So this one rule will protect all WordPress sites on the server? If the
forward slash is in front of the wp-login.php - doesn't that mean in the
root, or is it any wp-login.php anywhere?

SecRule REQUEST_METHOD "@streq POST" \
  "chain,id:'1',phase:2,t:none,block,log,msg:'Warning: Direct Login Missing Referer.'"
  SecRule REQUEST_FILENAME "@pm /wp-login.php /wp-admin/" "chain"
    SecRule &REQUEST_HEADERS:Referer "@eq 0"


Delia Wilson Lunsford
WizTech, Inc., (formerly Delia Wilson Design, LLC.)
434-202-4307
Terms and Conditions for working with WizTech, Inc.
(http://www.teamwiztech.com/terms-conditions.php)


On Fri, Jul 18, 2014 at 7:40 AM, Ryan Barnett <rbarn...@trustwave.com>
wrote:

>  See this blog post -
>
> http://blog.spiderlabs.com/2013/04/defending-wordpress-logins-from-brute-force-attacks.html
>
> *Ryan Barnett*
>
> Senior Lead Security Researcher, SpiderLabs
>
>
>
> *Trustwave* | SMART SECURITY ON DEMAND
>
> www.trustwave.com
>
> On Jul 18, 2014, at 7:31 AM, "Aniyan Rajan" <aniyan.raj...@gmail.com>
> wrote:
>
>  Hello,
>
> I am getting the following in my /var/log/apache2/access.log. It is an
> attack I believe, as it has "http://". Please correct me if I am wrong.
> They have correctly identified my domain name also. Is it possible to
> prevent these by installing and configuring modsecurity? Please suggest.
> Thanks.
>
> 146.0.72.182 - - [17/Jul/2014:23:37:27 +0000] "POST
> http://MY-DOMAIN.COM/wp-login.php/ HTTP/1.1" 200 3968 "-" "Mozilla/5.0
> (Windows; U; Windows NT 5.1; ru; rv:1.9.0.2) Gecko/2008091620 Firefox/3.0.2"
> 146.0.72.182 - - [17/Jul/2014:23:37:29 +0000] "POST
> http://MY-DOMAIN.COM/wp-login.php/ HTTP/1.1" 200 3968 "-" "Mozilla/5.0
> (Windows; U; Windows NT 5.1; ru; rv:1.9.0.2) Gecko/2008091620 Firefox/3.0.2"
> 146.0.72.182 - - [17/Jul/2014:23:37:30 +0000] "POST
> http://MY-DOMAIN.COM/wp-login.php/ HTTP/1.1" 200 3968 "-" "Mozilla/5.0
> (Windows; U; Windows NT 5.1; ru; rv:1.9.0.2) Gecko/2008091620 Firefox/3.0.2"
> 146.0.72.182 - - [17/Jul/2014:23:37:30 +0000] "POST
> http://MY-DOMAIN.COM/wp-login.php/ HTTP/1.1" 200 3968 "-" "Mozilla/5.0
> (Windows; U; Windows NT 5.1; ru; rv:1.9.0.2) Gecko/2008091620 Firefox/3.0.2"
> 146.0.72.182 - - [17/Jul/2014:23:37:31 +0000] "POST
> http://MY-DOMAIN.COM/wp-login.php/ HTTP/1.1" 200 3968 "-" "Mozilla/5.0
> (Windows; U; Windows NT 5.1; ru; rv:1.9.0.2) Gecko/2008091620 Firefox/3.0.2"
> 146.0.72.182 - - [17/Jul/2014:23:37:32 +0000] "POST
> http://MY-DOMAIN.COM/wp-login.php/ HTTP/1.1" 200 3968 "-" "Mozilla/5.0
> (Windows; U; Windows NT 5.1; ru; rv:1.9.0.2) Gecko/2008091620 Firefox/3.0.2"
> 146.0.72.182 - - [17/Jul/2014:23:37:33 +0000] "POST
> http://MY-DOMAIN.COM/wp-login.php/ HTTP/1.1" 200 3968 "-" "Mozilla/5.0
> (Windows; U; Windows NT 5.1; ru; rv:1.9.0.2) Gecko/2008091620 Firefox/3.0.2"
> 146.0.72.182 - - [17/Jul/2014:23:37:33 +0000] "POST
> http://MY-DOMAIN.COM/wp-login.php/ HTTP/1.1" 200 3968 "-" "Mozilla/5.0
> (Windows; U; Windows NT 5.1; ru; rv:1.9.0.2) Gecko/2008091620 Firefox/3.0.2"
>
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>
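Added example, not part of the original thread: the three chained conditions of the rule above, replayed in Python over constructed access-log lines. ModSecurity's @pm operator is a case-insensitive phrase match anywhere in the input, so the path test is not anchored to the site root. The function names are hypothetical, REQUEST_FILENAME is approximated by the URL path, and a logged "-" is assumed to mean the Referer header was absent.

```python
import re
from urllib.parse import urlsplit

# Apache combined log format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)
PHRASES = ("/wp-login.php", "/wp-admin/")  # phrase list given to @pm in the rule
UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.0.2) Gecko/2008091620 Firefox/3.0.2"


def log_line(method, target, referer):
    """Build one constructed log line in the same shape as those in the thread."""
    return (f'146.0.72.182 - - [17/Jul/2014:23:37:27 +0000] "{method} {target} HTTP/1.1" '
            f'200 3968 "{referer}" "{UA}"')


# Constructed sample input; only the first line mirrors a request quoted in the thread.
SAMPLE = [
    log_line("POST", "http://MY-DOMAIN.COM/wp-login.php/", "-"),
    log_line("POST", "/blog/wp-login.php", "-"),        # install in a subdirectory
    log_line("POST", "/WP-Admin/admin-ajax.php", "-"),  # mixed-case path
    log_line("POST", "/wp-login.php", "http://MY-DOMAIN.COM/wp-login.php"),
    log_line("GET", "/wp-login.php", "-"),
]


def rule_matches(line):
    """True when all three chained conditions hold for one access-log line."""
    m = LOG_RE.match(line)
    if m is None:
        return False
    if m["method"] != "POST":                   # REQUEST_METHOD "@streq POST"
        return False
    path = urlsplit(m["target"]).path.lower()   # drop scheme/host/query; @pm ignores case
    if not any(p in path for p in PHRASES):     # phrase may occur anywhere in the path
        return False
    return m["referer"] == "-"                  # &REQUEST_HEADERS:Referer "@eq 0"


def flagged_paths(lines):
    """Request paths of the lines the rule logic would act on."""
    return [urlsplit(LOG_RE.match(l)["target"]).path for l in lines if rule_matches(l)]


if __name__ == "__main__":
    for p in flagged_paths(SAMPLE):
        print("would match:", p)
```

The first three sample lines match, including the subdirectory install; the POST that carries a Referer and the GET do not.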