@Hoggins wrote:
Hello!
I have already posted this on the mailing list, but maybe it's easier to discuss my issue here. Here's the thing:
Hi folks!
I'm trying to follow the instructions found here:
on how to protect some WordPress sites against blind and repetitive login attempts, but I can't seem to make it effective. Would you mind commenting on my config to help me understand why it's not working?
It's only the protection part that is not working: the rest of the service is OK, and has always been. It's just that I recently added the recipe found on the HAProxy blog, and I get no result.
My peers definition:
    peers mypeers
        peer machine1.fqdn haproxy-1:1024
        peer machine2.fqdn haproxy-2:1024
        peer machine3.fqdn haproxy-3:1024
My frontend definition:
    frontend wordpress-frontend
        bind X.X.X.X:80
        bind Y.Y.Y.Y:80
        mode http
        tcp-request inspect-delay 10s
        tcp-request content accept if HTTP
        # <==== despite what was written on the blog post, HAProxy refused to accept "tcp-request" without the "content" keyword. I guess this is expected.
        acl wp_login path_beg -i /wp-login.php
        acl flagged_as_abuser sc1_get_gpc0 gt 0
        stick-table type binary len 20 size 500 store gpc0 peers mypeers
        tcp-request content track-sc1 base32+src if METH_POST wp_login
        use_backend bk_login_abusers if flagged_as_abuser
        default_backend wordpress-http-backend
My backend definition:
    backend wordpress-http-backend
        tcp-request inspect-delay 10s
        tcp-request content accept if HTTP
        # brute force protection
        acl wp_login path_beg -i /wp-login.php
        stick-table type binary len 20 size 500 store http_req_rate(20s) peers mypeers
        tcp-request content track-sc2 base32+src if METH_POST wp_login
        stick store-request base32+src if METH_POST wp_login
        acl bruteforce_detection sc2_http_req_rate gt 2
        # <===== adjusted to "2" to see if I got anything better. No luck.
        acl flag_bruteforce sc1_inc_gpc0 gt 0
        http-request deny if bruteforce_detection flag_bruteforce
        balance roundrobin
        option http-server-close
        option forwardfor
        option httpchk GET /haproxy-check.php HTTP/1.1\r\nHost:\ backend.address.fqdn
        http-check expect string ALLOK
        http-check disable-on-404
        server web-1 web-1:80 check slowstart 5000ms
        server web-2 web-2:80 check slowstart 5000ms
        server web-3 web-3:80 check slowstart 5000ms
        server sorry-1 webfront-1:50000 check backup
        server sorry-2 webfront-2:50000 check backup
My sandbox backend:
    backend bk_login_abusers
        mode http
        log global
        option httplog
        timeout tarpit 1s
        http-request tarpit
        errorfile 500 /etc/haproxy/errorfiles/wp_fake_login.http
        errorfile 503 /etc/haproxy/errorfiles/wp_fake_login.http
Finally, the contents of the stick tables:
    # table: wordpress-frontend, type: binary, size:500, used:0
    # table: wordpress-http-backend, type: binary, size:500, used:6
    0xe71b10: key=410B34765BD290FF000000000000000000000000 use=0 exp=0 server_id=2 http_req_rate(20000)=0
    0xe4abd0: key=410B3476B2891330000000000000000000000000 use=0 exp=0 server_id=1 http_req_rate(20000)=0
    0xdb7e50: key=B77846E1A2F88FA1000000000000000000000000 use=0 exp=0 server_id=2 http_req_rate(20000)=0
    0xe4fd00: key=BA68E942D972C985000000000000000000000000 use=0 exp=0 server_id=1 http_req_rate(20000)=0
    0xdb7f00: key=C45BC90B5BC80C04000000000000000000000000 use=0 exp=0 server_id=1 http_req_rate(20000)=0
    0xdb7da0: key=F58B492055EE71FC000000000000000000000000 use=0 exp=0 server_id=1 http_req_rate(20000)=0
I tested with cURL, sending a lot of POST requests to the /wp-login.php address (more than twice per 20s, for sure), but the counters don't rise. I'm open to new ideas on how to solve my case, and to corrections of mistakes in my config.
Thanks!
Hoggins!
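Added example, not the poster's config nor the blog's recipe: the detection parts of the same setup with each track-sc rule placed before its accept rule, since HAProxy stops evaluating tcp-request content rules as soon as an accept rule matches (with accept first, the track rules never run, which leaves the frontend table empty and http_req_rate at 0, exactly as in the dump above). Host names, addresses and the error file path are kept from the post as placeholders.

```haproxy
peers mypeers
    peer machine1.fqdn haproxy-1:1024
    peer machine2.fqdn haproxy-2:1024
    peer machine3.fqdn haproxy-3:1024

frontend wordpress-frontend
    bind X.X.X.X:80
    bind Y.Y.Y.Y:80
    mode http
    acl wp_login path_beg -i /wp-login.php
    # gpc0 holds the "flagged as abuser" marker and is shared through the peers section
    acl flagged_as_abuser sc1_get_gpc0 gt 0
    stick-table type binary len 20 size 500 store gpc0 peers mypeers
    tcp-request inspect-delay 10s
    # track BEFORE accept: a matching accept ends tcp-request content evaluation
    tcp-request content track-sc1 base32+src if METH_POST wp_login
    tcp-request content accept if HTTP
    use_backend bk_login_abusers if flagged_as_abuser
    default_backend wordpress-http-backend

backend wordpress-http-backend
    mode http
    acl wp_login path_beg -i /wp-login.php
    # POST rate per (client address, login URL) key over a sliding 20s window
    stick-table type binary len 20 size 500 store http_req_rate(20s) peers mypeers
    tcp-request inspect-delay 10s
    # same rule here: the rate counter is only updated if track-sc2 actually runs
    tcp-request content track-sc2 base32+src if METH_POST wp_login
    tcp-request content accept if HTTP
    stick store-request base32+src if METH_POST wp_login
    acl bruteforce_detection sc2_http_req_rate gt 2
    # evaluated only once bruteforce_detection is true (conditions short-circuit);
    # the increment sets the shared gpc0 flag seen by the frontend on the next request
    acl flag_bruteforce sc1_inc_gpc0 gt 0
    http-request deny if bruteforce_detection flag_bruteforce
    balance roundrobin
    option http-server-close
    option forwardfor
    server web-1 web-1:80 check slowstart 5000ms
    server web-2 web-2:80 check slowstart 5000ms
    server web-3 web-3:80 check slowstart 5000ms

backend bk_login_abusers
    mode http
    # flagged clients get a slow fake login page instead of the real one
    timeout tarpit 1s
    http-request tarpit
    errorfile 500 /etc/haproxy/errorfiles/wp_fake_login.http
```

A quick check after reloading: `show table wordpress-frontend` on the stats socket should now list one entry per client that POSTed to /wp-login.php, with gpc0=1 on any key that has been flagged.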