Change Mod Security Rule for Deny ( 401 Status Page )

Question

I Used a mod security rule for deny wp login attept.

<LocationMatch /wp-login.php>
SecRule REQUEST_METHOD "@streq POST" \
"phase:5,chain,t:none,auditlog,pass,msg:'Login Failure Detection: Wordpress Login Attempt Failure ',id:'377360',rev:2,severity:'4',tag:'no_ar'"
SecRule RESPONSE_STATUS "200"  "t:none"
</LocationMatch>

i want this rule Block Access And show 401 Status.

Can u help me ?

Answer 1

You can block with adding "deny,status:401" to your rule:

<LocationMatch /wp-login.php>
SecRule REQUEST_METHOD "@streq POST" \
"phase:5,chain,t:none,auditlog,deny,status:401,msg:'Login Failure Detection: Wordpress Login Attempt Failure ',id:'377360',rev:2,severity:'4',tag:'no_ar'"
SecRule RESPONSE_STATUS "200"  "t:none"
</LocationMatch>

More detail here:

• https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#deny
• https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#status

However I'm confused as to why you would want to do this for above rule. This matches any POST method which is also successful (status 200), not any one that fails? Presumably you'd only want to block a failed attempt?