12_aslbrute not banning IP's

webjive
Forum User
Posts: 22
Joined: Wed Nov 09, 2011 3:22 am
Location: US


We purchased a yearly subscription for the ASL rules and our system is being hit hard daily by bots trying to brute force the Joomla admin. What's bothersome is that your rules aren't banning those ip's and they just keep pounding away.

Is there a way to tweak that rule to ban IP's for 30 days?
hostingg
Forum User
Posts: 63
Joined: Mon Mar 18, 2013 6:26 pm
Location: Earth


sure just change the shun time in asl to 30 days
If everything was easy, then the world wouldn't need engineers.
webjive

OK where do you do that?
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA


Thank you for the question, please see the documentation for this configuration setting in ASL:

https://www.atomicorp.com/wiki/index.ph ... _SHUN_TIME

The value is seconds, so 30 days would be 2592000.
webjive

OK, where are these settings for SHUN time? We're running the rules only with mod security. Thx
mikeshinn

Those settings are part of Atomic Secured Linux (ASL). Those rules require ASL to detect and block brute force attacks, as documented here:

https://www.atomicorp.com/wiki/index.ph ... brute.conf
webjive

Got it. The mod sec rules are limited without the full ASL?
mikeshinn

It's not a limitation in the rules, modsecurity just doesn't do this. Event tracking capabilities in modsecurity are very poor (and have performance issues), so we use a high-speed engine to do this in ASL.
webjive

Thanks! What has kept us from going full ASL is when we tried to install it in the past, it made our production machine un-bootable and we had to perform an OS reload so, we're VERY skittish on attempting to install ASL ourselves.
mikeshinn

We'd be happy to install ASL for you.
webjive

Getting close to a decision here on the full ASL suite. The attacks are coming in waves with peaks and valleys. Looks like it's a low level DDOS on WP and Joomla for admin and some scraping to check for vulnerable files. Would the full ASL help with this? See attached image.
Attachment: Screen Shot 2014-04-03 at 10.21.00 AM.jpg
mikeshinn

Thank you for the question, ASL sure does protect against this. If you'd like help installing ASL, just shoot support an email.
webjive

Well, it's time to do the deed then! I need a pro to install and get this rolling. My only fear is for our large Joomla install base and what might get caught in the ASL rules. Good news is I'm sure there will be a way to exclude some domains from those rules like CSF mod_sec control? That's our environment now, lots of CSF tools. Modsec Control, CSF, etc. Has worked well until now but, the hackers of the world have found us.

I purchased the annual ASL rules for $99. Is this an upgrade to full ASL or an upgrade?
mikeshinn

> My only fear is for our large Joomla install base and what might get caught in the ASL rules.

We use Joomla, so it's very unlikely any of our rules will cause any issues with Joomla. If you haven't had an issue with the modsec rules from us, then you'll be fine with ASL.

> Good news is I'm sure there will be a way to exclude some domains from those rules like CSF mod_sec control?

Oh yeah, and then some. You can tweak each rule, its behavior, thresholds and more.

> I purchased the annual ASL rules for $99. Is this an upgrade to full ASL or an upgrade?

If you purchased a rules license, that's just a license for the rules. Rules licenses do not include ASL. You can upgrade from a rules annual license to an ASL annual license for only $99.96.
webjive

Thanks! Once I pay that, will I get access to the support ticket system? Right now, I can't log in to that.