Using HTTP redirects for mitigating vulnerability scans and bruteforce attacks


Using HTTP redirects for mitigating attacks

I like Wordfence, it gets the job done and works fine the way I see it.

I’m cheap and/or lazy so I just use the free version of it (yep, I’ll probably upgrade to Premium someday but for some reason I just haven’t).

I started thinking about how it actually works.
If a vulnerability scan is performed (if you have the WAF, Wordfence Application Firewall, enabled that is) or a brute force attempt is made against your /wp-login page, there are rules that determine things such as “how many invalid login attempts during how long”.

Based on those rules, the IP address is presented with a 503 error or a 403 error. The client isn’t allowed to access, for instance, the /wp-admin page for a specified period of time.
All of this works fine out of the box with Wordfence, so they’ve done the hard work, i.e. writing the engine that detects the stuff.

And while at it, you might also want to have a look at using Wordfence for blocking XMLRPC traffic (here’s an article about why you should btw).
It’s simply done by adding the line /xmlrpc.php into the blocking part of Wordfence.


HTTP 503, 403

The pages presented to the client when a block rule is triggered are found under /wp-content/plugins/wordfence/vendor/wordfence/wf-waf/src/views
and they’re called
403.php, 403-blacklist.php, 403-roadblock.php, 503.php and 503-blockout.php.

Mitigating vulnerability scans

When a specific rule is triggered, one of these files is used as a redirect page (or landing page if you will).

First of all, if you’re going to f**k around with this, please do so at your own risk and make sure you have access to your system to be able to reset any changes.
Also, make backups of any files you change.
This is a good way to do things at all times btw.

Redirecting attacks

As a test, I changed all of the .php files to simply redirect to https://www.google.com and then triggered a response by using an invalid username (I have mine set to immediately block if someone tries to use an invalid username) and, behold, it worked.

Next time I tried to browse to /wp-admin I got redirected to Google for as long as the rule says so.

This way, a vulnerability scan will cause the attacking client to be redirected wherever I want, so my idea is to simply get rid of the attacker, saving bandwidth and preventing them from finding something I’ve missed. It’s NOT a foolproof method but a fun experiment and it might be useful in some scenarios.

As a second test I redirected the client to http://127.0.0.1 instead (127.0.0.1 is the client’s own local system, basically saying “Dear browser, please open up the website located locally on my computer”) and that also worked fine.
For now, I have it set to redirect to a contact form on my page, but if I were to see loads and loads of unwanted traffic etc.,
I could simply redirect it to wherever.

Added: had an idea, what if one set up a specific page to which the blacklisted traffic is redirected, and from that redirected the traffic to a second one pointing back to the first one?
In effect having the attacker stuck in an infinite loop.
Haven’t tried it but in theory it should work.
Hey, you only have as much fun as you make it 🙂

“Code” used

The “code” I used was simply a standard redirect (just Google “PHP and redirect”, copy the code and paste it into one or all of the files I mentioned).

Anyhoo, I’m sure whatever changes I do to these files will be overwritten the next time Wordfence is updated, so in order to keep it the way I want to, I need to copy my files back whenever an update is made.

I’m fairly sure I could sit down and code some and have the client IP address put into the server’s firewall instead (probably using something like
<?php
// the IP of the blocked client, taken from the TCP connection (not from a spoofable header)
$ip = $_SERVER['REMOTE_ADDR'];
// add an inbound Windows Firewall rule that blocks just this address;
// netsh expects action=block (not deny) and the address goes in remoteip=
exec('netsh advfirewall firewall add rule name="WordPress Blocked IP" dir=in action=block remoteip=' . escapeshellarg($ip), $output, $status);
exit();
?>
or any number of fun thingies. (Yes, in this case it’s a Windows server, but it could be any kind of server I guess.)

This would imitate brute force protection such as Fail2Ban on SSH etc
The sky’s the limit, right?
I’m sure one could do a lot of fun things if one’s up for it but , as stated earlier, I’m lazy 🙂
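Here is what a fuller version of both ideas (the plain redirect and the firewall block) could look like as a drop-in body for one of the Wordfence view files. This is an added example written for this post, not Wordfence’s own code and not the snippet I actually pasted into my files; the redirect target, the log path, the constant names and the helper function names are all my assumptions. It logs the blocked client, can add a Windows Firewall rule for it (off by default), and then redirects it away.

```php
<?php
// Hypothetical drop-in body for 403.php / 403-blacklist.php / 403-roadblock.php /
// 503.php / 503-blockout.php under wf-waf/src/views. Example code for this post,
// not Wordfence code. Logs the blocked client, optionally adds a firewall rule,
// then redirects the client elsewhere.

// Where blocked clients end up. Assumption: a contact page on the same site.
const REDIRECT_TARGET = 'https://example.com/contact/';
// Only enable this if the PHP worker actually has rights to change the firewall.
const ADD_FIREWALL_RULE = false;
// Log file outside the web root so it cannot be fetched over HTTP.
define('BLOCK_LOG', sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'wf-block.log');

/**
 * Return the client IP, or null if it is not a usable public address.
 * REMOTE_ADDR comes from the TCP connection, so unlike X-Forwarded-For the
 * client cannot spoof it. Private and reserved ranges are rejected so a reverse
 * proxy in front of the site (or you, testing from the LAN) never ends up in
 * the firewall block list.
 */
function blocked_client_ip(): ?string
{
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    $ok = filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    );
    return $ok === false ? null : $ok;
}

/** Append one line per block so you can see who is being redirected and why. */
function log_block(?string $ip, string $view): void
{
    $line = sprintf(
        "%s ip=%s uri=%s view=%s ua=%s\n",
        gmdate('Y-m-d\TH:i:s\Z'),
        $ip ?? 'invalid',
        $_SERVER['REQUEST_URI'] ?? '-',
        $view,
        // keep the log one line per event even if the User-Agent contains newlines
        str_replace(["\r", "\n"], ' ', $_SERVER['HTTP_USER_AGENT'] ?? '-')
    );
    file_put_contents(BLOCK_LOG, $line, FILE_APPEND | LOCK_EX);
}

/**
 * Add an inbound block rule for a single address with netsh (Windows only).
 * The IP has already been validated and escapeshellarg() guards the shell
 * anyway. One rule per IP, named after it, so a rule can later be removed with
 * "netsh advfirewall firewall delete rule name=...".
 */
function add_firewall_rule(string $ip): bool
{
    if (PHP_OS_FAMILY !== 'Windows') {
        return false; // on Linux this is where an ipset/iptables call would go
    }
    $cmd = sprintf(
        'netsh advfirewall firewall add rule name=%s dir=in action=block remoteip=%s',
        escapeshellarg('WordPress Blocked IP ' . $ip),
        escapeshellarg($ip)
    );
    exec($cmd, $output, $status);
    return $status === 0;
}

/** Send the client elsewhere; fall back to a meta refresh if headers already went out. */
function redirect_away(string $target): void
{
    if (!headers_sent()) {
        header('Location: ' . $target, true, 302);
        header('Cache-Control: no-store');
    } else {
        echo '<meta http-equiv="refresh" content="0;url='
            . htmlspecialchars($target, ENT_QUOTES) . '">';
    }
    exit();
}

$ip = blocked_client_ip();
log_block($ip, basename(__FILE__));
if (ADD_FIREWALL_RULE && $ip !== null) {
    add_firewall_rule($ip);
}
redirect_away(REDIRECT_TARGET);
```

Two things worth knowing before flipping ADD_FIREWALL_RULE on: the PHP worker would need administrative rights to run netsh, which is a lot of privilege to hand a web process, and unlike Wordfence’s timed block a firewall rule stays until something deletes it, so you would want a scheduled task that clears old “WordPress Blocked IP” rules. The redirect part needs neither and is all that my own files do.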

The redirect method will only protect your server on the http/s level.
If you also have other services running such as FTP, RDP etc., they won’t be protected by a simple redirect on http/s only.
There are other ways to accomplish that and I’m happy to help you out.
Just drop me an email or get in contact through the form to the right or below.