filtering the error_log for wordpress login faiures
I get ALOT of notifications like this in my /usr/local/apache/logs/error_log.
Is there a way for me to parse my apache log file which detects a wordpress login failure and produces a list of domain names that have been attacked? It would be brilliant if I could get the username of the site that has been attacked because these attacks could also be on add on domains etc. Perhaps some kind of ssh command or bash script I can run in SSH? The idea would be to apply some brute force prevention on accounts that are being attacked..
[Thu Oct 17 09:04:37 2013] [error] [client 109.108.142.158] ModSecurity: [file "/usr/local/apache/modsecurity.d/12_asl_brute.conf"> [line "61"> [id "377360"> [rev "2"> [msg "Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure "> [severity "WARNING"> [tag "no_ar"> Warning. Pattern match "200" at RESPONSE_STATUS. [hostname "somedomainname.org.uk"> [uri "/wp-login.php"> [unique_id "Ul@aFW1Lp9kAABxrMboAAAAT">
Is there a way for me to parse my apache log file which detects a wordpress login failure and produces a list of domain names that have been attacked? It would be brilliant if I could get the username of the site that has been attacked because these attacks could also be on add on domains etc. Perhaps some kind of ssh command or bash script I can run in SSH? The idea would be to apply some brute force prevention on accounts that are being attacked..
-
Hello :) You can find a list of access attempts blocked by Mod_Security at: "WHM Home " Plugins " Mod_Security" You can also find entries in: /usr/local/apache/logs/modsec_audit.log Or, if you only are seeking to obtain a list of the "hostname" entry in your Apache error log, you could develop a bash script that parses the domain name from those lines. The username of the account could then be obtained by comparing it to the /etc/userdomains file, or utilizing the /scripts/whoowns command. Thank you. 0
Please sign in to leave a comment.
Comments
1 comment