I'm watching the logs at the moment and there's an attack on a particular site which began -- well, I can't easily tell but way longer than 20 minutes ago - with no shunning happening.
The access_log for domain.tld looks like this (and goes on "forever"):
Code:
50.17.243.253 - - [26/Jan/2015:12:06:29 +0000] "POST /wp-login.php HTTP/1.0" 403 2182 "-" "-"
50.17.243.253 - - [26/Jan/2015:12:06:30 +0000] "POST /wp-login.php HTTP/1.0" 403 2182 "-" "-"
50.17.243.253 - - [26/Jan/2015:12:06:30 +0000] "POST /wp-login.php HTTP/1.0" 403 2182 "-" "-"
50.17.243.253 - - [26/Jan/2015:12:06:31 +0000] "POST /wp-login.php HTTP/1.0" 403 2182 "-" "-"
50.17.243.253 - - [26/Jan/2015:12:06:31 +0000] "POST /wp-login.php HTTP/1.0" 403 2182 "-" "-"
50.17.243.253 - - [26/Jan/2015:12:06:32 +0000] "POST /wp-login.php HTTP/1.0" 403 2182 "-" "-"
50.17.243.253 - - [26/Jan/2015:12:06:33 +0000] "POST /wp-login.php HTTP/1.0" 403 2182 "-" "-"
50.17.243.253 - - [26/Jan/2015:12:06:33 +0000] "POST /wp-login.php HTTP/1.0" 403 2182 "-" "-"
50.17.243.253 - - [26/Jan/2015:12:06:34 +0000] "POST /wp-login.php HTTP/1.0" 403 2182 "-" "-"
50.17.243.253 - - [26/Jan/2015:12:06:34 +0000] "POST /wp-login.php HTTP/1.0" 403 2182 "-" "-"
50.17.243.253 - - [26/Jan/2015:12:06:35 +0000] "POST /wp-login.php HTTP/1.0" 403 2182 "-" "-"
50.17.243.253 - - [26/Jan/2015:12:06:35 +0000] "POST /wp-login.php HTTP/1.0" 403 2182 "-" "-"
50.17.243.253 - - [26/Jan/2015:12:06:36 +0000] "POST /wp-login.php HTTP/1.0" 403 2182 "-" "-"
50.17.243.253 - - [26/Jan/2015:12:06:36 +0000] "POST /wp-login.php HTTP/1.0" 403 2182 "-" "-"
50.17.243.253 - - [26/Jan/2015:12:06:37 +0000] "POST /wp-login.php HTTP/1.0" 403 2182 "-" "-"
50.17.243.253 - - [26/Jan/2015:12:06:37 +0000] "POST /wp-login.php HTTP/1.0" 403 2182 "-" "-"
Code:
HTTP 403 Forbidden. This is not a WAF event, the web server has refused to complete the transaction
Back to domain.tld, the error_log shows this:
Code:
[Mon Jan 26 11:41:14 2015] [error] [client 50.17.243.253] ModSecurity: [file "/etc/httpd/modsecurity.d/12_asl_brute.conf"] [line "61"] [id "377360"] [rev "2"] [msg "Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure "] [severity "WARNING"] [tag "no_ar"] Warning. Pattern match "200" at RESPONSE_STATUS. [hostname "www.alias.tld"] [uri "/wp-login.php"] [unique_id "VMYn2Vw-goIAADbVg5UAAAAT"]
[Mon Jan 26 11:56:16 2015] [error] [client 50.17.243.253] ModSecurity: [file "/etc/httpd/modsecurity.d/12_asl_brute.conf"] [line "61"] [id "377360"] [rev "2"] [msg "Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure "] [severity "WARNING"] [tag "no_ar"] Warning. Pattern match "200" at RESPONSE_STATUS. [hostname "www.alias.tld"] [uri "/wp-login.php"] [unique_id "VMYrYFw-goIAAFF@1xkAAAAC"]
[Mon Jan 26 11:56:16 2015] [error] [client 50.17.243.253] ModSecurity: [file "/etc/httpd/modsecurity.d/12_asl_brute.conf"] [line "61"] [id "377360"] [rev "2"] [msg "Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure "] [severity "WARNING"] [tag "no_ar"] Warning. Pattern match "200" at RESPONSE_STATUS. [hostname "www.alias.tld"] [uri "/wp-login.php"] [unique_id "VMYrYFw-goIAAFOzMKcAAAAF"]
[Mon Jan 26 11:56:17 2015] [error] [client 50.17.243.253] ModSecurity: [file "/etc/httpd/modsecurity.d/12_asl_brute.conf"] [line "61"] [id "377360"] [rev "2"] [msg "Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure "] [severity "WARNING"] [tag "no_ar"] Warning. Pattern match "200" at RESPONSE_STATUS. [hostname "www.alias.tld"] [uri "/wp-login.php"] [unique_id "VMYrYVw-goIAAFRBUq8AAAAH"]
[Mon Jan 26 11:56:17 2015] [error] [client 50.17.243.253] ModSecurity: [file "/etc/httpd/modsecurity.d/12_asl_brute.conf"] [line "61"] [id "377360"] [rev "2"] [msg "Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure "] [severity "WARNING"] [tag "no_ar"] Warning. Pattern match "200" at RESPONSE_STATUS. [hostname "www.alias.tld"] [uri "/wp-login.php"] [unique_id "VMYrYVw-goIAAFQ9TqgAAAAD"]
[Mon Jan 26 11:58:14 2015] [error] [client 93.54.82.15] ModSecurity: [file "/etc/httpd/modsecurity.d/12_asl_brute.conf"] [line "61"] [id "377360"] [rev "2"] [msg "Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure "] [severity "WARNING"] [tag "no_ar"] Warning. Pattern match "200" at RESPONSE_STATUS. [hostname "www.domain.tld"] [uri "/wp-login.php"] [unique_id "VMYr1lw-goIAAFbFLC4AAAAB"]
[Mon Jan 26 11:58:15 2015] [error] [client 78.5.200.146] ModSecurity: [file "/etc/httpd/modsecurity.d/12_asl_brute.conf"] [line "61"] [id "377360"] [rev "2"] [msg "Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure "] [severity "WARNING"] [tag "no_ar"] Warning. Pattern match "200" at RESPONSE_STATUS. [hostname "www.domain.tld"] [uri "/wp-login.php"] [unique_id "VMYr11w-goIAAFXJD7EAAAAO"]
[Mon Jan 26 11:58:20 2015] [error] [client 93.61.77.214] ModSecurity: [file "/etc/httpd/modsecurity.d/12_asl_brute.conf"] [line "61"] [id "377360"] [rev "2"] [msg "Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure "] [severity "WARNING"] [tag "no_ar"] Warning. Pattern match "200" at RESPONSE_STATUS. [hostname "www.domain.tld"] [uri "/wp-login.php"] [unique_id "VMYr3Fw-goIAAFWcBZEAAAAI"]
[Mon Jan 26 11:58:23 2015] [error] [client 62.94.198.178] ModSecurity: [file "/etc/httpd/modsecurity.d/12_asl_brute.conf"] [line "61"] [id "377360"] [rev "2"] [msg "Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure "] [severity "WARNING"] [tag "no_ar"] Warning. Pattern match "200" at RESPONSE_STATUS. [hostname "www.domain.tld"] [uri "/wp-login.php"] [unique_id "VMYr3lw-goIAAFfJQf0AAAAD"]
[Mon Jan 26 11:58:24 2015] [error] [client 78.7.113.246] ModSecurity: [file "/etc/httpd/modsecurity.d/12_asl_brute.conf"] [line "61"] [id "377360"] [rev "2"] [msg "Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure "] [severity "WARNING"] [tag "no_ar"] Warning. Pattern match "200" at RESPONSE_STATUS. [hostname "www.domain.tld"] [uri "/wp-login.php"] [unique_id "VMYr31w-goIAAFWWgf4AAAAE"]
But no events since 11:58:24 are logged.
So I'm really quite confused.
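As an added example (not code from the original post, nor from the Atomicorp rule set), here is a small Python script that parses lines in the two formats shown above and correlates them per client IP: it counts rule 377360 events, which the error_log shows firing on a pattern match of "200" at RESPONSE_STATUS, against 403-refused POSTs to /wp-login.php, and reports how long a client kept posting after its last rule hit. The sample lines are constructed with RFC 5737 addresses and a placeholder hostname, and the two logs are assumed to share one clock (UTC).

```python
import re
from collections import Counter
from datetime import datetime

ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})')
ERROR_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] ModSecurity: .*?\[id "(?P<rule>\d+)"\]')

# Constructed sample lines modelled on the excerpts in the post; RFC 5737 addresses, not real indicators.
ACCESS_LOG = """\
192.0.2.10 - - [26/Jan/2015:11:56:16 +0000] "POST /wp-login.php HTTP/1.0" 200 4120 "-" "-"
192.0.2.10 - - [26/Jan/2015:12:06:29 +0000] "POST /wp-login.php HTTP/1.0" 403 2182 "-" "-"
192.0.2.10 - - [26/Jan/2015:12:06:30 +0000] "POST /wp-login.php HTTP/1.0" 403 2182 "-" "-"
192.0.2.10 - - [26/Jan/2015:12:06:30 +0000] "POST /wp-login.php HTTP/1.0" 403 2182 "-" "-"
198.51.100.7 - - [26/Jan/2015:12:06:31 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "-"
"""
ERROR_LOG = """\
[Mon Jan 26 11:56:16 2015] [error] [client 192.0.2.10] ModSecurity: [file "/etc/httpd/modsecurity.d/12_asl_brute.conf"] [line "61"] [id "377360"] [rev "2"] [msg "Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure "] [severity "WARNING"] [tag "no_ar"] Warning. Pattern match "200" at RESPONSE_STATUS. [hostname "www.example.test"] [uri "/wp-login.php"] [unique_id "constructed-1"]
"""

def parse_access(text):
    """Apache combined-format lines -> dicts; timestamps made naive (log clock assumed UTC)."""
    out = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
            out.append({"ip": m["ip"], "ts": ts, "method": m["method"], "uri": m["uri"], "status": int(m["status"])})
    return out

def parse_error(text):
    """ModSecurity error_log lines -> dicts with client IP, rule id and timestamp."""
    out = []
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            out.append({"ip": m["ip"], "rule": m["rule"], "ts": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")})
    return out

def login_activity(access, errors, rule="377360", uri="/wp-login.php"):
    """Per client IP: rule hits (the rule only fires on HTTP 200), 403-refused login POSTs,
    and how many seconds the client kept posting to the login URI after its last rule hit."""
    hits = Counter(e["ip"] for e in errors if e["rule"] == rule)
    refused = Counter(a["ip"] for a in access if a["uri"] == uri and a["status"] == 403)
    report = {}
    for ip in set(hits) | set(refused):
        last_hit = max((e["ts"] for e in errors if e["ip"] == ip and e["rule"] == rule), default=None)
        last_post = max((a["ts"] for a in access if a["ip"] == ip and a["uri"] == uri), default=None)
        gap = int((last_post - last_hit).total_seconds()) if last_hit and last_post else None
        report[ip] = {"rule_hits": hits[ip], "refused_403": refused[ip], "seconds_since_last_hit": gap}
    return report
```

A client that shows up with a growing `refused_403` count but a fixed `rule_hits` count is still hammering the login URI while the 200-based rule has gone quiet, which is the pattern the two excerpts above show for the first client.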