Logging/notification on mod_security blocks


#1

Today one of my legit users (nice guy, not tech savvy) forgot his WordPress password and tried the wrong one a bunch of times, only to find himself firewalled.

At first I thought it was my WP security plugin, but it said “No active blocks.” Took a long process of hunting, trial and error to realize he was blocked by all of DreamHost, not just his domain. But my control panel didn’t provide any record of active blocks, or indication that DH even does automatic blocking.

Finally filed a ticket and, after a few exchanges, discovered that DH uses mod_security to scan WP sites for brute force attempts and firewall them. I love that they do that, but with no logging or notification of any kind, it makes troubleshooting exceptionally hard - I’d call it “ghost busting.”

What should have been a simple 5-minute task turned into an hour of fruitless hunting. Very annoying.

Please provide a control panel interface to see (and possibly lift) active IP blocks, and/or to note the time at which they’ll lift themselves.


#2

Update: A subsequent response from support reveals that we DO have some access to logging for mod_security blocks. Get the IP of the blocked user, then:

grep [ip addr] /home/yourusername/logs/domain.com/http/error.log

and you’ll see hits for the mod_sec rules that were triggered for that user. Doesn’t tell you how long the block will last and doesn’t let you unblock, but at least there’s some info there.
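
An added example, not part of the original post and not DreamHost's own tooling: a plain grep for an address also matches longer ones (203.0.113.5 matches 203.0.113.50), so this sketch matches the IP literally inside the `[client ...]` field and counts hits per rule id. The sample lines are constructed in the ModSecurity 2.x error-log layout; the rule ids, messages and the function names are assumptions.

```shell
#!/bin/sh
# Per-rule ModSecurity hit counts for one client IP in an Apache error log.
# Usage: modsec_hits <ip> <error.log>   -> lines of "<rule id> <hits>"
modsec_hits() {
    awk -v ip="$1" '
        # index() compares literally, so dots in the IP are not wildcards, and
        # the closing "]" or ":" keeps 203.0.113.5 from matching 203.0.113.50.
        index($0, "ModSecurity:") &&
        (index($0, "[client " ip "]") || index($0, "[client " ip ":")) {
            # Pull the digits out of [id "NNNNNN"] and count that rule.
            if (match($0, /\[id "[0-9]+"\]/))
                hits[substr($0, RSTART + 5, RLENGTH - 7)]++
        }
        END { for (id in hits) print id, hits[id] }
    ' "$2" | sort
}

# Constructed sample lines (documentation-range IPs, made-up rule ids).
sample_log() {
cat <<'EOF'
[Tue Mar 06 10:01:02.000001 2018] [:error] [pid 101] [client 203.0.113.5:40112] [client 203.0.113.5] ModSecurity: Access denied with code 503 (phase 2). [id "900001"] [msg "login counter"] [hostname "domain.com"] [uri "/wp-login.php"]
[Tue Mar 06 10:01:09.000001 2018] [:error] [pid 101] [client 203.0.113.5:40113] [client 203.0.113.5] ModSecurity: Access denied with code 503 (phase 2). [id "900001"] [msg "login counter"] [hostname "domain.com"] [uri "/wp-login.php"]
[Tue Mar 06 10:01:15.000001 2018] [:error] [pid 102] [client 203.0.113.50:51000] [client 203.0.113.50] ModSecurity: Access denied with code 503 (phase 2). [id "900001"] [msg "login counter"] [hostname "domain.com"] [uri "/wp-login.php"]
[Tue Mar 06 10:01:20.000001 2018] [:error] [pid 101] [client 203.0.113.5:40114] [client 203.0.113.5] ModSecurity: Access denied with code 503 (phase 2). [id "900001"] [msg "login counter"] [hostname "domain.com"] [uri "/wp-login.php"]
[Tue Mar 06 10:01:21.000001 2018] [:error] [pid 101] [client 203.0.113.5:40115] [client 203.0.113.5] ModSecurity: Access denied with code 503 (phase 2). [id "900002"] [msg "client blocked"] [hostname "domain.com"] [uri "/wp-login.php"]
[Tue Mar 06 10:02:00.000001 2018] [core:error] [pid 103] [client 203.0.113.5:40116] File does not exist: /home/yourusername/domain.com/favicon.ico
EOF
}

# Demo run against the constructed sample.
log=$(mktemp)
sample_log > "$log"
modsec_hits 203.0.113.5 "$log"
rm -f "$log"
```

On a real account, pass the path from the grep command above as the second argument.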


#3

Do you have any idea how many times he tried before this behavior was triggered? This is interesting…and new to me.

I would/will definitely remind users about that “forgot password?” link. It works well in WordPress.


#4

He didn’t tell me, but the logs I later found showed mod_security appearing to count to 10, so that seems to be the threshold.

And yes, I did remind him to use the Forgot Password feature next time.


#5

10 seems reasonable. Definitely telling my users about this. Thanks for the heads-up.