Blocking Wordpress Login and xmlprc attacks with LFD
Re: Blocking Wordpress Login and xmlprc attacks with LFD
Hi
I am also trying to add this to CSF/LFD but, to be honest, have no idea where to start. Can someone post a step-by-step "idiot's" guide on how/where to put these pieces of code?
I don't know where to find csf.conf or where to disable LF_TRIGGER.
I have contacted ConfigServer directly and they have advised they will not help me, even if I paid for their assistance.
Thanks in advance.
Re: Blocking Wordpress Login and xmlprc attacks with LFD
I'm trying to change the XMLRPC rule without success.
I use the WordPress Android app, which makes a lot of POST requests to xmlrpc.php. The problem is that I have a dynamic IP, and an allow workaround is not a solution for me.
The access log is something like this:
1.2.3.4 - - [24/Mar/2017:16:46:43 +0000] "POST /xmlrpc.php HTTP/1.1" 200 948 "-" "Mozilla/5.0 (Linux; Android 7.1.1; Redmi Note 3 Build/N6F26U; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.2924.87 Mobile Safari/537.36 wp-android/6.9.1"
So I'm trying to change the if condition, without success, to check whether the log line contains "wp-android" so that the condition returns false.
I'm a noob at regex, so if someone can help me, I would appreciate it.
Cheers
Re: Blocking Wordpress Login and xmlprc attacks with LFD
If you see the sticky about Custom Regex, you will read "All these REGEX are to be run in "regex.custom.pm", please check the readme file to know what is this."

CavemanSean wrote: ↑28 Nov 2016, 06:40
Hello there, I'm wanting to use this on my install of CSF as well, however I'm not exactly sure how to set this up...

Cadmos wrote:
I registered to answer you;
=- Tested on CentOS 6.7 -=
Triggers on "3" hits (better make it more) of GET or POST of /xmlrpc.php or /wp-login.php by using the default interval settings of csf.conf (3600).
It bans the IP permanently "1" (it requires LF_TRIGGER disabled in csf.conf or else it ignores the value and uses the default temporary block time 3600).

regex.custom.pm:
# XMLRPC
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/xmlrpc\.php.*" /)) {
    return ("your ban comment",$1,"XMLRPCorWHATEVER","3","80,443,21,25,22,23","1");
}
# WP-LOGINS
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
    return ("your ban comment",$1,"WPLOGINorWHATEVER","3","80,443,21,25,22,23","1");
}

csf.conf:
CUSTOM2_LOG = "/usr/local/apache/domlogs/*/*"

Now I know where the config file is and how to edit that; what I'm not sure of is where this regex.custom.pm file is (or do I make it? And if I do, how do I tie this into CSF?)
I believe I figured it out...
I modified /usr/local/csf/bin/regex.custom.pm and included that text in it (I just tossed it above
#############
#Do not edit byond this point
), so I hope it's working :\
The readme file is included in CSF under the "Firewall Information" button, and it says to add them in /usr/local/csf/bin/regex.custom.pm. Once you open that file, it has more instructions and examples on how to add your regex rules.
Sergio
- Junior Member
- Posts: 22
- Joined: 03 Sep 2016, 13:56
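Added example (not part of the thread and not CSF's own code): the two patterns from the rule quoted above, transcribed into a small Python harness that runs them over constructed access-log lines, counts hits per IP the way the rule's threshold field does, and shows the change the Android-app poster asked for, a negative lookahead that skips any line whose user-agent contains wp-android. The pattern syntax used here is the same in Perl, so the EXEMPTING_RULES patterns can be placed in the $line =~ /.../ test of a regex.custom.pm rule; the function names, the ban comment text and the 203.0.113.5 / 198.51.100.7 addresses are assumptions made for the example.

```python
import re
from collections import Counter

# The two patterns from the rule quoted above, transcribed for Python's re module.
# The only change is escaping the literal ']' (Perl accepts it bare); Perl and
# Python read everything else here identically.
ORIGINAL_RULES = {
    "XMLRPC":  r'(\S+).*\] "\w*(?:GET|POST) /xmlrpc\.php.*" ',
    "WPLOGIN": r'(\S+).*\] "\w*(?:GET|POST) /wp-login\.php.*" ',
}

# The same patterns with a negative lookahead in front: a line whose user-agent
# contains "wp-android/" can never match, so the Android app's own requests are
# not counted. '^' anchors the lookahead to the line start so the engine does
# not retry it further along the line.
EXEMPT_UA = "wp-android/"
EXEMPTING_RULES = {
    name: r'^(?!.*' + re.escape(EXEMPT_UA) + r')' + pat
    for name, pat in ORIGINAL_RULES.items()
}


def matched_rule(line, rules):
    """Return (rule_name, client_ip) for the first rule matching `line`, or None."""
    for name, pat in rules.items():
        m = re.search(pat, line)
        if m:
            return name, m.group(1)
    return None


def lfd_return(name, ip, threshold):
    """The six-field tuple a regex.custom.pm rule hands back to LFD, in the order
    the rule above uses: comment, IP, rule name, hit threshold, ports, permanent
    flag ("1"). The comment text is an assumption for this example."""
    return ("WP %s attack" % name, ip, name, str(threshold), "80,443,21,25,22,23", "1")


def trigger_blocks(lines, rules, threshold=3):
    """Count matching lines per (rule, IP) and return one lfd_return tuple for every
    pair that reaches the threshold. LFD does the same counting inside its csf.conf
    interval; the interval is not modelled here, so every line counts."""
    hits = Counter()
    for line in lines:
        hit = matched_rule(line, rules)
        if hit:
            hits[hit] += 1
    return [lfd_return(name, ip, threshold)
            for (name, ip), n in hits.items() if n >= threshold]


def access_line(ip, ts, request, ua="Mozilla/5.0"):
    """Constructed Apache access-log line in the layout of the one quoted in the thread."""
    return '%s - - [%s] "%s HTTP/1.1" 200 948 "-" "%s"' % (ip, ts, request, ua)


# Constructed sample log: three Android-app posts, three anonymous xmlrpc posts,
# and two wp-login hits plus an unrelated request from a third address.
ANDROID_UA = "Mozilla/5.0 (Linux; Android 7.1.1) wp-android/6.9.1"
SAMPLE_LOG = (
    [access_line("1.2.3.4", "24/Mar/2017:16:46:4%d +0000" % i, "POST /xmlrpc.php", ANDROID_UA)
     for i in range(3)]
    + [access_line("203.0.113.5", "24/Mar/2017:16:50:0%d +0000" % i, "POST /xmlrpc.php")
       for i in range(3)]
    + [access_line("198.51.100.7", "24/Mar/2017:16:51:00 +0000", "GET /wp-login.php"),
       access_line("198.51.100.7", "24/Mar/2017:16:51:05 +0000", "POST /wp-login.php"),
       access_line("198.51.100.7", "24/Mar/2017:16:51:06 +0000", "GET /wp-admin/")]
)

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("wp-android exempt", EXEMPTING_RULES)):
        print(label)
        for entry in trigger_blocks(SAMPLE_LOG, rules):
            print("  ", entry)
```

With the original patterns both 1.2.3.4 (the app) and 203.0.113.5 reach three xmlrpc hits; with the exempting patterns only 203.0.113.5 does. Note that the exemption keys on a user-agent string, which any client can send, so it trades detection of xmlrpc abuse for the convenience of the app on a dynamic address.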
Re: Blocking Wordpress Login and xmlprc attacks with LFD
Just to comment that although this appears to be useful, it doesn't seem to work for me;
I followed the instructions, then used a VPN to try to login to a wordpress site - and tried random logins 5 times to trigger the block. LFD accurately recorded the block like so:
(WPLOGIN) WP Login Attack 77.zzz.zzz.100 (-): 5 in the last 3600 secs - *Blocked in csf* port=80 [LF_CUSTOMTRIGGER]
And when I do a search in the block tables, the IP also shows in the CSF log as blocked for 5 minutes.... All good - but then:
As soon as the block was showing, I then reloaded the wp-login page (still using the same VPN) and this time I entered the correct login credentials and the site worked as normal, allowing me to log in... so... I'm not sure exactly what's happening there - I expected the site to not load... but it let me in just fine.
The block shows, but I was still able to login ... what could be going wrong here?
Re: Blocking Wordpress Login and xmlprc attacks with LFD
@FutherForward20
Do you have the file /etc/apache2/logs/error_log on your server?
If you do, please run the following as root:
less /etc/apache2/logs/error_log | grep "77.zzz.zzz.100"
(replace .zzz.zzz. with the real numbers of your VPN)
and post one of the lines you get; don't forget to put .zzz.zzz. back.
I will try to create a regex rule for you.
Sergio
Re: Blocking Wordpress Login and xmlprc attacks with LFD
Hi @sergio
Thank you for your offer to assist, I appreciate that. FYI I am running CentOS 7.8 and WHM/cPanel v86, and also ModSecurity with OWASP CRS v3. I also (mostly, but not always) have .htaccess basic auth set up for WordPress sites (just an extra layer of security).
For some reason I don't seem to be able to post in the forum - I keep getting a forbidden message... looks like the forum has blocked my IP 3 times too ;-( it's a mission getting the post updated!
Edit 1
Here's what I have in /usr/local/csf/bin/regex.custom.pm
# XMLRPC
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/xmlrpc\.php.*" /)) {
    return ("WP XMLPRC Attack",$1,"XMLRPC","10","80,443","1");
}
# WP-LOGINS
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
    return ("WP Login Attack",$1,"WPLOGIN","10","80,443","1");
}
Here's what I have in /etc/csf/csf.conf
CUSTOM1_LOG = "/var/log/apache2/domlogs/*/*"
In /var/log/lfd.log
Jun 11 12:32:42 dazz8 lfd[2904]: (htpasswd) Failed web page login from 77.zzz.zzz.13 (-): 10 in the last 3600 secs - *Blocked in csf* for 3600 secs [LF_HTACCESS]
Jun 11 12:32:42 dazz8 lfd[2994]: (PERMBLOCK) 77.zzz.zzz.13 (-) has had more than 4 temp blocks in the last 86400 secs - *Blocked in csf* [LF_HTACCESS]
Jun 11 12:32:42 dazz8 lfd[25288]: (WPLOGIN) WP Login Attack 77.zzz.zzz.13 (-): 10 in the last 3600 secs - *Blocked in csf* port=80 [LF_CUSTOMTRIGGER]
Jun 11 12:32:42 dazz8 lfd[25288]: (WPLOGIN) WP Login Attack 77.zzz.zzz.13 (-): 10 in the last 3600 secs - *Blocked in csf* port=443 [LF_CUSTOMTRIGGER]
Edit 2
In /etc/apache2/logs/error_log
[Thu Jun 11 12:39:38.454047 2020] [auth_basic:error] [pid 4768] [client 77.zzz.zzz.13:0] AH01618: user not found: /wp-admin/j-s/password-strength-meter.min, referer: https://zzz.org.nz/wp-login.php
Edit 3
But I can still log into the site if I then try normally - and I can still load the front end of the site too. Could it be a cache issue?
Here is what I would like to happen: if someone hits wp-login (basic auth or not) or the xmlrpc file more than 10 times in, say, 1 minute, they should be locked out for 15 minutes.
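Added example, not from the thread and not a CSF or LFD feature: the rate rule the poster describes (more than 10 hits on wp-login.php or xmlrpc.php inside one minute, then a 15-minute lockout) implemented as a sliding-window counter over constructed access-log lines in Python. LFD's custom rules count hits over the csf.conf interval (3600 seconds by default, as noted earlier in the thread) and take the block length from the rule's last field, so this block only shows the counting logic stand-alone; the names sliding_window_blocks, WATCHED_PATHS and make_line, and the 203.0.113.9 / 198.51.100.4 / 192.0.2.77 addresses, are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Fields needed from an Apache combined-log line: client IP, timestamp, request path.
# Constructed for this example; it is not the LFD rule from the thread.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?:GET|POST) (?P<path>\S+)')
WATCHED_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Return (ip, timestamp, path) or None for lines that are not GET/POST hits."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path").split("?", 1)[0]


def sliding_window_blocks(lines, limit=10, window=60, block_for=900):
    """Block an IP once it has MORE than `limit` hits on a watched path inside any
    `window`-second span; the block lasts `block_for` seconds, during which further
    hits are ignored rather than counted. Returns [(ip, blocked_at, blocked_until)].
    Lines must be in time order, as they are in a log file."""
    recent = defaultdict(deque)   # ip -> timestamps of hits inside the window
    blocked_until = {}            # ip -> expiry of the current block
    blocks = []
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        ip, ts, path = parsed
        if path not in WATCHED_PATHS:
            continue
        if ip in blocked_until and ts < blocked_until[ip]:
            continue
        hits = recent[ip]
        hits.append(ts)
        while (ts - hits[0]).total_seconds() > window:
            hits.popleft()               # drop hits that fell out of the window
        if len(hits) > limit:
            blocked_until[ip] = ts + timedelta(seconds=block_for)
            blocks.append((ip, ts, blocked_until[ip]))
            hits.clear()
    return blocks


# Constructed sample log, built from (ip, offset-seconds, path) tuples.
BASE = datetime(2020, 6, 11, 12, 30, 0, tzinfo=timezone.utc)


def make_line(ip, seconds, path):
    ts = (BASE + timedelta(seconds=seconds)).strftime("%d/%b/%Y:%H:%M:%S +0000")
    return '%s - - [%s] "POST %s HTTP/1.1" 200 512 "-" "Mozilla/5.0"' % (ip, ts, path)


_EVENTS = (
    [("203.0.113.9", 5 * i, "/wp-login.php") for i in range(11)]    # 11 hits in 50 s: over the limit
    + [("203.0.113.9", 55, "/wp-login.php")]                       # arrives while blocked
    + [("198.51.100.4", 20 * i, "/xmlrpc.php") for i in range(11)]  # 11 hits over 200 s: never 11 in a minute
    + [("192.0.2.77", 30, "/index.php")]                           # not a watched path
)
SAMPLE_LOG = [make_line(*e) for e in sorted(_EVENTS, key=lambda e: e[1])]

if __name__ == "__main__":
    for ip, at, until in sliding_window_blocks(SAMPLE_LOG):
        print("%s blocked at %s until %s" % (ip, at.time(), until.time()))
```

Only 203.0.113.9 is blocked, at the eleventh hit 50 seconds in, and its later request during the block is not counted. The same eleven hits spread over 200 seconds from 198.51.100.4 never exceed the limit inside any one-minute span, which is the difference between this window and a plain hit count over a long interval.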
Re: Blocking Wordpress Login and xmlprc attacks with LFD
I have tried to write here the regex rule that I wrote, but the content filter has blocked my IPs; I had to use 3 different connections.
Here is an image of the rule based on the info that you wrote above under EDIT 2:
The image will auto delete in 5 hours:
https://ibb.co/jGFwJvb
I have set the rule so that at the first try the IP is blocked forever; you can change it to whatever is better for you, such as how many errors and for how long.
Sergio
Disclaimer:
I don't assume any responsibility for what the above rule can do to your server; try it before you set it in production.
Re: Blocking Wordpress Login and xmlprc attacks with LFD
Hey Sergio
Thanks for your efforts - yes the blocking of IPs in this forum seems pretty harsh.
Also I never received notification of your post - so I was not able to get to this post sooner - I missed your 5hr deadline.
Could you please repost with a longer timeframe?
Heaps of thanks for your time