Hello, I have been getting an ongoing attack from a set range of IPs on my WordPress sites about every 10 minutes. This happens every day, and every time OSSEC just gives these IPs 503 responses for 600 seconds as default. On a side note, I see hardly any sort of blacklisting for this set of IPs by major providers/blacklisters. I would really like to increase the limits and have OSSEC deal with these repeat offenders more severely. Here are options I'm considering or have questions about:

1) Repeat Offenders Response

I heard of the repeat offenders response I can add to OSSEC, but so far I haven't been very good at getting it set up. I tried adding rules to OSSEC, but both times I had configuration errors result. At one point the error was so bad I had to restore a backup of my server. Simply deleting what I added to these files didn't seem to do the trick.

a) To block repeat offenders, I tried to add this to the active response section of ossec.conf. Without the # symbols of course.

    <active-response>
    <repeated_offenders>30,60,120</repeated_offenders>
    </active-response>

b) And to block access to the readme.html file in WordPress, I tried to add the following to local_rules.xml. I found this at hackertarget.com.

    <rule id="100040" level="6">
    <if_sid>31100</if_sid>
    <match>readme.html</match>
    <description>WordPress Recon - /readme.html accessed.</description>
    </rule>

2) Permanent Blocking

Other than the fact that at some point some other party than the offender might use the IP in question, why is the response of 600 seconds so short? What is the actual concern over permanent or semi-permanent blocks?

3) Increase default response substantially

If permanently blocking isn't a good idea, what if I changed the default 600s response to 10,000s or more? Would it hurt anything? I really don't want to see any responses for a while from this set of IPs. In fact I'd love to send an FU message along with that LOL, but I'm sure your response would be that it would put a strain on my server.

4) OTHER QUESTIONS:

I use ManageWP to manage my WordPress sites. Even though I have whitelisted those IPs and my own IP address, OSSEC still sends me error messages about too many POST requests, some at level 8 or more. Sometimes these types of errors even quote my IP or even my server's own IP address. Is this something I should worry about? Please forgive my noobness and all my own questions about all of this.

I have had OSSEC installed for 2 years but only recently discovered that it wasn't set up correctly (I did not have NGINX logs or my WordPress logs added to the files). I have been reading various sections of the OSSEC documentation, but a lot of it doesn't make sense to me. I really appreciate any advice you can give. Thank you!

INFO: I'm using the latest version of OSSEC 2.7.1 on a LEMP server/Ubuntu with quite a number of WordPress websites.
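As an added example (not part of the original post, and not OSSEC's own shipped configuration), the following shows how the two fragments from the post fit into their respective files on a local OSSEC install: the escalating timeouts go in their own active-response block in ossec.conf, hosts that must never be blocked go in a white_list entry in the global section, and the custom rule in local_rules.xml must sit inside a group element, which is the most common cause of a rules configuration error when a rule is pasted in bare. The whitelist addresses and the rule name are placeholders and must be replaced; the file paths assume the default /var/ossec install location.

```xml
<!-- /var/ossec/etc/ossec.conf (local install) -->
<ossec_config>
  <global>
    <!-- Addresses that must never receive an active response:
         placeholder values, replace with your own IP and the
         management service's IPs -->
    <white_list>127.0.0.1</white_list>
    <white_list>192.0.2.10</white_list>
  </global>

  <!-- Escalating block times, in minutes, for repeat offenders
       (at most 5 entries): 30 min on the first repeat, 60 on the
       second, 120 on every repeat after that -->
  <active-response>
    <repeated_offenders>30,60,120</repeated_offenders>
  </active-response>

  <!-- The ordinary block: firewall-drop for 600 seconds on any rule
       of level 6 or higher; the first offence uses this timeout,
       repeats use the list above -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>

<!-- /var/ossec/etc/rules/local_rules.xml -->
<!-- Rules must live inside a <group>; 31100 is OSSEC's base rule for
     web access log lines, so the child rule only sees web traffic.
     Level 6 is enough to trigger the active-response block above. -->
<group name="local,web,">
  <rule id="100040" level="6">
    <if_sid>31100</if_sid>
    <match>readme.html</match>
    <description>WordPress Recon - /readme.html accessed.</description>
  </rule>
</group>
```

Before restarting, paste a single NGINX access log line for /readme.html into /var/ossec/bin/ossec-logtest to confirm the line is decoded as a web access log and that rule 100040 fires at level 6; then apply the change with /var/ossec/bin/ossec-control restart. If the rule does not fire, the NGINX access log is not being read by the localfile entries in ossec.conf, which matches the log-collection gap described in the post.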
