virtualmin PRO and mod_qos

hello -

This morning I started to see this message in my error log file:

[Tue Sep 15 09:38:33 2015] [error] mod_qos(034): access denied, QS_SrvMinDataRate rule (enforce keep-alive), c=xxx.xxx.xxx.xxx

Previously, when I was using the free version of Virtualmin, I had my mod_qos set up like this:

/etc/httpd/conf.d/mod_qos.conf:

<IfModule mod_qos.c>
    # limit concurrent requests and requests per second to the WordPress login page
    QS_LocRequestLimitMatch       ^/wp-login.php 3
    QS_LocRequestPerSecLimitMatch ^/wp-login.php 1
    # handles connections from up to 100000 different IPs
    QS_ClientEntries 100000
    # will allow only 20 connections per IP
    QS_SrvMaxConnPerIP 20
    # maximum number of active TCP connections is limited to 256
    MaxClients              256
    # disables keep-alive when 70% of the TCP connections are occupied:
    QS_SrvMaxConnClose      70%
    # minimum request/response speed (deny slow clients blocking the server, i.e. slowloris keeping connections open without requesting anything):
    QS_SrvMinDataRate       150 1200
    # and limit request header and body (careful, that limits uploads and POST requests too):
    # LimitRequestFields      30
    # QS_LimitRequestBody     102400

    ## 2014-03-27 added as per forum post:
    ## http://sourceforge.net/p/mod-qos/discussion/697421/thread/057e5cd5/
    SetEnvIf Request_URI /wp-login.php QS_Limit
    QS_ClientEventLimitCount 20 300
</IfModule>

Since then, I upgraded to PRO so I could take advantage of the wonderful "Maximum number of processes" and have it set to nine.

The problem was with WordPress, as it was attracting a lot of break-in attempts.

My question: now that I have "max number of processes" set in the PRO version, should my mod_qos be adjusted? Is it wise to use both mod_qos and "max number of processes"? I believe I had it set a bit too extreme at the time to fend off the attacks.

Thank you.

Howdy,

Well, I’m not sure what the optimal settings are… you can certainly use both options though. They solve slightly different problems.

You can still have a brute force attack on the WordPress login if Virtualmin is limiting the max processes.

Virtualmin’s limits are more there to keep one user from being able to use up all the server’s resources.

It looks like the QoS settings you have are more specifically designed to protect particular components.

-Eric

For brute-force attacks on the login page there is a great and simple solution: the add-on is called WP fail2ban, which logs login attempts to …/secure (on CentOS) and comes with an f2b filter ready to use. Tested, and I can confirm that it works great; no more problems with floods on the login page.

Thank you all very much. Note that the most obvious WP solution is any plugin that changes the wp-login name, but unfortunately you can't always get away with doing that.

fail2ban - very interesting discovery. Has anybody else used it?

There is various security software you can use on your Linux server, e.g. f2b, csf, apf, etc. Even though some of them have partly similar functions, they are not the same. I find that fail2ban best suits my needs, as it comes in handy for preventing brute-force attacks on services like email, SSH, FTP and so on. But you can extend this protection to game servers, WordPress and other software.

I can't say if it is better than other security software or if it is the best solution for you, but for what I needed it was the best option. Before, I was using it on CentOS 6 and now 7, and never had any problems.

But to stick with the subject: for brute-force attempts on the WP login page I find it great. It's better than any other solution, as most of them come in the form of add-ons. I tested many of them and each one has one big flaw, and that is their dependency on WP, Apache, MySQL… which doesn't help too much. Actually all the attacks are hitting your WP before they are blocked, and the consumption of your resources can still reach "nice" amounts. With f2b it is different, as the bad IPs will be blocked with iptables and never see your WP. Some resources like bandwidth will still be used, but at much lower levels than if you leave all the attacks on your WP, regardless of whether some add-on then blocks them or not.

Just to mention, in case other people read this topic, this is what I saw several times first hand. On a fresh server with IPs that had been dormant for quite some time (not dedicated to any server for months, if not more), it took less than 48 hours to get more than 80-100 daily brute-force attempts on SSH; on FTP it was almost immediately over 100, and on WP 20-25+, depending on the domain name and how old the domain was. Now imagine what is going on once your IP(s) get propagated and your server has been active for weeks/months. I would not be surprised to see several hundred (or thousand) brute-force attacks spread all over different ports/login pages.

Just two examples so you can see how this actually looks:

Email
maillog:
Sep 15 22:52:39 XXXXXXXXX postfix/smtpd[8304]: warning: 212-129-15-231.rev.poneytelecom.eu[212.129.15.231]: SASL LOGIN authentication failed: authentication failure

fail2ban:
2015-09-15 22:52:39,856 fail2ban.filter [30873]: INFO [postfix-sasl] Found 212.129.15.231
2015-09-15 22:52:40,313 fail2ban.actions [30873]: NOTICE [postfix-sasl] Ban 212.129.15.231

Wordpress:
secure:
Sep 15 23:06:06 XXXXXXXXX wordpress(www.MYDOMAIN.com)[4032]: Authentication failure for test from 78.61.241.53

fail2ban:
2015-09-15 23:06:06,956 fail2ban.filter [30873]: INFO [wordpress] Found 78.61.241.53
2015-09-15 23:06:07,113 fail2ban.actions [30873]: NOTICE [wordpress] Ban 78.61.241.53

Note: I made several changes in Postfix to perform several checks on incoming requests, including RBL checks. The test user doesn't exist, but it's a great example of how brute force works on WP, trying to guess the username and password.

Well, this is it; hope it helps you. Maybe someone else has experience with other security software, so they can share their story.
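The fail2ban behaviour described in this post (match a failure line in the log, count hits per source IP, ban once the count crosses a threshold inside a time window, do not re-ban an IP that is already banned, skip addresses on an ignore list) can be reproduced in a short script. The Python below is an added example written for this page; it is not code from fail2ban, WP fail2ban or Virtualmin. Its two regexes are my reading of the maillog and secure lines quoted above (the real fail2ban filters use their own failregex syntax), the jail settings reuse fail2ban's option names maxretry, findtime, bantime and ignoreip but the values are chosen arbitrarily here, and the log lines it runs over are constructed for the demonstration.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Timestamp and IPv4 fragments shared by both filters (assumed formats).
TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})"
IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"

# One regex per jail, modelled on the maillog / secure lines in the thread.
FILTERS = {
    "postfix-sasl": re.compile(
        TS + r" \S+ postfix/smtpd\[\d+\]: warning: \S+\[" + IPV4
        + r"\]: SASL \S+ authentication failed"),
    "wordpress": re.compile(
        TS + r" \S+ wordpress\([^)]*\)\[\d+\]: Authentication failure for \S+ from "
        + IPV4),
}

LOG_YEAR = 2015  # syslog timestamps carry no year; assumed for the sample


def parse_ts(text):
    return datetime.strptime(f"{text} {LOG_YEAR}", "%b %d %H:%M:%S %Y")


class Jail:
    """Sliding-window failure counter per IP with a ban list, fail2ban style."""

    def __init__(self, name, regex, maxretry=5, findtime=600, bantime=3600,
                 ignoreip=()):
        self.name, self.regex, self.maxretry = name, regex, maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.ignore = [ip_network(n) for n in ignoreip]
        self.hits = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned = {}                # ip -> ban expiry

    def feed(self, line):
        """Return (status, ip) with status in found/ban/ignored, or None."""
        m = self.regex.search(line)
        if not m:
            return None
        ip, ts = m.group("ip"), parse_ts(m.group("ts"))
        if any(ip_address(ip) in net for net in self.ignore):
            return ("ignored", ip)
        if ip in self.banned and self.banned[ip] <= ts:
            del self.banned[ip]          # ban expired, start counting again
        if ip in self.banned:
            return ("found", ip)         # already banned: log it, no new ban
        window = self.hits[ip]
        window.append(ts)
        while window and ts - window[0] > self.findtime:
            window.popleft()             # drop hits older than findtime
        if len(window) >= self.maxretry:
            self.banned[ip] = ts + self.bantime
            window.clear()
            return ("ban", ip)
        return ("found", ip)


def build_jails():
    # Values are illustrative; SASL bans after 2 failures, WordPress after 5.
    return [
        Jail("postfix-sasl", FILTERS["postfix-sasl"], maxretry=2),
        Jail("wordpress", FILTERS["wordpress"], maxretry=5,
             ignoreip=("127.0.0.0/8",)),
    ]


def run(lines, jails):
    """Feed every line to every jail; return ordered bans and status counts."""
    bans, counts = [], Counter()
    for line in lines:
        for jail in jails:
            result = jail.feed(line)
            if result is None:
                continue
            status, ip = result
            counts[(jail.name, status)] += 1
            if status == "ban":
                bans.append((jail.name, ip))
    return {"bans": bans, "counts": counts}


# Constructed sample log: two SASL failures, six WordPress failures from one
# IP, one from localhost, and two far-apart failures from a third IP.
SAMPLE_LOG = """\
Sep 15 22:52:39 host postfix/smtpd[8304]: warning: 212-129-15-231.rev.poneytelecom.eu[212.129.15.231]: SASL LOGIN authentication failed: authentication failure
Sep 15 22:52:41 host postfix/smtpd[8304]: warning: 212-129-15-231.rev.poneytelecom.eu[212.129.15.231]: SASL LOGIN authentication failed: authentication failure
Sep 15 23:06:06 host wordpress(www.example.com)[4032]: Authentication failure for test from 78.61.241.53
Sep 15 23:06:09 host wordpress(www.example.com)[4032]: Authentication failure for admin from 78.61.241.53
Sep 15 23:06:12 host wordpress(www.example.com)[4032]: Authentication failure for root from 78.61.241.53
Sep 15 23:06:15 host wordpress(www.example.com)[4032]: Authentication failure for www from 78.61.241.53
Sep 15 23:06:18 host wordpress(www.example.com)[4032]: Authentication failure for test from 78.61.241.53
Sep 15 23:06:20 host wordpress(www.example.com)[4032]: Authentication failure for test from 78.61.241.53
Sep 15 23:07:00 host wordpress(www.example.com)[4032]: Authentication failure for admin from 127.0.0.1
Sep 15 23:07:30 host wordpress(www.example.com)[4032]: Authentication failure for alice from 203.0.113.9
Sep 16 00:30:00 host wordpress(www.example.com)[4032]: Authentication failure for alice from 203.0.113.9
"""


def demo():
    return run(SAMPLE_LOG.splitlines(), build_jails())


if __name__ == "__main__":
    for jail, ip in demo()["bans"]:
        print(f"NOTICE [{jail}] Ban {ip}")
```

The sixth WordPress failure from 78.61.241.53 arrives while the ban is active and is only counted as "found", and the two failures from 203.0.113.9 are more than findtime apart, so the older one falls out of the window and no ban follows; both match how the real tool behaves with the same settings.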

I wanted to mention that Webmin comes with Fail2ban support now.

Documentation for setting it up is here:

https://www.virtualmin.com/documentation/security/fail2ban