Custom REGEX rules for CSF.
Re: Custom REGEX rules for CSF.
see above post
Re: Custom REGEX rules for CSF.
Hello, I'm new on this forum, I'm using this custom regex to block failed logins to WordPress:
The problem is that it is also blocking users who have successfully logged in, here is the log:
How can I update the code in order to prevent this issue?
Thank you.
Code:
# Block IP if more than 10 requests in 3600 for wp-login
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
    return ("WP Login Attack",$1,"WPLOGIN","10","80,443","86400");
}
Code:
Time: Thu Feb 15 22:36:46 2024 -0300
IP: 100.101.102.103 (Example Country/Example ISP/[invalid URL removed])
Failures: 10 (WPLOGIN)
Interval: 3600 seconds
Blocked: Temporary Block for 86400 seconds [LF_CUSTOMTRIGGER]
Log entries:
100.101.102.103 - - [15/Feb/2024:22:31:54 -0300] "GET /wp-login.php?redirect_to=https%3A%2F%[invalid URL removed]%2Fwp-admin%2F&reauth=1 HTTP/2.0" 200 9273 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
100.101.102.103 - - [15/Feb/2024:22:31:57 -0300] "POST /wp-login.php HTTP/2.0" 302 - "[[invalid URL removed]]([invalid URL removed])" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
100.101.102.103 - - [15/Feb/2024:22:33:53 -0300] "GET /wp-login.php?action=logout&_wpnonce=fcc7219067 HTTP/2.0" 302 - "[[invalid URL removed]]([invalid URL removed])" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
100.101.102.103 - - [15/Feb/2024:22:33:54 -0300] "GET /wp-login.php?loggedout=true&wp_lang=es_ES HTTP/2.0" 200 9555 "[[invalid URL removed]]([invalid URL removed])" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
100.101.102.103 - - [15/Feb/2024:22:34:42 -0300] "GET /wp-login.php?redirect_to=https%3A%2F%[invalid URL removed]%2Fwp-admin%2F&reauth=1 HTTP/2.0" 200 9273 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
100.101.102.103 - - [15/Feb/2024:22:34:45 -0300] "POST /wp-login.php HTTP/2.0" 302 - "[[invalid URL removed]]([invalid URL removed])%
Re: Custom REGEX rules for CSF.
Hi. This area is not to resolve doubts about REGEX rules, please use the regular forum.
When you move your question to that area I will answer it there, thank you.
Sergio
Re: Custom REGEX rules for CSF.
Use the following to block WordPress XMLRPC and WP-login attacks.
Ensure you set CUSTOM2 to Apache log files and CUSTOM3 to exim rejectlog file in csf.conf.
Code:
# XMLRPC: 5 matching requests trigger a 3600-second block on ports 80,443
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/xmlrpc\.php.*" /)) {
    return ("WP XMLRPC Attack",$1,"XMLRPC","5","80,443","3600");
}
# WP-LOGINS: 5 matching requests trigger a 3600-second block on ports 80,443
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
    return ("WP Login Attack",$1,"WPLOGIN","5","80,443","3600");
}
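Added example, not part of any post in this thread: a stand-alone Perl script that runs the wp-login pattern from the posts above and a narrower one over constructed access-log lines, to show why a normal login/logout session reaches the trigger count. The narrower pattern is an assumption: it treats a POST to wp-login.php answered with status 200 as a failed login, and a 302 as a success, which is what the 302 entries in the log earlier in the thread show for the successful logins.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Pattern used in the thread: every GET or POST to /wp-login.php is a hit.
my $broad = qr/(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /;

# Narrower pattern (assumption): a failed login is a POST answered with
# status 200 (form shown again); a successful login is answered with 302.
my $narrow = qr/^(\S+) .*\] "POST \/wp-login\.php[^"]*" 200 /;

# Constructed sample lines (documentation IP ranges, shortened user agents).
my @log = (
    # 192.0.2.10: normal session -> login form, successful login, logout
    '192.0.2.10 - - [15/Feb/2024:22:31:54 -0300] "GET /wp-login.php?reauth=1 HTTP/2.0" 200 9273 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [15/Feb/2024:22:31:57 -0300] "POST /wp-login.php HTTP/2.0" 302 - "-" "Mozilla/5.0"',
    '192.0.2.10 - - [15/Feb/2024:22:33:53 -0300] "GET /wp-login.php?action=logout HTTP/2.0" 302 - "-" "Mozilla/5.0"',
    '192.0.2.10 - - [15/Feb/2024:22:33:54 -0300] "GET /wp-login.php?loggedout=true HTTP/2.0" 200 9555 "-" "Mozilla/5.0"',
    # 198.51.100.7: repeated failed logins
    '198.51.100.7 - - [15/Feb/2024:22:40:01 -0300] "POST /wp-login.php HTTP/1.1" 200 9301 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [15/Feb/2024:22:40:03 -0300] "POST /wp-login.php HTTP/1.1" 200 9301 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [15/Feb/2024:22:40:05 -0300] "POST /wp-login.php HTTP/1.1" 200 9301 "-" "Mozilla/5.0"',
);

# Count matching lines per captured IP, the way a trigger counter would.
sub count_hits {
    my ($re, @lines) = @_;
    my %hits;
    for my $line (@lines) {
        $hits{$1}++ if $line =~ $re;
    }
    return \%hits;
}

my $broad_hits  = count_hits($broad,  @log);
my $narrow_hits = count_hits($narrow, @log);

# Print both counters side by side for every client IP in the sample.
my %ips = map { $_ => 1 } map { /^(\S+)/ } @log;
for my $ip (sort keys %ips) {
    printf "%-14s broad=%d narrow=%d\n",
        $ip, $broad_hits->{$ip} // 0, $narrow_hits->{$ip} // 0;
}
```

To use the narrower pattern in a rule like the ones above, only the match inside the `if` changes; the `return` line stays as it is. Check the status codes against your own access log first, since a login plugin or proxy that changes the response to a failed login would break the assumption.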