Login Failure Daemon or Login Tracking?

nobodyfamous
Junior Member
Posts: 13
Joined: 29 Dec 2013, 16:18

Login Failure Daemon or Login Tracking?

Post by nobodyfamous »

Server Details:
OS: Ubuntu 12.04 LTS
Virtualmin/Webmin


I have a Joomla site getting brute force attacks. Joomla brute force attack extensions can limit the login attempts, but the server is still loaded with calls to the blocked login. I'd rather block the IP via CSF.

I have an extension using the following code:

error_log(sprintf($this->params->get('message'), $response['username']));

It writes to the logfile /var/log/virtualmin/********.ca_error_log lines like these:

[Tue Jan 28 09:35:40 2014] [warn] [client 37.9.170.46] mod_fcgid: stderr: user admin authentication failure
[Tue Jan 28 11:42:33 2014] [warn] [client 213.238.175.56] mod_fcgid: stderr: user admin authentication failure, referer: http://*********.ca/administrator/index.php?option=com_login
Can I get CSF to read that log, or should I edit the code to write to a different log?

I have more than 1 Joomla site to do this for.
nobodyfamous
Junior Member
Posts: 13
Joined: 29 Dec 2013, 16:18

Re: Login Failure Daemon or Login Tracking?

Post by nobodyfamous »

I think CSF should be reading the error logs of all the sites. How do I get CSF to read/monitor extra logs? And better yet, with a wildcard?
nobodyfamous
Junior Member
Posts: 13
Joined: 29 Dec 2013, 16:18

Re: Login Failure Daemon or Login Tracking?

Post by nobodyfamous »

So I just added the log file to /var/csf/csf.syslogs and it is monitoring it, but how do I get it to pick up on log lines like this one?

[Mon Feb 03 10:04:49 2014] [warn] [client 99.192.110.216] mod_fcgid: stderr: user  authentication failure, referer: http://www.****.ca/administrator/index.php
Sergio
Junior Member
Posts: 1687
Joined: 12 Dec 2006, 14:56

Re: Login Failure Daemon or Login Tracking?

Post by Sergio »

nobodyfamous wrote:
Server Details:
OS: Ubuntu 12.04 LTS
Virtualmin/Webmin


I have a Joomla site getting brute force attacks. Joomla brute force attack extensions can limit the login attempts, but the server is still loaded with calls to the blocked login. I'd rather block the IP via CSF.

I have an extension using the following code:

error_log(sprintf($this->params->get('message'), $response['username']));

It writes to the logfile /var/log/virtualmin/********.ca_error_log lines like these:

[Tue Jan 28 09:35:40 2014] [warn] [client 37.9.170.46] mod_fcgid: stderr: user admin authentication failure
[Tue Jan 28 11:42:33 2014] [warn] [client 213.238.175.56] mod_fcgid: stderr: user admin authentication failure, referer: http://*********.ca/administrator/index.php?option=com_login
Can I get CSF to read that log, or should I edit the code to write to a different log?

I have more than 1 Joomla site to do this for.
Yes, you can define the log that you want to monitor: check for the word "CUSTOM1_LOG" inside the CSF configuration, and follow the readme.txt to find out how to modify this.

Once you have defined the CUSTOM1_LOG, you can create your own rule at /usr/local/csf/bin/regex.custom.pm; follow the instructions inside that file.

I have created my own rules using this and they work really great. The only caveat is that you need to know how to create regex rules. After creating your rules, you need to restart LFD, not CSF, and CSF will check if the regex is ok or not.

Sergio
webjive
Junior Member
Posts: 11
Joined: 03 Aug 2012, 21:44

Re: Login Failure Daemon or Login Tracking?

Post by webjive »

I know this is an old thread, but we're having the same issue now. We've been mitigating DDoS attacks, and the attackers have moved to the Joomla admin login, where Comodo WAF is catching this but just returns a 403 after that, still allowing the attacker to use up Apache resources.

It would be great if someone knows of a tutorial somewhere, or even some regex code that could be pasted, looking for this in the error_log:

[Tue Nov 10 15:58:16 2015] [error] [client 195.206.253.146] ModSecurity: Access denied with code 403 (phase 2). Operator GT matched 5 at IP:multiple_username_count. [file "/var/cpanel/cwaf/rules/09_Bruteforce_Bruteforce.conf"] [line "79"] [id "230021"] [rev "3"] [msg "COMODO WAF: Multiple Username Violation: Too Many Usernames Submitted for Authentication."] [data "Current Username: admin"] [hostname "www.urotoday.com"] [uri "/administrator/index.php"] [unique_id "VkJoeDJhsosAADXeBgYAAAAU"]

I could then add this custom CSF log code to all our servers and put an end to this nonsense.

Thanks so much!
nobodyfamous
Junior Member
Posts: 13
Joined: 29 Dec 2013, 16:18

Re: Login Failure Daemon or Login Tracking?

Post by nobodyfamous »

The mistress that is regex... I use this tool to work out my rules: http://www.regexr.com/

Paste in a few different lines of the error log you are looking for, then start playing with the regex and get it to match.

Start off by escaping the reserved characters "[]." with "\", and then ranges etc. for things like IP addresses and dates.
webjive
Junior Member
Posts: 11
Joined: 03 Aug 2012, 21:44

Re: Login Failure Daemon or Login Tracking?

Post by webjive »

Thanks!! This seems to do the trick:

/\[file \"\/var\/cpanel\/cwaf\/rules\/09_Bruteforce_Bruteforce.conf\"\]/g
webjive
Junior Member
Posts: 11
Joined: 03 Aug 2012, 21:44

Re: Login Failure Daemon or Login Tracking?

Post by webjive »

P.S.

Now, I'm scratching my head on this part of the CSF custom file:

Example:
# if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ pure-ftpd: \(\?\@(\d+\.\d+\.\d+\.\d+)\) \[WARNING\] Authentication failed for user/)) {
# return ("Failed myftpmatch login from",$1,"myftpmatch","5","20,21","1");
# }
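Tying the thread together, here is an added example that is not code from the thread, from any of the posters, or from CSF itself: a custom_line() body in the shape of the commented example above, with one rule for the mod_fcgid "authentication failure" lines nobodyfamous posted and one for the Comodo WAF brute-force lines webjive posted, followed by a small offline driver that runs both rules over constructed sample lines. The %config hash, the two log paths, the rule identifiers, the trigger counts, the port list and the 3600-second block are all assumptions chosen for illustration, and the meaning of the six return fields is taken from the commented example in the file. One point worth noting for webjive's regex: it matches only the [file "..."] tag and has no capture group, so $1 would carry nothing for lfd to block; both rules below capture the client IP explicitly.

```perl
#!/usr/bin/perl
# Added example: a custom_line() rule in the shape used by
# /usr/local/csf/bin/regex.custom.pm, plus a small self-test driver.
# Not code from the thread or from CSF; %config and the sample log lines
# are constructed stand-ins.
use strict;
use warnings;

# Assumption: these are the two paths configured as CUSTOM1_LOG and
# CUSTOM2_LOG in csf.conf (the real %config is supplied by csf/lfd).
my %config = (
    CUSTOM1_LOG => '/var/log/virtualmin/example.ca_error_log',
    CUSTOM2_LOG => '/usr/local/apache/logs/error_log',
);

# Hypothetical rule body.  Return values follow the commented example in
# regex.custom.pm: (description, IP, rule identifier, triggers before a
# block, ports to block, block length in seconds or 1 for permanent).
sub custom_line {
    my ($line, $lgfile) = @_;

    # Rule 1: mod_fcgid "user <name> authentication failure" lines written by
    # the Joomla extension.  (?:\S+\s+)? keeps the rule matching the line in
    # the thread where the username is empty.  (?::\d+)? after the IP
    # tolerates Apache 2.4's "[client IP:port]" form.
    if (($lgfile eq $config{CUSTOM1_LOG}) and
        ($line =~ /^\[[^\]]+\] \[warn\] \[client (\d+\.\d+\.\d+\.\d+)(?::\d+)?\] mod_fcgid: stderr: user\s+(?:\S+\s+)?authentication failure/)) {
        return ("Failed Joomla admin login from", $1, "joomlalogin", "5", "80,443", "3600");
    }

    # Rule 2: Comodo WAF brute-force rule hits logged by ModSecurity.  The
    # client IP is captured explicitly; a pattern that only matches the
    # [file "..."] tag gives lfd no address to block.
    if (($lgfile eq $config{CUSTOM2_LOG}) and
        ($line =~ /^\[[^\]]+\] \[error\] \[client (\d+\.\d+\.\d+\.\d+)(?::\d+)?\] ModSecurity: Access denied with code 403 .*\[file "\/var\/cpanel\/cwaf\/rules\/09_Bruteforce_Bruteforce\.conf"\]/)) {
        return ("Comodo WAF brute-force rule hit from", $1, "cwafbrute", "3", "80,443", "3600");
    }

    return 0;   # no rule matched
}

# Constructed sample lines modelled on the ones quoted in the thread; the
# IPs are from the 192.0.2.0/24 documentation range, hostnames are placeholders.
my @samples = (
    [ $config{CUSTOM1_LOG},
      '[Tue Jan 28 09:35:40 2014] [warn] [client 192.0.2.10] mod_fcgid: stderr: user admin authentication failure' ],
    [ $config{CUSTOM1_LOG},
      '[Mon Feb 03 10:04:49 2014] [warn] [client 192.0.2.11] mod_fcgid: stderr: user  authentication failure, referer: http://www.example.ca/administrator/index.php' ],
    [ $config{CUSTOM2_LOG},
      '[Tue Nov 10 15:58:16 2015] [error] [client 192.0.2.12] ModSecurity: Access denied with code 403 (phase 2). Operator GT matched 5 at IP:multiple_username_count. [file "/var/cpanel/cwaf/rules/09_Bruteforce_Bruteforce.conf"] [line "79"] [id "230021"] [uri "/administrator/index.php"]' ],
    # A line that is not an authentication failure must not trigger rule 1.
    [ $config{CUSTOM1_LOG},
      '[Tue Jan 28 09:40:00 2014] [warn] [client 192.0.2.13] mod_fcgid: stderr: user admin logged in' ],
    # A WAF hit arriving in the wrong log is ignored: each rule is tied to its $lgfile.
    [ $config{CUSTOM1_LOG},
      '[Tue Nov 10 16:00:00 2015] [error] [client 192.0.2.14] ModSecurity: Access denied with code 403 (phase 2). [file "/var/cpanel/cwaf/rules/09_Bruteforce_Bruteforce.conf"]' ],
);

for my $sample (@samples) {
    my ($lgfile, $line) = @$sample;
    my @rule = custom_line($line, $lgfile);
    if (@rule == 6) {
        printf "MATCH %-12s ip=%-12s triggers=%s ports=%s  (%s)\n",
               $rule[2], $rule[1], $rule[3], $rule[4], $rule[0];
    } else {
        print "no match: $line\n";
    }
}
```

Run the script with perl on its own first: the first three samples should report a match with the right IP and the last two should report no match. Only then copy the two if-blocks into the custom_line() body of regex.custom.pm, keep them tied to the CUSTOM1_LOG/CUSTOM2_LOG values actually set in csf.conf, and restart lfd as Sergio describes so it re-reads the rules. The trigger counts and the one-hour temporary block are deliberately conservative starting values; a successful login from a shared office or NAT address would otherwise be caught up in a permanent block.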