Re: Custom REGEX rules for CSF.
Posted: 05 Apr 2024, 07:56
Use the following to block WordPress XMLRPC and WP-login attacks.
Ensure you set CUSTOM2 to the Apache log files and CUSTOM3 to the Exim rejectlog file in csf.conf.
Code:
# Return fields: log message, offending IP ($1), rule ID, trigger count,
# ports to block, temporary block time in seconds.
# XMLRPC
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/xmlrpc\.php.*" /)) {
    return ("WP XMLRPC Attack",$1,"XMLRPC","5","80,443","3600");
}
# WP-LOGINS
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
    return ("WP Login Attack",$1,"WPLOGIN","5","80,443","3600");
}
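Added example, not part of the original post: a stand-alone Perl harness that runs the two patterns above over constructed Apache log lines, so you can see what each rule matches and what `$1` captures before enabling it in lfd. The `match_rule` sub and every sample line are assumptions made for this test; the `%globlogs` check is left out so the script runs outside lfd.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical stand-in for the custom rule hook: same two regexes as the
# post, minus the $globlogs{CUSTOM2_LOG} check (not available outside lfd).
sub match_rule {
    my ($line) = @_;
    if ($line =~ /(\S+).*] "\w*(?:GET|POST) \/xmlrpc\.php.*" /) {
        return ("WP XMLRPC Attack", $1, "XMLRPC", "5", "80,443", "3600");
    }
    if ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /) {
        return ("WP Login Attack", $1, "WPLOGIN", "5", "80,443", "3600");
    }
    return;    # empty list: line is ignored
}

# Constructed sample lines (documentation IP ranges), one case per line.
my @samples = (
    # plain XML-RPC POST
    '203.0.113.7 - - [05/Apr/2024:07:50:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 413 "-" "curl/8.0"',
    # login POST answered with 200 (form shown again)
    '203.0.113.7 - - [05/Apr/2024:07:50:02 +0000] "POST /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # login POST answered with a 302 redirect: status code is not inspected
    '198.51.100.23 - - [05/Apr/2024:07:50:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    # WordPress installed in a subdirectory: path does not start with /xmlrpc.php
    '203.0.113.7 - - [05/Apr/2024:07:50:04 +0000] "GET /blog/xmlrpc.php HTTP/1.1" 200 42 "-" "curl/8.0"',
    # log format that starts with the vhost instead of the client address
    'example.com:443 198.51.100.23 - - [05/Apr/2024:07:50:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 413 "-" "curl/8.0"',
    # unrelated request
    '192.0.2.50 - - [05/Apr/2024:07:50:06 +0000] "GET /index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
);

for my $line (@samples) {
    my @hit = match_rule($line);
    my ($request) = $line =~ /"([^"]*)"/;    # quoted request, for display only
    if (@hit) {
        printf "%-8s captured=%-16s trigger=%s block=%ss  <- %s\n",
            $hit[2], $hit[1], $hit[3], $hit[5], $request;
    } else {
        printf "%-8s %-25s %-26s <- %s\n", "no match", "", "", $request;
    }
}
```

The patterns ignore the HTTP status code, so every request to either path counts toward the trigger of 5, and `$1` is simply the first field of the line, so confirm that the log format behind CUSTOM2 starts with the client address.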