# Default action list for this configuration context: a rule that follows and
# does not specify its own actions logs to the error log and audit log and
# denies the transaction with HTTP 403. Phase 2 is the request-body phase.
SecDefaultAction "log,deny,auditlog,phase:2,status:403"
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Application Security Rules for modsec 2.9+
#
# Created by Atomicorp (http://www.atomicorp.com)
# Copyright 2005-2019 by Atomicorp, all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
#
# Do not edit this file!
# This file is generated and changes will be overwritten.
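#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
#
#SecRule REQUEST_METHOD "^post$"
#phase:2,pass,t:none,t:lowercase,nolog,skip:1
#SecAction phase:2,t:none,pass,nolog,skipAfter:END_BRUTE_IN
#vbulletin
#set a variable that someone tried to login
#SecRule REQUEST_URI "/login\.php"
# "pass,nolog,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,setvar:tx.brute_vbulletin_login=yes,noauditlog,nolog,id:377400,rev:1,severity:2"
#SecRule ARGS:do "^login$"
#PHP logins
#SecRule REQUEST_URI "/ucp\.php"
# "chain,pass,nolog,noauditlog,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,setvar:tx.brute_phpbb_login=yes"
#SecRule ARGS:mode "^login$"
#wikimedia
#"POST /wiki/index.php?title=Special:UserLogin&action=submitlogin&type=login&returnto=Main_Page
#SecRule ARGS:title "^special\:userlogin$"
# "chain,pass,nolog,noauditlog,t:none,t:urlDecodeUni,t:lowercase,t:replaceNulls,t:compressWhiteSpace,setvar:tx.brute_phpbb_login=yes"
#SecRule ARGS:action "^submitlogin$" chain
#SecRule ARGS:type "^login$"
#SecMarker END_BRUTE_IN

# ---------------------------------------------------------------------------
# WordPress wp-login.php
# ---------------------------------------------------------------------------

# 377360 - detection only (pass), evaluated in phase 5 (logging).
# Chain: method is POST -> URI contains /wp-login.php -> response status
# matches "200". Writes an audit-log entry; the request is never blocked.
# NOTE(review): tag 'no_ar' presumably means "no active response" - confirm.
SecRule REQUEST_METHOD "@streq POST" \
    "phase:5,chain,t:none,auditlog,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure ',id:'377360',rev:2,severity:'4',tag:'no_ar'"
    SecRule REQUEST_URI "/wp-login\.php" "t:none,t:urlDecodeUni,t:lowercase,chain"
    SecRule RESPONSE_STATUS "200" "t:none"

# 377390 - deny (403) any request for /wp-login.php that carries neither a
# Referer nor a User-Agent header. The &VARIABLE form counts headers, so
# "@eq 0" means the header is absent. Both headers are client-supplied, so
# this only filters clients that do not bother to send them.
SecRule REQUEST_URI "/wp-login\.php" \
    "phase:2,chain,t:none,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,auditlog,deny,log,status:403,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login with no user-agent or referrer, Bot attempting Wordpress Login',id:'377390',rev:3,severity:'2'"
    SecRule &REQUEST_HEADERS:Referer "@eq 0" "t:none,chain"
    SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "t:none"

# 377391 - companion to 377390: both headers are present but empty (or only
# whitespace, which t:removeWhiteSpace strips before the ^$ test).
SecRule REQUEST_URI "/wp-login\.php" \
    "phase:2,chain,t:none,t:utf8toUnicode,t:urlDecodeUni,t:lowercase,auditlog,deny,log,status:403,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login with empty user-agent and referrer, possible bot',id:'377391',rev:4,severity:'2'"
    SecRule REQUEST_HEADERS:User-Agent "^$" "t:none,t:removeWhiteSpace,chain"
    SecRule REQUEST_HEADERS:Referer "^$" "t:none,t:removeWhiteSpace"

# ---------------------------------------------------------------------------
# WordPress xmlrpc.php
# ---------------------------------------------------------------------------
#multi-auth blocking for wordpress xmlrpc
#wp.getUsersBlogs

# Gate for the section. 345868 matches a POST to a URI containing /xmlrpc.php
# and then skips exactly one rule (the SecAction below), so the xmlrpc checks
# run. Every other request reaches 323318 and jumps to END_XMLRPC_BRUTE_1.
# NOTE(review): XML:/* is only populated when the XML request body processor
# ran for the request, and REQUEST_BODY is not available for every content
# type - confirm the main configuration enables both for text/xml posts,
# otherwise the rules in this section have nothing to inspect.
SecRule REQUEST_URI "/xmlrpc\.php" \
    "t:none,t:urlDecodeUni,t:lowercase,phase:2,id:345868,pass,nolog,noauditlog,chain,skip:1"
    SecRule REQUEST_METHOD "@streq POST" "t:none"
SecAction "phase:2,id:323318,t:none,pass,nolog,noauditlog,skipAfter:END_XMLRPC_BRUTE_1"

# 377609 - deny when the body names three or more XML-RPC methods from the
# wp./blogger./mw./mt. families (verb prefixes get, set, new, edit, delete,
# suggest) in a single request. This rule sits before the Jetpack exemption
# below, so it applies to Jetpack-flagged requests as well.
SecRule REQUEST_BODY|XML:/* "(?:wp|blogger|m(?:w|t))\.(?:(?:g|s)et|new|edit|delete|suggest).*(?:wp|blogger|m(?:w|t))\.(?:(?:g|s)et|new|edit|delete|suggest).*(?:wp|blogger|m(?:w|t))\.(?:(?:g|s)et|new|edit|delete|suggest)" \
    "phase:2,t:none,log,auditlog,deny,status:403,msg:'Atomicorp.com WAF Rules - Bruteforce Login Failure Detection: WordPress Multiple Simultaneous Login Attempt Failure ',id:'377609',rev:4,severity:'2'"

# 323338 - Jetpack exemption: a URI beginning /xmlrpc.php?for=jetpack skips
# rule 377619 (the system.multicall block) by jumping to END_XMLRPC_BRUTE_2.
# Fix: the dot in "xmlrpc.php" is now escaped so it matches a literal dot only.
# NOTE(review): the exemption is keyed solely on the request's own query
# string, which the client controls. Consider pairing it with a source-address
# condition for Jetpack traffic before skipping 377619 - TODO confirm how
# Jetpack requests reach this host. The rule logs every hit but has no msg.
SecRule REQUEST_URI "^/xmlrpc\.php\?for=jetpack" \
    "phase:2,id:323338,t:none,t:lowercase,pass,log,skipAfter:END_XMLRPC_BRUTE_2"

# 377619 - deny any xmlrpc POST whose body mentions system.multicall.
SecRule REQUEST_BODY|XML:/* "system\.multicall" \
    "phase:2,t:none,log,auditlog,deny,status:403,msg:'Atomicorp.com WAF Rules - Bruteforce Login Failure Detection: WordPress Multiple Simultaneous Login Attempt Failure ',id:'377619',rev:2,severity:'2'"

#wp.getUsersBlogs, wp.newPost, wp.editPost, wp.deletePost, wp.getPost, wp.getPosts, wp.newTerm,
# wp.editTerm, wp.deleteTerm, wp.getTerm, wp.getTerms, wp.getTaxonomy, wp.getTaxonomies, wp.getUser,
# wp.getUsers, wp.getProfile, wp.editProfile, wp.getPage, wp.getPages, wp.newPage, wp.deletePage,
# wp.editPage, wp.getPageList, wp.getAuthors, wp.getTags, wp.newCategory, wp.deleteCategory,
# wp.suggestCategories, wp.getComment, wp.getComments, wp.deleteComment, wp.editComment,
# wp.newComment, wp.getCommentStatusList, wp.getCommentCount, wp.getPostStatusList,
# wp.getPageStatusList, wp.getPageTemplates, wp.getOptions, wp.setOptions, wp.getMediaItem,
# wp.getMediaLibrary, wp.getPostFormats, wp.getPostType, wp.getPostTypes, wp.getRevisions,
# wp.restoreRevision, blogger.getUsersBlogs, blogger.getUserInfo, blogger.getPost,
# blogger.getRecentPosts, blogger.newPost, blogger.editPost, blogger.deletePost, mw.newPost,
# mw.editPost, mw.getPost, mw.getRecentPosts, mw.getCategories, mw.newMediaObject,
# mt.getRecentPostTitles, mt.getPostCategories, mt.setPostCategories
#
# Landing point for the Jetpack exemption (323338).
SecMarker END_XMLRPC_BRUTE_2

# 377368 - deny three wp.getUsersBlogs calls placed within 400 characters of
# one another in the parsed XML.
# Fix 1: the pattern said "wp.getUserBlogs"; the method (see the list above
#        and rule 377367) is wp.getUsersBlogs. No t:lowercase is applied, so
#        the match is case-sensitive.
# Fix 2: "{,400}" is not a quantifier in the PCRE versions ModSecurity 2.x
#        builds against; it is matched as the literal characters "{,400}", so
#        the rule could not fire as written. "{0,400}" is the bounded form.
# NOTE(review): this file is generated; carry the fix through the vendor
# procedure referenced in the header and bump rev there.
SecRule XML:/* "wp\.getUsersBlogs.{0,400}wp\.getUsersBlogs.{0,400}wp\.getUsersBlogs" \
    "phase:2,t:none,auditlog,deny,log,status:403,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Multiple Wordpress Login Attempt Failure ',id:'377368',rev:2,severity:'2'"

# 377367 - deny when the lower-cased XML mentions wp.getusersblogs or
# system.multicall, also contains "params", and shows either "admin" twice
# within 400 characters or "string" four times at most 200 characters apart.
# Fix: "{,400}" / "{,200}" replaced by "{0,400}" / "{0,200}" for the same
# reason as in 377368; with the literal form the last link of the chain could
# not match, which disabled the whole rule.
SecRule XML:/* "(?:wp\.getusersblogs|system\.multicall)" \
    "phase:2,chain,t:none,t:lowercase,auditlog,deny,log,status:403,msg:'Atomicorp.com WAF Rules - Login Failure Detection: Multiple Wordpress Login Attempt Failure ',id:'377367',rev:2,severity:'2'"
    SecRule XML:/* "params" "t:none,t:lowercase,chain"
    SecRule XML:/* "(?:admin.{0,400}admin|string.{0,200}string.{0,200}string.{0,200}string)" "t:none,t:lowercase"

# Landing point for non-xmlrpc requests (323318).
SecMarker END_XMLRPC_BRUTE_1

# ---------------------------------------------------------------------------
# Outbound login-failure detection (phase 4, response body)
# ---------------------------------------------------------------------------
# NOTE(review): RESPONSE_BODY is only populated when response body access is
# enabled (SecResponseBodyAccess On) and the response MIME type is selected
# for buffering - confirm in the main configuration.

# 339854 - transactions on server port 30000 jump to END_BRUTE_OUT_1 (marker
# not visible in this part of the file).
SecRule SERVER_PORT "@streq 30000" \
    "phase:4,id:339854,pass,t:none,nolog,noauditlog,skipAfter:END_BRUTE_OUT_1"

# 333862 - keyword prefilter. If the response body contains any of the listed
# phrases, skip one rule (the SecAction below) and continue into the
# per-application failure patterns. Otherwise 333318 jumps to END_BRUTE_OUT
# (marker not visible in this part of the file).
SecRule RESPONSE_BODY "@pm incorrect passwort password wrong match valid unrecognized succeed re-type error sorry, messagestackerror error-msg blank usuario isadmin" \
    "phase:4,id:333862,pass,t:none,nolog,noauditlog,skip:1"
SecAction "phase:4,id:333318,t:none,pass,nolog,noauditlog,skipAfter:END_BRUTE_OUT"

#Login Details Incorrect. Please try again.
# 378410 - WHMCS login failure, detection only (pass). ctl:auditLogParts=+E
# adds audit-log part E for the matching transaction.
# NOTE(review): the pattern as visible here starts at "Login Details"; the
# listing breaks the line right after the opening quote, so any leading
# characters of the original pattern are not shown - confirm against the
# vendor copy.
SecRule RESPONSE_BODY "Login Details Incorrect\. Please try again\." \
    "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: WHMCS login failure',id:'378410',rev:1,severity:'4',tag:'no_ar'"
#Recaptcha invalid response
#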
Make sure to spell your username and password correctly, including upper/lowercase characters.
SecRule RESPONSE_BODY "That account could not be located. Check the username and re-type the password to try again.
The username or password you entered is incorrect. Please check the username, re-type the password, and try again.
# 377311 - MODX login failure, detection only: the rule runs in phase 4, logs
# the match to the error and audit logs, and passes the response through.
# ctl:auditLogParts=+E adds audit-log part E (the response body) for the
# matching transaction.
# NOTE(review): RESPONSE_BODY is only populated when response body access is
# enabled in the main configuration, and part E stores page content in the
# audit log - confirm both are intended for login pages.
SecRule RESPONSE_BODY "The username or password you entered is incorrect\. Please check the username" "phase:4,t:none,log,auditlog,ctl:auditLogParts=+E,pass,msg:'Atomicorp.com WAF Rules - Login Failure Detection: MODX password login failure ',id:'377311',rev:1,severity:'4',tag:'no_ar'"
#moodle
#