wp-login.php訪問日誌中的洪水

Question

我注意到，在我的訪問日誌中，這些記錄氾濫。我不確定這是否是暴力攻擊，因爲IP地址是我服務器的IP。

我怎樣才能確定發生了什麼？

185.124.86.73 - - [27/Dec/2016:06:39:04 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-" 
185.124.86.73 - - [27/Dec/2016:06:39:04 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-" 
185.124.86.73 - - [27/Dec/2016:06:39:04 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-" 
185.124.86.73 - - [27/Dec/2016:06:39:04 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-" 
185.124.86.73 - - [27/Dec/2016:06:39:04 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-" 
185.124.86.73 - - [27/Dec/2016:06:39:04 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-" 
185.124.86.73 - - [27/Dec/2016:06:39:05 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-" 
185.124.86.73 - - [27/Dec/2016:06:39:05 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-" 
185.124.86.73 - - [27/Dec/2016:06:39:05 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-" 
185.124.86.73 - - [27/Dec/2016:06:39:05 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-" 
185.124.86.73 - - [27/Dec/2016:06:39:05 +0300] "POST /wp-login.php HTTP/1.0" 500 - "-" "-" 

Answer 1

解決方案是創建一個mod_security規則來阻止這樣的違規IP地址。

1. 在/ usr/local/apache/conf/modsec_rules中創建文件名「wpbrute.conf」並添加以下內容。

SecRule REQUEST_LINE 「POST WP-登錄。」 「通，initcol：IP =％{REMOTE_ADDR}，SETVAR：ip.maxlimit = + 1，deprecatevar：ip.maxlimit = 1/600，nolog，id：35011「 SecRule IP：MAXLIMIT」@gt 10「」log，deny，id：350111，msg：'wp-bruteforce： 否認％{REMOTE_ADDR}（％{ip.maxlimit}連接嘗試） 」」

打開文件/usr/local/apache/conf/modsec2.user.conf和添加包括如下路徑並保存該文件。

包括/usr/local/apache/conf/modsec_rules/wpbrute.conf

現在所有的攻擊到「WP-login.php中」應當停止