File: //etc/httpd/modsecurity.d/activated_rules/opalstack_bruteforce_xmlrpc.conf
# Per-request bootstrap for the throttling rules below: open two persistent
# collections, both keyed on the client address. Because both keys are
# REMOTE_ADDR, a reverse proxy or CDN in front of Apache would make every
# client share one counter (NOTE(review): confirm REMOTE_ADDR is the real
# client address here). Persistent collections also need a writable
# SecDataDir, which is configured elsewhere.
SecAction "id:6,phase:1,pass,nolog,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR}"

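<LocationMatch "/(xmlrpc|wp-login|wp-comments-post)\.php$">
    # Brute-force throttle. Every POST to one of the matched scripts bumps
    # ip.bf_counter; deprecatevar decays it by 1 every 180s (a leaky bucket,
    # not a hard 180-second window). Once the counter exceeds 10 the client is
    # flagged in user.bf_block for 300s and every further request to these
    # paths is denied. A 302 response (e.g. a successful wp-login) resets the
    # counter so legitimate users are not accumulated.
    # NOTE(review): the match is anchored on ".php$", so a request carrying
    # trailing path info (/wp-login.php/x) is not covered if the PHP handler
    # accepts it -- confirm AcceptPathInfo/handler behaviour on this host.
    SecRule REQUEST_METHOD "^POST$" "chain,phase:2,t:none,nolog,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:10010"
        SecRule ip:bf_counter "@gt 10" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
    # RESPONSE_STATUS is only populated in the response phases. Without an
    # explicit phase this rule inherits the default (phase 2 unless an earlier
    # SecDefaultAction says otherwise) and would never match, so a successful
    # login would not reset the counter and the rule would degrade to
    # "more than 10 POSTs of any outcome". phase:3 evaluates it once the
    # response headers are known.
    SecRule RESPONSE_STATUS "^302" "phase:3,t:none,nolog,setvar:ip.bf_counter=0,id:10011"
    # Enforcement; runs after 10010 in the same phase, so the request that
    # trips the threshold is itself denied. 401 is kept as the existing
    # status for compatibility with current monitoring; 429 (Too Many
    # Requests) would be the semantically correct code for a rate limit.
    SecRule user:bf_block "@gt 0" "phase:2,deny,status:401,log,id:10012,msg:'ip address %{IP.KEY} blocked for 300 seconds: more than 10 non-302 POSTs to xmlrpc.php/wp-login.php/wp-comments-post.php in 180 seconds.'"
</LocationMatch>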

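<LocationMatch "/(xmlrpc|wp-login)\.php$">
    # Oversized-body throttle: a POST to xmlrpc.php or wp-login.php whose
    # body exceeds 10 KiB flags the client in user.big_block for 300s; the
    # block rule below then denies that request and every following one to
    # these paths until the flag expires.
    # REQUEST_BODY_LENGTH is only meaningful after the body has been read,
    # i.e. in phase 2 with SecRequestBodyAccess On (configured elsewhere --
    # NOTE(review): confirm it is On, otherwise this rule never trips and a
    # large body is only subject to the global SecRequestBodyLimit).
    # Logging for a chain is governed by the starter's nolog, so the "log"
    # on the chained rule is most likely inert; the deny in 10021 is what
    # produces the audit entry.
    # NOTE(review): legitimate XML-RPC clients can exceed 10 KiB (e.g. media
    # uploads from the WordPress mobile apps); verify the threshold against
    # real traffic before relying on it.
    SecRule REQUEST_METHOD "^POST$" "chain,phase:2,t:none,nolog,id:10020"
        SecRule REQUEST_BODY_LENGTH "@gt 10240" "t:none,log,setvar:user.big_block=1,expirevar:user.big_block=300"
    # 401 kept for compatibility with existing monitoring; 429 would be the
    # accurate status for a throttle.
    SecRule user:big_block "@gt 0" "phase:2,deny,status:401,log,id:10021,msg:'ip address %{IP.KEY} blocked for 300 seconds: >10k POST to xmlrpc.php/wp-login.php.'"
</LocationMatch>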