Joomla Brute Force Attacks

Customer support forums for the modsecurity rules feed. There is no such thing as a bad question here as long as it pertains to using the real time modsecurity rules feed. Newbies feel free to get help getting started or asking questions that may be obvious.

Post by coolmike

Hi

We are using the realtime rules on our servers. For the past few days we have had a lot of brute force attacks on our Joomla installations. Unfortunately the realtime rules are not helping us. I have now tried rules I found on the net:

Code:

<Location /administrator/index.php>
        # Setup brute force detection.

        # React if block flag has been set.
        SecRule user:bf_block "@gt 0" "deny,status:401,log,msg:'ip address blocked for 5 minutes, more than 15 login attempts in 3 minutes.',id:10011"

        # Setup Tracking.  On a successful login, a 302 redirect is performed, a 200 indicates login failed.
        SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:10012"
        SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:10013"
        SecRule ip:bf_counter "@gt 15" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
</Location>

But it looks like this rule is also detecting customers working inside the Joomla administrator as attacks.

Is there a working rule which helps against these Joomla brute force attacks?

Unfortunately switching to ASL is not an option for us.

Regards
Michael
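One way to stop ordinary back-end page views from being counted, as an added example that is not part of the original post or of the rules feed: the posted rule increments the counter on every 200 response from /administrator/index.php, so this variant counts only login form submissions and keeps both the counter and the block flag in the ip collection. It assumes ModSecurity 2.x with SecDataDir configured, that Joomla's back-end login form POSTs task=login, that REMOTE_ADDR is the real client address (no proxy in front), and that ids 10021-10023 are unused; the thresholds are the ones from the post.

```apache
# Added example, not from the original post. Assumptions: ModSecurity 2.x,
# SecDataDir set, Joomla back-end login form POSTs task=login,
# REMOTE_ADDR is the real client, ids 10021-10023 are free.
<Location /administrator/index.php>
        # Bind the persistent "ip" collection to the client address.
        # Without initcol, neither the counter nor the block flag is stored.
        SecAction "id:10021,phase:2,nolog,pass,initcol:ip=%{REMOTE_ADDR}"

        # Enforce an active block before the request reaches Joomla.
        SecRule ip:bf_block "@gt 0" "id:10022,phase:2,t:none,deny,status:401,log,msg:'ip address blocked for 5 minutes, more than 15 login attempts in 3 minutes.'"

        # Count only login submissions (POST with task=login), so page views
        # and other admin actions that also return 200 are ignored.
        # The counter decays by 1 every 180 seconds, as in the posted rule.
        SecRule REQUEST_METHOD "@streq POST" "id:10023,phase:2,t:none,nolog,pass,chain"
                SecRule ARGS_POST:task "@streq login" "t:none,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,chain"
                        SecRule ip:bf_counter "@gt 15" "t:none,setvar:ip.bf_block=1,expirevar:ip.bf_block=300,setvar:ip.bf_counter=0"
</Location>
```

Successful logins are counted as attempts too, which removes the dependency on response status codes; a legitimate administrator would need more than 15 submissions within the decay window to trigger the block.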