From the fourth quarter (the end) of 2014 until now, many Linux servers are still being injected with scripts that probe the wp-login footprint of other servers with hundreds of requests at a time, which is commonly called brute force.
More on this security issue: http://blog.sucuri.net/2014/07/new-brute-force-attacks-exploiting-xmlrpc-in-wordpress.html
The abuse has reached the point where the data center emailed us asking us to stop it, because the targeted parties also reported it to our data center.
We have updated the mod_sec2 patch to filter attacks directed at other parties. Please add the following to the mod_sec2 file located at ->
/usr/local/apache/conf/modsec2.user.conf
Add:
SecUploadDir /tmp
SecTmpDir /tmp
SecDataDir /tmp
SecRequestBodyAccess On
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:5000124
#<Locationmatch "/wp-login.php">
# Setup brute force detection.
# React if block flag has been set.
# SecRule user:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes.'"
# Setup Tracking. On a successful login, a 302 redirect is performed, a 200 indicates login failed.
#SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
#SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
#SecRule ip:bf_counter "@gt 10" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
#</locationmatch>
ErrorDocument 401 default
#Block WP logins with no referring URL
<Locationmatch "/wp-login.php">
SecRule REQUEST_METHOD "POST" "deny,status:401,id:5000130,chain,msg:'wp-login request blocked, no referer'"
SecRule &HTTP_REFERER "@eq 0"
</Locationmatch>
#Wordpress Brute Force detection
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},id:5000134
<Locationmatch "/wp-login.php">
# Setup brute force detection.
# React if block flag has been set.
SecRule ip:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes.'"
# Setup Tracking. On a successful login, a 302 redirect is performed, a 200 indicates login failed.
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
SecRule ip:bf_counter "@gt 10" "t:none,setvar:ip.bf_block=1,expirevar:ip.bf_block=300,setvar:ip.bf_counter=0"
</locationmatch>
After that, restart httpd/Apache, or the web server connected to Apache (nginx/lsws {litespeed}).
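To see which clients these rules would act on, the same two conditions can be checked against an Apache access log. The script below is an added example, not part of the original post: it assumes the "combined" log format, treats the counter as a plain 180-second sliding window (a simplification of the deprecatevar decay in rule 5000137), and runs on constructed sample lines with documentation IP addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" format: ip - - [time] "METHOD path proto" status bytes "referer" "agent"
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"')
WINDOW, LIMIT = 180, 10  # "more than 10 login attempts in 3 minutes" (msg of id 5000135)

def scan(lines):
    """Return (set of IPs over the failed-login limit, {ip: referer-less POST count})."""
    failures = defaultdict(deque)   # ip -> times of recent 200 responses to login POSTs
    over_limit, no_referer = set(), defaultdict(int)
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST" or "/wp-login.php" not in m["path"]:
            continue
        ip = m["ip"]
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if m["referer"] in ("", "-"):        # condition of rule 5000130
            no_referer[ip] += 1
        if m["status"] == "302":             # successful login: reset, as rule 5000136 does
            failures[ip].clear()
        elif m["status"] == "200":           # failed login, as counted by rule 5000137
            q = failures[ip]
            q.append(when)
            while (when - q[0]).total_seconds() > WINDOW:
                q.popleft()
            if len(q) > LIMIT:
                over_limit.add(ip)
    return over_limit, dict(no_referer)

def sample_log():
    """Constructed sample: one noisy client, one ordinary user (documentation IPs)."""
    fmt = ('{ip} - - [10/Jan/2015:10:{m:02d}:{s:02d} +0700] '
           '"POST /wp-login.php HTTP/1.1" {st} 3120 "{ref}" "-"')
    noisy = [fmt.format(ip="203.0.113.7", m=0, s=i * 5, st=200, ref="-") for i in range(12)]
    user = [fmt.format(ip="198.51.100.20", m=1, s=i * 20, st=st,
                       ref="http://example.com/wp-login.php")
            for i, st in enumerate((200, 200, 302))]
    return noisy + user

if __name__ == "__main__":
    blocked, bare = scan(sample_log())
    print("over limit:", sorted(blocked))
    print("POSTs without referer:", bare)
```

To use it on a real server, pass the lines of the site's access log to scan() instead of sample_log().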

