Captcha down?

  • Captcha down?

    Hello,

    I had the impression that the captcha system was locally on our hosting server?
    I tested with a brute force attack on WordPress and after the upgrade it's just loading all the time. In the end it shows an error. See attachment.

  • #2
    Imunify360 is loaded and running:
    service imunify360 status
    Redirecting to /bin/systemctl status imunify360.service
    ● imunify360.service - Imunify360 agent
    Loaded: loaded (/usr/lib/systemd/system/imunify360.service; enabled; vendor preset: disabled)
    Active: active (running) since Tue 2017-03-14 15:34:05 CET; 5min ago
    Process: 114458 ExecStart=/usr/bin/imunify360-agent start --daemon --pidfile /var/run/imunify360.pid (code=exited, status=0/SUCCESS)
    Main PID: 114478 (imunify360-agen)
    CGroup: /system.slice/imunify360.service
    └─114478 /opt/alt/python35/bin/python3 /usr/bin/imunify360-agent start --daemon --pidfile /var/run/imunify360.pid

    But if I restart I will pass through to the website again. And if I refresh I see that the IP is blocked in CSF.
    Still some bugs there...

    • #3
      Please expect the fix for this bug (jira id DEF-1152) to be released today.

      Could you please attach output of
      # imunify360-agent doctor
      command so we can follow up if our guess regarding this bug is correct.

      Thank you,
      Imunify developer

      • #4
        Key: AGSSbjYPaIQIHC5dCv.b0ab343e-87f1-4d94-859f-a22de6194b67

        • #5
          > I tested with a brute force attack on WordPress and after the upgrade the captcha is just loading all the time. In the end it shows an error. See attachment.

          Hi Morten,

          Please update to the recent Imunify 1.1.4-9 bugfix release. The issue with the captcha shall be fixed now.

          Thank you,
          Imunify developer

          • #6
            Using: 1.1.4-9.el7

            I tested again on a domain with WP and did a brute force. Got blocked by CSF/LFD because that has fewer retries before I got blocked. So I turned off CSF/LFD and in the end I got the message:
            405: Method Not Allowed

            No captcha to remove the greylist at all.
            But if I change the URL from http://domain.tld/wp-login.php to domain.tld in the browser I get the captcha screen.

            • #7
              Morten,

              Could you please list here the ModSecurity settings from this command:
              # whmapi1 modsec_get_settings | grep -A20 SecRuleEngine

              Thank you,
              Imunify developer

              • #8
                directive: SecRuleEngine
                engine: 1
                name: Rules Engine
                radio_options:
                -
                name: Process the rules.
                option: On
                -
                name: Do not process the rules.
                option: Off
                -
                name: Process the rules in verbose mode, but do not execute disruptive actions.
                option: DetectionOnly
                setting_id: 2
                state: DetectionOnly
                type: radio
                url: https://github.com/SpiderLabs/ModSec...#secruleengine
                -
                default: Off
                description: Disables backend compression while leaving the frontend compression enabled.
                directive: SecDisableBackendCompression

                • #9
                  Hi Morten,

                  > Using: 1.1.4-9.el7
                  >
                  > I tested again on a domain with WP and did a brute force. Got blocked by CSF/LFD because that has fewer retries before I got blocked. So I turned off CSF/LFD and in the end I got the message:
                  > 405: Method Not Allowed
                  >
                  > No captcha to remove the greylist at all.
                  > But if I change the URL from domain.tld/wp-login.php to domain.tld in the browser I get the captcha screen.

                  Unfortunately, I cannot reproduce this bug in my test env. Could you please open a helpdesk request and upload the imunify doctor key from this command:
                  # imunify360-agent doctor

                  Thank you for the feedback,

                  • #10
                    I will do some more testing, but I used Opera with the built-in VPN to test this. I will also test Chrome and other browsers as I may think it will work fine in Chrome only...

                    • #11
                      I tested on a new server where I installed IM360. First I tested with CWAF and CSF/LFD enabled. I got blocked by CSF after around 30 attempts and lost connection to the server. Then I disabled CSF/LFD and started brute force on a customer's WP login page again. After 120 logins I gave up! I notice them in CWAF in WHM, but I cannot find any trace of the IP in IM360. I used Chrome to test with.

                      • #12
                        Can you send the support "imunify360-agent doctor"?

                        --
                        imunify360 dev team

                        • #13
                          Sure, here it is:
                          Key: AGSSUKajNN0hg71rhR.f1a213e6-3a9b-4595-9e81-933ddc4292f5

                          I tried brute force from a VPN with IP:
                          82.103.128.158

                          • #14
                            I don't see the imunify360 mod security ruleset. Can you enable it in "Home » Security Center » ModSecurity™ Vendors » Manage Vendors"?
                            Link to ruleset

                            • #15
                              > I don't see the imunify360 mod security ruleset. Can you enable it in "Home » Security Center » ModSecurity™ Vendors » Manage Vendors"?
                              > Link to ruleset

                              Hmmm... So you will be providing mod_security rules?
                              We use to use CWAF as mod_security rules and in the future use IM360 for firewall so IM360 can block those requests that are triggered by CWAF!?
