These instructions are for a standard cPanel install but will work on any server with mod_security; only the paths and file names may differ.
edit /usr/local/apache/conf/modsec2.user.conf and add:
Quote:
<LocationMatch "/wp-login.php">
    SecAction initcol:ip=%{REMOTE_ADDR},pass,nolog,id:313371
    SecAction "phase:5,deprecatevar:ip.counter=2/30,pass,nolog,id:313372"
    SecRule IP:COUNTER "@gt 1" "phase:2,pause:3000,deny,status:406,setenv:RATELIMITED,skip:1,log,id:313373"
    SecAction "phase:2,pass,setvar:ip.counter=+1,nolog,id:313374"
</LocationMatch>
edit /usr/local/apache/conf/modsec2.conf and add:
Quote:
SecDataDir /usr/local/apache/logs/modsec
mkdir /usr/local/apache/logs/modsec
chown root:nobody /usr/local/apache/logs/modsec
Important Note:
Make sure you have a proper ErrorDocument 406 set up in the Apache httpd.conf or the mod_security config. For example:
ErrorDocument 406 "Not Acceptable" (on cPanel you don't have to do this)
When a bot or a user tries to brute force wp-login.php they will receive a simple plain-text page saying Not Acceptable instead of having WordPress render an error page, which would consume valuable CPU resources. This helps cut down on the load issues even further.
taken from: http://www.webhostingtalk.com/showpost.php?p=8639061&postcount=42
=======================================
Additional rules taken from: http://www.webhostingtalk.com/showpost.php?p=9180012&postcount=2
#Wordpress Brute Force detection
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},id:5000134
<LocationMatch "/wp-login.php">
    # Setup brute force detection.
    # React if block flag has been set.
    SecRule ip:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes.'"
    # Setup Tracking. On a successful login, a 302 redirect is performed, a 200 indicates login failed.
    SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
    SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
        SecRule ip:bf_counter "@gt 10" "t:none,setvar:ip.bf_block=1,expirevar:ip.bf_block=300,setvar:ip.bf_counter=0"
</LocationMatch>

SecResponseBodyAccess On
<LocationMatch "/administrator/index.php">
    # Setup brute force detection.
    # React if block flag has been set.
    SecRule ip:bf_block "@gt 0" "deny,status:401,log,id:5000235,msg:'ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes.'"
    # Count brutes:
    SecRule RESPONSE_BODY "Username and password do not match" "phase:4,t:none,nolog,chain,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000237"
        SecRule ip:bf_counter "@gt 10" "t:none,setvar:ip.bf_block=1,expirevar:ip.bf_block=300,setvar:ip.bf_counter=0"
</LocationMatch>
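Before deploying either rule set it helps to work out what the per-IP counters actually do over time, since the rate-limit rules (ids 313371-313374) and the failed-login rules (ids 5000134-5000137 and 5000235-5000237) use different counters and different decay windows. The Python model below is an added example, not code from the forum posts or from ModSecurity; it simulates the collection variables so you can feed it a constructed sequence of requests and see which ones each rule set would deny. Its reading of the semantics is an assumption to check against the ModSecurity reference manual: deprecatevar subtracts the amount for every full period elapsed since the collection last changed (integer division, floored at zero), expirevar drops the flag once its expiry passes, and the phase-5 rules run after the response status is known, denied requests included. The IP addresses and timings are constructed.

```python
"""Model of the per-IP counters behind the two mod_security rule sets above.

Constructed example: approximates ModSecurity 2 collection semantics so the
rules can be reasoned about offline. Not the forum's code and not ModSecurity.
"""

from dataclasses import dataclass, field


@dataclass
class Counter:
    """A numeric variable in the ip collection (ip.counter, ip.bf_counter)."""
    value: int = 0
    last_update: int = 0   # models the collection's __last_update_time

    def deprecate(self, now: int, amount: int, period: int) -> None:
        # deprecatevar:ip.x=amount/period (assumed ModSecurity 2 arithmetic):
        # drop `amount` for every full `period` seconds since the last change.
        steps = (now - self.last_update) // period
        new_value = max(0, self.value - steps * amount)
        if new_value != self.value:
            self.value = new_value
            self.last_update = now

    def set(self, now: int, value: int) -> None:
        self.value = value
        self.last_update = now


@dataclass
class RateLimiter:
    """Rule ids 313371-313374: deny (406) when ip.counter is already above 1;
    the counter decays by 2 every 30 s."""
    ips: dict = field(default_factory=dict)

    def request(self, ip: str, now: int) -> int:
        c = self.ips.setdefault(ip, Counter(last_update=now))
        # phase 2: rule 313373 denies, and its skip:1 bypasses rule 313374,
        # so a denied request does not increment the counter
        if c.value > 1:
            status = 406
        else:
            c.set(now, c.value + 1)
            status = 200
        # phase 5: rule 313372 decays the counter after every request, which
        # is why the first request after the window still sees the old value
        c.deprecate(now, 2, 30)
        return status


@dataclass
class LoginFailureTracker:
    """Rule ids 5000134-5000137 (same logic as 5000235-5000237): count failed
    logins, reset on success, decay by 1 every 180 s, and set a 300 s block
    flag once more than 10 failures accumulate."""
    counters: dict = field(default_factory=dict)
    block_until: dict = field(default_factory=dict)  # expirevar:ip.bf_block=300

    def request(self, ip: str, now: int, login_ok: bool) -> int:
        # expired flags are dropped when the collection is loaded
        if self.block_until.get(ip, 0) <= now:
            self.block_until.pop(ip, None)
        # phase 2: rule 5000135 denies with 401 while ip.bf_block is set
        if ip in self.block_until:
            return 401
        c = self.counters.setdefault(ip, Counter(last_update=now))
        status = 302 if login_ok else 200   # 302 = login succeeded, 200 = failed
        if status == 302:
            c.set(now, 0)                    # rule 5000136
        else:
            c.deprecate(now, 1, 180)         # rule 5000137: deprecatevar
            c.set(now, c.value + 1)          # rule 5000137: setvar +1
            if c.value > 10:                 # chained rule: block for 300 s
                self.block_until[ip] = now + 300
                c.set(now, 0)
        return status


def simulate_rate_limit(times):
    """Statuses for requests to wp-login.php from one IP at the given second offsets."""
    rl = RateLimiter()
    return [rl.request("198.51.100.7", t) for t in times]   # constructed IP


def simulate_logins(events):
    """Statuses for (time, login_ok) events from one IP."""
    tracker = LoginFailureTracker()
    return [tracker.request("198.51.100.7", t, ok) for t, ok in events]


if __name__ == "__main__":
    print(simulate_rate_limit([0, 5, 10, 11, 50, 51]))
    failures = [(i * 10, False) for i in range(11)]   # 11 failures within 100 s
    print(simulate_logins(failures + [(110, False), (399, True), (400, True)]))
```

Running it shows the difference between the two designs: the first rule set denies the third request within the window regardless of whether the logins succeeded, while the second only blocks after more than 10 failed logins and lets a successful login reset the count. Note that the model ignores the 3 s `pause` on rule 313373 and treats each request as instantaneous.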