regex.custom.pm for WordPress wp-login brute force

[phpwebdev]

Hello All,

I am trying to get LFD to monitor for WordPress brute-force attacks on my site. Here is what I have done so far but LFD is not triggering:

Code: Select all

CUSTOM1_LOG = "/var/log/httpd/MYDOMAIN.com_access_log"

Code: Select all

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /\] \"POST \/wp-login/)) {
                return ("wp-login attempt from",$2,"wplogin","5","80","3600");
        }

And here is the log entry I am trying to block on:

Code: Select all

58.11.173.48 - - [16/Jun/2013:07:14:18 -0700] "POST /wp-login.php HTTP/1.0" 200 5176 "MYDOMAIN/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"

I might be missing something.

[joethesysadmin]

I accomplished this by using the "WP fail2ban" plugin (just the plugin, not the fail2ban scripts) to log the login attempt to /var/log/messages via syslog. I then created the following regex using the regex.pm entries as an example.

I put the following in regex.custom.pm

Code: Select all

#Wordpress
	if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /Authentication failure for (\S+) from ([\d.]+)?/))
	{
		$ip = $2; $acc = $1; $ip =~ s/^::ffff://;
		return ("Failed WordPress login from",$ip,"wordpresshackers","2","80,443","1");
	}

In my example, you can see that I have created two variables (the (\S+) and the ([\d.]+) bits) I can then format them however I like, and return them as $1 and $2. Your regex is not doing any of that.

[verdonv]

Hi,

Is there something I need to do to enable the custom regex? I have installed "WP fail2ban". I have verified that failed logins are being written to /var/log/messages. I have added the regex

Code: Select all

   if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /Authentication failure for (\S+) from ([\d.]+)?/))
   {
      $ip = $2; $acc = $1; $ip =~ s/^::ffff://;
      return ("Failed WordPress login from",$ip,"wordpresshackers","5","80,443","1");
   }

to regex.custom.pm. I tested the regex at rubular DOT com and it seems to be working. I restarted CSF and LFD. It all looks like it should work, but attempts to trigger a ban with successive failed logins are not working. I'm not sure where to look for an error. Any help would be most appreciated.

Thks,
v

[verdonv]

Not sure what I was doing wrong the other day, but this is working now.

[leisegang]

i am on CentOS version 7
I cant get this to work.

I have installed the fail2ban wordpress plugin, but i cant see anything in my /var/log/messages log.

So i am not able to block all those attempts. Any help?