Custom regex not working
Posted: 17 Oct 2018, 09:58
by seco
Hello,
I'm using this regex to block wp-login.php POST requests in /etc/csf/regex.custom.pm:
Code:
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "POST \/wp-login\.php.*" 200/)) {
    return ("Failed WordPress login from",$1,"wordpress","5","80,443","3600");
}
My CUSTOM2_LOG points to the access_log file in csf.conf correctly.
I restart csf after making the changes.
POST requests are still working!!
How to make it work?
Regards,
Re: Custom regex not working
Posted: 24 Oct 2018, 15:18
by madeye
This one caught me out (see viewtopic.php?f=6&t=11009).
The 4th parameter in the return statement is the number of times the rule can be triggered before the IP is blocked. If you change this to "1" then you should get blocked after the first request.
Also, I think you may need to restart the lfd service as well as csf if you change the rules (not 100% sure about this though).
Re: Custom regex not working
Posted: 13 Nov 2018, 22:17
by alsmith
I'm trying to implement this also but am not getting anything in csf.deny.
My regex.custom.pm:
Code:
# DETECT AND BLOCK wp-login.php POST DOS attacks (requires: CUSTOM2_LOG = "/home/*/access-logs/*" in csf.conf)
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "POST \/wp-login\.php.*" 200/)) {
    return ("Failed Wordpress login from",$1,"wordpress","5","80,443","3600");
}
In my csf.conf, CUSTOM2_LOG:
Code:
CUSTOM2_LOG = "/home/*/access-logs/*"
I restarted csf with csf -r, then tried accessing a WordPress site's wp-login.php more than 5 times. I still get to the wp-login.php on the website and DO NOT see any entry in the /etc/csf/csf.deny file.
I DO see 12 failed attempts in my /home/user/access-logs/domain-ssl_log file.
I made sure my IP is not in /etc/csf/csf.allow.
Has anyone been able to get this to work? Is it supposed to place entry into csf.deny? It is my understanding it should.
Re: Custom regex not working
Posted: 13 Nov 2018, 23:20
by alsmith
I found the answer in this thread: viewtopic.php?t=9447
Code:
# WP-LOGINS
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
    return ("your ban comment",$1,"WPLOGINorWHATEVER","3","80,443,21,25,22,23","1");
}
Notice the \w*(?:GET|POST) vs the POST difference.
Well, my test would not show in the csf.deny, but as soon as I restarted csf after saving this I saw entries come in the csf.deny.
It would be nice to know which logfile (user) was getting hit.
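To see what each pattern posted above matches before loading it into regex.custom.pm, both regexes can be run offline against sample log lines. The Perl script below is an added example, not part of any post in this thread; the log lines are constructed, and it only counts matching lines per IP against the rule's 4th return value without modelling lfd's own counting.

```perl
#!/usr/bin/perl
# Added example: offline check of the two wp-login.php patterns from this thread.
use strict;
use warnings;

# Rule label => [ pattern as posted, trigger count (4th value in the rule's return) ]
my %rules = (
    'POST with status 200' => [ qr/(\S+).*] "POST \/wp-login\.php.*" 200/, 5 ],
    'GET or POST, any status' => [ qr/(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /, 3 ],
);

# Constructed access-log lines (combined log format, documentation IP ranges).
my @log;
# Five POSTs answered with 200: WordPress re-renders the form on a failed login.
push @log, qq{203.0.113.7 - - [13/Nov/2018:22:01:0$_ +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"}
    for 1 .. 5;
# Three plain page loads of the login form, no credentials submitted.
push @log, qq{192.0.2.44 - - [13/Nov/2018:22:02:0$_ +0000] "GET /wp-login.php HTTP/1.1" 200 2987 "-" "Mozilla/5.0"}
    for 1 .. 3;
# One page load followed by a POST answered with 302 (redirect after a successful login).
push @log,
    '198.51.100.20 - - [13/Nov/2018:22:03:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2987 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [13/Nov/2018:22:03:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"';

for my $name (sort keys %rules) {
    my ($re, $trigger) = @{ $rules{$name} };
    my %hits;
    for my $line (@log) {
        # $1 is the first whitespace-delimited field, i.e. the IP the rule returns.
        $hits{$1}++ if $line =~ $re;
    }
    print "$name (trigger $trigger)\n";
    print "  no lines matched\n" unless %hits;
    for my $ip (sort keys %hits) {
        my $verdict = $hits{$ip} >= $trigger ? 'reaches trigger' : 'below trigger';
        printf "  %-15s %d matching line(s): %s\n", $ip, $hits{$ip}, $verdict;
    }
}
```

The broader GET|POST pattern also counts ordinary loads of the login page and successful logins, so with a trigger of "3" a legitimate user can reach it; the POST-with-200 pattern counts only the failed-login responses.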
Re: Custom regex not working
Posted: 16 Nov 2018, 04:45
by logout
Did you get this code working in the end?
May I ask the benefit of a custom rule on csf compared with widely used mod_security rules to block wp-login brute force? Is there any advantage here or is it just another way to achieve the same goal?