wp-login.php ban : NCSA extended/combined log

[teo_matt]

Hello

Trying to do a custom regex at /usr/local/csf/bin/regex.custom.pm to ban wp-login.php fail

Using NCSA extended/combined log format = "%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"

Example log entry (i only replaced external IP and name of the test site)_

Code: Select all

"151.11.222.111 - - [31/Jan/2021:08:35:51 +0000] "POST /wp-login.php HTTP/1.1" 200 2783 "https://myshinysite.com/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36 Edg/88.0.705.56"

Trying something like that (according what i saw in previous threads) :

Code: Select all

if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
    return ("wp-login.php WP ban",$1,"WPLOGINorWHATEVER","3","80,443,21,25,22,23","1");
}

but CSF isnt doing bans so... there is something wrong in regex

Are you kind please, to help me in this goal ?

Thanks (and if you suggest me a book to learn regex you make me the happiest man in the world)

[sahostking]

I use the following on our cpanel servers. Not sure if it is the same for you but it definitely helps us and stops tons a day:

Code: Select all

# XMLRPC
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/xmlrpc\.php.*" /)) {
return ("WP XMLPRC Attack",$1,"XMLRPC","5","80,443","3600");
}

# WP-LOGINS
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
return ("WP Login Attack",$1,"WPLOGIN","5","80,443","3600");
}

# WP-ATTACHMENTID
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*\(?attachment_id=/)) {
return ("WP Attachment Attack",$1,"WPATTACHMENTATTACK","5","80,443","3600");
}

Also dont forget to set the location of the files to be monitors in csf.conf

Code: Select all

CUSTOM2_LOG = "/usr/local/apache/domlogs/*/*"
CUSTOM3_LOG = "/var/log/exim_rejectlog"

forgot to mention in the regex on top you can change the "3600" to anything you like - you can set yoours to 86400 even if you like for a 1 day ban.

[teo_matt]

Thanks for your reply, already done the part 2 ". But you just re-published what i already published :/
May i know which log format are you using right now ? Fact, if this regex works for you you are using a different log format. Custom or one of those ? :

Common Log Format (CLF)
Common Log Format with Virtual Host
NCSA extended/combined log format (it doesnt work, you dont use this one for sure)

[geekytone]

Hello,

Why not using ModSecurity to secure wp-login.php and xmlrpc.php? Once ModSecurity set, you can configure CSF to ban IP who trigger ModSecurity.

Currently in my servers:

Code: Select all

SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:6

# Protection WP-LOGIN
<Locationmatch "/wp-login.php">
# Setup brute force detection.
# React if block flag has been set.
SecRule user:bf_block "@gt 0" "deny,status:401,log,id:7,msg:'ip address blocked for 5 minutes, more than 10 WordPress login attempts in 3 minutes.'"
# Setup Tracking. On a successful login, a 302 redirect is performed, a 200 indicates login failed.
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:8"
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:9"
SecRule ip:bf_counter "@gt 10" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
</locationmatch>

# Protection XML-RPC
<Locationmatch "/xmlrpc.php">
# Setup brute force detection.
# React if block flag has been set.
SecRule user:bf_block "@gt 0" "deny,status:401,log,id:7,msg:'ip address blocked for 5 minutes, more than 10 WordPress XML RPC attempts in 3 minutes.'"
# Setup Tracking. On a successful login, a 302 redirect is performed, a 200 indicates login failed.
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:8"
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:9"
SecRule ip:bf_counter "@gt 10" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
</locationmatch>

[datona]

geekytone, where would all that coding go?