Hi folks!

I'm trying to follow the instructions found here:
http://blog.haproxy.com/2013/04/26/wordpress-cms-brute-force-protection-with-haproxy/
on how to protect some WordPress sites against blind and repetitive
login attempts, but I can't seem to make it effective.

Would you mind commenting on my config to help me understand why it's not working?
It's only the protection part that is not working : the rest of the
service is ok, and has always been. It's just that I recently added the
recipe found on HAProxy blog, and I get no result.

My peers definition:

    peers mypeers
        peer machine1.fqdn haproxy-1:1024
        peer machine2.fqdn haproxy-2:1024
        peer machine3.fqdn haproxy-3:1024



My frontend definition:

    frontend wordpress-frontend
        bind X.X.X.X:80
        bind Y.Y.Y.Y:80
        mode http

        tcp-request inspect-delay 10s
        tcp-request content accept if HTTP
        # <==== despite what was written in the blog post, HAProxy refused
        # "tcp-request" without the "content" keyword. I guess this is
        # expected.
        acl wp_login                 path_beg     -i /wp-login.php
        acl flagged_as_abuser        sc1_get_gpc0 gt 0
        stick-table type binary len 20 size 500 store gpc0 peers mypeers
        tcp-request content track-sc1  base32+src if METH_POST wp_login
        use_backend bk_login_abusers if flagged_as_abuser

        default_backend wordpress-http-backend


My backend definition:

    backend wordpress-http-backend
        tcp-request inspect-delay 10s
        tcp-request content accept if HTTP
        # brute force protection
        acl wp_login                path_beg -i /wp-login.php
        stick-table type binary len 20 size 500 store http_req_rate(20s) peers mypeers
        tcp-request content track-sc2  base32+src if METH_POST wp_login
        stick store-request base32+src            if METH_POST wp_login
        acl bruteforce_detection  sc2_http_req_rate gt 2
        # <===== adjusted to "2" to see if I got anything better. No luck.
        acl flag_bruteforce       sc1_inc_gpc0      gt 0
        http-request deny if bruteforce_detection flag_bruteforce

        balance roundrobin
        option http-server-close
        option forwardfor
        option httpchk GET /haproxy-check.php HTTP/1.1\r\nHost:\ backend.address.fqdn
        http-check expect string ALLOK
        http-check disable-on-404
        server web-1 web-1:80 check slowstart 5000ms
        server web-2 web-2:80 check slowstart 5000ms
        server web-3 web-3:80 check slowstart 5000ms
        server sorry-1 webfront-1:50000 check backup
        server sorry-2 webfront-2:50000 check backup


My sandbox backend:

    backend bk_login_abusers
        mode http
        log global
        option httplog
        timeout tarpit 1s
        http-request tarpit
        errorfile 500 /etc/haproxy/errorfiles/wp_fake_login.http
        errorfile 503 /etc/haproxy/errorfiles/wp_fake_login.http


Finally, the contents of the stick tables:

    # table: wordpress-frontend, type: binary, size:500, used:0

    # table: wordpress-http-backend, type: binary, size:500, used:6
    0xe71b10: key=410B34765BD290FF000000000000000000000000 use=0 exp=0 server_id=2 http_req_rate(20000)=0
    0xe4abd0: key=410B3476B2891330000000000000000000000000 use=0 exp=0 server_id=1 http_req_rate(20000)=0
    0xdb7e50: key=B77846E1A2F88FA1000000000000000000000000 use=0 exp=0 server_id=2 http_req_rate(20000)=0
    0xe4fd00: key=BA68E942D972C985000000000000000000000000 use=0 exp=0 server_id=1 http_req_rate(20000)=0
    0xdb7f00: key=C45BC90B5BC80C04000000000000000000000000 use=0 exp=0 server_id=1 http_req_rate(20000)=0
    0xdb7da0: key=F58B492055EE71FC000000000000000000000000 use=0 exp=0 server_id=1 http_req_rate(20000)=0



I tested with cURL by sending a lot of POST requests to the /wp-login.php
address (more than twice per 20s, for sure), but the counters don't rise.

I'm open to new ideas on how to solve my case, and mistakes in my config.

Thanks!

    Hoggins!
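Added example, not part of the original post or of HAProxy itself: a small Python parser for the `show table` output pasted above. It decodes the binary `base32+src` key into the client address (HAProxy builds that key as 4 bytes of base32 hash followed by the source IP, zero-padded here to the table's `len 20`) and reports which entries are over the same threshold the `sc2_http_req_rate gt 2` ACL uses, so whether the tracking rules are actually incrementing anything can be read off a dump rather than guessed. The sample dump and the addresses in it are constructed (documentation ranges), and deciding IPv4 versus IPv6 from the zero padding is an assumption of this script.

```python
"""Parse HAProxy 'show table <name>' output and flag entries over a rate threshold.

Added example for the thread above; not HAProxy code. Decodes the binary
base32+src key so each stick-table entry can be attributed to a client address.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in the format printed by the stats socket. The first table
# is empty (the symptom in the post); the second has constructed entries with
# documentation-range addresses, not the addresses from the original dump.
SAMPLE_OUTPUT = """\
# table: wordpress-frontend, type: binary, size:500, used:0
# table: wordpress-http-backend, type: binary, size:500, used:3
0xe71b10: key=1234ABCDC000020A000000000000000000000000 use=0 exp=0 server_id=2 http_req_rate(20000)=0
0xe4abd0: key=1234ABCDC6336414000000000000000000000000 use=0 exp=19873 server_id=1 http_req_rate(20000)=5
0xdb7e50: key=1234ABCD20010DB8000000000000000000000001 use=1 exp=19990 server_id=1 http_req_rate(20000)=3 gpc0=1
"""

HEADER_RE = re.compile(
    r"^# table: (?P<name>\S+), type: (?P<type>\w+), size:(?P<size>\d+), used:(?P<used>\d+)")
ENTRY_RE = re.compile(r"^0x[0-9a-f]+: key=(?P<key>[0-9A-Fa-f]+)(?P<rest>.*)$")
# Generic "name=value" or "name(period)=value" fields, e.g. http_req_rate(20000)=5
FIELD_RE = re.compile(r"(?P<name>[a-z_0-9]+)(?:\((?P<period>\d+)\))?=(?P<value>\d+)")


@dataclass
class Entry:
    base32: int                       # hash of Host + URL (first 4 bytes of the key)
    src: str                          # client address decoded from the key
    counters: Dict[str, int] = field(default_factory=dict)
    rate_period_ms: Optional[int] = None


@dataclass
class Table:
    name: str
    type: str
    size: int
    used: int
    entries: List[Entry]


def decode_key(key_hex: str) -> Tuple[int, str]:
    """Split a base32+src key into (base32 hash, source address string)."""
    raw = bytes.fromhex(key_hex)
    base32 = int.from_bytes(raw[:4], "big")
    addr = raw[4:]
    # Assumption: with 'len 20' an IPv4 key is zero-padded after byte 8, so
    # all-zero padding means IPv4; anything else is treated as a 16-byte IPv6.
    if len(addr) >= 4 and not any(addr[4:]):
        return base32, str(ipaddress.IPv4Address(addr[:4]))
    return base32, str(ipaddress.IPv6Address(addr[:16]))


def parse_show_table(text: str) -> List[Table]:
    """Parse one or more tables from 'show table' output."""
    tables: List[Table] = []
    current: Optional[Table] = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = Table(m["name"], m["type"], int(m["size"]), int(m["used"]), [])
            tables.append(current)
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            base32, src = decode_key(m["key"])
            entry = Entry(base32=base32, src=src)
            for f in FIELD_RE.finditer(m["rest"]):
                entry.counters[f["name"]] = int(f["value"])
                if f["name"] == "http_req_rate" and f["period"]:
                    entry.rate_period_ms = int(f["period"])
            current.entries.append(entry)
    return tables


def counters_moving(table: Table) -> bool:
    """True if any entry has a non-zero http_req_rate (the post shows all zeros)."""
    return any(e.counters.get("http_req_rate", 0) > 0 for e in table.entries)


def abusers(tables: List[Table], threshold: int = 2) -> List[Tuple[str, str, int]]:
    """Entries whose rate exceeds the threshold, like 'sc2_http_req_rate gt 2'."""
    hits = []
    for t in tables:
        for e in t.entries:
            rate = e.counters.get("http_req_rate", 0)
            if rate > threshold:
                hits.append((t.name, e.src, rate))
    return hits


if __name__ == "__main__":
    parsed = parse_show_table(SAMPLE_OUTPUT)
    for t in parsed:
        print(f"{t.name}: used={t.used} counters_moving={counters_moving(t)}")
        for e in t.entries:
            print(f"  {e.src:<20} base32=0x{e.base32:08x} {e.counters}")
    for name, src, rate in abusers(parsed):
        print(f"over threshold in {name}: {src} ({rate} POSTs in the rate period)")
```

Feed it the real dump with `echo "show table wordpress-http-backend" | socat stdio /var/run/haproxy.sock | python3 parse_table.py` style piping (reading stdin instead of `SAMPLE_OUTPUT`) while repeating the cURL test; an empty frontend table and all-zero rates after the test mean the `track-sc` rules never ran for those requests, which is where to look first.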


