Custom REGEX rules for CSF.
Re: Custom REGEX rules for CSF.
see above post
Re: Custom REGEX rules for CSF.
Hello, I'm new to this forum. I'm using this custom regex to block failed logins to WordPress:
Code:
# Block IP after 10 requests to wp-login.php within LF_INTERVAL (3600 s); block lasts 86400 s
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
    return ("WP Login Attack",$1,"WPLOGIN","10","80,443","86400");
}
The problem is that it is also blocking users who have successfully logged in. Here is the log:
Code:
Time: Thu Feb 15 22:36:46 2024 -0300
IP: 100.101.102.103 (Example Country/Example ISP/[invalid URL removed])
Failures: 10 (WPLOGIN)
Interval: 3600 seconds
Blocked: Temporary Block for 86400 seconds [LF_CUSTOMTRIGGER]
Log entries:
100.101.102.103 - - [15/Feb/2024:22:31:54 -0300] "GET /wp-login.php?redirect_to=https%3A%2F%[invalid URL removed]%2Fwp-admin%2F&reauth=1 HTTP/2.0" 200 9273 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
100.101.102.103 - - [15/Feb/2024:22:31:57 -0300] "POST /wp-login.php HTTP/2.0" 302 - "[[invalid URL removed]]([invalid URL removed])" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
100.101.102.103 - - [15/Feb/2024:22:33:53 -0300] "GET /wp-login.php?action=logout&_wpnonce=fcc7219067 HTTP/2.0" 302 - "[[invalid URL removed]]([invalid URL removed])" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
100.101.102.103 - - [15/Feb/2024:22:33:54 -0300] "GET /wp-login.php?loggedout=true&wp_lang=es_ES HTTP/2.0" 200 9555 "[[invalid URL removed]]([invalid URL removed])" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
100.101.102.103 - - [15/Feb/2024:22:34:42 -0300] "GET /wp-login.php?redirect_to=https%3A%2F%[invalid URL removed]%2Fwp-admin%2F&reauth=1 HTTP/2.0" 200 9273 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
100.101.102.103 - - [15/Feb/2024:22:34:45 -0300] "POST /wp-login.php HTTP/2.0" 302 - "[[invalid URL removed]]([invalid URL removed])%
How can I update the code in order to prevent this issue?
Thank you.
Re: Custom REGEX rules for CSF.
Hi. This area is not for resolving doubts about REGEX rules; please use the regular forum.
When you move your question to that area I will answer it there, thank you.
Sergio
Re: Custom REGEX rules for CSF.
Use the following to block WordPress XMLRPC and WP-login attacks.
Ensure you set CUSTOM2 to apache log files and CUSTOM3 to exim rejectlog file in csf.conf
Code:
# XMLRPC: count any GET/POST to xmlrpc.php; 5 hits within LF_INTERVAL block ports 80,443 for 3600 s
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/xmlrpc\.php.*" /)) {
    return ("WP XMLRPC Attack",$1,"XMLRPC","5","80,443","3600");
}
# WP-LOGINS: the same for wp-login.php
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
    return ("WP Login Attack",$1,"WPLOGIN","5","80,443","3600");
}
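Both rules above (the one in the question and the one in this reply) count every GET or POST to wp-login.php, so a user who opens the form, logs in and logs out again accumulates hits exactly like a brute-forcer; that is the false positive reported in the first post. The following is an added example, not code from either poster or from the CSF project: a rule that counts only POSTs answered with HTTP 200. It assumes that WordPress re-renders the form with a 200 on a failed login and answers a successful login with a 302 redirect (the 302s are visible in the log above). The sample log lines, the log path and the use of CUSTOM1_LOG are constructed for this demonstration.

```perl
#!/usr/bin/perl
# Added example, not from the posts above or from the CSF project: a wp-login
# rule for /etc/csf/regex.custom.pr that counts only FAILED logins.
#
# Assumption: WordPress answers a failed login POST to /wp-login.php with
# HTTP 200 (the form is re-rendered with an error message) and a successful
# one with a 302 redirect. GET requests (showing the form, logout,
# ?loggedout=true) are not login attempts and are never counted.
use strict;
use warnings;

our %globlogs;   # provided by lfd in the real file; populated below for this demo

sub custom_line {
    my ($line, $lgfile) = @_;

    # --- copy this block into custom_line() in regex.custom.pr ---
    # Count a hit only when: first field = client IP, request = POST to
    # /wp-login.php (optional query string), status = 200. The pattern is
    # anchored at the start of the line so that fields the client controls
    # (referer, user agent) can never satisfy the request/status part.
    if (($globlogs{CUSTOM1_LOG}{$lgfile}) and
        ($line =~ /^(\S+) \S+ \S+ \[[^\]]+\] "POST \/wp-login\.php(?:\?\S*)? HTTP\/[\d.]+" 200 /)) {
        # 10 failures within LF_INTERVAL (csf.conf) => block ports 80,443 for 86400 s
        return ("WP Login Attack",$1,"WPLOGIN","10","80,443","86400");
    }
    # --- end of rule ---
    return;
}

# Constructed sample lines modelled on the poster's log, not real traffic.
my $logfile = '/var/log/apache2/access.log';
$globlogs{CUSTOM1_LOG}{$logfile} = 1;
my @sample = (
    # legitimate user: form display, successful POST (302), logout
    '100.101.102.103 - - [15/Feb/2024:22:31:54 -0300] "GET /wp-login.php?redirect_to=%2Fwp-admin%2F&reauth=1 HTTP/2.0" 200 9273 "-" "Mozilla/5.0"',
    '100.101.102.103 - - [15/Feb/2024:22:31:57 -0300] "POST /wp-login.php HTTP/2.0" 302 - "-" "Mozilla/5.0"',
    '100.101.102.103 - - [15/Feb/2024:22:33:53 -0300] "GET /wp-login.php?action=logout&_wpnonce=fcc7219067 HTTP/2.0" 302 - "-" "Mozilla/5.0"',
    # brute-force client: repeated POSTs answered with the form (200)
    '198.51.100.7 - - [15/Feb/2024:22:40:01 -0300] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "python-requests/2.31"',
    '198.51.100.7 - - [15/Feb/2024:22:40:02 -0300] "POST /wp-login.php?wp_lang=es_ES HTTP/1.1" 200 4321 "-" "python-requests/2.31"',
);

# Expected: the three lines from the legitimate user are "not counted",
# the two POST/200 lines are "counted for 198.51.100.7".
for my $line (@sample) {
    my @hit = custom_line($line, $logfile);
    printf "%-26s %s\n", (@hit ? "counted for $hit[1]" : "not counted"), substr($line, 0, 60);
}
```

Only the `if` block goes into custom_line() in /etc/csf/regex.custom.pr, with CUSTOM1_LOG in csf.conf pointing at the Apache access log; restart lfd afterwards. Check the status codes in your own access log before relying on it: if a login plugin or a different WordPress setup answers failures with another status, the rule counts nothing. The first field must be the real client address; if Apache sits behind a proxy or CDN and that field is filled from a forwarded header, a client can write any address into it and have lfd block that address. The "10" in the return value is the number of hits within LF_INTERVAL from csf.conf (3600 s in the report above); the interval is not a parameter of the rule.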
Re: Custom REGEX rules for CSF.
Hi, I'm trying to block the below entries in the apache error_log. LFD is detecting it, however it's ignoring it, and I can't work out why.
The IP is not on any allow list, and I can't see any regex patterns in csf.logignore which might cause it to be ignored.
*** EDIT ***
My bad ... I found the IP was included in a range in the allow list
error_log
Code:
[Mon Mar 31 08:32:46.073831 2025] [access_compat:error] [pid 1480714:tid 1481028] [client 18.68.51.212:42884] AH01797: client denied by server configuration: /opt/bitnami/wordpress/xmlrpc.php, referer: https://blah/
Here is my rule
Code:
# Count "client denied" errors for xmlrpc.php in the Apache error log (HTACCESS_LOG in csf.conf)
if (($globlogs{HTACCESS_LOG}{$lgfile}) and ($line =~ /\[access_compat:error\].*client denied by server configuration: .*xmlrpc\.php/)) {
    # Apache writes the source as "[client IP:PORT]"; capture the IPv4 address
    my ($ip) = $line =~ /client (\d+\.\d+\.\d+\.\d+):\d+/;
    # checkip() is lfd's own address validator; skip the line if no usable IP was found
    if (defined $ip and checkip(\$ip)) {
        return ("Blocked due to repeated xmlrpc.php access attempts",$ip,"custom-rule-xmlrpc","5","80,443","3600");
    } else {
        return;
    }
}
lfd.log
Code:
Mar 31 10:27:33 ip-172-26-15-192 lfd[1544742]: Blocked due to repeated xmlrpc.php access attempts 1.2.3.4 - ignored
Thanks
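The "- ignored" at the end of the lfd.log line is what lfd writes when the address it would have blocked is covered by csf.allow, and in this case the allow entry was a CIDR range, which is easy to miss when grepping the file for the bare address. The following is an added example, not from the post or from the CSF project: a stand-alone Perl script that finds which csf.allow entry covers an address. The csf.allow contents and the control addresses are constructed for the demonstration; the 18.64.0.0/11 range in particular is made up and is not the poster's real allow entry.

```perl
#!/usr/bin/perl
# Added example, not from the post above or from the CSF project: find the
# csf.allow entry (single address or CIDR) that covers a given IPv4 address,
# which is the usual reason an lfd.log line ends in "- ignored".
use strict;
use warnings;
use Socket qw(inet_aton);

# Parse one csf.allow line into (network, mask) as 32-bit integers.
# Returns an empty list for blank lines, comments, invalid addresses and the
# advanced "tcp|in|d=port|s=ip" entries, which this demo does not handle.
sub parse_entry {
    my ($entry) = @_;
    $entry =~ s/#.*//;             # strip a trailing "# comment"
    $entry =~ s/^\s+|\s+$//g;      # and surrounding whitespace
    return if $entry eq '';
    my ($ip, $bits) = $entry =~ /^(\d+\.\d+\.\d+\.\d+)(?:\/(\d+))?$/ or return;
    $bits = 32 unless defined $bits;
    return if $bits > 32;
    my $packed = inet_aton($ip) or return;
    my $mask = $bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return (unpack('N', $packed) & $mask, $mask);
}

# Return the text of the first csf.allow entry that contains $ip, or undef.
sub allowed_by {
    my ($ip, @entries) = @_;
    my $packed = inet_aton($ip) or return;
    my $addr = unpack('N', $packed);
    for my $entry (@entries) {
        my ($net, $mask) = parse_entry($entry) or next;
        return $entry if ($addr & $mask) == $net;
    }
    return;
}

# Constructed stand-in for /etc/csf/csf.allow; the entries are made up for
# this demo (the 18.64.0.0/11 range is not the poster's real allow entry).
my @csf_allow = (
    '# csf.allow: one address or CIDR per line',
    '203.0.113.10            # office',
    '18.64.0.0/11            # CDN range added for a plugin',
    '198.51.100.0/24',
);

# 18.68.51.212 is the client from the error_log line in the post; the other
# two are controls. Expected: the first two are covered, 1.2.3.4 is not.
for my $ip ('18.68.51.212', '198.51.100.7', '1.2.3.4') {
    my $hit = allowed_by($ip, @csf_allow);
    print "$ip: ", (defined $hit ? "lfd will ignore it, matches '$hit'" : "not covered by csf.allow"), "\n";
}
```

Feed it the real /etc/csf/csf.allow (one entry per array element, or read the file line by line) to see which entry lfd's ignore decision came from; lfd checks ranges as well as exact addresses, so a grep for the bare IP is not enough.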