gistfile1.txt

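# Buffer request and response bodies so the rules below can inspect them.
# Outside a container these settings apply to every request in this scope,
# not only to xmlrpc.php.
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyLimitAction ProcessPartial
# Response bodies of this MIME type are the ones buffered for inspection.
SecResponseBodyMimeType text/xml


# Block brute force attempts using xmlrpc.php as the vector.
#
# Flow: rule 13505 counts responses that contain "faultString", rule 13506
# turns more than two counted faults into a 900-second block flag, and rule
# 13504 refuses wp.getUsersBlogs calls with status 406 while the flag is set.
#
# Changes from the published snippet: typographic quotes replaced with plain
# ASCII quotes, multi-line action lists joined with trailing backslashes, the
# duplicated "chain"/"deny" actions removed, explicit phase and "pass" added
# to the counting rules so they do not inherit a disruptive SecDefaultAction,
# and the deny moved to phase 2 so a blocked request is refused before the
# application handles it.
#
# NOTE(review): no initcol for the RESOURCE collection is visible in this
# snippet. Persistent collections have to be initialised (initcol, plus a
# writable SecDataDir) before setvar/expirevar on them persist; confirm that
# happens elsewhere in the configuration.
# NOTE(review): unless the RESOURCE key includes the client address, the
# block flag is shared by every caller of the resource, so one failing client
# locks out all others for the block period. Confirm this is intended or key
# the counters per client.
# NOTE(review): REQUEST_BODY is only populated for some request body
# processors; verify it is filled for text/xml posts in this deployment,
# otherwise rule 13504 never matches.

# Promote the fault counter to a temporary block and reset the counter.
# Listed before rule 13504 so the flag is already set when that rule runs in
# the same phase.
SecRule RESOURCE:xmlrpc_bf_counter "@gt 2" \
    "id:13506,phase:2,pass,nolog,\
    setvar:RESOURCE.xmlrpc_bf_block=1,\
    expirevar:RESOURCE.xmlrpc_bf_block=900,\
    setvar:RESOURCE.xmlrpc_bf_counter=0"

# Refuse the call while the block flag is set. Only requests whose body names
# wp.getUsersBlogs are matched; other XML-RPC methods are not covered here.
SecRule REQUEST_BODY "@contains wp.getUsersBlogs" \
    "id:13504,phase:2,t:none,t:urlDecode,deny,status:406,\
    msg:'xmlrpc.php call failures triggered temporary block',\
    chain"
    SecRule RESOURCE:xmlrpc_bf_block "@gt 0"

# Increment our counter when the xmlrpc API indicates a failure. The counter
# decays by 1 every 300 seconds. Any response containing "faultString" is
# counted, whatever the cause of the fault; without a container around these
# rules that includes responses from resources other than xmlrpc.php.
SecRule RESPONSE_BODY "@contains faultString" \
    "id:13505,phase:4,pass,nolog,t:none,t:urlDecode,\
    setvar:RESOURCE.xmlrpc_bf_counter=+1,\
    deprecatevar:RESOURCE.xmlrpc_bf_counter=1/300"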

gistfile1.txt

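# Buffer request and response bodies so the rules below can inspect them.
# These four settings sit outside the container, so they apply to every
# request in the enclosing scope, not only to xmlrpc.php.
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyLimitAction ProcessPartial
# Response bodies of this MIME type are the ones buffered for inspection.
SecResponseBodyMimeType text/xml

# The pattern is anchored and the dot escaped so that only a file named
# exactly xmlrpc.php is covered; the unanchored "xmlrpc.php" also matched
# names that merely contain it.
<FilesMatch "^xmlrpc\.php$">
    # Block brute force attempts using xmlrpc.php as the vector.
    #
    # Flow: rule 13505 counts responses that contain "faultString", rule
    # 13506 turns more than two counted faults into a 900-second block flag,
    # and rule 13504 refuses wp.getUsersBlogs calls with status 406 while the
    # flag is set.
    #
    # Multi-line action lists are joined with trailing backslashes, the
    # duplicated "chain"/"deny" actions are removed, the counting rules carry
    # an explicit phase and "pass" so they do not inherit a disruptive
    # SecDefaultAction, and the deny runs in phase 2 so a blocked request is
    # refused before the application handles it.
    #
    # NOTE(review): no initcol for the RESOURCE collection is visible in this
    # snippet. Persistent collections have to be initialised (initcol, plus a
    # writable SecDataDir) before setvar/expirevar on them persist; confirm
    # that happens elsewhere in the configuration.
    # NOTE(review): unless the RESOURCE key includes the client address, the
    # block flag is shared by every caller of the resource, so one failing
    # client locks out all others for the block period. Confirm this is
    # intended or key the counters per client.
    # NOTE(review): REQUEST_BODY is only populated for some request body
    # processors; verify it is filled for text/xml posts in this deployment,
    # otherwise rule 13504 never matches.

    # Promote the fault counter to a temporary block and reset the counter.
    # Listed before rule 13504 so the flag is already set when that rule runs
    # in the same phase.
    SecRule RESOURCE:xmlrpc_bf_counter "@gt 2" \
        "id:13506,phase:2,pass,nolog,\
        setvar:RESOURCE.xmlrpc_bf_block=1,\
        expirevar:RESOURCE.xmlrpc_bf_block=900,\
        setvar:RESOURCE.xmlrpc_bf_counter=0"

    # Refuse the call while the block flag is set. Only requests whose body
    # names wp.getUsersBlogs are matched; other XML-RPC methods are not
    # covered by this rule.
    SecRule REQUEST_BODY "@contains wp.getUsersBlogs" \
        "id:13504,phase:2,t:none,t:urlDecode,deny,status:406,\
        msg:'xmlrpc.php call failures triggered temporary block',\
        chain"
        SecRule RESOURCE:xmlrpc_bf_block "@gt 0"

    # Increment our counter when the xmlrpc API indicates a failure. The
    # counter decays by 1 every 300 seconds. Any response containing
    # "faultString" is counted, whatever the cause of the fault.
    SecRule RESPONSE_BODY "@contains faultString" \
        "id:13505,phase:4,pass,nolog,t:none,t:urlDecode,\
        setvar:RESOURCE.xmlrpc_bf_counter=+1,\
        deprecatevar:RESOURCE.xmlrpc_bf_counter=1/300"
</FilesMatch>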