hello all -
i have a crontab script that runs every two minutes scanning logfiles for brute-force wordpress login attempts. if i find more than 40 in a one minute period, my script issues the following command something like:
csf --deny 111.222.333.444 ;
this seems to do the same thing as the "Quick Deny" button.
is there a command line equivalent of the "Quick Ignore" button? i am thinking this pesky IP number needs to be put into both places because the "csf --deny" command does not seem to be doing anything (or maybe i misunderstand what it is doing)
also, is there a limit to the number of IP numbers i can block?
thank you all.
automating blocking of IP numbers
-
- Junior Member
- Posts: 32
- Joined: 05 Oct 2013, 16:32
Re: automating blocking of IP numbers
i am very tempted to do something like:
echo "$IP_NBR" >>/etc/csf/csf.ignore ;
csf --restart ;
Re: automating blocking of IP numbers
You don't need a script for that; use regex.custom.pm and create a regex that traps those IPs, and CSF will block those IPs automatically for you.
What logs are you looking in for the offending IPs?
What OS and modsecurity rules are you using?
Re: automating blocking of IP numbers
hello sergio -
> What logs are you looking for the offending IPs?
i am looking in the /var/log/virtualmin directory for the *.com_access_log files. currently i am using "logtail" but your suggestion looks to be far more effective.
> What OS and modsecurity rules are you using?
Linux 2.6.32-431.11.2.el6.x86_64 #1 SMP Tue Mar 25 19:59:55 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
/etc/httpd/conf.d/mod_qos.conf:
QS_LocRequestLimitMatch ^/wp-login.php 3
QS_LocRequestPerSecLimitMatch ^/wp-login.php 1
> use regex.custom.pm and create a regex that traps that IPs and CSF will block that IPs automatically for you.
this is very interesting. do you by any chance have an example of one to block the wordpress wp-login.php script?
Re: automating blocking of IP numbers
Well, mod_qos will not help with this; I like how Mod_Security handles these attacks better.
That is why I asked you what ModSecurity rules you are using, because you can create a regex that looks for ModSecurity rule numbers and not just for WordPress login failures.
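The per-minute threshold check described in the first post, as an added example that is not code from this thread or from CSF. It assumes the access logs use the Apache common/combined format; the function names and sample lines are made up for illustration. Only the `csf --deny` command comes from the post.

```python
import ipaddress
import re
from collections import Counter

THRESHOLD = 40  # from the post: more than 40 attempts in a one-minute period

# Assumption: Apache common/combined log format in the *_access_log files.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "POST /wp-login\.php[ ?][^"]*"')


def offenders(lines, threshold=THRESHOLD):
    """Return IPs with more than `threshold` wp-login POSTs in any calendar minute."""
    per_minute = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m.group(1)))
        except ValueError:
            continue  # not an IP literal (e.g. a resolved hostname): never hand it to csf
        per_minute[(ip, m.group(2)[:17])] += 1  # "12/Apr/2014:10:15" = minute bucket
    return sorted({ip for (ip, _), n in per_minute.items() if n > threshold})


def deny_commands(ips):
    """argv lists for `csf --deny`; pass each to subprocess.run(argv), never a shell string."""
    return [["csf", "--deny", ip] for ip in ips]


def sample_log():
    """Constructed sample lines (documentation address ranges), not real traffic."""
    fmt = '{} - - [12/Apr/2014:10:{:02d}:{:02d} +0000] "{} HTTP/1.1" 200 3456'
    post, get = "POST /wp-login.php", "GET /index.php"
    lines = [fmt.format("203.0.113.7", 15, s, post) for s in range(45)]      # 45 in one minute
    lines += [fmt.format("198.51.100.9", 15, s, post) for s in range(30)]    # 30 + 11 = 41,
    lines += [fmt.format("198.51.100.9", 16, s, post) for s in range(11)]    # but split over two minutes
    lines += [fmt.format("host.example.net", 15, s, post) for s in range(50)]  # not an IP
    lines += [fmt.format("192.0.2.44", 15, s, get) for s in range(50)]       # not a login POST
    return lines


if __name__ == "__main__":
    for argv in deny_commands(offenders(sample_log())):
        print(" ".join(argv))  # prints: csf --deny 203.0.113.7
```

The count uses fixed calendar-minute buckets, so a burst that straddles a minute boundary can stay under the limit in both buckets. A sliding 60-second window would catch that case.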