nbs-system / naxsi

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
GNU General Public License v3.0

Brute Force Using WPScan #620

Closed sahrulfatih closed 11 months ago

sahrulfatih commented 2 years ago

Hi, I'm trying to do a brute-force attack on my WordPress site using WPScan and secure it using naxsi. What kind of rules are suitable for this kind of attack?

wargio commented 2 years ago

It depends on the requests. You can try to check what logs it generates and also dump the request parameters.

sahrulfatih commented 2 years ago

Thanks for your reply.

I want to block WPScan from scanning users and authors on my WordPress site.

This is the access log from nginx:

[screenshot: nginx access log]

And what are the exact naxsi rules for blocking based on the WPScan User-Agent?

Thanks..

wargio commented 2 years ago

First, I would suggest using these rules: https://github.com/wargio/naxsi/tree/main/naxsi_rules/blocking (and if you are not yet, please use my repository for naxsi, since this one is abandoned; I'm the only active developer).

Second, I guess I haven't yet added the wpscan UA to the scanner list rule (I will make an MR after writing this), but depending on what is in the request you should probably create custom rules, also because there are many WP plugins, so it is kind of hard to keep track of all of them.

Anyway, the rule for blocking the wpscan UA is simply:

```
MainRule id:1234567 "s:$UWA:8" "str:wpscan" "mz:$HEADERS_VAR:User-Agent" "msg:wpscan in user-agent";
```

Another suggestion is to have more data in the logs, like the request parameters of POST requests, etc., but you need to set up custom logs on nginx for that.

On my setup, where I do use naxsi, I have configured nginx to output JSON logs and send them to Logstash, which parses them; the Logstash output is then sent to Elasticsearch + Kibana, where I have a nice graph with details, etc.

[screenshot: Kibana dashboard]

Then what I do is look at the traffic and check which parameters look suspicious, and I create rules. Most of the "bad traffic" can simply be blocked by adding bad user-agent rules in naxsi.

sahrulfatih commented 2 years ago

Thanks for your response.

I have used your repository and tried the naxsi rule to block the WPScan UA, and set a custom log in nginx. The result in the nginx error log: it successfully blocked WPScan. I then tried to enumerate authors/users on WordPress; even after the WPScan UA was successfully blocked in the nginx log, users/authors can still be found. What are the proper rules to block WPScan from enumerating authors/users? Also, can naxsi block the IP address?

[screenshot: WPScan log]

Thanks

wargio commented 2 years ago

I do not think there is much you can do there, if those APIs are intended to be used by the blog. If they are not, then you can just ban the API call with a rule.

sahrulfatih commented 2 years ago

Any suggestion or tutorial on how to do that?

wargio commented 2 years ago

It could be something like this:

```
MainRule id:123456789 "s:$UWA:8" "str:author" "mz:ARGS|NAME" "msg:block author enumeration";
```

These are well explained in the wiki:
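The two rules quoted in this thread (the wpscan User-Agent rule and the `author` parameter-name rule) only raise the `$UWA` score; nothing is blocked unless the location that serves the request also carries a `CheckRule` for `$UWA`. The following nginx configuration is an added example, not code from the thread or from the naxsi project, showing how the pieces fit together: the custom MainRules next to the core ruleset, a JSON access log of the kind the maintainer describes, and the CheckRules inside the PHP location. Assumptions: naxsi is compiled into nginx, `naxsi_core.rules` comes from wargio's repository, the site lives in `/var/www/blog`, PHP-FPM listens on the socket named below, and the blog does not need the public WordPress REST users endpoint (`/wp-json/wp/v2/users`), which is the other place WPScan reads usernames from; the rule ids are arbitrary user ids (naxsi reserves ids 0 to 999 for its own rules).

```nginx
# Added example, not from the issue thread or the naxsi project.
# Assumptions: naxsi compiled in, naxsi_core.rules from wargio's repo,
# site root /var/www/blog, PHP-FPM on the socket below, and no public
# need for the WordPress REST users endpoint. Rule ids are arbitrary.

http {
    include /etc/nginx/naxsi_core.rules;

    # Custom MainRules live at http level next to the core ruleset.
    # "s:$UWA:8" only adds 8 to the $UWA score of the request; the block
    # decision is taken by the CheckRule for $UWA in the location below.
    # A MainRule whose variable has no CheckRule is logged but never enforced.
    # str: matches are case-insensitive, so "WPScan" in the UA is caught too.
    MainRule id:1234567 "str:wpscan" "msg:wpscan in user-agent" "mz:$HEADERS_VAR:User-Agent" "s:$UWA:8";

    # Query-string parameters whose NAME contains "author" (the ?author=1
    # enumeration). Caveat: this also matches legitimate forms that use a
    # field such as "author_name". mz:ARGS|NAME covers the query string only;
    # POST bodies need a separate rule with mz:BODY|NAME.
    MainRule id:1234568 "str:author" "msg:block author enumeration" "mz:ARGS|NAME" "s:$UWA:8";

    # "Ban the API call": the REST users listing. Assumption: the blog does
    # not need it publicly. mz:URL matches against the request path.
    MainRule id:1234569 "str:/wp-json/wp/v2/users" "msg:block REST user listing" "mz:URL" "s:$UWA:8";

    # JSON access log that can be shipped to Logstash/Elasticsearch.
    # $request_body is only filled when nginx buffers the body, which is the
    # case for requests passed to fastcgi_pass.
    log_format naxsi_json escape=json
        '{"time":"$time_iso8601","remote_addr":"$remote_addr",'
        '"request":"$request","status":$status,'
        '"user_agent":"$http_user_agent","request_body":"$request_body"}';

    server {
        listen 80;
        server_name blog.example.com;
        root /var/www/blog;
        access_log /var/log/nginx/blog.json naxsi_json;

        # WordPress routes everything through index.php, so the internal
        # redirect from try_files lands in the PHP location, where naxsi runs.
        location / {
            try_files $uri $uri/ /index.php?$args;
        }

        location ~ \.php$ {
            SecRulesEnabled;
            # Start with LearningMode; enabled so matches only go to error_log
            # (NAXSI_FMT lines); remove it once no legitimate traffic hits
            # the rules.
            DeniedUrl "/RequestDenied";
            CheckRule "$SQL >= 8" BLOCK;
            CheckRule "$RFI >= 8" BLOCK;
            CheckRule "$TRAVERSAL >= 5" BLOCK;
            CheckRule "$EVADE >= 8" BLOCK;
            CheckRule "$XSS >= 8" BLOCK;
            # Each custom rule above scores 8, so one hit reaches the threshold.
            CheckRule "$UWA >= 8" BLOCK;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php-fpm.sock;
        }

        # Blocked requests are redirected here internally; answer 403.
        location /RequestDenied {
            internal;
            return 403;
        }
    }
}
```

To check the setup, send a request with `-A wpscan` and one to `/?author=1` with curl: both should receive 403 (or, while `LearningMode;` is still set, pass through and leave a `NAXSI_FMT` line in the nginx error log naming the rule id). The static `location /` is deliberately left without naxsi directives here; if static files must also be inspected, copy the same directives into it.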