Wordpress Failed Login Frequency Setting?

Post Reply
consultant
Junior Member
Posts: 25
Joined: 24 Aug 2016, 04:49

Wordpress Failed Login Frequency Setting?

Post by consultant »

The /usr/local/csf/bin/regex.custom.pm file allows you to set up blocking for failed Wordpress login attempts, for example:

if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET) \/wp-login\.php.*" /)) {
return ("Failed WordPress GET",$1,"WPLOGINGET","5","80,443,21,25,22,23","1");
}
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:POST) \/wp-login\.php.*" /)) {
return ("Failed WordPress POST",$1,"WPLOGINPOST","5","80,443,21,25,22,23","1");
}

However, the parameter ("5" in the above example) is the number of lines in the log that match the REGEX expression to trigger the block. I looked at the domain log (in dom logs where CUSTOM2_LOG points to) and for the domain in question, there appear to be about 27 days of data in the log. This means that if a user from the same IP address made a typo in their login 5 times in 27 days, they get blocked.

How do I make in so it's only triggered if there are 5 attempts in 24 hours, not for the entire log spanning 27 days?
Sergio
Junior Member
Posts: 1714
Joined: 12 Dec 2006, 14:56

Re: Wordpress Failed Login Frequency Setting?

Post by Sergio »

Hi.
Try to escape "[" and "]" like; "\[" and "\]" (but without the double quotes).

Normally CSF blocks the IP on the same hour not in a lot of days.
But just do a test escaping the brackets and you will see.

Here is one of my own favorite rules for you to see how the brackets are escaped:

Code: Select all


# BLOCKING ModSec Rules attacks by Sergio

	if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\.\d+\s+\S+\] \[:error\] \[pid \d+.*\] \[client \S+\] \[client (\S+)\] ModSecurity.*\[id "(210280|210350|210380|210481|210492)"\]/i)) {
		return ("mod_security attack id $2",$1,"Secmas_ModSec","1","1");
	}

# NOTE: If you use the above rule in your server I don't assume any responsibility, use it at your own risk.

With this rule you can block any IP that triggers the listed mod_security ID number rule at the first attempt and the IP will be blocked permanently in the server.

I have just wrote a few MODSEC IDs as an example and for you to get the idea of the brackets that should be escaped but in that rule you can add a lot more IDs.

Then I have a CRON that runs hourly, that finds all the IPs of the same range that were blocked in a period of time and then the script creates a block to the full IP range ".0/24" if it exceeds what I have defined.

With CSF you can do a lot, I really like it.

Sergio
Post Reply