Captcha down?
Morten, Tuesday, 14 March 2017
Hello,

I had the impression that the captcha system was running locally on our hosting server?
I tested with a brute force attack on WordPress, and after the upgrade it just keeps loading. In the end it shows an error. See attachment.
Attachments (1)
#1 Morten, 14.03.2017 14:03:22
Imunify360 is loaded and running:
service imunify360 status
Redirecting to /bin/systemctl status imunify360.service
● imunify360.service - Imunify360 agent
Loaded: loaded (/usr/lib/systemd/system/imunify360.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2017-03-14 15:34:05 CET; 5min ago
Process: 114458 ExecStart=/usr/bin/imunify360-agent start --daemon --pidfile /var/run/imunify360.pid (code=exited, status=0/SUCCESS)
Main PID: 114478 (imunify360-agen)
CGroup: /system.slice/imunify360.service
└─114478 /opt/alt/python35/bin/python3 /usr/bin/imunify360-agent start --daemon --pidfile /var/run/imunify360.pid

But if I restart, I pass through to the website again. And if I refresh, I see that the IP is blocked in CSF.
Still some bugs there...
#2 Oleksiy S, 14.03.2017 15:03:27
Please expect the fix for this bug (jira id DEF-1152) to be released today.

Could you please attach the output of the
# imunify360-agent doctor
command, so we can follow up on whether our guess regarding this bug is correct.

Thank you,
Imunify developer
#3 Morten, 15.03.2017 00:03:46
Key: AGSSbjYPaIQIHC5dCv.b0ab343e-87f1-4d94-859f-a22de6194b67
#4 Oleksiy S, 15.03.2017 10:03:01
> I tested with a brute force attack on WordPress, and after the upgrade the captcha just keeps loading. In the end it shows an error. See attachment.

Hi Morten,

Please update to the recent Imunify 1.1.4-9 bugfix release. The captcha issue should be fixed now.

Thank you,
Imunify developer
#5 Morten, 15.03.2017 14:03:14
Using: 1.1.4-9.el7

I tested again on a domain with WP and did a brute force. I got blocked by CSF/LFD because it allows fewer retries before blocking. So I turned off CSF/LFD, and in the end I got the message:
405: Method Not Allowed

No captcha to remove the greylist at all.
But if I change the URL from http://domain.tld/wp-login.php to domain.tld in the browser, I get the captcha screen.
#6 Oleksiy S, 15.03.2017 15:03:07
Morten,

Could you please list here the ModSecurity settings from this command:
# whmapi1 modsec_get_settings | grep -A20 SecRuleEngine

Thank you,
Imunify developer
#7 Morten, 15.03.2017 20:03:55
directive: SecRuleEngine
engine: 1
name: Rules Engine
radio_options:
  -
    name: Process the rules.
    option: 'On'
  -
    name: Do not process the rules.
    option: 'Off'
  -
    name: Process the rules in verbose mode, but do not execute disruptive actions.
    option: DetectionOnly
setting_id: 2
state: DetectionOnly
type: radio
url: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#secruleengine
-
  default: 'Off'
  description: Disables backend compression while leaving the frontend compression enabled.
  directive: SecDisableBackendCompression
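The listing above reports "state: DetectionOnly" for SecRuleEngine, which the option text in the same output describes as processing the rules without executing disruptive actions. The script below is an added example, not code from the thread or from Imunify360: it scans a constructed sample in the layout of "whmapi1 modsec_get_settings" and reports whether the rules engine is set to enforce, so the same check can be run over a server's real listing.

```python
"""Report whether a cPanel ModSecurity rules engine setting actually enforces.
Parses the layout printed by `whmapi1 modsec_get_settings` (as in the thread).
Only `On` executes disruptive actions; `DetectionOnly` processes the rules
without executing disruptive actions, and `Off` skips the rules entirely."""
import re

# Constructed sample mirroring the page's listing; not captured from a real server.
SAMPLE = """\
data:
  settings:
    -
      directive: SecRuleEngine
      name: Rules Engine
      state: DetectionOnly
      type: radio
    -
      default: 'Off'
      directive: SecDisableBackendCompression
      state: 'Off'
"""

# Only `directive:` and `state:` keys matter; quotes around the value are optional.
KEY_RE = re.compile(r"\s*(directive|state):\s*'?([^']*?)'?\s*$")

def parse_settings(text):
    """Return {directive: state}. A line scanner stands in for a YAML library so
    the check needs no extra packages; it relies on `directive:` preceding
    `state:` within each entry, which is the key order in the page's output."""
    settings, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "directive":
            current = value
        elif current is not None:
            settings[current] = value
            current = None
    return settings

def rule_engine_enforces(settings):
    """True only when SecRuleEngine is On; DetectionOnly and Off never block."""
    return settings.get("SecRuleEngine") == "On"

# Usage: paste the real listing in place of SAMPLE (or read it from stdin).
print("SecRuleEngine enforcing:", rule_engine_enforces(parse_settings(SAMPLE)))
```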
#8 Oleksiy Shchukin, 16.03.2017 10:03:33
Hi Morten,

> Using: 1.1.4-9.el7
>
> I tested again on a domain with WP and did a brute force. I got blocked by CSF/LFD because it allows fewer retries before blocking. So I turned off CSF/LFD, and in the end I got the message:
> 405: Method Not Allowed
>
> No captcha to remove the greylist at all.
> But if I change the URL from domain.tld/wp-login.php to domain.tld in the browser, I get the captcha screen.

Unfortunately, I cannot reproduce this bug in my test environment. Could you please open a helpdesk request and upload the Imunify doctor key from this command:
# imunify360-agent doctor

Thank you for the feedback,
#9 Morten, 20.03.2017 13:03:19
I will do some more testing, but I used Opera with its built-in VPN to test this. I will also test Chrome and other browsers, as I suspect it may work fine in Chrome only...
#10 Morten, 20.03.2017 14:03:53
I tested on a new server where I installed IM360.
First I tested with CWAF and CSF/LFD enabled. I got blocked by CSF after around 30 attempts and lost the connection to the server.

Then I disabled CSF/LFD and started a brute force on a customer's WP login page again. After 120 login attempts I gave up! I can see them in CWAF in WHM, but I cannot find any trace of the IP in IM360 :(

I used Chrome to test with.
#11 Nikolay, 20.03.2017 15:03:28
Can you send support the output of "imunify360-agent doctor"?

--
imunify360 dev team
#12 Morten, 20.03.2017 15:03:09
Sure, here it is:
Key: AGSSUKajNN0hg71rhR.f1a213e6-3a9b-4595-9e81-933ddc4292f5

I tried the brute force from a VPN with IP:
82.103.128.158
#13 Nikolay, 20.03.2017 15:03:36
I don't see the imunify360 ModSecurity ruleset. Can you enable it in "Home » Security Center » ModSecurity™ Vendors » Manage Vendors"?
Link to ruleset
#14 Morten, 20.03.2017 15:03:03
> I don't see the imunify360 ModSecurity ruleset. Can you enable it in "Home » Security Center » ModSecurity™ Vendors » Manage Vendors"?
> Link to ruleset

Hmmm... So you will be providing mod_security rules?
We used to use CWAF for mod_security rules, and in the future use IM360 as the firewall, so IM360 can block those requests that are triggered by CWAF!?
#15 Nikolay, 20.03.2017 16:03:42
Currently, imunify360 without csf/lfd integration does not block WAF requests. Though we have a rule in the IM360 ruleset for many WP login attempts, and it should block the IP.

We planned to add blocking on alerts from the WAF in the future, but not in the next release.

--
imunify360 dev team
#16 Morten, 21.03.2017 10:03:11
> Currently, imunify360 without csf/lfd integration does not block WAF requests. Though we have a rule in the IM360 ruleset for many WP login attempts, and it should block the IP.
>
> We planned to add blocking on alerts from the WAF in the future, but not in the next release.
>
> --
> imunify360 dev team

Well, customers got the captcha page when they triggered the OWASP WAF rules that were installed with IM360. So you did block the requests (greylist). But that is only when CSF/LFD is enabled?

Blocking alerts are not needed, since this whole process should be automatic for both server admins and customers when they can use the captcha.

Could you list the ruleset and rules you are implementing/using?
The most important rules you should have, as CWAF has, are:
xmlrpc.php attacks (brute force) for WordPress
wp-login.php attacks (brute force) for WordPress
administrator.php attacks (brute force) for Joomla
There should also be a similar rule for Drupal, but I cannot remember the URL.
#17 Nikolay, 21.03.2017 10:03:28
> Well, customers got the captcha page when they triggered the OWASP WAF rules that were installed with IM360. So you did block the requests (greylist). But that is only when CSF/LFD is enabled?

Yes.

> Could you list the ruleset and rules you are implementing/using?
> The most important rules you should have, as CWAF has, are:
> xmlrpc.php attacks (brute force) for WordPress
> wp-login.php attacks (brute force) for WordPress
> administrator.php attacks (brute force) for Joomla
> There should also be a similar rule for Drupal, but I cannot remember the URL.

Now we are blocking the IP only for "wp-login.php attacks (brute force) for WordPress" from ModSecurity, if csf/lfd is disabled and the I360 ruleset is enabled.

--
imunify360 dev team
#18 Dmitriy, 24.03.2017 11:03:50
> Then I disabled CSF/LFD and started a brute force on a customer's WP login page again.

In this case, try refreshing the page using Ctrl+Shift+F5 / Ctrl+Shift+R. That makes the captcha appear.