SecDefaultAction "log,deny,auditlog,phase:2,status:403" # http://www.atomicorp.com/ # Atomicorp (Gotroot.com) ModSecurity rules # Application Security Rules for modsec 2.5+ # # Created by Atomicorp (http://www.atomicorp.com) # Copyright 2016 by Atomicorp, all rights reserved. # Redistribution is strictly prohibited in any form, including whole or in part. # # Distribution of this work or derivative of this work in any form is # prohibited unless prior written permission is obtained from the # copyright holder. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF # THE POSSIBILITY OF SUCH DAMAGE. # #---ASL-CONFIG-FILE--- # # Do not edit this file! # This file is generated and changes will be overwritten. # # If you need to make changes to the rules, please follow the procedure here: # http://www.atomicorp.com/wiki/index.php/Mod_security #Commercial rules timers #XMLRPC rate limiting timer #SecAction "phase:2,id:311220,nolog,noauditlog,pass,deprecatevar:ip.count_x=1/20" #Limit exceeded blocks SecRule IP:COUNT_X "@gt 5" "chain,phase:2,severity:2,id:311221,rev:2,deny,status:403,log,auditlog,msg:'Atomicorp WAF Rules : XMLRPC - Ratelimiting calls/possible attack'" SecRule REQUEST_FILENAME "/xmlrpc" "t:none,t:urlDecodeUni,t:lowercase" SecRule REQUEST_URI "/wp-login\.php\?action=logout" "phase:2,chain,id:339318,t:none,t:urlDecodeUni,t:lowercase,pass,nolog,noauditlog,skipAfter:END_BRUTE_OUT_EN" SecRule REQUEST_METHOD "GET" "t:none" SecRule IP:FAILED_AUTH_ATTEMPT "@gt 5" "chain,phase:2,id:377370,rev:3,t:none,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules - Login Detection: Multiple Wordpress Authentication Failures from the same IP.',logdata:'Number of Authentication Failures in 60 seconds: %{ip.failed_auth_attempt}'" SecRule REQUEST_FILENAME "/wp-login\.php" "t:none,t:urlDecodeUni,t:lowercase" #SecRule RESPONSE_BODY "@pm incorrect passwort password wrong match valid unrecognized succeed re-type error sorry, messagestackerror error-msg blank usuario isadmin" #phase:4,id:343892,pass,t:none,nolog,noauditlog,skip:1 SecRule REQUEST_FILENAME "/wp-login\.php" "chain,phase:4,id:377366,rev:2,t:none,t:lowercase,t:urlDecodeUni,deny,log,auditlog,status:200,msg:'Atomicorp.com WAF Rules - Login Detection: Wordpress Authentication Failure',logdata:'Number of Authentication Failures in 60 seconds: %{ip.failed_auth_attempt} '" SecRule REQUEST_METHOD "@streq POST" "t:none,chain" SecRule RESPONSE_BODY "E(?:rror|RROR)\: ?(?:The password you entered for the username|Incorrect password|(?:Invalid|Unknown) username)" "t:none,setvar:ip.failed_auth_attempt=+1,expirevar:ip.failed_auth_attempt=60" SecRule REQUEST_METHOD "@streq POST" "phase:5,chain,t:none,auditlog,pass,log,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Authentication Failure',logdata:'Number of Authentication Failures in 60 seconds: %{ip.failed_auth_attempt} ',id:'377369',rev:2,severity:'4',tag:'no_ar',setvar:ip.failed_auth_attempt=+1,expirevar:ip.failed_auth_attempt=60" SecRule REQUEST_URI "/wp-login\.php" "t:none,t:urlDecodeUni,t:lowercase,chain" SecRule RESPONSE_STATUS "200" "t:none" SecRule REQUEST_FILENAME "/wp-login\.php" "chain,phase:4,id:377365,rev:2,t:none,t:lowercase,t:urlDecodeUni,deny,log,auditlog,status:200,msg:'Atomicorp.com WAF Rules - Login Detection: Wordpress Admin Authentication Failure',logdata:'Number of Authentication Failures in 60 seconds: %{ip.failed_auth_attempt}'" SecRule REQUEST_METHOD "@streq POST" "t:none,chain" SecRule ARGS:log "admin" "chain,t:none,t:lowercase,t:urlDecodeUni" SecRule RESPONSE_BODY "E(?:rror|RROR)\: ?(?:The password you entered for the username|Incorrect password|(?:Invalid|Unknown) username)" "t:none,setvar:ip.failed_auth_attempt=+1,expirevar:ip.failed_auth_attempt=60" SecMarker END_BRUTE_OUT_EN #XMLRPC code block #SecRule REQUEST_FILENAME "/xmlrpc" "t:none,t:urlDecodeUni,t:lowercase" #detect old XMLRPC attacks and increment timer for litespeed systems SecRule RESPONSE_BODY "fault(?:Code|String)" "chain,phase:4,severity:2,id:311222,pass,t:none,log,auditlog,status:200,msg:'Atomicorp.com WAF Rules - Login Detection: WordPress XMLRPC Failure',setvar:ip.count_x=+1,expirevar:ip.count_x=60" SecRule REQUEST_FILENAME "/xmlrpc" "t:none,t:urlDecodeUni,t:lowercase"