Block WordPress wp-login.php attempts with CSF?
I'm working to block IPs that flood wp-login.php with attempts, using CSF's regex.custom.pm:
# DETECT AND BLOCK wp-login.php POST DOS attacks (requires: CUSTOM2_LOG = "/home/*/access-logs/*" in csf.conf)
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "POST \/wp-login\.php.*" 200/)) {
return ("Failed Wordpress login from",$1,"wordpress","5","80,443","3600");
}
In /etc/csf/csf.conf I modified the CUSTOM2_LOG line:
CUSTOM2_LOG = "/home/*/access-logs/*"
I restarted csf with csf -r, then tried accessing a WordPress site's wp-login.php more than 5 times. I still get to wp-login.php on the website and DO NOT see any entry in the /etc/csf/csf.deny file. I DO see 12 failed attempts in my /home/user/access-logs/domain-ssl_log file. I made sure my IP is not in /etc/csf/csf.allow. Has anyone been able to get this to work?
I found the answer in this thread: Blocking Wordpress Login and xmlprc attacks with LFD - ConfigServer Community Forum
# WP-LOGINS
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
return ("your ban comment",$1,"WPLOGINorWHATEVER","3","80,443,21,25,22,23","1");
}
Notice the \w*(?:GET|POST) vs the plain POST difference. Well, my test would not show in csf.deny, but as soon as I restarted csf after saving this I saw entries come into csf.deny. It would be nice to know which logfile (user) was getting hit.
Hi @asmithjr, I'm glad to see you were able to find the resolution for your issue, and thanks for letting us know what fixed it for you!
As a further update, I decided to separate the GET and POST so I can monitor better.
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET) \/wp-login\.php.*" /)) {
return ("Failed Wordpress GET",$1,"WPLOGINGET","3","80,443,21,25,22,23","1");
}
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:POST) \/wp-login\.php.*" /)) {
return ("Failed Wordpress POST",$1,"WPLOGINPOST","3","80,443,21,25,22,23","1");
}
Now I can see which were using which method, and so far no US entries in my csf.deny file. Oh boy, 135 entries.
I recently faced the wrath of brute forcing on wp-login. For the time being I contained them by reducing the maximum connections per IP setting to 20 and blocking the IPs reaching CT_LIMIT for one day. This has managed to solve the problem, but I fear many legitimate users will be suffering. I tried your option and tested the wp-login page five times myself, but nothing happened. The output of tail -f /var/log/lfd.log is as follows:
Apr 27 09:47:53 server lfd[2481826]: Failed Wordpress GET 142.54.xxx.xxx - ignored
Apr 27 09:47:53 server lfd[2481826]: Failed Wordpress POST 142.54.xxx.xxx - ignored
Apr 27 09:47:53 server lfd[2481826]: Failed Wordpress GET 142.54.xxx.xxx - ignored
Apr 27 09:47:53 server lfd[2481826]: Failed Wordpress POST 142.54.xxx.xxx - ignored
Apr 27 09:47:53 server lfd[2481826]: Failed Wordpress GET 142.54.xxx.xxx - ignored
Apr 27 09:47:53 server lfd[2481826]: Failed Wordpress POST 142.54.xxx.xxx - ignored
Apr 27 09:47:53 server lfd[2481826]: Failed Wordpress GET 142.54.xxx.xxx - ignored
Apr 27 09:47:53 server lfd[2481826]: Failed Wordpress POST 142.54.xxx.xxx - ignored
Apr 27 09:47:53 server lfd[2481826]: Failed Wordpress GET 142.54.xxx.xxx - ignored
Apr 27 09:47:53 server lfd[2481826]: Failed Wordpress POST 142.54.xxx.xxx - ignored
Also, the IP appearing above is my server's, whereas my PC, from which I was accessing the website, has a different IP. Any guidance will be appreciated.
Hello @Waqass. Unless these were occurring at the same time as the login failures, they aren't necessarily related. Are you using anything like CloudFlare or Nginx?
I am using Engintron for cPanel, so yes, I am using nginx. Maybe it's causing issues, as my server IP is being reported instead of the real IPs :S
Hello @Waqass. To diagnose the problem I would need to see:
- Which (of the 3 posted here) lfd custom regex rules you are using.
- Sample log lines from one of the access_log files you are monitoring (full lines from end to end). Anonymize, but identify the source IP and the server IP/proxy IP if they both occur in the log line.
The only "issue" with these is that they don't really look for failures, they look for accesses. If (for example) your customer simply refreshes the page a few times and then tries to log in, they get blocked. Not trying to diss this at all; you just need to understand it's looking for access vs. failure.
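The harness below is an added example (not code from this thread, from ConfigServer or from CSF) that makes two things in the thread visible at once: why the original poster's rule can stay silent while asmithjr's fixed rule fires, and ffeingol's point that the fixed rule counts accesses rather than failures. It runs the three regexes posted above over constructed combined-format access_log lines (TEST-NET addresses, not real traffic) and prints which lines each rule would count and which IP it would capture as $1. The only part of the sample that is not made up is the WordPress behaviour it encodes: a failed POST to wp-login.php re-renders the form with a 200, a successful one answers with a 302 redirect.

```perl
#!/usr/bin/perl
# Added test harness: dry-run the regex.custom.pm rules from this thread
# against sample log lines before putting them on a live server.
use strict;
use warnings;

# Constructed sample lines in the combined format cPanel writes to
# /home/*/access-logs/* (TEST-NET addresses, invented sizes and agents).
my @lines = (
    # visitor loads the login form
    '203.0.113.10 - - [29/Jun/2020:19:40:45 +0300] "GET /wp-login.php HTTP/1.1" 200 3321 "-" "Mozilla/5.0"',
    # failed login: WordPress re-renders the form with 200
    '203.0.113.10 - - [29/Jun/2020:19:40:46 +0300] "POST /wp-login.php HTTP/1.1" 200 3416 "-" "Mozilla/5.0"',
    # successful login: WordPress redirects to wp-admin with 302
    '198.51.100.7 - - [29/Jun/2020:19:41:02 +0300] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    # unrelated request, must never be counted
    '198.51.100.7 - - [29/Jun/2020:19:41:03 +0300] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
);

# The rule bodies posted in the thread, verbatim, with a label each.
my @rules = (
    [ 'original rule (POST, status 200)'     => qr/(\S+).*] "POST \/wp-login\.php.*" 200/ ],
    [ 'fixed rule (GET or POST, any status)' => qr/(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" / ],
    [ 'split rule, POST half (any status)'   => qr/(\S+).*] "\w*(?:POST) \/wp-login\.php.*" / ],
);

# Mirror what lfd does with a custom rule: apply the regex and use $1 as
# the IP whose counter is incremented. Returns undef when the line is ignored.
sub match_rule {
    my ($re, $line) = @_;
    return $line =~ $re ? $1 : undef;
}

for my $r (@rules) {
    my ($label, $re) = @$r;
    print "$label\n";
    for my $line (@lines) {
        my ($req, $status) = $line =~ /"([^"]+)" (\d{3})/;   # request + status, for display only
        my $ip = match_rule($re, $line);
        printf "  %-30s -> %s\n", "$req $status",
            defined $ip ? "counted against $ip" : "no match";
    }
    print "\n";
}
```

Run it with perl on the server before editing /usr/local/csf/bin/regex.custom.pm. The original rule counts only POSTs answered with 200, so repeatedly loading the form (GET) or logging in successfully (302) never increments anything, which is one way the first post's test can leave csf.deny empty. The fixed rule counts every GET and POST to wp-login.php, including a legitimate user refreshing the page, which is exactly the access-versus-failure caveat above. Of the variants posted here, POST plus status 200 is the closest proxy for "a login actually failed", at the cost of not seeing pure GET floods.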
Really helpful info. Thanks ffeingol. I implemented this with CSF a week ago, and since then I haven't received any complaints from my real clients. It only blocked attempts from rare countries, so I guess it's working, but what you say is totally true. Thanks for the info ffeingol, I now understand better how this works.
Good day! I do the same, but it doesn't work. I just don't know where I went wrong.
Try to follow this guide. It's simple and it works perfectly: geekytuts - block-wp-login-and-xmlrpc-brute-force-attacks-with-csf-cpanel
I followed that guide, then tried to log in about 10 times, but the IP wasn't blocked.
Some things to make sure of:
1) Make sure the CSF firewall is ON, and not in testing mode.
2) Make sure you don't have your own country in CSF / Firewall Configuration / cc_ignore.
3) Make sure the LFD process is running. You can check that on the CSF / INFO tab (at the top of the page) and then LFD status.
It's also important that, when you add the custom rule to /usr/local/csf/bin/regex.custom.pm, you add it without blank lines at the top. I attach an image of how I made it work. After making any change to that file, restart CSF. Let me know if it worked.
Hello. How do I insert the account involved "in the log" instead of "your ban comment"? Thanks
I believe this will work, as it works for me.
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET) \/wp-login\.php.*" /)) {
return ("Failed Wordpress GET $lgfile",$1,"WPLOGINGET","3","80,443,21,25,22,23","1");
}
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:POST) \/wp-login\.php.*" /)) {
return ("Failed Wordpress POST $lgfile",$1,"WPLOGINPOST","3","80,443,21,25,22,23","1");
}
104.248.22.250 # lfd: (WPLOGINGET) Failed Wordpress GET /home/nsdc70/access-logs/******.com-ssl_log 104.248.22.250 (DE/Germany/-): 3 in the last 3600 secs - Tue Jun 2 02:46:33 2020
I put ***** in my log example above to hide the domain name, but as you see, I can now tell which log the message is from. I hope this helps.
Just to comment that although this appears to be useful, it doesn't seem to work for me. I followed the instructions, then used a VPN to try to log in to a WordPress site, and tried random logins 5 times to trigger the block. LFD accurately recorded the block like so:
(WPLOGIN) WP Login Attack 77.zzz.zzz.100 (-): 5 in the last 3600 secs - *Blocked in csf* port=80 [LF_CUSTOMTRIGGER]
And when I do a search in the block tables, the IP also shows in the CSF log as blocked for 5 minutes... All good, but then: as soon as the block was showing, I reloaded the wp-login page (still using the same VPN), this time entered the correct login credentials, and the site worked as normal, allowing me to log in... so... I'm not sure exactly what's happening there. I expected the site not to load, but it let me in just fine. The block shows, but I was still able to log in... what could be going wrong here?
Are you sure that the IP didn't change?
Hi guys, Google bots are also accessing the login. Will this rule affect the crawlers too?
Yes, this will affect crawlers too. The only thing you can do to prevent this is to set cc_ignore to the country the crawler comes from. For Google I guess it's US, but this will decrease the security and efficiency of CSF.
I guess you can also whitelist the hostname of the Google crawler in CSF, but I am not familiar with that.
Thanks mate. Do you know how to adjust the rule to immediately ban an IP that accesses both POST /wp-login.php and POST /xmlrpc.php? Because in most cases attackers check both files. Thanks
@masterross You really don't want to block them immediately, or your customers won't be able to log into their WordPress back end. In this part of the code:
return ("Failed Wordpress login from",$1,"wordpress","5","80,443","3600");
the "5" is the number of accesses to that URL.
I want to immediately block the IP only if it accesses both files (wp-login.php and xmlrpc.php) within 5 minutes, for example. Check my log:
146.185.163.81 - - [29/Jun/2020:19:40:45 +0300] "GET /wp-login.php HTTP/1.1" 200 3321 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
146.185.163.81 - - [29/Jun/2020:19:40:45 +0300] "POST /wp-login.php HTTP/1.1" 200 3416 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
146.185.163.81 - - [29/Jun/2020:19:40:46 +0300] "POST /xmlrpc.php HTTP/1.1" 503 6059 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
76.68.31.187 - - [29/Jun/2020:19:49:25 +0300] "POST /xmlrpc.php HTTP/1.1" 503 21988 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
76.68.31.187 - - [29/Jun/2020:19:49:25 +0300] "POST /wp-login.php HTTP/1.1" 200 12231 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
27.121.190.62 - - [29/Jun/2020:20:08:31 +0300] "POST /xmlrpc.php HTTP/1.1" 503 21988 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
27.121.190.62 - - [29/Jun/2020:20:08:33 +0300] "POST /wp-login.php HTTP/1.1" 200 12231 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
202.28.250.66 - - [29/Jun/2020:20:11:54 +0300] "GET /wp-login.php HTTP/1.1" 200 3300 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
202.28.250.66 - - [29/Jun/2020:20:11:55 +0300] "POST /wp-login.php HTTP/1.1" 200 3392 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
202.28.250.66 - - [29/Jun/2020:20:11:56 +0300] "POST /xmlrpc.php HTTP/1.1" 503 6050 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
So this rule won't affect any real user.
@masterross I'm sure that there is some way you could make that work, but as far as I'm aware it processes each log line independently, so there is nothing built into CSF/LFD to do what you want.
The question is, can I use an AND operand in the IF clause?
# note: Perl's logical operator is lowercase "and"; uppercase AND is not a Perl keyword
if (($globlogs{CUSTOM11_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:POST) \/xmlrpc\.php.*" /) and ($globlogs{CUSTOM11_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:POST) \/wp-login\.php.*" /)) {
return ("WP XMLPRC Attack",$1,"XMLRPC","1","80,443","3600");
}
Yes, you can (anything that you can do in Perl you can do), but as I said, I highly doubt this will work. The custom module (as I understand it) gets passed one Apache log line at a time, so it will never match that condition (as you can't have two different URLs on one log line). You'd probably be better off asking this level of detail on the ConfigServer forum instead of the cPanel forum.
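As the reply above says, lfd hands a custom rule one log line at a time, so a single regex can never express "both URLs from the same IP". Because regex.custom.pm is ordinary Perl, though, the rule can keep its own memory between calls. The sketch below is an added example, not code from this thread or from ConfigServer: correlate_line() remembers, per IP, when wp-login.php and xmlrpc.php were last requested, and returns the six-element list lfd expects from custom_line once both have been seen within a 300-second window. The window, the trigger name WPXMLRPC, the ports and the 10,000-entry housekeeping threshold are arbitrary choices; the code assumes lfd keeps the module loaded so the %seen hash survives from one line to the next, and that memory is lost whenever lfd restarts. The sample lines are constructed with TEST-NET addresses, modeled on the ones masterross posted.

```perl
#!/usr/bin/perl
# Added example: correlate two different request lines from one IP inside a
# regex.custom.pm-style rule. Stand-alone here; in the real module the body of
# correlate_line() would live in custom_line() behind the $globlogs check.
use strict;
use warnings;
use Time::Local qw(timegm);

my $WINDOW = 300;   # seconds within which both URLs must be seen (arbitrary)
my %seen;           # $seen{$ip}{wplogin|xmlrpc} = epoch of the last hit
                    # (assumption: lfd keeps this module loaded, so %seen persists)

my %mon = (Jan => 0, Feb => 1, Mar => 2, Apr => 3, May => 4,  Jun => 5,
           Jul => 6, Aug => 7, Sep => 8, Oct => 9, Nov => 10, Dec => 11);

# Convert an Apache timestamp such as "29/Jun/2020:19:40:45 +0300" to epoch
# seconds, honouring the zone offset. Returns undef on anything unexpected.
sub log_epoch {
    my ($stamp) = @_;
    my ($d, $m, $y, $H, $M, $S, $sign, $oh, $om) =
        $stamp =~ m{^(\d+)/(\w{3})/(\d{4}):(\d+):(\d+):(\d+) ([+-])(\d\d)(\d\d)$}
        or return;
    return unless exists $mon{$m};
    my $off = ($oh * 3600 + $om * 60) * ($sign eq '-' ? -1 : 1);
    return timegm($S, $M, $H, $d, $mon{$m}, $y) - $off;
}

# Drop IPs whose most recent hit is older than the window, so a flood of
# one-off probes cannot grow %seen without bound.
sub expire_stale {
    my ($now) = @_;
    for my $ip (keys %seen) {
        my ($latest) = sort { $b <=> $a } values %{ $seen{$ip} };
        delete $seen{$ip} if $now - $latest > $WINDOW;
    }
}

# Same contract as custom_line(): return the lfd six-element list
# (message, ip, trigger, count, ports, seconds) or an empty list to ignore.
sub correlate_line {
    my ($line) = @_;
    my ($ip, $stamp, $path) =
        $line =~ m{^(\S+) .*?\[([^\]]+)\] "(?:GET|POST) (/(?:wp-login|xmlrpc)\.php)}
        or return;
    my $t = log_epoch($stamp);
    return unless defined $t;

    my $key   = $path eq '/xmlrpc.php' ? 'xmlrpc' : 'wplogin';
    my $other = $key eq 'xmlrpc' ? 'wplogin' : 'xmlrpc';
    $seen{$ip}{$key} = $t;

    if (defined $seen{$ip}{$other} and abs($t - $seen{$ip}{$other}) <= $WINDOW) {
        delete $seen{$ip};   # report once, then start fresh for this IP
        # count "1" means lfd acts on the first report it receives
        return ("wp-login.php and xmlrpc.php probed from", $ip, "WPXMLRPC", "1", "80,443", "3600");
    }
    expire_stale($t) if scalar(keys %seen) > 10_000;
    return;
}

# Constructed sample lines (TEST-NET addresses, invented sizes and agents).
my @sample = (
    '203.0.113.5 - - [29/Jun/2020:19:40:45 +0300] "GET /wp-login.php HTTP/1.1" 200 3321 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [29/Jun/2020:19:40:46 +0300] "POST /xmlrpc.php HTTP/1.1" 503 6059 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [29/Jun/2020:19:49:25 +0300] "POST /wp-login.php HTTP/1.1" 200 12231 "-" "Mozilla/4.0"',
    # 19 minutes later: outside the window, so this IP is not reported
    '198.51.100.9 - - [29/Jun/2020:20:08:31 +0300] "POST /xmlrpc.php HTTP/1.1" 503 21988 "-" "Mozilla/4.0"',
);
for my $line (@sample) {
    my @hit = correlate_line($line);
    my ($req) = $line =~ /"([^"]+)"/;
    print @hit ? "$req -> block $hit[1] ($hit[0])\n" : "$req -> no action\n";
}
```

Only the second sample line produces a block (203.0.113.5, wp-login.php followed by xmlrpc.php one second later); the two requests from 198.51.100.9 are nineteen minutes apart and never pair up. The helper forgets an IP as soon as it has reported it, so a later pair from the same address would start a new window rather than fire again instantly.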
It doesn't work :) But I realized that I don't need it. I just block the IP that tests xmlrpc.php. BTW, do you know how blacklists work? I activated 2 of them and I see the lists are filled with IPs, but where are they used?
I tried all this and it doesn't work. I have the WP default login page URL changed, and if you go to mysite.com/wp-login.php you get a 404 error. Could this be the reason it doesn't work?
How do I block the IP that tests xmlrpc.php, using csf/lfd or some other way? Thanks