Bruteforce Wordpress

c0r3dump3d · July 9, 2018, 1:03pm

Hi, I’m trying to implement a Wordpress bruteforce protection at haproxy level, version 1.5.18 in CentOS 7. I’m folowing the manual https://www.haproxy.com/blog/wordpress-cms-brute-force-protection-with-haproxy/ but I’m not able to make it work.
In the frontend section I have:

    tcp-request inspect-delay 10s
    tcp-request content accept if HTTP

    acl wp_login path_beg -i /wp-login.php
    acl flagged_as_abuser        sc1_get_gpc0 gt 0
    stick-table type binary len 20 size 500 store gpc0
    tcp-request content track-sc1  base32+src if METH_POST wp_login
    http-request deny  if flagged_as_abuser

In the backend section I have:

    tcp-request inspect-delay 10s
    tcp-request content accept if HTTP
    acl wp_login path_beg -i /wp-login.php
    stick-table type binary len 20 size 500 store gpc0,http_req_rate(5s)
    tcp-request content track-sc2  base32+src if METH_POST wp_login
    stick store-request base32+src            if METH_POST wp_login
    acl bruteforce_detection  sc2_http_req_rate gt 5
    acl flag_bruteforce       sc1_inc_gpc0      gt 0
    http-request deny if bruteforce_detection flag_bruteforce

Whe I show the table in the backend I see that the http_req_rate always has zero value:

   # table: webphp56_servers, type: binary, size:500, used:6
   0x5578f86675e4: key=3AAE35AFC1C9E0C1000000000000000000000000 use=0 exp=0 server_id=10    gpc0=0 http_req_rate(5000)=0
   0x5578f8907874: key=4C6CF94FBB10374B000000000000000000000000 use=0 exp=0 server_id=10 gpc0=0 http_req_rate(5000)=0
  0x5578f8a994f4: key=CE6B86EB8ACC472F000000000000000000000000 use=0 exp=0 server_id=7 gpc0=0 http_req_rate(5000)=0

What am I doing wrong?

Thank you in advance.

c0r3dump3d · July 10, 2018, 11:26am

Hi, I have found one possible solution using other proposals again from haproxy blog (https://www.haproxy.com/blog/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/) and from (https://gist.github.com/jeremyj/e964a951634f1997daea) with some minor modifications:

In the frontend section you must to put:

acl wp_login path_end -i /wp-login.php
stick-table type ip size 1m expire 60s store gpc0,http_req_rate(10s)
tcp-request content track-sc1 src if METH_POST wp_login
tcp-request content reject if { src_get_gpc0 gt 0 }
http-request deny if { src_get_gpc0 gt 0 }

In the backend section the confguration is:

acl abuse src_http_req_rate(web_http) ge 5
acl flag_abuser src_inc_gpc0(web_http) ge 0
http-request deny if abuse flag_abuser

In this case I consider an abuser 5 login attemps in 10 seconds.

if it can be useful to someone else an I have put this solution in a github:

Topic		Replies	Views
Haproxy 1.8 sc0_get_gpc0 activate acl from bad request count Help!	1	1061	January 11, 2018
HAProxy rate limit questions Help!	0	575	September 29, 2019
ACL trouble, only works if I negate the ACL in the if statement Help!	5	477	October 26, 2021
HAProxy Ratelimit using stick table Help!	1	510	January 2, 2019
User Authentication Help!	1	271	April 2, 2022

Bruteforce Wordpress

Related Topics