Login Failure Daemon or Login Tracking?

Post Reply
nobodyfamous
Junior Member
Posts: 13
Joined: 29 Dec 2013, 16:18

Login Failure Daemon or Login Tracking?

Post by nobodyfamous »

Server Details;
OS: Ubuntu 12.04 LTS
Virtualmin/Webmin


I have a joomla site getting brute force attacks. Joomla brute force attack extensions can limit the login attempts, but the server is still loaded with calls to the blocked login. I'd rather block the IP via CSF.

I have an extension using the following code;

Code: Select all

error_log(sprintf($this->params->get('message'), $response['username']));
It writes to the logfile /var/log/virtualmin/********.ca_error_log lines like these

Code: Select all

[Tue Jan 28 09:35:40 2014] [warn] [client 37.9.170.46] mod_fcgid: stderr: user admin authentication failure
[Tue Jan 28 11:42:33 2014] [warn] [client 213.238.175.56] mod_fcgid: stderr: user admin authentication failure, referer: http://*********.ca/administrator/index.php?option=com_login
Can I get CSF to read that log, or should I edit the code to write to a different log?

I have more than 1 Joomla site to do this for.
nobodyfamous
Junior Member
Posts: 13
Joined: 29 Dec 2013, 16:18

Re: Login Failure Daemon or Login Tracking?

Post by nobodyfamous »

I think CSF should be reading the error logs of all the sites. How do I get CSF to read/monitor extra logs? And better yet, with a wild card?
nobodyfamous
Junior Member
Posts: 13
Joined: 29 Dec 2013, 16:18

Re: Login Failure Daemon or Login Tracking?

Post by nobodyfamous »

so I just added the log file to /var/csf/csf.syslogs and it is monitoring it, but how do I get it to pickup on the log lines

Code: Select all

[Mon Feb 03 10:04:49 2014] [warn] [client 99.192.110.216] mod_fcgid: stderr: user  authentication failure, referer: http://www.****.ca/administrator/index.php
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: Login Failure Daemon or Login Tracking?

Post by Sergio »

nobodyfamous wrote:Server Details;
OS: Ubuntu 12.04 LTS
Virtualmin/Webmin


I have a joomla site getting brute force attacks. Joomla brute force attack extensions can limit the login attempts, but the server is still loaded with calls to the blocked login. I'd rather block the IP via CSF.

I have an extension using the following code;

Code: Select all

error_log(sprintf($this->params->get('message'), $response['username']));
It writes to the logfile /var/log/virtualmin/********.ca_error_log lines like these

Code: Select all

[Tue Jan 28 09:35:40 2014] [warn] [client 37.9.170.46] mod_fcgid: stderr: user admin authentication failure
[Tue Jan 28 11:42:33 2014] [warn] [client 213.238.175.56] mod_fcgid: stderr: user admin authentication failure, referer: http://*********.ca/administrator/index.php?option=com_login
Can I get CSF to read that log, or should I edit the code to write to a different log?

I have more than 1 Joomla site to do this for.
Yes, you can define the log that you want to monitor, check for the word "CUSTOM1_LOG" inside CSF configuration, follow the readme.txt to find out how to modify this.

Once you have defined the CUSTOM1_LOG, then you can create your own rule at /usr/local/csf/bin/regex.custom.pm, follow the instructions inside that file.

I have created my own rules using this and they work really great, the only caveat is that you need to know how to create regex rules. After creating your rules, you need to restart LSF not CSF and CSF will check if the regex is ok or not.

Sergio
webjive
Junior Member
Posts: 11
Joined: 03 Aug 2012, 21:44

Re: Login Failure Daemon or Login Tracking?

Post by webjive »

I know this is an old thread but, we're having the same issue now. We've been mitigating DDOS attacks and the attackers have moved to the Joomla admin login where Comodo WAF is catching this but, just returns a 403 after that still allowing the attacker to use up Apache resources.

It would be great if someone knows of a tutorial somewhere or even some regex code that could be pasted looking for this in the error_log;

[Tue Nov 10 15:58:16 2015] [error] [client 195.206.253.146] ModSecurity: Access denied with code 403 (phase 2). Operator GT matched 5 at IP:multiple_username_count. [file "/var/cpanel/cwaf/rules/09_Bruteforce_Bruteforce.conf"] [line "79"] [id "230021"] [rev "3"] [msg "COMODO WAF: Multiple Username Violation: Too Many Usernames Submitted for Authentication."] [data "Current Username: admin"] [hostname "www.urotoday.com"] [uri "/administrator/index.php"] [unique_id "VkJoeDJhsosAADXeBgYAAAAU"]

I could then added this custom CSF log code to all our servers and put an end to this nonsense.

Thanks so much!
nobodyfamous
Junior Member
Posts: 13
Joined: 29 Dec 2013, 16:18

Re: Login Failure Daemon or Login Tracking?

Post by nobodyfamous »

the mistress that is regex. . . I use this tool to work out my rules. http://www.regexr.com/

Paste in a few different lines of the error log you are looking for, than start playing with the regex and get it to match.

Start off by escaping "\" the reserved characters "[]." and then ranges etc. for things like IP addresses and dates etc.
webjive
Junior Member
Posts: 11
Joined: 03 Aug 2012, 21:44

Re: Login Failure Daemon or Login Tracking?

Post by webjive »

Thanks!! This seems to do the trick

/\[file \"\/var\/cpanel\/cwaf\/rules\/09_Bruteforce_Bruteforce.conf\"\]/g
webjive
Junior Member
Posts: 11
Joined: 03 Aug 2012, 21:44

Re: Login Failure Daemon or Login Tracking?

Post by webjive »

P.S.

Now, I'm scratching my head on this part of the CSF custom file

Example:
# if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ pure-ftpd: \(\?\@(\d+\.\d+\.\d+\.\d+)\) \[WARNING\] Authentication failed for user/)) {
# return ("Failed myftpmatch login from",$1,"myftpmatch","5","20,21","1");
# }
Post Reply