------------------------

root@server [/usr/local/apache/conf]# cat modsec2.wplogin.conf
<LocationMatch "/wp-login.php">
SecAction initcol:ip=%{REMOTE_ADDR},pass,nolog,id:313371
SecAction "phase:5,deprecatevar:ip.counter=3/30,pass,nolog,id:313372"
SecRule IP:COUNTER "@gt 1" "phase:2,pause:3000,deny,status:406,setenv:RATELIMITED,skip:1,log,id:313373"
SecAction "phase:2,pass,setvar:ip.counter=+1,nolog,id:313374"
</LocationMatch> 
root@server [/usr/local/apache/conf]# 
-------------------------------------------------------------------
(5) Add the Include file accordingly as follows.
----------------------------------------------------------------
[root@server/usr/local/apache/conf]# cat modsec2.conf | grep Include
Include "/usr/local/apache/conf/modsec2.user.conf"
Include "/usr/local/apache/conf/modsec2.wplogin.conf"
[root@server/usr/local/apache/conf]#
---------------------------------------------------------------
(6)Make sure that following ErrorDocument is existing
[root@mserver]# cat /usr/local/apache/conf/includes/errordocument.conf | grep 406
# 406 - Not Acceptable
ErrorDocument 406 /406.shtml
[root@server/usr/local/apache/conf]# 
--------------------------------------------------------------


exclude few IPs from the rule
---------------------------------
root@server [/usr/local/apache/conf]# cat modsec2.wplogin.conf
<LocationMatch "/wp-login.php">
SecAction initcol:ip=%{REMOTE_ADDR},pass,nolog,id:313371
SecRule  REMOTE_ADDR  "@pmFromFile /usr/local/apache/conf/whitlist.txt"  "nolog,allow,id:313372"
SecAction "phase:5,deprecatevar:ip.counter=3/30,pass,nolog,id:313372"
SecRule IP:COUNTER "@gt 1" "phase:2,pause:3000,deny,status:406,setenv:RATELIMITED,skip:1,log,id:313373"
SecAction "phase:2,pass,setvar:ip.counter=+1,nolog,id:313374"
</LocationMatch> 
root@server [/usr/local/apache/conf]# 
-----------------------------------
Posted by at 0 comments
Subscribe to: Posts (Atom)