Connection to self-hosted wordpress instance is not blocked by the security plugin (ModSecurity).
First time, I connect to my self-hosted instance with the app, the connection works fine. But when I try to post a new blogpost (draft), the connection times out (the application is trying to upload, but does not finish). Checking the logs of the website, I found the following entries:
error_gotowanie_php.log:[Tue Mar 10 18:20:31.037061 2020] [:error] [pid 4291] [client 90.92.138.186:56956] [client 90.92.138.186] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 20 at IP:bf_counter. [file "/etc/httpd/conf.modules.d/10-mod_security.conf"] [line "92"] [id "10033"] [msg "90.92.138.186 dropped in iptables/ip6tables for 10 minutes because of suspected brute-force attack."] [hostname "gotowanie.telenczuk.pl"] [uri "/xmlrpc.php"] [unique_id "XmfabnHkKlCquUpAPDY8AgAAAAU"]
...
error_gotowanie_php.log:[Tue Mar 10 18:20:31.108362 2020] [:error] [pid 4291] [client 90.92.138.186:56974] [client 90.92.138.186] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 3 at IP:bfb_counter. [file "/etc/httpd/conf.modules.d/10-mod_security.conf"] [line "89"] [id "10032"] [msg "90.92.138.186 dropped in iptables/ip6tables for multiple attacks."] [hostname "gotowanie.telenczuk.pl"] [uri "/xmlrpc.php"] [unique_id "Xmfab3HkKlCquUpAPDY8BgAAAAU"]
As above.
Here are some further details from my provider (WebFaction):
It looks like it was blocked due to excess connections to a WordPress app, in this case the xmlrpc.php URI. If an IP hits that more than 20 times in 1 minute it is blocked in iptables for 10 minutes. If an IP is blocked 3 times in 3 hours it is dropped permanently in iptables.
We don't permit whitelists or changes to this, you will need to work within the limits to avoid this in the future.
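To make the provider's description concrete, here is a small added model (not the provider's rule set and not code from the app) of the two counters the quoted log lines name: `bf_counter`, which trips when one IP reaches 20 hits on `/xmlrpc.php` within a minute and earns a 10-minute block, and `bfb_counter`, which trips on the third such block within 3 hours and drops the IP for good. The thresholds use the `GE 20` / `GE 3` semantics from the log lines; the window lengths, the client IP `203.0.113.7` and the request timestamps are constructed for the demonstration. It also includes a helper that pulls the bracketed `[key "value"]` fields out of a ModSecurity error-log entry, fed with the first denial quoted above, so the `id`, `uri` and `msg` can be checked programmatically.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Policy constants as described by the provider in the thread; the exact
# window lengths are assumptions that match that description and the
# "Operator GE matched 20 / 3" wording of the quoted log lines.
PROTECTED_URI = "/xmlrpc.php"
HIT_WINDOW_S = 60            # hits to the URI are counted over 1 minute
HIT_THRESHOLD = 20           # bf_counter >= 20  -> temporary block
TEMP_BLOCK_S = 10 * 60       # dropped in iptables for 10 minutes
STRIKE_WINDOW_S = 3 * 3600   # temporary blocks are counted over 3 hours
STRIKE_THRESHOLD = 3         # bfb_counter >= 3  -> permanent drop


@dataclass
class ClientState:
    hits: deque = field(default_factory=deque)     # timestamps of recent URI hits
    strikes: deque = field(default_factory=deque)  # timestamps of temporary blocks
    blocked_until: float = 0.0
    permanent: bool = False


class BruteForceGuard:
    """Sliding-window model of the two counter rules (a model, not ModSecurity itself)."""

    def __init__(self):
        self.clients = defaultdict(ClientState)

    def request(self, ip: str, uri: str, t: float) -> str:
        """Classify one request at time t (seconds): 'allow', 'temp_block' or 'permanent'."""
        st = self.clients[ip]
        if st.permanent:
            return "permanent"
        if t < st.blocked_until:
            return "temp_block"
        if uri != PROTECTED_URI:
            return "allow"
        # Count this hit and drop hits that fell out of the 1-minute window.
        st.hits.append(t)
        while st.hits and st.hits[0] <= t - HIT_WINDOW_S:
            st.hits.popleft()
        if len(st.hits) < HIT_THRESHOLD:
            return "allow"
        # bf_counter reached 20: temporary block, and one strike for bfb_counter.
        st.hits.clear()
        st.blocked_until = t + TEMP_BLOCK_S
        st.strikes.append(t)
        while st.strikes and st.strikes[0] <= t - STRIKE_WINDOW_S:
            st.strikes.popleft()
        if len(st.strikes) >= STRIKE_THRESHOLD:
            st.permanent = True
            return "permanent"
        return "temp_block"


def publish_burst(n_calls: int, spacing_s: float, start: float = 0.0) -> list:
    """Constructed timestamps for an app action that issues n_calls XML-RPC requests spacing_s apart."""
    return [start + i * spacing_s for i in range(n_calls)]


def run_schedule(times: list, ip: str = "203.0.113.7", uri: str = PROTECTED_URI) -> list:
    """Replay a list of request timestamps from one client and return the outcome of each."""
    guard = BruteForceGuard()
    return [guard.request(ip, uri, t) for t in times]


# Parser for the [key "value"] fields of a ModSecurity error-log entry.
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')


def parse_modsec_fields(line: str) -> dict:
    """Extract the quoted bracketed fields (file, line, id, msg, hostname, uri, ...) of one entry."""
    return dict(FIELD_RE.findall(line))


# The first denial quoted in the issue, trimmed to its ModSecurity part.
SAMPLE_LINE = (
    'ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 20 at IP:bf_counter. '
    '[file "/etc/httpd/conf.modules.d/10-mod_security.conf"] [line "92"] [id "10033"] '
    '[msg "90.92.138.186 dropped in iptables/ip6tables for 10 minutes because of suspected brute-force attack."] '
    '[hostname "gotowanie.telenczuk.pl"] [uri "/xmlrpc.php"] [unique_id "XmfabnHkKlCquUpAPDY8AgAAAAU"]'
)

if __name__ == "__main__":
    fields = parse_modsec_fields(SAMPLE_LINE)
    print(fields["id"], fields["uri"], "-", fields["msg"])
    # 25 XML-RPC calls 2 s apart: the 20th call trips the 10-minute block.
    print(run_schedule(publish_burst(25, 2.0)))
    # The same 25 calls 4 s apart never reach 20 hits inside one minute.
    print(run_schedule(publish_burst(25, 4.0)))
    # Three bursts within 3 hours: the third block becomes permanent.
    schedule = publish_burst(20, 1.0, 0) + publish_burst(20, 1.0, 1200) + publish_burst(20, 1.0, 2400)
    print(run_schedule(schedule)[-1])
```

The two `run_schedule` calls show the practical consequence for an app that talks XML-RPC: a publish that issues a burst of 20 or more requests inside a minute is indistinguishable to this rule from a credential-guessing client, while the same number of requests spread so that fewer than 20 fall into any 60-second window is never blocked; and because every temporary block is also a strike, three such bursts in an afternoon turn into a permanent drop.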
Hello! I'm not super familiar with how to configure ModSecurity rules in depth, but I do know that xmlrpc.php may be accessed quite heavily as part of normal usage by the app to a server it is authenticated to. Let me find out a bit more about that though. Because it sounds to me like the web server is configured too strictly for the usage the app expects to be able to do.
[UPDATE: edited for clarity. I didn't take into account the 2nd comment before—sorry about that!!]
(internal reference: p1586886724013600-slack-platform9-private and p1586900786218500-slack-mobile-gutenberg)
Related to https://github.com/wordpress-mobile/WordPress-Android/issues/4494
We can't limit the number of XMLRPC requests on our side, this would make the app unusable.
Thanks for help!