newbie using regex.custom.pm

edwardsmarkf
Junior Member
Posts: 32
Joined: 05 Oct 2013, 16:32

newbie using regex.custom.pm

Post by edwardsmarkf »

hello all -

Sergio was kind enough to introduce me to regex.custom.pm. i need to block access to the wordpress file wp-login.php.

here is what i am proposing to do:

1) file /etc/httpd/conf/httpd.conf

change:
CUSTOM2_LOG = "/var/log/messages"
to:
CUSTOM2_LOG = "/var/log/virtualmin/marksdomain.com_access_log"

2) file /usr/local/csf/bin/regex.custom.pm

add:

Code: Select all

if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /wp-login.php/)) {
  return ("Failed wp-login.php login from",$1,"wp-login.php","5","80,8080","1");
}
any thoughts, tips or suggestions?
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: newbie using regex.custom.pm

Post by Sergio »

That rule will not work as you are not specifying where the passing argument (IP) is. Regex has to be a little bit more elaborated than that, wish it could be that simple :)

Paste 3 log lines and I will try to elaborate a new rule for you.
edwardsmarkf
Junior Member
Posts: 32
Joined: 05 Oct 2013, 16:32

Re: newbie using regex.custom.pm

Post by edwardsmarkf »

sergio - once again, i thank you for helping me.

here is a good example of my log file!

62.60.138.142 - - [30/Mar/2014:03:58:32 -0400] "POST /wp-login.php HTTP/1.0" 500 534 "-" "-"
62.60.138.142 - - [30/Mar/2014:03:58:32 -0400] "POST /wp-login.php HTTP/1.0" 500 534 "-" "-"
62.60.138.142 - - [30/Mar/2014:03:58:33 -0400] "POST /wp-login.php HTTP/1.0" 500 534 "-" "-"
80.72.38.195 - - [30/Mar/2014:03:58:33 -0400] "GET /wp-login.php?action=register HTTP/1.1" 403 214 "http://lori.comptonpesltrainers.com/" "Mozilla/5.0 (Macintosh;
Intel Mac OS X 10_8_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36"
62.60.138.142 - - [30/Mar/2014:03:58:33 -0400] "POST /wp-login.php HTTP/1.0" 500 534 "-" "-"
62.60.138.142 - - [30/Mar/2014:03:58:33 -0400] "POST /wp-login.php HTTP/1.0" 500 534 "-" "-"
62.60.138.142 - - [30/Mar/2014:03:58:34 -0400] "POST /wp-login.php HTTP/1.0" 500 534 "-" "-"
62.60.138.142 - - [30/Mar/2014:03:58:34 -0400] "POST /wp-login.php HTTP/1.0" 500 534 "-" "-"
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: newbie using regex.custom.pm

Post by Sergio »

all of them doesn't include the offending IP, we need logs that has the IP in it.

Try to search on the /var/log/messages
ItsJustMe
Junior Member
Posts: 8
Joined: 03 Apr 2014, 22:21

Re: newbie using regex.custom.pm

Post by ItsJustMe »

Isn't the IP the very first word? 62.60.138.142.

Does it need to be in a specific format?
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: newbie using regex.custom.pm

Post by Sergio »

I thought it was your servers IP, sorry, then the regex rule will be like this:

Code: Select all

if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /(\S+) - - \[\S+\] "POST /wp-login\.php \S+" 500/)) {
  return ("Failed wp-login.php login from",$1,"wp-login.php","1","1");
}
this rule will block any IP with a wrong login at the first attempt.

After you wrote the rule to the regex.custom.pm restart only LFD not CSF as it is not necessary, if restarting LFD shows an error, go and delete the rule and check where it could be the error reported by LFD, don't left the rule or LFD will stop working.
edwardsmarkf
Junior Member
Posts: 32
Joined: 05 Oct 2013, 16:32

Re: newbie using regex.custom.pm

Post by edwardsmarkf »

sergio - and once again, i sincerely thank you!

two questions:
1) i see from the documentation that i pretended to read that we are limited to 10 log files. any chance this might be increased in the future?

