Captcha - WordPress login


  • Captcha - WordPress login

    I noticed that Comodo WAF stopped working after Imunify360 was installed. It's not reporting any hits in WHM anymore.
    Bug? (CSF and LFD are enabled)

    I also did a brute force attack, but CWAF did not stop it. But after a lot of attempts IM360 did stop it.

    I got this message in WP login page:
    Error: 405 Method Not Allowed

    Sorry, the requested URL http://fakedomain.com/wp-login.php caused an error:

    Method not allowed.

    Shouldn't captcha show when refreshing?
    I had to manually change URL to fakedomain.com and captcha was showing there.

    INFO:
    Fri Mar 10 02:52:35.644660 2017 fakedomain.com /wp-login.php WordPress login attempt

    Sensor:
    ossec

    Rule:
    10605

    Abuser:
    185.137.18.xx

    Is there any possibility to change ossec rule 10605? To block faster?

  • #2
    Dear Customer,

    Regarding the blocking rate, currently we block a user if there are 10 login attempts in 2 minutes. We find this reasonable in the first iteration of the rule to avoid many false positives. In the future we may decrease this value if there are no complaints from the customers. If you are eager to do this right now you can tune these parameters in /var/ossec/etc/rules.d/defence360_rules.xml line 39 followed by /var/ossec/bin/ossec-control restart.

    Regarding the automatic captcha redirect, we are looking to implement this in one of our next releases in about 2 weeks. This would be helpful indeed.

    Regards,
    Imunify360 staff.

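Added example, not part of any post in this thread and not Imunify360 or OSSEC code: a simplified sliding-window model of the "10 login attempts in 2 minutes" rule from reply #2, run with the stated setting and a tighter one to show the false-positive trade-off the reply mentions. The traffic and the 5-attempt setting are constructed assumptions; every POST to wp-login.php counts as an attempt, as in the rule message quoted in the thread.

```python
from collections import defaultdict, deque

def blocked_sources(events, threshold=10, window=120):
    """events: (unix_ts, ip) tuples sorted by time.
    Returns {ip: (time_of_block, attempts_seen_before_block_took_effect)}."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    total = defaultdict(int)      # per-IP attempts that reached the login page
    blocked = {}
    for ts, ip in events:
        if ip in blocked:
            continue              # already blocked, request never reaches WordPress
        total[ip] += 1
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= window:
            q.popleft()           # drop attempts older than the window
        if len(q) >= threshold:
            blocked[ip] = (ts, total[ip])
    return blocked

def sample_events():
    # Constructed traffic using documentation-range addresses.
    burst = [(2 * i, "198.51.100.7") for i in range(30)]    # scripted source, 1 try / 2 s
    office = [(15 * i, "203.0.113.20") for i in range(6)]   # six users behind one NAT
    typo = [(10 * i, "203.0.113.30") for i in range(3)]     # one user, two mistypes
    return sorted(burst + office + typo)

def compare(events, settings=((10, 120), (5, 120))):
    """Evaluate the same traffic under each (threshold, window) setting."""
    return {s: blocked_sources(events, *s) for s in settings}

if __name__ == "__main__":
    for setting, result in compare(sample_events()).items():
        print(setting, result)
```

With the tighter setting the scripted source is stopped after 5 attempts instead of 10, but the shared office address is blocked as well.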


    • #3
      Thanks for your reply. I will check that .xml file and see if I do some changes or not.

      But about Comodo WAF issue you didn't find anything on that? I tried changing the logging from Serial to Concurrent and that didn't work.
      Seems like Imunify did take over mod_security on the server:

      --11e7d75f-B--
      POST /wp-login.php HTTP/1.1
      Connection: Keep-Alive
      Content-Type: application/x-www-form-urlencoded
      Accept: */*
      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1
      Content-Length: 52
      Host: domain.tld
      Cookie: wordpress_test_cookie=WP+Cookie+check

      --11e7d75f-H--
      Message: Warning. Pattern match "^POST$" at REQUEST_METHOD. [file "/etc/apache2/conf.d/modsec_vendor_configs/imunify360_rules/i360.conf"] [line "25"] [id "33332"] [rev "1"] [msg "WordPress login attempt"] [severity "WARNING"] [maturity "1"]
      Stopwatch: 1489244594741842 103920 (- - -)
      Stopwatch2: 1489244594741842 103920; combined=3900, p1=444, p2=3114, p3=61, p4=26, p5=171, sr=66, sw=84, l=0, gc=0
      Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); CWAF_Apache.
      Server: Apache
      Engine-Mode: "ENABLED"

      --11e7d75f-Z--

      When I asked Igor last time, he said that Imunify360 should not do any WAF rules and will not function as that as it was hard to compete and invent the wheel again.

      In /etc/apache2/conf.d/modsec_vendor_configs/imunify360_rules/i360.conf I only see 3 rules.



      • #4
        CWAF seems to still be working and logging to:
        /usr/local/apache/logs/modsec_audit.log

        --0ffe2e30-B--
        GET /test.html HTTP/1.1
        User-Agent: Mozilla/5.0 (compatible; AhrefsBot/5.2; +http://ahrefs.com/robot/)
        Accept: */*
        Accept-Encoding: deflate, gzip
        Host: http://www.domain.tld

        --0ffe2e30-H--
        Message: Access denied with code 403 (phase 2). Matched phrase "AhrefsBot" at REQUEST_HEADERS:User-Agent. [file "/var/cpanel/cwaf/rules/02_Global_Agents.conf"] [line "34"] [id "210832"] [rev "2"] [msg "COMODO WAF: Blacklisted by userdata_bl_agents||http://www.domain.tld|F|4"] [data "AhrefsBot"] [severity "WARNING"]
        Action: Intercepted (phase 2)
        Stopwatch: 1489245322672179 685505 (- - -)
        Stopwatch2: 1489245322672179 685505; combined=717, p1=562, p2=121, p3=0, p4=0, p5=34, sr=82, sw=0, l=0, gc=0
        Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); CWAF_Apache.
        Server: Apache
        Engine-Mode: "ENABLED"

        --0ffe2e30-Z--

        But logging inside WHM->
        Home »Security Center »ModSecurity™ Tools »Hits List
        Stopped logging when installed Imunify360.

        If you need to check this you can follow up in the email on Friday and get access if you need to replicate this when installing IM360.

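Added example, not part of any post in this thread: one way to check which rule set is still producing hits is to parse modsec_audit.log and group the Message: lines of each H section by their [file "..."] path. The sample log is constructed from the two entries quoted in posts #3 and #4, and the vendor path fragments are assumptions taken from those entries.

```python
import re
from collections import Counter

BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")   # e.g. --11e7d75f-H--
TAG = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')        # e.g. [id "33332"]

# Assumption: path fragments seen in the [file "..."] values quoted in the thread.
VENDORS = {"/imunify360_rules/": "imunify360", "/cwaf/": "cwaf"}

# Constructed sample, shortened from the two audit-log entries quoted in the thread.
SAMPLE = """\
--11e7d75f-B--
POST /wp-login.php HTTP/1.1

--11e7d75f-H--
Message: Warning. Pattern match "^POST$" at REQUEST_METHOD. [file "/etc/apache2/conf.d/modsec_vendor_configs/imunify360_rules/i360.conf"] [line "25"] [id "33332"] [msg "WordPress login attempt"]

--11e7d75f-Z--

--0ffe2e30-B--
GET /test.html HTTP/1.1

--0ffe2e30-H--
Message: Access denied with code 403 (phase 2). Matched phrase "AhrefsBot" at REQUEST_HEADERS:User-Agent. [file "/var/cpanel/cwaf/rules/02_Global_Agents.conf"] [line "34"] [id "210832"] [data "AhrefsBot"]

--0ffe2e30-Z--
"""

def parse_hits(text):
    """Return one record per Message: line found in an audit-log H section."""
    hits, txn, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = BOUNDARY.match(line)
        if m:
            txn, section = m.groups()      # new section of transaction txn
            continue
        # Only section H carries rule messages; request bodies are ignored.
        if section == "H" and line.startswith("Message:"):
            tags = dict(TAG.findall(line))
            path = tags.get("file", "")
            vendor = next((v for k, v in VENDORS.items() if k in path), "other")
            hits.append({"txn": txn, "vendor": vendor, "rule_id": tags.get("id"),
                         "blocked": "Access denied" in line})
    return hits

def hits_by_vendor(text):
    return Counter(h["vendor"] for h in parse_hits(text))
```

Run hits_by_vendor over the entries written since the Imunify360 install: a vendor missing from the result logged no rule hits in that period.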


        • #5
          It is a bug. We are working on fixing it.



          • #6
            Thanks Igor



            • #7
              I'm also seeing Comodo WAF no longer functioning on all servers with Imunify360 installed



              • #8
                I did upgrade to version 1.1.4 today and hits from Comodo WAF are still not listed in WHM!



                • #9
                  > I did upgrade to version 1.1.4 today and hits from Comodo WAF are still not listed in WHM!

                  Hi Morten,

                  This is a bug; the Jira ID is DEF-1128. Please expect this bugfix to appear in one of the subsequent bugfix releases: 1.0.5 or 1.0.6



                  • #10
                    In addition to entries not being logged in WHM, I'm not seeing anything new in /usr/local/apache/logs/modsec_audit.log either. Does this mean that ModSecurity is not functioning at all now?



                    • #11
                      > In addition to entries not being logged in WHM, I'm not seeing anything new in /usr/local/apache/logs/modsec_audit.log either. Does this mean that ModSecurity is not functioning at all now?

                      Pretty sure CWAF is not working for you then. In my testing server it's logging both from Imunify and CWAF in that file.



                      • #12
                        >> I did upgrade to version 1.1.4 today and hits from Comodo WAF are still not listed in WHM!
                        >
                        > Hi Morten,
                        >
                        > This is a bug; the Jira ID is DEF-1128. Please expect this bugfix to appear in one of the subsequent bugfix releases: 1.0.5 or 1.0.6

                        Thanks! Looking forward to a fix :-)



                        • #13
                          >> In addition to entries not being logged in WHM, I'm not seeing anything new in /usr/local/apache/logs/modsec_audit.log either. Does this mean that ModSecurity is not functioning at all now?
                          >
                          > Pretty sure CWAF is not working for you then. In my testing server it's logging both from Imunify and CWAF in that file.

                          I'm not getting anything new logged in /usr/local/apache/logs/modsec_audit.log or in Imunify. Comodo WAF was working perfectly before installing Imunify.

                          Any idea how to fix? I should note I am using Litespeed and not Apache.



                          • #14
                            Actually, it's not logging on either of my test servers, one running Litespeed, the other Apache.



                            • #15
                              Ok, I have only tested this on an Apache server with mod_lsapi. Do not dare to test on LiteSpeed yet. Did you upgrade to the latest version that came today?

