The /usr/local/csf/bin/regex.custom.pm file allows you to set up blocking for failed Wordpress login attempts, for example:
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET) \/wp-login\.php.*" /)) {
    return ("Failed WordPress GET",$1,"WPLOGINGET","5","80,443,21,25,22,23","1");
}
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:POST) \/wp-login\.php.*" /)) {
    return ("Failed WordPress POST",$1,"WPLOGINPOST","5","80,443,21,25,22,23","1");
}
However, the parameter ("5" in the above example) is the number of lines in the log that match the REGEX expression to trigger the block. I looked at the domain log (in dom logs where CUSTOM2_LOG points to) and for the domain in question, there appear to be about 27 days of data in the log. This means that if a user from the same IP address made a typo in their login 5 times in 27 days, they get blocked.
How do I make it so it's only triggered if there are 5 attempts in 24 hours, not for the entire log spanning 27 days?
Wordpress Failed Login Frequency Setting?
Re: Wordpress Failed Login Frequency Setting?
Hi.
Try to escape "[" and "]" like this: "\[" and "\]" (but without the double quotes).
Normally CSF blocks the IP on the same hour not in a lot of days.
But just do a test escaping the brackets and you will see.
Here is one of my own favorite rules for you to see how the brackets are escaped:
# BLOCKING ModSec Rules attacks by Sergio
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\.\d+\s+\S+\] \[:error\] \[pid \d+.*\] \[client \S+\] \[client (\S+)\] ModSecurity.*\[id "(210280|210350|210380|210481|210492)"\]/i)) {
    return ("mod_security attack id $2",$1,"Secmas_ModSec","1","1");
}
# NOTE: If you use the above rule in your server I don't assume any responsibility, use it at your own risk.
I have just written a few MODSEC IDs as an example and for you to get the idea of the brackets that should be escaped, but in that rule you can add a lot more IDs.
Then I have a CRON that runs hourly, that finds all the IPs of the same range that were blocked in a period of time and then the script creates a block to the full IP range ".0/24" if it exceeds what I have defined.
With CSF you can do a lot, I really like it.
Sergio
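The difference the question turns on, counting matches across the whole log versus inside a time window, shown as an added example that is not part of the thread and is not CSF's own code. It reuses the WPLOGINPOST pattern from the first post with an extra capture for the timestamp; the log lines, IP addresses and function names are constructed for illustration, and an Apache combined log format is assumed.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# WPLOGINPOST pattern from the post, plus a capture group for the timestamp.
WP_POST = re.compile(r'(\S+).*\[([^\]]+)\] "\w*(?:POST) /wp-login\.php.*" ')

def whole_log_hits(lines, trigger=5):
    """IPs with at least `trigger` matches anywhere in the log, however old."""
    counts = Counter(m.group(1) for m in map(WP_POST.search, lines) if m)
    return {ip for ip, n in counts.items() if n >= trigger}

def windowed_hits(lines, trigger=5, window=timedelta(hours=24)):
    """Map each IP to the time it reached `trigger` matches within `window`."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    blocked = {}
    for line in lines:
        m = WP_POST.search(line)
        if not m:
            continue
        try:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue  # unparseable timestamp: ignore the line
        ip, q = m.group(1), recent[m.group(1)]
        q.append(ts)
        while ts - q[0] > window:  # drop hits older than the window
            q.popleft()
        if len(q) >= trigger and ip not in blocked:
            blocked[ip] = ts
    return blocked

def _line(ip, stamp, method="POST"):
    """Build one constructed access-log line (not real traffic)."""
    return (f'{ip} - - [{stamp} +0000] "{method} /wp-login.php HTTP/1.1" '
            '200 4512 "-" "Mozilla/5.0"')

# Constructed sample: one IP with 5 POSTs spread over 27 days,
# another with 5 POSTs inside five minutes.
SAMPLE = (
    [_line("203.0.113.10", f"{d:02d}/Mar/2024:08:15:00") for d in (1, 6, 12, 19, 27)]
    + [_line("198.51.100.7", f"28/Mar/2024:10:0{m}:00") for m in range(5)]
)

if __name__ == "__main__":
    print("whole log :", sorted(whole_log_hits(SAMPLE)))
    print("24h window:", {ip: ts.isoformat() for ip, ts in windowed_hits(SAMPLE).items()})
```

In CSF itself the tracking window is a csf.conf setting (LF_INTERVAL, in seconds) rather than something set in regex.custom.pm; this script only illustrates the counting.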