Hi - this is my first post - but I have been a reader of this forum for a long time and learned a great deal.
I run a VPS with a number of low traffic, largely static Wordpress sites. It is Centos based and I use W3TC caching and a CDN to offload the server, which is very underutilized. I run Apache Forked with keep alive.
It is well configured - everything works smoothly - and CSF/LFD do a phenomenal job with the constant stream of probing - as well as outright attacks. With ONE exception... Bots or clients that hit the site with dozens or hundreds of requests for non-existent files. When this happens Wordpress happily tries to resolve the error with its internal 404 response, which of course consumes a chunk of memory. The 404's get logged in Cpanel's "latest users" log - but I never see them in the Apache error_log. CSF seems to ignore them and takes no action. CSF perfectly handles 404's outside WP - as well as every other rule I've given it to enforce.
Am I missing something? Is there a way to get CSF to recognize these WP 404's???
Thanks very much for any advice,
/ljj
CSF and Wordpress Practices
Re: CSF and Wordpress Practices
Let me ask a related question...
CSF/LFD looks at usr/local/apache/logs/error_log by default
error_log shows all 403's but NOT Wordpress 404's
access_log shows all 403's and 404's
But pointing at access_log does not seem to catch anything...
Am I missing something? I have googled for 2 weeks for an answer to this question....
Thank you,
/ljj
Re: CSF and Wordpress Practices
Can you post a sample of the WP 404 error log lines?
Re: CSF and Wordpress Practices
Here's one:
xxx.xxx.xxx.xxx - - [17/Oct/2015:08:56:05 -0400] "GET /foo.foo HTTP/1.1" 404 8684
Re: CSF and Wordpress Practices
After looking at the loginline404 and loginline403 functions in regex.pm it looks like the LF_APACHE_404 and LF_APACHE_404 regex were never designed to stop application based 404 or 403 errors.
I suggest you open a bug report and maybe Chirpy will update the regex to handle these.
Until this gets fixed you could add the following rules to /etc/csf/regex.custom.pm to block anyone for one hour who has over 100 - 404 or 403 errors. (make sure to restart LFD after you add them).
Code:
# Return values: description, IP address, rule ID, trigger count,
# ports to block, block time in seconds
# 404 error
if (($globlogs{LF_HTACCESS}{$lgfile}) and ($line =~ /(\S+).*] "GET .*" 404/)) {
    return ("Application 404 error from",$1,"app404","100","80,443","3600");
}
# 403 error
if (($globlogs{LF_HTACCESS}{$lgfile}) and ($line =~ /(\S+).*] "GET .*" 403/)) {
    return ("Application 403 error from",$1,"app403","100","80,443","3600");
}
I hope this helps
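A dry run of the two rules above over access_log lines, showing which IPs would reach the trigger before the rules go live in LFD. This is an added example, not part of the thread or of CSF: the two patterns are copied from the post, while the function names, the constructed sample lines and the assumption that hits are counted inside a 3600-second window are this example's own.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Patterns copied from the regex.custom.pm rules in the post above.
RULES = {
    "app404": re.compile(r'(\S+).*] "GET .*" 404'),
    "app403": re.compile(r'(\S+).*] "GET .*" 403'),
}
STAMP = re.compile(r"\[([^\]]+)\]")  # e.g. [17/Oct/2015:08:56:05 -0400]

def would_block(lines, trigger=100, window=3600):
    """Map (rule, ip) to the time of the hit that reaches `trigger`.

    Assumption of this example: hits count together only when they fall
    within `window` seconds of each other.
    """
    recent, blocked = defaultdict(deque), {}
    for line in lines:
        stamp = STAMP.search(line)
        for rule, pattern in RULES.items():
            m = pattern.search(line)
            if not (m and stamp):
                continue
            key = (rule, m.group(1))
            when = datetime.strptime(stamp.group(1), "%d/%b/%Y:%H:%M:%S %z")
            hits = recent[key]
            hits.append(when)
            while (when - hits[0]).total_seconds() > window:
                hits.popleft()  # drop hits that fell out of the window
            if len(hits) >= trigger:
                blocked.setdefault(key, when)
    return blocked

def sample_log():
    """Constructed access_log lines using documentation IPs."""
    fmt = '{ip} - - [17/Oct/2015:08:{m:02d}:{s:02d} -0400] "GET {path} HTTP/1.1" {code} 8684'
    noisy = [fmt.format(ip="192.0.2.10", m=i // 60, s=i % 60, path=f"/foo{i}.foo", code=404)
             for i in range(120)]
    visitor = [fmt.format(ip="198.51.100.7", m=30, s=i, path="/old-page", code=404)
               for i in range(5)]
    visitor.append(fmt.format(ip="198.51.100.7", m=31, s=0, path="/", code=200))
    return noisy + visitor

if __name__ == "__main__":
    for (rule, ip), when in would_block(sample_log()).items():
        print(f"{rule}: {ip} would be blocked at {when:%H:%M:%S}")
```

To check a real log, pass the open file object as `lines`; any address in the result that belongs to your CDN or monitoring service is one to exempt in csf.allow or csf.ignore before enabling the rules.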
Re: CSF and Wordpress Practices
Awesome... I also changed the location of htaccess to the access_log instead of error_log
Thanks very much....
/ljj