Session cookies are randomly generated strings, and at times you get this pattern in such an identifier. A fresh installation of the core rules will typically have some false alarms. Step 2: Getting an Overview. The character of the application, the paranoia level and the amount of traffic all influence the number of false positives you get in your logs. In fact, a limit of 5 is really strong (the first critical alert already blocks a request), but for sites with lower security needs, a limit of 10 might just be good enough. It's caused by submitting a single parameter multiple times. Time to reduce the anomaly threshold to 50, let it rest a bit and then examine the logs for the third batch.
There is no easy answer. The other way is to lock wp-login. In many installations I have seen, this was the end of the story. Of course we will probably have to redo it every time WordPress gets updated. Each time a login attempt is made, it requires a connection to the database and an attempt to query the login details and match them against the data in the user profile.
This is usually done because argument foo often causes this rule to fire incorrectly. Unfortunately this can also leave your WordPress customers without access to their sites if they, for instance, hit their WordPress admin dashboard and hit refresh 5 times. You can assign your custom rules IDs from the 1-99999 range. In some special cases, namely at higher paranoia levels, there can be thousands of them. The firewall has three different modes, so you can activate and disable it with a single click, or set it to detection mode, in which it maintains a log of all attacks but does nothing to prevent them. So this might be a situation where it makes sense to disable a whole class of rules.
The next one will look into setting up a reverse proxy. And, in fact, the password field is not a typical target of an attack. In the previous tutorial, we saw that writing this kind of rule is cumbersome. It takes a bit of experience to make the right choice, and very often multiple approaches can be suitable. Or you can concentrate on the rules that are triggered most often.
And this is not an exceptional effect. What you need is a real set of false alarms. React if block flag has been set. So it may not work on your system to just copy that file. We have successfully fought all the false positives of a content management system with peculiar parameter formats and a ModSecurity rule set pushed to insanely paranoid levels.
It would be nice to have a script do the work for us. You should write up your re-install note, more completely, as an answer to your own question, wait a bit for commentary on it, and then consider closing the question with your answer as the correct way to solve the real problem. This boils down to a run-time exclusion rule. Let's get an overview of the situation: let's look at the example logs! Common attack string for MySQL, Oracle and others. And it sounds like you've gone back to the old version when you manually reinstalled ModSecurity.
That's more than 40 critical alerts on a single request (a critical alert gives 5 points, so 40 critical alerts score 200). But then this is an exercise, so we will keep it simple: let's kick this rule out completely. The problem with this encoding is that session cookies can sometimes contain this pattern. The risk is that a false positive raises an alarm, the wrong customer's browser is blocked, a phone call to the manager ensues and you are forced to switch off the Web Application Firewall. The rules which we use on our servers are a combination of commercial ones we get from a security company and custom ones which are added by our staff to improve the protection of any web applications hosted on our end.
We could look at this in great detail and check out all the different parameters triggering this rule. We have now reached the end of the block consisting of three ModSecurity tutorials. Actually, anything above 100 is now gone. This is a hexadecimal encoding which can point to an exploit being used. Yes it does, but we need to keep things in perspective. The codes should be randomly generated using PHP code that allows you to write text to an image; again, no MySQL is used. 3. After x attempts, we no longer even allow them to try to enter this code, and they are redirected to an HTML file with instructions as to what to do if they are legit. When testing the difference, the rule with the exclamation mark gives me the results I want by not applying that Rule ID when that argument is present.
But in practice, this won't work outside of the rarest of cases. It's still the same traffic, but with fewer alerts, again thanks to the rule exclusions. What rules are behind these remaining alerts? It sounds like the right answer and will help future visitors. Or, looking forward a bit, we can expect other funny passwords to trigger all sorts of rules on the password field. Much easier to check for the actual module, as long as you build httpd 2. Our next goal is the group of requests with a score of 60.