Varnish Cache – login page protection, Brute Force Protection
(BulletProof Security Pro forum)
Tagged: Brute Force, Cache, Login page, Varnish
This topic has 2 replies, 3 voices, and was last updated 3 weeks, 1 day ago by Rahul.
AITpro Admin (Keymaster)
Contributed by Rafael
Varnish Cache and Securing wp-login.php for Security and Brute Force Protection
When running Varnish as a reverse proxy in front of Apache, the “BruteForce” htaccess code for blocking access by IP for wp-login.php may not work.
This is because Apache (web server) will see that all the requests are coming from the local host (127.0.0.1).
Two solutions are below. I personally use Solution 2 because I can just whitelist my IP once and it will affect all and new WP sites on my server. Plus Varnish can handle thousands of hits with little effect on server load.
Solution 1 requires adding your IP to individual WP sites' .htaccess. If you manage a large number of sites, it can be time consuming.
Solution 1:
Making .htaccess “brute force” protection work with Varnish
It will work if Varnish is setting the X-FORWARDED-FOR header.
Part 1
Place this in your vcl_recv block of the default.vcl (Varnish config).

    sub vcl_recv {
        if (req.restarts == 0) {
            if (req.http.X-Forwarded-For) {
                set req.http.X-Forwarded-For = req.http.X-Forwarded-For + ", " + client.ip;
            } else {
                set req.http.X-Forwarded-For = client.ip;
            }
        }
    }
Part 2
Now place this in the .htaccess code of all your WP sites if needed.

    # Protect wp-login.php from Brute Force Login Attacks based on IP Address
    SetEnvIF X-FORWARDED-FOR "xxx.xxx.xxx.xxx" AllowIP
    order deny,allow
    deny from all
    Allow from env=AllowIP
Replace xxx.xxx.xxx.xxx with your IP.
Solution 2
Works globally and directly with Varnish to throw a 403 error by setting an IP in the acl internal section of Varnish. My preferred method.
Part 1
Place the code below in the vcl_recv section of your default.vcl.

    sub vcl_recv {
        # Bans access to wp-login and admin by IP
        if (req.url ~ "wp-(login|admin)" && !client.ip ~ internal) {
            # Varnish to throw a 403 error
            error 403 "File is missing! Please contact tech support?";
        }
    }
Part 2
You're placing your IP in the acl internal block of the Varnish config.

    acl internal {
        "xxx.xxx.xxx.xxx";
    }
Replace xxx.xxx.xxx.xxx with your IP.
Whitelisting multiple IPs:

    acl internal {
        "xxx.xxx.xxx.xxx";
        "xxx.xxx.xxx.xxx";
        "xxx.xxx.xxx.xxx";
    }
Testing Procedures
Open YourDomain.com/wp-login.php with your internet access IP. Now switch IP with either hidemyass.com or use your cell phone with its internet (not connected to your wifi). wp-login.php should be blocked.
Max (Participant)
Thanks for contributing this Rafael =)
…thought I’d note that perhaps
    # Protect wp-login.php from Brute Force Login Attacks based on IP Address
    SetEnvIF X-FORWARDED-FOR "xxx.xxx.xxx.xxx" AllowIP
    order deny,allow
    deny from all
    Allow from env=AllowIP
should be
    # Protect wp-login.php from Brute Force Login Attacks based on IP Address
    SetEnvIF X-FORWARDED-FOR "xxx.xxx.xxx.xxx" AllowIP
    order allow,deny
    deny from all
    Allow from env=AllowIP
because
You would want to use Order Allow,Deny and NOT Order Deny,Allow
http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#order
Allow,Deny
First, all Allow directives are evaluated. At least one must match, or the request is rejected.
Next, all Deny directives are evaluated. If any matches, the request is rejected.
Last, any requests which do not match an Allow or a Deny directive are denied by default.
Deny,Allow
First, all Deny directives are evaluated. If any match, the request is denied unless it also matches an Allow directive. Any requests which do not match any Allow or Deny directives are permitted.
(from this forum and https://wordpress.org/support/topic/whitelisting-ips-leads-to-403-errors-on-logout)
Cheers, Max
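The chain in Solution 1 (Varnish fills X-Forwarded-For, then Apache's SetEnvIf and Order directives decide), the ACL check in Solution 2, and the Order question raised in the reply above can be walked through against the mod_authz_host text quoted there. This is an added example, not code from either post or from BulletProof Security; the IP addresses, URLs and the `WHITELIST_IP` / `acl_internal` names are constructed for the walk-through.

```python
import re

# Constructed values, not from the thread: the whitelisted admin address
# and the Varnish "acl internal" list from Solution 2.
WHITELIST_IP = "203.0.113.10"
acl_internal = {"203.0.113.10"}


def varnish_xff(client_ip, incoming_xff=None):
    """Mirror the vcl_recv snippet from Solution 1: append client.ip to an
    existing X-Forwarded-For, or create the header from client.ip."""
    return f"{incoming_xff}, {client_ip}" if incoming_xff else client_ip


def set_env_if(xff, pattern=re.escape(WHITELIST_IP)):
    """SetEnvIF X-FORWARDED-FOR "<pattern>" AllowIP: the value is a regex
    searched anywhere in the header, so dots should be escaped in a real rule."""
    return bool(re.search(pattern, xff))


def apache_order(order, allow_matches, deny_matches):
    """Apply the two Order semantics exactly as quoted from the Apache docs."""
    order = order.lower()
    if order == "deny,allow":
        # A matching Deny is overridden by a matching Allow; unmatched requests pass.
        return allow_matches if deny_matches else True
    if order == "allow,deny":
        # At least one Allow must match; then any matching Deny rejects.
        if not allow_matches:
            return False
        return not deny_matches
    raise ValueError(f"unknown Order value: {order}")


def wp_login_allowed(order, client_ip):
    """Solution 1 end to end for a direct client hitting Varnish:
    'deny from all' always matches, 'Allow from env=AllowIP' matches
    only when SetEnvIf saw the whitelisted address in X-Forwarded-For."""
    allow_env = set_env_if(varnish_xff(client_ip))
    return apache_order(order, allow_matches=allow_env, deny_matches=True)


def varnish_403(req_url, client_ip):
    """Solution 2: True when the vcl_recv rule would answer with error 403."""
    return bool(re.search(r"wp-(login|admin)", req_url)) and client_ip not in acl_internal
```

Evaluating `wp_login_allowed` for both Order values with the same three directives shows which ordering lets the whitelisted address through; the result can be compared with the quoted semantics before touching a live .htaccess.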