gistfile1.txt
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyLimitAction ProcessPartial
SecResponseBodyMimeType text/xml
# Block brute force attempts using xmlrpc.php as the vector
# Increment our counter when the xmlrpc API indicates a failure
SecRule REQUEST_BODY “wp.getUsersBlogs” “id:13504,deny,chain,status:406,
phase:4,t:none,t:urlDecode,chain,deny,
msg:’xmlrpc.php call failures triggered temporary block'”
SecRule RESOURCE:xmlrpc_bf_block “@gt 0”
SecRule RESPONSE_BODY “faultString” “id:13505,nolog,
phase:4,t:none,t:urlDecode,
setvar:RESOURCE.xmlrpc_bf_counter=+1,
deprecatevar:RESOURCE.xmlrpc_bf_counter=1/300”
SecRule RESOURCE:xmlrpc_bf_counter “@gt 2” “id:13506,nolog,
setvar:RESOURCE.xmlrpc_bf_block=1,
expirevar:RESOURCE.xmlrpc_bf_block=900,
setvar:RESOURCE.xmlrpc_bf_counter=0”
gistfile1.txt
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyLimitAction ProcessPartial
SecResponseBodyMimeType text/xml
<FilesMatch "xmlrpc.php">
# Block brute force attempts using xmlrpc.php as the vector
# Increment our counter when the xmlrpc API indicates a failure
SecRule REQUEST_BODY "wp.getUsersBlogs" "id:13504,deny,chain,status:406,
phase:4,t:none,t:urlDecode,chain,deny,
msg:'xmlrpc.php call failures triggered temporary block'"
SecRule RESOURCE:xmlrpc_bf_block "@gt 0"
SecRule RESPONSE_BODY "faultString" "id:13505,nolog,
phase:4,t:none,t:urlDecode,
setvar:RESOURCE.xmlrpc_bf_counter=+1,
deprecatevar:RESOURCE.xmlrpc_bf_counter=1/300"
SecRule RESOURCE:xmlrpc_bf_counter "@gt 2" "id:13506,nolog,
setvar:RESOURCE.xmlrpc_bf_block=1,
expirevar:RESOURCE.xmlrpc_bf_block=900,
setvar:RESOURCE.xmlrpc_bf_counter=0"
</FilesMatch>
No comments yet.