WordPress Failed Logon

Customer support forums for the modsecurity rules feed. There is no such thing as a bad question here as long as it pertains to using the real time modsecurity rules feed. Newbies feel free to get help getting started or asking questions that may be obvious.
User avatar
innovot
Forum User
Forum User
Posts: 12
Joined: Mon Dec 17, 2012 1:20 pm
Location: UK

WordPress Failed Logon

Unread post by innovot »

Hello:

we have the purchased rule set and attempting to configure with LiteSpeed. We have installed WPsyslog2 onto one of our sites and made a bad logon attempt. It was correctly written to syslog with the following

Code: Select all

Nov 12 09:20:52 ws1 core[8661]: [XXX.XXX.XXX.XXX na] http://www.somesite.com Info: User authentication failed. User name: badperson
but no OSSEC rule triggered. We have looked at the decoder 50-asl-wordpress-decoder.xml but that suggests each line should start with a program name of WPsyslog

Code: Select all

<decoder name="wordpress">
  <program_name>^WPsyslog</program_name>
  <prematch>^[</prematch>
  <regex offset="after_prematch">^(\d+.\d+.\d+.\d+) </regex>
  <order>srcip</order>
</decoder>
What are we doing wrong please ?
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4122
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: WordPress Failed Logon

Unread post by mikeshinn »

Brute force detection and shunning isnt accomplished using that plugin. Its done with modsecurity. Unfortunately litespeed doesnt support the brute force detection rules, because they dont do output detection. If you use ASL however, you can protect Litespeed with our WAF and brute force detection will work just fine.

Otherwise, we recommend you open a case with litespeed about supporting output scanning in their modsecurity like implementation.
User avatar
innovot
Forum User
Forum User
Posts: 12
Joined: Mon Dec 17, 2012 1:20 pm
Location: UK

Re: WordPress Failed Logon

Unread post by innovot »

Thanks Mike. I believe we shall switch back to Apache 2.4 if we cannot use those features.
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4122
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: WordPress Failed Logon

Unread post by mikeshinn »

Just enable a local WAF in ASL on ports 80 and 443, this puts a fully functional WAF in front of Litespeed. Then you can use output rules with litespeed (or any webserver or HTTP/HTTPS based service for that matter) to your hearts content.

https://www.atomicorp.com/wiki/index.php/ASL_WAF#local
User avatar
innovot
Forum User
Forum User
Posts: 12
Joined: Mon Dec 17, 2012 1:20 pm
Location: UK

Re: WordPress Failed Logon

Unread post by innovot »

Mike: does ASL have a single GUI with distributed agents when installed on multiple servers ? or does each have its own GUI.
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4122
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: WordPress Failed Logon

Unread post by mikeshinn »

Thank you for the question. ASL is designed like cpanel, Plesk and other control panels so there is a control panel for each server.

If you want to put a single ASL instance in front of a bunch of servers, we also off a traditional WAF appliance version of ASL for this purpose.
User avatar
innovot
Forum User
Forum User
Posts: 12
Joined: Mon Dec 17, 2012 1:20 pm
Location: UK

Re: WordPress Failed Logon

Unread post by innovot »

Mike:

would you be able to PM details of your WAF solutions please.

Thank you.
Post Reply