
Comments (7)

wargio commented on June 1, 2024

Depends on the requests. You can try to check what logs it generates and also dump the request parameters.

from naxsi.

sahrulfatih commented on June 1, 2024

Thanks for your reply.

I want to block WPS from scanning users and authors on my WordPress.

This is the access log from nginx.

And what are the exact naxsi rules for blocking based on the WPS User-Agent?

Thanks.


wargio commented on June 1, 2024

First, I would suggest using these rules: https://github.com/wargio/naxsi/tree/main/naxsi_rules/blocking (and if you are not already, please use my repository for naxsi, since this one is abandoned; I'm the only active developer).

Second, I guess I haven't yet added the wpscan UA to the scanner list rule (I will make an MR after writing this), but depending on what is in the request you should probably create custom rules, also because there are many WP plugins, so it's kind of hard to keep track of all of them.

Anyway, the rule for blocking the wpscan UA is simply: MainRule id:1234567 "s:$UWA:8" "str:wpscan" "mz:$HEADERS_VAR:User-Agent" "msg:wpscan in user-agent";

Another suggestion is to have more data in the logs, like request parameters in the POST request, etc., but you need to set up custom logs on nginx for that.

On my setup, where I do use naxsi, I have configured nginx to output JSON logs and send them to Logstash, which parses them; the Logstash logs are then sent to Elasticsearch + Kibana, where I have a nice graph with details, etc.

Then what I do is look at the traffic, check which parameters look suspicious, and create rules.
Most of the "bad traffic" can simply be blocked by adding bad user-agent rules in naxsi.


sahrulfatih commented on June 1, 2024

Thanks for your response.

I have used your repository, tried naxsi rules to block the WPS UA, and set a custom log in nginx.
The result in the nginx error log is that WPScan was successfully blocked. I tried to enumerate authors/users on WordPress, and even after the WPScan UA was successfully blocked in the nginx log, users/authors can still be found. What are the proper rules to block WPScan from enumerating authors/users? And can naxsi block the IP address?

WPScan Log

Thanks


wargio commented on June 1, 2024

I do not think there is much you can do there, if those APIs are intended to be used by the blog.
If they are not, then you can just ban the API call with a rule.


sahrulfatih commented on June 1, 2024

Any suggestion or tutorial on how to do that?


wargio commented on June 1, 2024

MainRule id:123456789 "s:$UWA:8" "str:author" "mz:ARGS|NAME" "msg:block author enumeration";
It could be something like that. These are well explained in the wiki:

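As an added example (not code from this thread, from naxsi, or from either participant), the Python script below models the two rules wargio posted, the wpscan User-Agent rule and the "str:author" "mz:ARGS|NAME" rule, and runs them over constructed nginx combined-format access-log lines. The match semantics are a simplified assumption (case-insensitive substring match on the header, and on query-argument names only, which is how naxsi's ARGS|NAME zone is documented); the /wp-json/wp/v2/users path is included as an assumed example of the "API used by the blog" that wargio mentions, to show why a rule that only inspects argument names does not cover an endpoint that takes no query arguments. The sample IPs and log lines are constructed, not real traffic.

```python
"""Offline check of two naxsi-style rules against constructed nginx access-log
lines. Added example; the rule semantics below are a simplified model, not
naxsi's own matcher."""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jun/2024:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "WPScan v3.8.25 (https://wpscan.com/wordpress-security-scanner)"
203.0.113.10 - - [01/Jun/2024:10:00:02 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; wpscan)"
198.51.100.7 - - [01/Jun/2024:10:00:03 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"
198.51.100.8 - - [01/Jun/2024:10:00:04 +0000] "GET /2024/06/hello-world/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"
"""

# $remote_addr - $remote_user [$time_local] "$request" $status $bytes "$referer" "$ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \d+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    url = urlsplit(req["target"])
    req["path"] = url.path
    req["args"] = parse_qsl(url.query, keep_blank_values=True)  # [(name, value), ...]
    return req


def ua_rule_hits(req, needle="wpscan"):
    """Models "str:wpscan" "mz:$HEADERS_VAR:User-Agent" (assumed: case-insensitive substring)."""
    return needle in req["ua"].lower()


def args_name_rule_hits(req, needle="author"):
    """Models "str:author" "mz:ARGS|NAME": the substring is searched in query-argument
    names only, never in values, so /?author=1 matches and /?p=author does not."""
    return any(needle in name.lower() for name, _ in req["args"])


def rest_users_path(req):
    """Assumed example of a blog API that enumerates users; it carries no query
    argument, so the ARGS|NAME rule above cannot see it."""
    return req["path"].startswith("/wp-json/wp/v2/users")


def analyse(log_text):
    """Return (ip, target, reasons) for every parsed request that trips a check."""
    findings = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        reasons = []
        if ua_rule_hits(req):
            reasons.append("ua:wpscan")
        if args_name_rule_hits(req):
            reasons.append("args_name:author")
        if rest_users_path(req):
            reasons.append("path:wp-json-users")
        if reasons:
            findings.append((req["ip"], req["target"], reasons))
    return findings


if __name__ == "__main__":
    for ip, target, reasons in analyse(SAMPLE_LOG):
        print(ip, target, ",".join(reasons))
```

Running the script prints three findings: the first two requests trip the User-Agent check, the first and third trip the argument-name check, and only the path check catches the REST endpoint request, which is the gap sahrulfatih hit once the UA was blocked. Replace SAMPLE_LOG with your own access log (or a JSON log mapped to the same fields) to see which of your requests each rule would match before committing it to naxsi.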
