That is easier than you think, using the rule I gave:
Code:
# "/" inside the pattern is escaped; the timestamp field may contain a space
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /(\S+) - - \[[^\]]+\] "POST \/wp-login\.php \S+" 500/)) {
    return ("Failed wp-login.php login from",$1,"wp-login.php","10","1");
}
From the readme:
# $1 = the offending IP address
# "5" = the trigger level for blocking (I have set it to 10 per your request)
# "20,21" = the ports to block the IP from in a comma separated list, only used if LF_SELECT enabled (I didn't use this as I block any IP to all the ports and not just a few, but you can apply any ports that you want)
# "1" = n/temporary (n = number of seconds to temporarily block) or 1/permanent IP block, only used if LF_TRIGGER is disabled (I set this to 1, as on my servers I always block permanently)
OK, as you see, this is easy to do and you don't have to set up any script for counters; CSF will do it for you.
Now, you have to think about what you are trying to do. If you set it to 10 failures and you have, let's say, 1,000 IPs attacking (today one of my servers had about 700 different IPs attacking WordPress sites), then every IP will have 10 chances to find your password. That will be about 10,000 errors that your server will have to handle, and the load on your server will be very high. I used to give 3 chances and the load on my servers sometimes went up to 45. After I set the rules to give only 1 chance, the load on the servers went down to 1.5.
Also, you will have to be careful with the total number of IPs that you will be blocking, as CSF.DENY will be filled very quickly.
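An offline check of the rule's pattern and of the trigger-level trade-off described in the post, as an added example that is not part of the original post or of CSF. The log lines are constructed samples using documentation IP addresses, `tally` is a hypothetical helper, and the script assumes all hits fall inside one counting interval.

```perl
#!/usr/bin/perl
# Added example: test the custom pattern on sample lines before editing regex.custom.pm.
use strict;
use warnings;

# Same pattern as the rule in the post.
my $re = qr/(\S+) - - \[[^\]]+\] "POST \/wp-login\.php \S+" 500/;

# Constructed sample access-log lines (not real traffic).
my @lines = (
    (map { sprintf('198.51.100.7 - - [12/Apr/2013:10:00:%02d +0000] "POST /wp-login.php HTTP/1.1" 500 512', $_) } 1 .. 12),
    (map { sprintf('203.0.113.9 - - [12/Apr/2013:10:01:%02d +0000] "POST /wp-login.php HTTP/1.1" 500 512', $_) } 1 .. 3),
    '203.0.113.9 - - [12/Apr/2013:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048',
    '192.0.2.44 - - [12/Apr/2013:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2048',
);

# Count matching lines per source IP (hypothetical helper).
sub tally {
    my ($pattern, @log) = @_;
    my %hits;
    for my $line (@log) {
        $hits{$1}++ if $line =~ $pattern;
    }
    return %hits;
}

my %hits = tally($re, @lines);
printf "%-15s %d matching lines\n", $_, $hits{$_} for sort keys %hits;

# Compare the trigger level from the rule (10) with a single-chance rule (1):
# which IPs reach the trigger, and how many failed requests the web server
# still handles before each block takes effect.
for my $trigger (10, 1) {
    my ($served, @blocked) = (0);
    for my $ip (sort keys %hits) {
        my $n = $hits{$ip};
        push @blocked, $ip if $n >= $trigger;
        $served += $n < $trigger ? $n : $trigger;
    }
    printf "trigger=%-2d blocked=[%s] failed requests handled=%d\n",
        $trigger, join(', ', @blocked), $served;
}
```

Replace the sample lines with a few lines copied from the log named in CUSTOM2_LOG to confirm the pattern matches that server's log format.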