2) is there a way to set some sort of counter, so it only happens after the tenth time?
maybe something like:

Code: Select all

use feature 'state';
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /(\S+) - - \[\S+\] "POST /wp-login\.php \S+" 500/)) {
    state $sergio_counter = 0;
    if  ( $sergio_counter > 10 )  {
      return ("Failed wp-login.php login from",$1,"wp-login.php","1","1");
    } else {
      $sergio_counter++;
    }
}
i am guessing here. my perl is rusty as i switched to PHP.
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: newbie using regex.custom.pm

Post by Sergio »

that is more easy than you think, using the rule I gave:

Code: Select all

if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /(\S+) - - \[\S+\] "POST /wp-login\.php \S+" 500/)) {
  return ("Failed wp-login.php login from",$1,"wp-login.php","10","1");
}
From the readme:
# $1 = the offending IP address
# "5" = the trigger level for blocking (I have set it to 10 per your request)
# "20,21" = the ports to block the IP from in a comma separated list, only used if LF_SELECT enabled (I didn't use this as I block any IP to all the ports and not just a few, but you can apply any ports that you want)
# "1" = n/temporary (n = number of seconds to temporarily block) or 1/permanant IP block, only used if LF_TRIGGER is disabled (I set this to 1, as in my servers I always block permanent)

Ok, as you see, this is easy to do and you don't have to set any script for counters, CSF will do it for you.

Now, you have to think on what you try to do, if you set to 10 failures and you have lets said 1,000 IPs attack (today one of my servers had about 700 different IPs attacking wordpress sites), then every IP will have 10 chances to find your password, that will be about 10,000 errors that your server will have to handle and the load in your server will be very high. I used to gave 3 chances and the load on my servers sometimes went to a load of 45. After I set the rules to only give 1 chance, the load in the servers went down to 1.5.

Also, you will have to be careful with the total IPs that you will be blocking as CSF.DENY will be filled very quickly.
edwardsmarkf
Junior Member
Posts: 32
Joined: 05 Oct 2013, 16:32

Re: newbie using regex.custom.pm

Post by edwardsmarkf »

a couple more questions (sorry!)

1) the instructions say "the trigger level for blocking" - i take it this means the number of "failures"?

2) your example gave the following:

Code: Select all

$1,"wp-login.php","10","1"
it appears the "1" will be interpreted as a port number? don't we need to specify the port numbers?

update: i now have this syntax:

Code: Select all

if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /(\S+) - - \[\S+\] "POST \/wp-login\.php \S+" 500/)) {
  return ("Failed wp-login.php login from",$1,"wp-login.php","1","80","10");
}
i ran into a problem trying to have the forward-slash character inside of the regex - it needed to be backslash-quoted, or i probably could have used the question-mark character for the beginning and ending regex markers.
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: newbie using regex.custom.pm

Post by Sergio »

edwardsmarkf wrote:a couple more questions (sorry!)

1) the instructions say "the trigger level for blocking" - i take it this means the number of "failures"?

2) your example gave the following:

Code: Select all

$1,"wp-login.php","10","1"
it appears the "1" will be interpreted as a port number? don't we need to specify the port numbers?
10 are the number of failures and I set 1, as in my rules I always make a permanent block and I don't set ports, I mean when the IP is blocked it can't access any port in my server. You can set like you did "10","80","1" if you just want to block it for 1 hour, then you go with "10","80","3600"
update: i now have this syntax:

Code: Select all

if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /(\S+) - - \[\S+\] "POST \/wp-login\.php \S+" 500/)) {
  return ("Failed wp-login.php login from",$1,"wp-login.php","1","80","10");
}
Here you are defining: "1","80","10" = 1 failure, block port 80 for 10 seconds.
i ran into a problem trying to have the forward-slash character inside of the regex - it needed to be backslash-quoted, or i probably could have used the question-mark character for the beginning and ending regex markers.
Just copy and paste this new rule:

Code: Select all

	if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /(\S+) - - \[\S+\] "POST \/wp-login\.php \S+" 500/))  {
		return ("Failed wordpress login",$1,"WordPressFail","10","80","1");
	}
If LFD gives an error, please post it here.
Post Reply