Hi,

I second this. I recently upgraded to client 1.9 and activated Brute Force protection rules. I analyzed the access logs of a specific account that was being brute-forced and this is what I found:

Before activating the Brute Force filter: 202.77.109.253 - - [12/Aug/2014:13:47:46 -0400] “POST /wp-login.php HTTP/1.0” 403 4092 “-” “-” 202.77.109.253 - - [12/Aug/2014:13:47:47 -0400] “POST /wp-login.php HTTP/1.0” 403 4092 “-” “-” 202.77.109.253 - - [12/Aug/2014:13:47:48 -0400] “POST /wp-login.php HTTP/1.0” 403 4092 “-” “-” 202.77.109.253 - - [12/Aug/2014:13:47:50 -0400] “POST /wp-login.php HTTP/1.0” 403 4092 “-” “-”

After activating it: 202.77.109.253 - - [12/Aug/2014:13:47:52 -0400] “POST /wp-login.php HTTP/1.0” 302 - “-” “-” 202.77.109.253 - - [12/Aug/2014:13:47:55 -0400] “POST /wp-login.php HTTP/1.0” 302 - “-” “-” 202.77.109.253 - - [12/Aug/2014:13:47:59 -0400] “POST /wp-login.php HTTP/1.0” 302 - “-” “-” 202.77.109.253 - - [12/Aug/2014:13:48:00 -0400] “POST /wp-login.php HTTP/1.0” 302 - “-” “-” 202.77.109.253 - - [12/Aug/2014:13:48:02 -0400] “POST /wp-login.php HTTP/1.0” 302 - “-” “-”

A few minutes later, requests go back to being handled just like they used to: 202.77.109.253 - - [12/Aug/2014:13:47:46 -0400] “POST /wp-login.php HTTP/1.0” 403 4092 “-” “-” 202.77.109.253 - - [12/Aug/2014:13:47:47 -0400] “POST /wp-login.php HTTP/1.0” 403 4092 “-” “-” 202.77.109.253 - - [12/Aug/2014:13:47:48 -0400] “POST /wp-login.php HTTP/1.0” 403 4092 “-” “-” 202.77.109.253 - - [12/Aug/2014:13:47:50 -0400] “POST /wp-login.php HTTP/1.0” 403 4092 “-” “-”

Upon inspecting the error logs: [Tue Aug 12 14:03:17.600548 2014] [:error] [pid 189538] [client 202.77.109.253] ModSecurity: collection_store: Failed to write to DBM file “/tmp/ip”: Invalid argument [hostname “HIDDENBYOP”] [uri “/wp-login.php”] [unique_id “U@pW5UPXD3oAAuRin6YAAAA@”] [Tue Aug 12 14:03:19.339073 2014] [:error] [pid 193338] [client 202.77.109.253] ModSecurity: collection_store: Failed to write to DBM file “/tmp/ip”: Invalid argument [hostname “HIDDENBYOP”] [uri “/wp-login.php”] [unique_id “U@pW50PXD3oAAvM6NlkAAAAr”]

So it looks to me like the actual protection is not working, and there’s something very buggy going on here.

Ideally it would be great if WAF would ban a particular IP in the firewall after X number of failed logins. I am using CSF and assume most other WAF users are too, so a seamless integration would be ideal. Either way, the number one priority should be to get these rules working correctly, as they clearly are not right now.