Apache mod_qos WordPress bruteforce mitigation

Hi, WordPress bruteforce attacks produce high cpu load
here some simple examples to get rid of that issue with mod_qos

Install apache module and enable it

apt install libapache2-mod-qos
a2enmod unique_id qos setenvif

For global mitigation, edit your apache module config

/etc/apache2/mods-enabled/qos.conf
<IfModule qos_module>
  # minimum request rate (bytes/sec at request reading):
  #QS_SrvRequestRate                                 120

  # limits the connections for this virtual host:
  #QS_SrvMaxConn                                     100

  # allows keep-alive support till the server reaches 600 connections:
  #QS_SrvMaxConnClose                                600

  # allows max 50 connections from a single ip address:
  #QS_SrvMaxConnPerIP                                 50

  # allows a single IP addess to access the URI /wp-login.php not more
  # than 10 times within 2 minutes:
  SetEnvIf Request_URI ^/xmlrpc.php LimitWpXmlRpc
  QS_ClientEventLimitCount 10 120 LimitWpXmlRpc
  SetEnvIf Request_URI ^/wp-login.php LimitWpLogin
  QS_ClientEventLimitCount 10 120 LimitWpLogin
</IfModule>

Per Virtualhost mitigation apache config

<IfModule qos_module>
  # limits concurrent requests to the locations:
  QS_LocRequestLimitMatch "^(/wp-login.php).*$" 2
  # does not allow more than 1 requests/sec:
  QS_LocRequestPerSecLimitMatch "^(/wp-login.php).*$" 1

  # limits concurrent requests to the locations:
  QS_LocRequestLimitMatch "^(/xmlrpc.php).*$" 2
  # does not allow more than 1 requests/sec:
  QS_LocRequestPerSecLimitMatch "^(/xmlrpc.php).*$" 1
</IfModule>

Have fun!

ubuntu 18.04 netplan source routing

Hi

Here a source routing example if you have multiple networks connected on your linux host and want every ip address reachable on the internet.

network:
   version: 2
   renderer: networkd
   ethernets:
     ens3:
       dhcp4: no
       dhcp6: no
       accept-ra: no
       addresses: [81.94.xx.xx/28, "2a01:xxx:xxxx:xx::xx/64"]
       gateway4: 81.94.xx.xx
       gateway6: 2a01:xxx:xxxx:xx::x
       nameservers:
         addresses: [1.0.0.1]
     ens6:
       dhcp4: no
       dhcp6: no
       accept-ra: no
       addresses: [195.16.xxx.111/25]
       routes:
         - to: 195.16.xxx.x/25
           via: 195.16.xxx.gw
           table: 102
         - to: 0.0.0.0/0
           via: 195.16.xxx.gw
           table: 102
       routing-policy:
         - from: 195.16.xxx.111
           table: 102
         - to: 195.16.xxx.111
           table: 102

Have fun!

freeradius 3.0 ubuntu 18.04 with daloradius mikrotik ikev2 eap-radius wireless

Hi

First of all setup your favorite php sql webserver


apt install php-db php-gd git freeradius freeradius-mysql

cd /var/www/web001/htdocs 
git clone https://github.com/lirantal/daloradius.git

We have to import the freeradius 3.0 mysql schema first. Daloradius does only have freeradius 2.0 compatible sql schemas.

cat /etc/freeradius/3.0/mods-config/sql/main/mysql/schema.sql | mysql -u radius -p radius

Now we import the daloradius sql schema without freeradius 2.0 sql schemas

cat /var/www/web001/htdocs/daloradius/contrib/db/mysql-daloradius.sql | mysql -u radius -p radius

here my freeradius mysql setup

cd /etc/freeradius/3.0/mods-enabled
ln -s ../mods-available/sql

vim sql

driver = "rlm_sql_mysql"
dialect = "mysql"
server = "localhost"
port = 3306
login = "radius"
password = "abcdefg"
radius_db = "radius"
read_clients = yes

here my changes to eap (eap for authenticating mikrotik wireless via wpa2 enterprise and mikrotik ikev2 eap radius)

vim /etc/freeradius/3.0/mods-enabled/eap

eap {
...
#ikev2 eap radius
default_eap_type = peap
...
}
tls-config tls-common {
private_key_file = path_to_your_ssl_private_key
certificate_file = path_to_your_ssl_certificate
ca_file = path_to_your_ssl_cabundle
}

I use rapidssl server certificate.

https://support.microsoft.com/en-ph/help/814394/certificate-requirements-when-you-use-eap-tls-or-peap-with-eap-tls


here my changes to the “default” site

cd /etc/freeradius/3.0/sites-enabled
vim default

authorize {
...
auth_log
...
sql
}

accounting {
...
sql
...
}

session {
...
sql
...
}

post-auth {
...
reply_log
sql
...
}

session {
...
sql
...
}

here my bulk radius settings

cd /etc/freeradius/3.0

vim radiusd.conf

log {
...
auth = yes
...
auth_badpass = yes
...
}

https://wiki.freeradius.org/guide/SQL-HOWTO-for-freeradius-3.x-on-Debian-Ubuntu

you have to create a systemd override for the freeradius unit. otherwise freeradius won’t start correctly if mysql is not running.

systemctl edit freeradius

[Unit]
After=network.target mysql.service

setup daloradius config

vim /var/www/web001/htdocs/daloradius/library/daloradius.conf.php

CONFIG_DB_USER
CONFIG_DB_PASS
CONFIG_DB_NAME

Have fun!

cgroup ubuntu 18.04 howto

Install required packages

apt install cgroup-tools

copy cgred.conf from examples

cp /usr/share/doc/cgroup-tools/examples/cgred.conf /etc/

/etc/cgconfig.conf

group web2 {
cpu {
cpu.cfs_quota_us=10000;
}
memory {
memory.limit_in_bytes = 1024m;
}
}

cpu.cfs_quota_us = 10000 equals to 10% cpu usage
memory.limit_in_bytes = 1024 equals to 1G of system memory


/etc/cgrules.conf

#<user>    <controllers>           <destination>
web2 cpu,memory web2

This will limit every process of the user web2 to 10% CPU and 1G of memory.


For testing use this commands:

/usr/sbin/cgconfigparser -l /etc/cgconfig.conf
/usr/sbin/cgrulesengd -vvv

check if cgroup’s are working properly

cat /sys/fs/cgroup/cpu/web2/tasks
cat /sys/fs/cgroup/memory/web2/tasks

Here my systemd service files, install them the usual systemd way

cgconfigparser.service

[Unit]
Description=cgroup config parser
After=network.target

[Service]
User=root
Group=root
ExecStart=/usr/sbin/cgconfigparser -l /etc/cgconfig.conf
Type=oneshot

[Install]
WantedBy=multi-user.target

cgrulesgend.service

[Unit]
Description=cgroup rules generator
After=network.target cgconfigparser.service

[Service]
User=root
Group=root
Type=forking
EnvironmentFile=-/etc/cgred.conf
ExecStart=/usr/sbin/cgrulesengd
Restart=on-failure

[Install]
WantedBy=multi-user.target

reload systemd and start services

systemctl daemon-reload
systemctl enable cgconfigparser
systemctl enable cgrulesgend
systemctl start cgconfigparser
systemctl start cgrulesgend

Have fun!