Custom regex not working

seco
Junior Member
Posts: 13
Joined: 01 Apr 2015, 19:57

Post by seco »

Hello,

I'm using this regex to block wp-login.php POST requests on /etc/csf/regex.custom.pm:

Code:

if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "POST \/wp-login\.php.*" 200/)) {
    return ("Failed WordPress login from",$1,"wordpress","5","80,443","3600");
}

My CUSTOM2_LOG points to the access_log file in csf.conf correctly.
I restart csf after making the changes:

Code:

csf -r

POST requests are still working!!
How to make it work?

Regards,
madeye
Junior Member
Posts: 3
Joined: 24 Oct 2018, 11:31

Re: Custom regex not working

Post by madeye »

This one caught me out (see viewtopic.php?f=6&t=11009)

The 4th parameter in the return statement is the number of times the rule can be triggered before the IP is blocked. If you change this to "1" then you should get blocked after the first request.

Also I think you may need to restart the lfd service as well as csf if you change the rules (not 100% sure about this though).
alsmith
Junior Member
Posts: 24
Joined: 10 Dec 2006, 13:13

Re: Custom regex not working

Post by alsmith »

I'm trying to implement this also but not getting anything in csf.deny.

My regex.custom.pm:

Code:

# DETECT AND BLOCK wp-login.php POST DOS attacks (requires: CUSTOM2_LOG = "/home/*/access-logs/*" in csf.conf)
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "POST \/wp-login\.php.*" 200/)) {
   return ("Failed Wordpress login from",$1,"wordpress","5","80,443","3600");
}

In my csf.conf, CUSTOM2_LOG:

Code:

CUSTOM2_LOG = "/home/*/access-logs/*"

I restarted csf with csf -r then tried accessing a WordPress site's wp-login.php more than 5 times. I still get to the wp-login.php on the website and DO NOT see any entry in the /etc/csf/csf.deny file.
I DO see 12 failed attempts in my /home/user/access-logs/domain-ssl_log file.

I made sure my IP is not in /etc/csf/csf.allow
Has anyone been able to get this to work? Is it supposed to place entry into csf.deny? It is my understanding it should.
alsmith
Junior Member
Posts: 24
Joined: 10 Dec 2006, 13:13

Re: Custom regex not working

Post by alsmith »

I found the answer in this thread: viewtopic.php?t=9447

Code:

# WP-LOGINS
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
    return ("your ban comment",$1,"WPLOGINorWHATEVER","3","80,443,21,25,22,23","1");
}

Notice the \w*(?:GET|POST) vs the POST difference.
Well, my test would not show in the csf.deny, but as soon as I restarted csf after saving this I saw entries come in the csf.deny.

It would be nice to know which logfile (user) was getting hit.
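
An offline check of the two patterns posted in this thread, as an added example that is not part of any post here and is not csf/lfd code. The log lines are constructed, the names (`entry`, `tally`, `post_200`, `get_or_post`) are made up for the example, and it assumes a block happens once an IP's hit count reaches the 4th return value, with no time window applied.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The two patterns from the thread, copied unchanged, with their trigger counts.
my %rules = (
    post_200    => { re => qr/(\S+).*] "POST \/wp-login\.php.*" 200/,          trigger => 5 },
    get_or_post => { re => qr/(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /, trigger => 3 },
);

# Build one constructed access-log line in Apache combined format.
sub entry {
    my ($ip, $method, $status) = @_;
    return qq{$ip - - [10/Dec/2018:10:00:00 +0000] "$method /wp-login.php HTTP/1.1" $status 2301 "-" "test"};
}

# Constructed sample traffic (documentation IP ranges, not real clients).
my @log = (
    entry('203.0.113.7', 'GET', 200),                    # login form loaded
    (map { entry('203.0.113.7', 'POST', 200) } 1 .. 4),  # four failed logins
    entry('198.51.100.9', 'POST', 302),                  # one successful login
    (map { entry('198.51.100.9', 'GET', 200) } 1 .. 2),  # form loaded twice
);

# Count matching lines per captured IP ($1), the value a custom rule returns to lfd.
sub tally {
    my ($re, @lines) = @_;
    my %hits;
    for my $line (@lines) {
        $hits{$1}++ if $line =~ $re;
    }
    return %hits;
}

for my $name (sort keys %rules) {
    my %hits    = tally($rules{$name}{re}, @log);
    my $trigger = $rules{$name}{trigger};
    print "$name (trigger $trigger):\n";
    print "  no lines matched\n" unless %hits;
    for my $ip (sort keys %hits) {
        # Assumption: the IP is blocked once its hit count reaches the trigger.
        my $verdict = $hits{$ip} >= $trigger ? 'would block' : 'below trigger';
        printf "  %-14s %d hit(s), %s\n", $ip, $hits{$ip}, $verdict;
    }
}
```

On this sample the POST/200 pattern counts only the four failed logins and stays below its trigger of 5, while the GET|POST pattern also counts form loads and the successful login, so both addresses reach its trigger of 3. Replacing `@log` with lines from the file CUSTOM2_LOG points at shows whether a pattern matches the real log format at all.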
logout
Junior Member
Posts: 14
Joined: 17 Jul 2017, 01:51

Re: Custom regex not working

Post by logout »

Did you get this code working in the end?
May I ask the benefit of a custom rule on csf compared with widely used mod_security rules to block wp-login brute force? Is there any advantage here or is it just another way to achieve the same goal?