
mod security rule to stop Joomla brute force attacks?

Looking to fine tune a rule that creates false positives


stormy

9:34 pm on Aug 7, 2014 (gmt 0)


I'm trying to find a mod_security rule that will stop brute force attacks on Joomla. I'm using Litespeed and not Apache, so I can't scan the response body.

This is the best I could find, but it creates false positives, since there are many legitimate operations inside the administrator area that create many requests:

# Joomla Brute Force Protection
<LocationMatch "/administrator/index.php">
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:00113
SecRule user:bf_block "@gt 0" "deny,status:403,log,id:00114,msg:'IP address blocked for 5 minutes. More than 3 Joomla POST requests within 10 seconds.'"
SecRule REQUEST_METHOD "^POST$" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/10,id:00115"
SecRule ip:bf_counter "@gt 3" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
</LocationMatch>


I'm going to tune it now to be triggered with 20 requests during 10 seconds, but it will probably still generate false positives.

I've also tried <location> instead of <locationmatch> but it made no difference.

One fix would be for the rule to ignore any query strings, and only be activated when /administrator/index.php is hit. There are modules, like the popular Akeeba backup, that do post to this URL, like this:

/administrator/index.php?option=com_akeeba&view=backup&task=ajax


Any ideas?

lucy24

10:39 pm on Aug 7, 2014 (gmt 0)


since there are many legitimate operations inside the administrator area that create many requests

But surely they don't come through as ordinary external requests from any old IP? You'd want to exempt yourself, and also, uhm, er, whatever the mod_security equivalent of [NS] is.

I've also tried <location> instead of <locationmatch> but it made no difference.

In general, the difference between {blahblah} and {blahblahMatch} is simply that one version accepts a Regular Expression. If you're writing the rule for one specific file, you don't need it. In fact, do you need <Location> at all? What Apache version are you on? Ordinarily I'd expect to see rules inside a <Directory> envelope-- or, in this case, <Files> inside <Directory>-- referring to the physical directory where your /administrator/ files really live. Unless there's some really special circumstance. How often do you rearrange your directories?

I'm envious anyway ;) The current version of mod_security can't be used in htaccess, so I can only rubber-stamp the host's decisions. (Or, of course, say "No thanks, don't want it"-- but I keep track, and they don't seem to be excluding anyone I'd want to let in.)

As always, it helps to start by laying out in English what the intended result is. Here it looks like you want to block repeated POST attempts from the same IP for the same file within a set time period. Is that right?

stormy

11:01 pm on Aug 7, 2014 (gmt 0)


Sorry for the incomplete information!

This is a server-wide rule for a shared hosting server. Hence, the <Location> part.

The goal is to stop hackers from trying brute force logins to Joomla, by posting usernames and passwords to /administrator/index.php.

Maybe a regex could be used to mean "/administrator/index.php" and no more characters after it?

phranque

12:03 am on Aug 8, 2014 (gmt 0)


Location(Match) won't see the query string.

http://httpd.apache.org/docs/current/mod/core.html#location
For all origin (non-proxy) requests, the URL to be matched is a URL-path of the form /path/. No scheme, hostname, port, or query string may be included.

stormy

1:29 pm on Aug 8, 2014 (gmt 0)


Exactly, because it doesn't see the query string, it matches whether there's a query string or not.

I'm looking for a match only when there's no query string.
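As an added illustration (not code from the thread, from Joomla or from ModSecurity), this Python script models the posted rule's counter, decay and block window on constructed requests, and shows how counting only bare POSTs (empty query string) lets an Akeeba backup session through while still catching a login burst. The constants come from the posted rule; the decay is an approximation of deprecatevar, and the IPs and timings are constructed.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

THRESHOLD = 3        # ip.bf_counter "@gt 3"
DECAY_EVERY = 10     # deprecatevar:ip.bf_counter=1/10 -> counter drops by 1 per 10 s idle
BLOCK_SECONDS = 300  # expirevar:user.bf_block=300
LOGIN_PATH = "/administrator/index.php"

@dataclass
class IpState:
    counter: float = 0.0
    last_seen: float = 0.0
    blocked_until: float = 0.0

def is_login_post(method, target, bare_only=True):
    """True for a POST to the login URL. With bare_only, a query string
    (e.g. Akeeba's option=com_akeeba...) disqualifies the request, which is
    the refinement asked for above; bare_only=False mirrors the posted rule."""
    parts = urlsplit(target)
    if method != "POST" or parts.path != LOGIN_PATH:
        return False
    return parts.query == "" if bare_only else True

def process(events, bare_only=True):
    """events: (t_seconds, ip, method, target) tuples in per-IP time order.
    Returns {ip: ['allow' | 'deny', ...]}: the phase:1 deny check, then the
    phase:5 counting with an approximation of deprecatevar's decay."""
    state, decisions = {}, {}
    for t, ip, method, target in events:
        st = state.setdefault(ip, IpState())
        st.counter = max(0.0, st.counter - (t - st.last_seen) // DECAY_EVERY)
        st.last_seen = t
        if t < st.blocked_until:                 # user.bf_block still set
            decisions.setdefault(ip, []).append("deny")
            continue
        decisions.setdefault(ip, []).append("allow")
        if is_login_post(method, target, bare_only):
            st.counter += 1
            if st.counter > THRESHOLD:           # 4th counted POST trips the block
                st.blocked_until, st.counter = t + BLOCK_SECONDS, 0.0
    return decisions

# Constructed sample traffic: an Akeeba backup session (query string present)
# and a password-guessing burst at the bare login URL, from different IPs.
AKEEBA = "/administrator/index.php?option=com_akeeba&view=backup&task=ajax"
SAMPLE_EVENTS = [(t, "198.51.100.7", "POST", AKEEBA) for t in range(5)] + \
    [(t, "203.0.113.9", "POST", LOGIN_PATH) for t in range(5)] + \
    [(60, "203.0.113.9", "GET", LOGIN_PATH), (400, "203.0.113.9", "POST", LOGIN_PATH)]

if __name__ == "__main__":
    for mode in (False, True):
        print("bare_only=%s:" % mode, process(SAMPLE_EVENTS, mode))
```

With bare_only=False the Akeeba IP is blocked on its fifth request, the false positive described in the first post; with bare_only=True only the bare-URL burst is blocked, and that IP is allowed again once the 300 s window has passed.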

lucy24

6:36 pm on Aug 8, 2014 (gmt 0)


Does mod_security include an option for looking at the query string? It's a third-party mod that can only be used in config, so even among people who speak Apache, they may not know all that much about it.

Under what circumstances would there be even one legitimate external request for /administrator/index.php, with or without query?

stormy

6:54 pm on Aug 8, 2014 (gmt 0)


This is basic Apache stuff, and basic regular expression stuff. Anyone who knows about Apache (or about regular expressions) should be able to answer my question.

I'm sorry that, basic as it is, I don't know enough about it though! :) Also, maybe this is the wrong forum.

Under what circumstances would there be even one legitimate external request for /administrator/index.php, with or without query?


All the time, since it's the login page to Joomla.

lucy24

1:51 am on Aug 9, 2014 (gmt 0)


it's the login page to Joomla

Oh, yuk. You mean login for everyone? That is, all the people who want to read and/or comment on the content? A login for the site administrator is an entirely different matter.

This is basic Apache stuff, and basic regular expression stuff. Anyone that knows about Apache (or about regular expressions) should be able to answer my question.

You are mistaken on both counts.

stormy

10:11 am on Aug 9, 2014 (gmt 0)


I'll retreat to my hole then :)