I run several hosting servers and recently I have experienced a lot of bruteforce attacks against Joomla-based websites. Attackers seem to try a bruteforce against the administrator/index.php page.
I usually lock out IPs when they try to bruteforce WordPress logins with the following ruleset:
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},id:5000134
<Locationmatch "/wp-login.php">
SecRule ip:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes.'"
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
SecRule ip:bf_counter "@gt 10" "t:none,setvar:ip.bf_block=1,expirevar:ip.bf_block=300,setvar:ip.bf_counter=0"
</Locationmatch>
But I can't find a similar rule for Joomla!, since response status is "303 see other" both with valid password and invalid password.
Any help? Thanks in advance!
Best Answer
So, here's my answer.
By inspecting the return headers I noticed that the Joomla! backend returns some HTTP headers when the login is correct, and doesn't return them when the login is invalid.
e.g., the P3P header is returned after a successful login, so I just look for its length being > 0:
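An added example, not part of the original question or answer: a Joomla! counterpart of the WordPress rule set in the question, built on the answer's observation that a successful backend login carries a P3P response header while a failed one does not. It assumes ModSecurity 2.x with SecRequestBodyAccess On (so ARGS_POST is populated) and SecDataDir configured for the persistent ip collection, that the admin login form posts task=login to /administrator/index.php (the case for Joomla! 2.5 and 3.x; verify for your version), and that the P3P behaviour holds on your install. The rule ids 5000140-5000143 are arbitrary and must not collide with ids already in use.

```apache
# Added example (not from the original post): Joomla! admin brute-force
# throttle keyed on the P3P response header described in the answer.
# Assumption: the ip collection is not already initialised elsewhere; if the
# WordPress SecAction with initcol:ip already exists, drop this line.
SecAction "phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},id:5000140"

<LocationMatch "^/administrator/index\.php$">
    # Reject already-flagged IPs in phase 1, before the request reaches Joomla!.
    SecRule ip:bf_block "@gt 0" \
        "phase:1,deny,status:401,log,id:5000141,\
        msg:'IP blocked for 5 minutes: more than 10 failed Joomla! admin logins in 3 minutes'"

    # Successful login: Joomla! sets P3P on the 303 redirect, so reset the counter.
    # Assumption: the backend login form posts task=login (Joomla! 2.5/3.x).
    SecRule REQUEST_METHOD "@streq POST" \
        "phase:5,chain,t:none,nolog,pass,id:5000142"
        SecRule ARGS_POST:task "@streq login" "chain,t:none"
        SecRule &RESPONSE_HEADERS:P3P "@gt 0" "t:none,setvar:ip.bf_counter=0"

    # Failed login: same 303, but no P3P header. Count it, let the counter decay
    # by 1 every 180 seconds, and flag the IP for 300 seconds once it passes 10.
    # setvar in an inner chain rule fires when that rule matches, so the counter
    # increments on every failed POST even when the final "@gt 10" check fails,
    # exactly as the WordPress rules rely on.
    SecRule REQUEST_METHOD "@streq POST" \
        "phase:5,chain,t:none,nolog,pass,id:5000143"
        SecRule ARGS_POST:task "@streq login" "chain,t:none"
        SecRule &RESPONSE_HEADERS:P3P "@eq 0" \
            "chain,t:none,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180"
        SecRule ip:bf_counter "@gt 10" \
            "t:none,setvar:ip.bf_block=1,expirevar:ip.bf_block=300,setvar:ip.bf_counter=0"
</LocationMatch>
```

Confirm the header difference on your own install first by sending one failed and one valid login with curl -i and comparing the responses: if a later Joomla! release stops emitting P3P, the failure branch counts every login, valid ones included, and locks administrators out of their own site. Restricting the counting rules to POSTs with task=login matters for the same reason; a plain GET of the login page also comes back without P3P and would otherwise be counted as a failed attempt.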