Add userdomain to denyrule
Posted: 05 Apr 2017, 11:21
Hello!
I am trying to set up CSF on my VPS and love how powerful and versatile it is. I have been able to customize it a bit for my applications (auto-bans, WordPress logins, etc.), and it has been stopping a lot of naughty traffic thus far.
Although it is stopping all of these break-in attempts, I am curious which users (or domains) generate the most hacking attempts. Would it be possible to mention the userdomain in the comment of the deny rule in deny.csf? Sometimes we have a false positive, because users use incorrect credentials. Then we first have to ask the user to figure out what their WAN address is, and not every user is that tech-savvy. Or they reply with their internal IP (192.18.1.1). Anyway, getting off-topic here.
For instance these rules:
AA.BB.CC.DD # lfd: (smtpauth) Failed SMTP AUTH login from AA.BB.CC.DD (US/United States/ISP): 5 in the last 3600 secs - Thu Mar 23 08:44:12 2017
11.22.33.44 # lfd: (XMLRPC) LFD - WP XMLPRC Attack 11.22.33.44 (IE/Ireland/ISP): 15 in the last 3600 secs - Thu Mar 23 09:17:13 2017
I would like to see which domain generated this error like this:
AA.BB.CC.DD # lfd: (smtpauth) Failed SMTP AUTH login from AA.BB.CC.DD (US/United States/ISP): 5 in the last 3600 secs - domainA.com - Thu Mar 23 08:44:12 2017
11.22.33.44 # lfd: (XMLRPC) LFD - WP XMLPRC Attack 11.22.33.44 (IE/Ireland/ISP): 15 in the last 3600 secs - domainB.eu - Thu Mar 23 09:17:13 2017
Would that be possible? If yes, how?
Kind regards,
John.
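As an added example (not from the post and not part of CSF or lfd), a small Python parser for the deny.csf comment layout quoted above. It accepts both the current lfd format and the proposed variant with a domain field before the timestamp, so entries can be tallied per trigger, country or domain. The sample lines are constructed from the post's placeholders; domainA.com and domainB.eu are the poster's examples, not real hosts.

```python
import re
from collections import Counter

# Constructed sample in the deny.csf layout quoted in the post. Entries 1-2 use
# the current lfd comment format; entries 3-4 use the format the poster proposes,
# with a domain field inserted before the timestamp. Domains are placeholders.
SAMPLE_DENY = """\
# manual entry, not written by lfd
192.0.2.10 # do not delete
AA.BB.CC.DD # lfd: (smtpauth) Failed SMTP AUTH login from AA.BB.CC.DD (US/United States/ISP): 5 in the last 3600 secs - Thu Mar 23 08:44:12 2017
11.22.33.44 # lfd: (XMLRPC) LFD - WP XMLPRC Attack 11.22.33.44 (IE/Ireland/ISP): 15 in the last 3600 secs - Thu Mar 23 09:17:13 2017
AA.BB.CC.DD # lfd: (smtpauth) Failed SMTP AUTH login from AA.BB.CC.DD (US/United States/ISP): 5 in the last 3600 secs - domainA.com - Thu Mar 23 08:44:12 2017
11.22.33.44 # lfd: (XMLRPC) LFD - WP XMLPRC Attack 11.22.33.44 (IE/Ireland/ISP): 15 in the last 3600 secs - domainB.eu - Thu Mar 23 09:17:13 2017
"""

# One regex covers both layouts: the "- domain" field is optional.
LFD_RE = re.compile(
    r"^(?P<ip>\S+)\s+#\s+lfd:\s+\((?P<trigger>[^)]+)\)\s+(?P<message>.*?):\s+"
    r"(?P<count>\d+) in the last (?P<window>\d+) secs"
    r"(?: - (?P<domain>\S+))? - (?P<date>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})$"
)
# Country code is the first field of the "(CC/Country/ISP)" group in the message.
COUNTRY_RE = re.compile(r"\((?P<cc>[A-Z]{2})/")

def parse_deny_line(line):
    """Return a dict for an lfd-written deny line, or None for manual/comment lines."""
    m = LFD_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    rec["window"] = int(rec["window"])
    cc = COUNTRY_RE.search(rec["message"])
    rec["country"] = cc.group("cc") if cc else None
    return rec

def parse_deny_file(text):
    """Parse every lfd entry in deny.csf-style text, skipping what lfd did not write."""
    return [r for r in map(parse_deny_line, text.splitlines()) if r]

def tally(records, field):
    """Count entries per value of one field ('domain', 'trigger', 'country', ...);
    entries lacking that field land under '(unknown)'."""
    return Counter(r[field] or "(unknown)" for r in records)

if __name__ == "__main__":
    recs = parse_deny_file(SAMPLE_DENY)
    for field in ("trigger", "country", "domain"):
        print(field, dict(tally(recs, field)))
```

Running it against a real /etc/csf/csf.deny instead of SAMPLE_DENY gives the per-domain breakdown the post asks for once lfd writes the domain field; until then the domain column reports "(unknown)".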