Custom regex not working

[seco]

Hello,

I'm using this regex to block wp-login.php POST requests on /etc/csf/regex.custom.pm:

Code: Select all

if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "POST \/wp-login\.php.*" 200/)) {
    return ("Failed WordPress login from",$1,"wordpress","5","80,443","3600");
}

My CUSTOM2_LOG point to the access_log file in csf.conf correctly.
I restart csf after making the changes

Code: Select all

csf -r

Still POST requests working!!
How to make it work?

Regards,

[madeye]

This one caught me out (see viewtopic.php?f=6&t=11009)

The 4th parameter in the return statement is the number of times the rule can be triggered before the IP is blocked. If you change this to "1" then you should get blocked after the first request

Also I think you may need to restart lfd service as well as csf if you change the rules (not 100% sure about this though)

[alsmith]

I'm trying to implement this also but not getting anything in csf.deny.

my regex.custom.pm

Code: Select all

# DETECT AND BLOCK wp-login.php POST DOS attacks (requires: CUSTOM2_LOG = "/home/*/access-logs/*" in csf.conf)
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "POST \/wp-login\.php.*" 200/)) {
   return ("Failed Wordpress login from",$1,"wordpress","5","80,443","3600");
}

in my csf.conf CUSTOM2_LOG

Code: Select all

CUSTOM2_LOG = "/home/*/access-logs/*"

I restarted csf with csf -r then tried accessing a wordpress site wp-login.php more than 5 times. I still get to the wp-login.php on the website and DO NOT see any entry in /etc/csf/csf.deny file.
I DO see 12 failed attempts in my /home/user/access-logs/domain-ssl_log file

I made sure my IP is not in /etc/csf/csf.allow
Has anyone been able to get this to work? Is it supposed to place entry into csf.deny? It is my understanding it should.

[alsmith]

I found the answer in this thread viewtopic.php?t=9447

Code: Select all

 # WP-LOGINS
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
    return ("your ban comment",$1,"WPLOGINorWHATEVER","3","80,443,21,25,22,23","1");
    }

Notice the \w*(?GET|POST) vs the POST difference.
Well my test would not show in the csf.deny but as soon as I restarted csf after saving this I saw entries come in the csf.deny.

It would be nice to know which logfile (user) was getting hit.

[logout]

Did you get this code working in the end?
May I ask the benefit of a custom rule on csf compared with widely used
mod_security rules to block wp-login brute force? Is there any advantage here or is it just another way to achieve the same goal?