
@fritexvz
Created May 15, 2020 20:21
Protecting WordPress with Suricata
#!/bin/bash
# Sanity check for the proxy/backend split: once the front-end nginx forwards
# to the loopback server, WordPress requests should be visible on "lo" port 80,
# which is the same path the Netfilter queue hands to Suricata. If nothing
# shows up here, traffic is not taking the loopback path yet.
tcpdump -i lo port 80
{"timestamp":"2015-05-12T18:32:12.517610","flow_id":140038890378208,"event_type":"alert","src_ip":"xxx.xxx.xxx.xxx","src_port":42816,"dest_ip":"127.0.0.1","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2006446,"rev":11,"signature":"ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT","category":"Web Application Attack","severity":1,"tx_id":0},"stream":1}
server {
    # Backend: bound to the loopback address only, so (presumably) the only
    # way in is via the proxying server in front of it, and each request
    # crosses "lo", where the nft queue rule hands it to Suricata.
    listen localhost:80 default_server;
    # WordPress installation root directory
    root /usr/share/nginx/html;
    # Index files
    index index.php;
    # Make nginx play nice with WordPress permanent links
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
    # Pass the requests to PHP
    # NOTE(review): the FastCGI handler body is elided in the original, so
    # nothing is shown about how the script path is validated before it is
    # passed to PHP; confirm in the full configuration.
    location ~ \.php$ {
        (...)
    }
}
#!/usr/sbin/nft -f
# Packet path: on a given hook, chains run in ascending priority order, so the
# firewall chains (priority 0) see a packet before the IPS chains (priority 10).
# A "drop" in the firewall ends evaluation; an "accept" lets the packet carry
# on to the IPS chain, so only firewall-accepted traffic is queued.
table ip filter {
    # Firewall
    chain firewall-input {
        type filter hook input priority 0;
        (...)
    }
    chain firewall-output {
        type filter hook output priority 0;
        (...)
    }
    # IPS
    chain ips-input {
        type filter hook input priority 10;
        # Queue input packets to Suricata
        # The queue range 0-1 must match the "-q 0 -q 1" Suricata is started
        # with. "fanout" spreads packets across both queues; "bypass" accepts
        # a packet when no userspace program is bound to its queue, so traffic
        # passes uninspected while Suricata is not running — a deliberate
        # availability-over-inspection choice, separate from Suricata's own
        # nfq fail-open setting.
        counter queue num 0-1 fanout, bypass
    }
    chain ips-output {
        type filter hook output priority 10;
        # Queue output packets to Suricata
        # Same queue range and flags as the input side, so both directions of
        # a flow reach the same Suricata instance.
        counter queue num 0-1 fanout, bypass
    }
}
# Replace the following
location ~ \.php$ {
    (...)
}
# With
# Front-end proxy: every request is forwarded to the loopback server on
# port 80 so it is inspected on "lo". The enclosing server block (the one
# bound to the external address) is not shown here.
location / {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Host $server_name;
    # $proxy_add_x_forwarded_for appends $remote_addr to whatever
    # X-Forwarded-For the client already sent, so the LAST address in the
    # header is the one nginx observed itself. That is the address Suricata's
    # xff "deployment: reverse" setting reads, which is why a client-supplied
    # X-Forwarded-For cannot choose the address that ends up in the alert.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass http://localhost;
}
https://external.domain/?p=')) UNION SELECT 1--
# Make Suricata listen for packets in the Netfilter queues
# One -q per queue; the numbers must match the "queue num 0-1" range in the
# nft ruleset, otherwise packets sit in a queue nobody reads.
OPTIONS="-q 0 -q 1 "
# Activate workers run mode
# In "workers" mode each capture thread runs the whole pipeline (decode,
# detect, output) for its own queue — one worker per "-q" queue given on the
# command line.
runmode: workers
# Enable EVE logging with X-Forwarded-For support
# (this list item lives under the top-level "outputs:" key, not shown here)
- eve-log:
    enabled: yes
    # ...
    types:
      - alert:
          # ...
          xff:
            enabled: yes
            # Two operation modes are available, "extra-data" and "overwrite".
            # "overwrite" replaces the logged address with the one taken from
            # the X-Forwarded-For header, so alerts name the client rather
            # than the proxy (127.0.0.1); "extra-data" keeps the proxy
            # address and records the forwarded one as an extra field.
            mode: overwrite
            # Two proxy deployments are supported, "reverse" and "forward". In
            # a "reverse" deployment the IP address used is the last one, in a
            # "forward" deployment the first IP address is used.
            # "reverse" pairs with nginx's $proxy_add_x_forwarded_for, which
            # appends the address it observed, so the last entry is trusted.
            deployment: reverse
            # Header name where the actual IP address will be reported, if more
            # than one IP address is present, the last IP address will be the
            # one taken into consideration.
            header: X-Forwarded-For
# Disable Netfilter queue fail open
nfq:
  # With fail-open off, packets that cannot be queued (kernel queue full) are
  # dropped rather than accepted: inspection is preferred over availability.
  # This is distinct from the "bypass" flag on the nft queue rule, which still
  # lets traffic through when no Suricata process is bound to the queue at all.
  fail-open: no
# Configure CPU affinity
threading:
  # ...
  set-cpu-affinity: yes
  # Tune cpu affinity of suricata threads. Each family of threads can be bound
  # on specific CPUs.
  # Both sets below name CPUs 0 and 1; adjust the lists to the host's actual
  # CPU count before copying this.
  cpu-affinity:
    - management-cpu-set:
        cpu: [ 0, 1 ] # include only these cpus in affinity settings
        mode: "balanced"
        prio:
          default: "high"
    # ...
    - detect-cpu-set:
        cpu: [ 0, 1 ]
        mode: "exclusive" # run detect threads in these cpus
        # Use explicitly 3 threads and don't compute the number by using the
        # detect-thread-ratio variable:
        # threads: 3
        prio:
          # low: [ 0 ]
          # medium: [ "1-2" ]
          # high: [ 3 ]
          default: "high"
# Edit the HOME_NET to contain the localhost address
# The proxied backend is reached as 127.0.0.1 (see the dest_ip in the example
# alert), so HOME_NET must include it for rules written against $HOME_NET to
# match this traffic.
vars:
  # ...
  address-groups:
    HOME_NET: "[127.0.0.1,(...)]"
# Edit the host OS policy to contain the localhost address
# host-os-policy selects the TCP stream reassembly behaviour per destination
# host; the backend appears as 127.0.0.1, so it is listed under "linux".
host-os-policy:
  # ...
  linux: [127.0.0.1]

There aren’t any silver bullets that will protect a WordPress installation against every single attack, but adding a full-featured IDPS solution like Suricata is a good step in protecting not only that “all too many times vulnerable” WordPress installation but also other services like SSH.
