# Default action list for the rules that follow: log the match, write an
# audit-log entry and deny with HTTP 403, evaluated in phase 2 (request body).
# Most rules below state their own disruptive action (pass/deny), which takes
# precedence over the "deny" given here.
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Application Security Rules for modsec 2.9+
#
# Created by Atomicorp (http://www.atomicorp.com)
# Copyright 2005-2019 by Atomicorp, all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
#
# Do not edit this file!
# This file is generated and changes will be overwritten.
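#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
#
# --- Disabled inbound login markers (kept as comments, unchanged) ---
#SecRule REQUEST_METHOD "^post$"
#phase:2,pass,t:none,t:lowercase,nolog,skip:1
#SecAction phase:2,t:none,pass,nolog,skipAfter:END_BRUTE_IN
#vbulletin
#set a variable that someone tried to login
#SecRule REQUEST_URI "/login\.php"
# "pass,nolog,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,setvar:tx.brute_vbulletin_login=yes,noauditlog,nolog,id:377400,rev:1,severity:2"
#SecRule ARGS:do "^login$"
#PHP logins
#SecRule REQUEST_URI "/ucp\.php"
# "chain,pass,nolog,noauditlog,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,setvar:tx.brute_phpbb_login=yes"
#SecRule ARGS:mode "^login$"
#wikimedia
#"POST /wiki/index.php?title=Special:UserLogin&action=submitlogin&type=login&returnto=Main_Page
#SecRule ARGS:title "^special\:userlogin$"
# "chain,pass,nolog,noauditlog,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,setvar:tx.brute_phpbb_login=yes"
#SecRule ARGS:action "^submitlogin$" chain
#SecRule ARGS:type "^login$"
#SecMarker END_BRUTE_IN

# 377360 (phase 5, logging only): audit-log a POST to wp-login.php that was
# answered with status 200. Presumably a failed WordPress login re-renders the
# form with 200 -- confirm against the protected application.
SecRule REQUEST_METHOD "@streq POST" "phase:5,chain,t:none,auditlog,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure ',id:'377360',rev:2,severity:'4',tag:'no_ar'"
    SecRule REQUEST_URI "/wp-login\.php" "t:none,t:urlDecodeUni,t:lowercase,chain"
    SecRule RESPONSE_STATUS "200" "t:none"

# 377390: deny wp-login.php requests that carry neither a Referer nor a
# User-Agent header ("&VAR @eq 0" counts the header as absent).
SecRule REQUEST_URI "/wp-login\.php" "phase:2,chain,t:none,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,auditlog,deny,log,status:403,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login with no user-agent or referrer, Bot attempting Wordpress Login',id:'377390',rev:3,severity:'2'"
    SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none,chain"
    SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "t:none"

# 377391: companion of 377390 for headers that are present but empty once
# whitespace has been removed.
SecRule REQUEST_URI "/wp-login\.php" "phase:2,chain,t:none,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,auditlog,deny,log,status:403,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login with empty user-agent and referrer, possible bot',id:'377391',rev:4,severity:'2'"
    SecRule REQUEST_HEADERS:User-Agent "^$" "t:none,t:removeWhiteSpace,chain"
    SecRule REQUEST_HEADERS:Referer "^$" "t:none,t:removeWhiteSpace"

#multi-auth blocking for wordpress xmlrpc
#wp.getUsersBlogs
# Gate: only a POST to xmlrpc.php skips the SecAction below and reaches the
# XML-RPC rules; every other request jumps to END_XMLRPC_BRUTE_1.
# NOTE(review): the XML:/* targets used below are only populated when the XML
# request body processor is active; that setup is not visible in this file.
SecRule REQUEST_URI "/xmlrpc\.php" "t:none,t:urlDecodeUni,t:lowercase,phase:2,id:345868,pass,nolog,noauditlog,chain,skip:1"
    SecRule REQUEST_METHOD "@streq POST" "t:none"
SecAction "phase:2,id:323318,t:none,pass,nolog,noauditlog,skipAfter:END_XMLRPC_BRUTE_1"

# 377609: deny a request body that names three XML-RPC methods (wp./blogger./
# mw./mt. followed by get/set/new/edit/delete/suggest) in a single request.
SecRule REQUEST_BODY|XML:/* "(?:wp|blogger|m(?:w|t))\.(?:(?:g|s)et|new|edit|delete|suggest).*(?:wp|blogger|m(?:w|t))\.(?:(?:g|s)et|new|edit|delete|suggest).*(?:wp|blogger|m(?:w|t))\.(?:(?:g|s)et|new|edit|delete|suggest)" "phase:2,t:none,log,auditlog,deny,status:403,msg:'Atomicorp.com WAF Rules - Bruteforce Login Failure Detection: WordPress Multiple Simultaneous Login Attempt Failure ',id:'377609',rev:4,severity:'2'"

# 323338: Jetpack exemption -- skips the system.multicall block (377619).
# The dot in "xmlrpc.php" is now escaped so it only matches a literal dot.
# NOTE(review): the exemption is decided by the request URI alone, which the
# client supplies; consider additionally requiring a known Jetpack source
# address before skipping 377619.
SecRule REQUEST_URI "^/xmlrpc\.php\?for=jetpack" "phase:2,id:323338,t:none,t:lowercase,pass,log,skipAfter:END_XMLRPC_BRUTE_2"

# 377619: deny any XML-RPC request body that mentions system.multicall.
SecRule REQUEST_BODY|XML:/* "system\.multicall" "phase:2,t:none,log,auditlog,deny,status:403,msg:'Atomicorp.com WAF Rules - Bruteforce Login Failure Detection: WordPress Multiple Simultaneous Login Attempt Failure ',id:'377619',rev:2,severity:'2'"
#wp.getUsersBlogs, wp.newPost, wp.editPost, wp.deletePost, wp.getPost, wp.getPosts, wp.newTerm, wp.editTerm, wp.deleteTerm, wp.getTerm, wp.getTerms, wp.getTaxonomy, wp.getTaxonomies, wp.getUser, wp.getUsers, wp.getProfile, wp.editProfile, wp.getPage, wp.getPages, wp.newPage, wp.deletePage, wp.editPage, wp.getPageList, wp.getAuthors, wp.getTags, wp.newCategory, wp.deleteCategory, wp.suggestCategories, wp.getComment, wp.getComments, wp.deleteComment, wp.editComment, wp.newComment, wp.getCommentStatusList, wp.getCommentCount, wp.getPostStatusList, wp.getPageStatusList, wp.getPageTemplates, wp.getOptions, wp.setOptions, wp.getMediaItem, wp.getMediaLibrary, wp.getPostFormats, wp.getPostType, wp.getPostTypes, wp.getRevisions, wp.restoreRevision, blogger.getUsersBlogs, blogger.getUserInfo, blogger.getPost, blogger.getRecentPosts, blogger.newPost, blogger.editPost, blogger.deletePost, mw.newPost, mw.editPost, mw.getPost, mw.getRecentPosts, mw.getCategories, mw.newMediaObject, mt.getRecentPostTitles, mt.getPostCategories, mt.setPostCategories
#
# NOTE(review): in this collapsed copy it is ambiguous whether the marker below
# was commented out; rule 323338 needs it to be live, so it is written live.
SecMarker END_XMLRPC_BRUTE_2

# 377368: deny three wp.getUsersBlogs calls within one XML document.
# Fixes: (1) the method was spelled "getUserBlogs", which is not the
# wp.getUsersBlogs method named in the comments above and in rule 377367;
# (2) "{,400}" is not a PCRE quantifier (it is matched as literal text), so the
# bound is written "{0,400}".
# NOTE(review): the rule was effectively inert before this fix -- run it in
# detection-only mode and review the audit log before enforcing.
SecRule XML:/* "wp\.getUsersBlogs.{0,400}wp\.getUsersBlogs.{0,400}wp\.getUsersBlogs" "phase:2,t:none,auditlog,deny,log,status:403,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Multiple Wordpress Login Attempt Failure ',id:'377368',rev:2,severity:'2'"

# 377367: deny when the document mentions wp.getusersblogs or system.multicall,
# contains "params", and repeats "admin" or "string" within the given bounds.
# The bounds used the same invalid "{,n}" form and are written "{0,n}" here;
# the detection-only caveat above applies to this rule as well.
SecRule XML:/* "(?:wp\.getusersblogs|system\.multicall)" "phase:2,chain,t:none,t:lowercase,auditlog,deny,log,status:403,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Multiple Wordpress Login Attempt Failure ',id:'377367',rev:2,severity:'2'"
    SecRule XML:/* "params" "t:none,t:lowercase,chain"
    SecRule XML:/* "(?:admin.{0,400}admin|string.{0,200}string.{0,200}string.{0,200}string)" "t:none,t:lowercase"
SecMarker END_XMLRPC_BRUTE_1

# --- Outbound (phase 4) login-failure detection on response bodies ---
# 339854: requests on server port 30000 jump straight to END_BRUTE_OUT_1 and so
# bypass the per-application rules (presumably the ASL GUI port -- confirm).
SecRule SERVER_PORT "@streq 30000" "phase:4,id:339854,pass,t:none,nolog,noauditlog,skipAfter:END_BRUTE_OUT_1"
# 333862/333318: cheap pre-filter. Only when the response body contains one of
# these phrases is the SecAction skipped and the slower regex rules evaluated;
# otherwise processing jumps to END_BRUTE_OUT. A rule added below must have a
# keyword in this list or it will never run.
SecRule RESPONSE_BODY "@pm incorrect passwort password wrong match valid unrecognized succeed re-type error sorry, messagestackerror error-msg blank usuario isadmin" "phase:4,id:333862,pass,t:none,nolog,noauditlog,skip:1"
SecAction "phase:4,id:333318,t:none,pass,nolog,noauditlog,skipAfter:END_BRUTE_OUT"
# The rules below log only (pass). ctl:auditLogParts=+E adds the response body
# to the audit record, so those records can hold page content; restrict access
# to the audit log accordingly.
#Login Details Incorrect. Please try again.
# NOTE(review): the pattern below is shown with a line break and appears to
# have lost leading HTML markup in this copy; restore it from the vendor file.
SecRule RESPONSE_BODY "

Login Details Incorrect\. Please try again\." "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: WHMCS login failure',id:'378410',rev:1,severity:'4',tag:'no_ar'"
#Recaptcha invalid response
# The visual confirmation code you submitted was incorrect
#phpbb login failure
SecRule RESPONSE_BODY ">The visual confirmation code you submitted was incorrect" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Recaptcha invalid code',id:'377410',rev:1,severity:'4',tag:'no_ar'"
#vbulletin login failure (this comment previously said phpbb; the rule's msg names VBulletin)
SecRule RESPONSE_BODY "You have entered an invalid username or password\. Please enter the correct details and" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: VBulletin Login Attempt Failure ',id:'377300',rev:1,severity:'4',tag:'no_ar'"
#377301
#phpbb login failure
#You have specified an incorrect password. Please check your password and try again.
SecRule RESPONSE_BODY "You have specified an incorrect password\. Please check your password and try again\." "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: PHPBB Login Attempt Failure ',id:'377301',rev:1,severity:'4',tag:'no_ar'"
#mediawiki
#Incorrect password entered. Please try again
SecRule RESPONSE_BODY "Incorrect password entered\. Please try again\." "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Wikimedia Login Attempt Failure ',id:'377302',rev:1,severity:'4',tag:'no_ar'"
#sugarcrm
SecRule RESPONSE_BODY "You must specify a valid username and password\." "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Sugarcrm Administration system Login Attempt Failure ',id:'377303',rev:1,severity:'4',tag:'no_ar'"
#joomla
#Use a valid username and password to gain access to the Administrator Back-end
# NOTE(review): the first alternative below appears to have lost HTML markup
# (shown as a line break and a bullet), and one character in the Spanish
# alternative looks mis-encoded; both are reproduced as shown -- restore them
# from the vendor file.
SecRule RESPONSE_BODY "(?:

  • Username and password do not match|Use a valid username and password to gain access to the Administrator Back-end|Nombre de usuario y contraseƱa no encontrados|Usuario no existe|Benutzername und Passwort falsch oder das Benutzerkonto existiert noch nicht)" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Joomla Administration Login Attempt Failure ',id:'377304',rev:5,severity:'4',tag:'no_ar'"
#wordpress
#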
    ERROR: The password you entered for the username admin is incorrect. Lost your password?
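    # WordPress login-failure detection on response bodies (phase 4).
    # 377305 / 377605 log only (pass): they match the "Error:" / "ERROR:"
    # failure banner of older and newer WordPress login pages.
    SecRule RESPONSE_BODY "E(?:rror|RROR)\: The password you entered for the username" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: WordPress Login Attempt Failure ',id:'377305',rev:2,severity:'4',tag:'no_ar'"
#Newer versions of WP
SecRule RESPONSE_BODY "E(?:rror|RROR)\: Incorrect password" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: WordPress Login Attempt Failure ',id:'377605',rev:2,severity:'4',tag:'no_ar'"
#Multiple WP xmlrpc brute force
# 377679 / 377689 deny (403) a response that carries three login results at
# once: three "Incorrect username or password" faults, or three isAdmin/boolean
# members. The bounded gaps were written "{,n}", which PCRE does not accept as
# a quantifier (it is matched as literal text), so both rules could not match
# as intended; they are written "{0,n}" here.
# NOTE(review): these deny rules were effectively inert before this fix -- run
# them in detection-only mode and review the audit log before enforcing.
SecRule RESPONSE_BODY|XML:/* "faultString.{0,32}Incorrect username or password.{0,100}faultString.{0,32}Incorrect username or password.{0,100}faultString.{0,32}Incorrect username or password" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,deny,status:403,msg:'Atomicorp.com WAF Rules - Login Failure Detection: WordPress Multiple Simultaneous Login Attempt Failure ',id:'377679',rev:2,severity:'2'"
SecRule RESPONSE_BODY|XML:/* "isAdmin.{0,100}boolean.{0,100}isAdmin.{0,100}boolean.{0,100}isAdmin.{0,100}boolean" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,deny,status:403,msg:'Atomicorp.com WAF Rules - Login Failure Detection: WordPress Multiple Simultaneous Login Attempt Failure ',id:'377689',rev:2,severity:'2'"
#Newer versions of WP XMLRPC API
# 377625 logs a single XML-RPC login failure. The first alternative of the
# group is empty as shown, which makes the faultString prefix optional, so the
# rule reduces to a substring match on the message; the quantifier is corrected
# to "{0,128}" without changing what the rule matches.
SecRule RESPONSE_BODY|XML:/* "(?:|faultString.{0,128})Incorrect username or password" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: WordPress Login Attempt Failure ',id:'377625',rev:3,severity:'4',tag:'no_ar'"
#Newer versions of WP XMLRPC API
# 377626 logs responses reporting an unknown wp.* method. The dot after
# "error" is escaped so it matches a literal full stop only.
SecRule RESPONSE_BODY "server error\. requested method wp\." "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules: Potential WordPress Method Probe Detected ',id:'377626',rev:3,severity:'4',tag:'no_ar'"
#wordpress
#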
    ERROR: Invalid username. Lost your password?
    # 377306: log (pass) a WordPress response that reports an invalid or unknown
    # username. The match is case-sensitive apart from the Error/ERROR variants.
    SecRule RESPONSE_BODY "E(?:rror|RROR): (?:Invalid|Unknown) username" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Wordpress invalid username failure ',id:'377306',rev:2,severity:'4',tag:'no_ar'"
#Drupal
# 377308: log (pass) Drupal's failed-login message; ctl:auditLogParts=+E adds
# the response body to the audit record.
SecRule RESPONSE_BODY "Sorry, unrecognized username or password" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Drupal invalid username or password failure ',id:'377308',rev:2,severity:'4',tag:'no_ar'"
#typo3
#

    Your login attempt did not succeed

    #

    Make sure to spell your username and password correctly, including upper/lowercase characters.

    # 377309: log (pass) the Typo3 failed-login message in the response body.
    # NOTE(review): the pattern is shown split over several lines and appears to
    # have lost its surrounding HTML markup in this copy; restore it from the
    # vendor file before relying on this rule.
    SecRule RESPONSE_BODY "

    Your login attempt did not succeed

    " "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Typo3 invalid username or password failure ',id:'377309',rev:1,severity:'4',tag:'no_ar'"
#modx
#

    That account could not be located. Check the username and re-type the password to try again.

    # 377310: log (pass) the MODX "account could not be located" message.
    # NOTE(review): the pattern ends with a line break and appears to have lost
    # trailing HTML markup in this copy; restore it from the vendor file.
    SecRule RESPONSE_BODY ">That account could not be located\. Check the username and re-type the password to try again\.

    " "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: MODX invalid username failure ',id:'377310',rev:1,severity:'4',tag:'no_ar'"
#

    The username or password you entered is incorrect. Please check the username, re-type the password, and try again.

    # 377311: log (pass) the MODX wrong-password message; the response body is
    # added to the audit record through ctl:auditLogParts=+E.
    SecRule RESPONSE_BODY "The username or password you entered is incorrect\. Please check the username" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: MODX password login failure ',id:'377311',rev:1,severity:'4',tag:'no_ar'"
#moodle
#
    Invalid login, please try again
    # Per-application failed-login messages, matched case-sensitively against the
    # response body. Every rule here only logs (pass) and adds the response body
    # to the audit record (auditLogParts=+E).
    # 377312: Moodle.
    SecRule RESPONSE_BODY ">Invalid login, please try again" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Moodle login failure ',id:'377312',rev:1,severity:'4',tag:'no_ar'"
#Plesk
#You have entered incorrect username or password.
SecRule RESPONSE_BODY "You have entered incorrect username or password\." "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Plesk login failure ',id:'377313',rev:1,severity:'4',tag:'no_ar'"
#oscommerce customer login
#Error: No match for E-Mail Address and/or Password.
SecRule RESPONSE_BODY "Error\: No match for E-Mail Address and/or Password\." "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Oscommerce customer login failure ',id:'377314',rev:1,severity:'4',tag:'no_ar'"
#oscommerce admin login
SecRule RESPONSE_BODY "(?:Error\: Identification of the store administrator failed\.|Invalid administrator login attempt\.)" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Oscommerce admin login failure ',id:'377315',rev:2,severity:'4',tag:'no_ar'"
#zencart customer login
#Error: Sorry, there is no match for that email address and/or password.You entered the wrong username or password.
# NOTE(review): the heading above says "customer login" but the rule's msg
# reports a ZenCart admin login failure; confirm which form this message
# belongs to.
SecRule RESPONSE_BODY "messageStackError\">You entered the wrong username or password\." "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: ZenCart admin login failure ',id:'377316',rev:1,severity:'4',tag:'no_ar'"
#dokuwiki
#
    Sorry, username or password was wrong.
    # 377317 (Dokuwiki) and 377319 (Magento admin): log (pass) failed-login
    # messages found in the response body.
    # NOTE(review): both patterns are shown with line breaks and list bullets
    # where HTML markup appears to have been lost in this copy; they are
    # reproduced as shown and should be restored from the vendor file.
    SecRule RESPONSE_BODY "
    Sorry, username or password was wrong\." "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Dokuwiki login failure ',id:'377317',rev:1,severity:'4',tag:'no_ar'"
# magento customer
# Please enter a valid email address. For example johndoe@domain.com.
#SecRule RESPONSE_BODY "Please enter a valid email address\. For example johndoe@domain.com\."
# "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Magento customer login failure ',id:'377318',rev:1,severity:'4'"
# magento admin
#
    • Invalid Username or Password. SecRule RESPONSE_BODY "
      • Invalid Username or Password\." "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Magento admin login failure ',id:'377319',rev:1,severity:'4',tag:'no_ar'"
# prestashop invalid password
#
      • Invalid password
      # 377320 / 377321: log (pass) Prestashop failed-login messages (invalid
      # password; unknown employee or wrong password).
      # NOTE(review): the bullets and list numbers below stand where HTML markup
      # appears to have been lost in this copy; the text is reproduced as shown
      # and should be restored from the vendor file.
      • SecRule RESPONSE_BODY "
      • Invalid password
      • " "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Prestashop login failure (invalid password)',id:'377320',rev:1,severity:'4',tag:'no_ar'"
# prestashop invalid email
#
        1. Employee does not exist or password is incorrect.
        2. SecRule RESPONSE_BODY "
        3. Employee does not exist or password is incorrect\.
        4. " "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Prestashop login failure (invalid email)',id:'377321',rev:1,severity:'4',tag:'no_ar'"
# prestashop blank password
#
          1. Password is blank
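          # 377322: log (pass) the Prestashop "Password is blank" message.
          # NOTE(review): the list numbers below stand where HTML markup appears
          # to have been lost in this copy; the rule is reproduced as shown and
          # should be restored from the vendor file.
          2. SecRule RESPONSE_BODY "
          3. Password is blank
          4. " "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Prestashop login failure (blank password)',id:'377322',rev:1,severity:'4',tag:'no_ar'"
#phpbb login failure (incorrect username)
#You have specified an incorrect username. Please check your username and try again.
SecRule RESPONSE_BODY "You have specified an incorrect username\. Please check your username and try again\." "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: PHPBB Login Attempt Failure - Incorrect Username ',id:'377326',rev:1,severity:'4',tag:'no_ar'"
#377324 is next
SecMarker END_BRUTE_OUT_1

#ASL bruteforce
# 377307: log (pass) the ASL GUI failed-login message. As shown, the first
# alternative already matches everything the second one does (possibly lost
# markup in this copy).
SecRule RESPONSE_BODY "(?:Invalid username or password|class=\"td_login_fail\">Invalid username or password)" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: ASL GUI invalid username or password failure ',id:'377307',rev:3,severity:'4',tag:'no_ar'"

# Phase 5 gate: only URIs starting with /login/?login_only=1 skip the SecAction
# and reach the cPanel rules; everything else jumps to END_BRUTE_OUT.
SecRule REQUEST_URI "^/login/\?login_only=1" "t:none,t:urlDecodeUni,t:lowercase,phase:5,id:335897,pass,nolog,noauditlog,skip:1"
SecAction "phase:5,id:333319,t:none,pass,nolog,noauditlog,skipAfter:END_BRUTE_OUT"
#Cpanel
# 377363: audit-log a POST to the cPanel/WHM login endpoint answered with 401.
SecRule REQUEST_METHOD "@streq POST" "phase:5,chain,t:none,auditlog,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Cpanel WHM Login Attempt Failure ',id:'377363',rev:2,severity:'4',tag:'no_ar'"
    SecRule REQUEST_URI "^/login/\?login_only=1" "chain,t:none,t:urlDecodeUni,t:lowercase"
    SecRule RESPONSE_STATUS "401" "t:none"
#successful cpanel root login
# 377364: audit-log a successful (200) login for the user "root". The user
# match is anchored ("^root$"): the unanchored form also fired for any account
# name that merely contains "root", which made this alert unreliable.
SecRule REQUEST_METHOD "@streq POST" "phase:5,chain,t:none,auditlog,pass,msg:'Atomicorp.com WAF Rules - Login Detection: Cpanel WHM root Login succeeded ',id:'377364',rev:2,severity:'5',tag:'no_ar'"
    SecRule REQUEST_URI "^/login/\?login_only=1" "chain,t:none,t:urlDecodeUni,t:lowercase"
    SecRule ARGS:user "^root$" "chain,t:none,t:urlDecodeUni,t:lowercase"
    SecRule RESPONSE_STATUS "200" "t:none"

# --- Disabled per-IP WordPress failure counters (kept as comments, unchanged) ---
#SecRule REQUEST_FILENAME "/wp-login\.php" "chain,phase:4,severity:2,id:377365,t:none,t:lowercase,t:urlDecodeUni,deny,status:403,msg:'Atomicorp.com WAF Rules - Login Detection: Wordpress Admin Authentication Failure Violation.',logdata:'Number of Authentication Failures in 60 seconds: %{ip.failed_auth_attempt}'"
# SecRule REQUEST_METHOD "@streq POST" "t:none,chain"
# SecRule ARGS:log "admin" "chain,t:none,t:lowercase,t:urlDecodeUni"
# SecRule RESPONSE_STATUS "200" "chain,t:none"
# SecRule RESPONSE_BODY "@contains Error:Incorrect password." "chain,t:none,setvar:ip.failed_auth_attempt=+1,expirevar:ip.failed_auth_attempt=60"
# SecRule IP:FAILED_AUTH_ATTEMPT "@gt 5"
#
#SecRule REQUEST_FILENAME "/wp-login\.php" "chain,phase:4,severity:2,id:377366,t:none,t:lowercase,t:urlDecodeUni,deny,status:403,msg:'Atomicorp.com WAF Rules - Login Detection: Wordpress Authentication Failure Violation.',logdata:'Number of Authentication Failures in 60 seconds: %{ip.failed_auth_attempt} '"
# SecRule REQUEST_METHOD "@streq POST" "t:none,chain"
# SecRule RESPONSE_STATUS "200" "chain,t:none"
# SecRule RESPONSE_BODY "@contains Error:Incorrect password." "chain,t:none,setvar:ip.failed_auth_attempt=+1,expirevar:ip.failed_auth_attempt=60"
# SecRule IP:FAILED_AUTH_ATTEMPT "@gt 10"
SecMarker END_BRUTE_OUT

#Wordpress login probes
# 307367: count HEAD requests to wp-login.php per client in ip.login_probe
# (expires after 60 seconds) and deny once the counter exceeds 5.
# NOTE(review): the IP collection must be initialised (initcol) for the counter
# to persist; that is not visible in this file -- confirm it happens elsewhere.
SecRule REQUEST_URI "wp-login\.php" "chain,phase:2,id:307367,severity:2,t:none,t:lowercase,t:urlDecodeUni,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules - Login Brute Force: Wordpress Authentication Probes detected .',logdata:'Number of probes in 60 seconds: %{ip.login_probe} '"
    SecRule REQUEST_METHOD "@streq HEAD" "t:none,chain,setvar:ip.login_probe=+1,expirevar:ip.login_probe=60"
    SecRule IP:LOGIN_PROBE "@gt 5"
#WHMCS login probes (this comment previously said cpanel; the rule's msg names WHMCS)
# 317368: deny every HEAD request to dologin.php or clientarea.php; there is no
# counter or threshold on this rule.
SecRule REQUEST_URI "(?:dologin|clientarea)\.php" "chain,phase:2,severity:2,id:317368,t:none,t:lowercase,t:urlDecodeUni,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules: WHMCS brute force probe blocked.'"
    SecRule REQUEST_METHOD "@streq HEAD" "t:none"
#Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
#SecRule REQUEST_HEADERS:User-Agent "MSIE 7\.0"
#"chain,phase:2,log,deny,auditlog,t:none,id:354322,rev:3,severity:4,msg:'Atomicorp.com WAF Rules: Cpanel brute force attack detected'"
#SecRule REQUEST_URI "(?:dologin|clientarea)\.php" "t:none,t:lowercase"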