iniApp
/
modsecurity-waf
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
modsecurity-waf/nginx-waf/13_asl_brute_enhanced.conf

40 lines
2.0 KiB
Plaintext
Raw Permalink Blame History

SecDefaultAction "log,deny,auditlog,phase:2,status:403"
# http://www.atomicorp.com/
# Atomicorp (Gotroot.com) ModSecurity rules
# Application Security Rules for modsec 2.5+
#
# Created by Atomicorp (http://www.atomicorp.com)
# Copyright 2005-2016 by Atomicorp, all rights reserved.
# Redistribution is strictly prohibited in any form, including whole or in part.
#
# Distribution of this work or derivative of this work in any form is
# prohibited unless prior written permission is obtained from the
# copyright holder.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
# THE POSSIBILITY OF SUCH DAMAGE.
#
#---ASL-CONFIG-FILE---
#
# Do not edit this file!
# This file is generated and changes will be overwritten.
#
# If you need to make changes to the rules, please follow the procedure here:
# http://www.atomicorp.com/wiki/index.php/Mod_security
#
#Wordpress login probes
SecRule REQUEST_FILENAME "/wp-login\.php" "chain,phase:2,severity:2,id:307368,t:none,t:lowercase,t:urlDecodeUni,deny,log,auditlog,status:403,msg:'Atomicorp.com WAF Rules - Login Brute Force: Possible Wordpress Authentication Probes detected .',logdata:'Number of probes in 60 seconds: %{ip.login_probe} '"
SecRule REQUEST_METHOD "@streq GET" "t:none,chain,setvar:ip.login_probe=+1,expirevar:ip.login_probe=60"
SecRule IP:LOGIN_PROBE "@gt 10"
Reference in New Issue View Git Blame Copy Permalink