-1

In Apache access log, I'm seeing far too many entries containing:

POST /wp-login.php HTTP/1.1" 302

indicating successful logins (because status is 302) - but too many too quickly to be genuine (human) logins.

I want to see what's in their POST data, so I have mod_security 2.x installed, together with OWASP 3.1.0.

But I don't see any of these entries being caught by mod_security in modsec_audit.log

I do see other POST transactions in modsec_audit.log, so I think mod_security is working.

I'm wondering if the OWASP Wordpress Exclusion Rules are suppressing it and, if so, how to change those rules in a way which will log the POST data without denying genuine logins?

flymike
  • 935
  • 2
  • 9
  • 18
  • What is `SecAuditEngine` set to in your ModSecurity config? Typically ModSecurity only puts blocked requests into the audit log, not successful requests like 302s. – Barry Pollard Jul 16 '19 at 20:23
  • Thank you! Yes, SecAuditEngine is set to RelevantOnly. So, I think I need to configure it to On for transactions with POST to wp-login. I would appreciate a pointer to any document which will help me with that. I find the Reference Manual to be a little sparse. – flymike Jul 17 '19 at 02:47

1 Answers1

0

Typically ModSecurity only adds an audit log for requests that it blocks. This is because those requests are usually the ones you want more info on, to understand why it was blocked. Additionally you would not want your audit log to log every request as they are large entries and the log would get quite large on even a moderately used web server.

In this case the request was not blocked by ModSecurity and passed back the 302 request so I would not expect the request to be in the audit log in typically ModSecurity setups.

As discussed in the comments your SecAuditEngine config setting was set to RelevantOnly which is the typical setting following above logic. So the other POST entries you saw must be for POST requests that were ultimately blocked by ModSecurity. Change the SecAuditEngine value to On to log all transactions and you should see what you want. As I say this will log a lot of data so you probably only want it on for a short time. Alternatively you could write a rule to only turn on the AuditEngine for these transactions to reduce

SecRule REQUEST_URI “@beginswith /wp-login.php” \
“phase:2,id:1234,nolog,ctl:auditEngine=On,pass”

It should also be noted that this will log all POST params including the password (in pwd param). This is considered pretty bad form (even system administrators should not know passwords as they should be stored as one way hashes), so you should sanitise this argument to prevent it being logged into the audit log by setting this rule first:

SecRule ARGS_NAMES "pwd" "phase:5,id:1233,nolog,pass,sanitiseMatched,t:lowercase"
Barry Pollard
  • 40,655
  • 7
  • 76
  • 92