Please help with custom rule
Posted: 12 Nov 2022, 22:07
by luisfalcon
A little help here guys.
I created an extremely simple WordPress plugin that creates a log of failed login attempts; this way I can target only a brute-force attack and not a webmaster logging into several sites in an hour for normal work (this is a server with more than a thousand WordPress sites).
I can make the log any way I want, but so far I am appending a timestamp and the IP of the failed login attempt's remote host, as an example:
failed-logins.log
Code:
2022-11-12 18:14:32 192.34.9.3
2022-11-12 18:15:35 170.45.32.2
2022-11-12 18:18:25 238.170.22.1
I don't need to filter these, because ALL of them are already failed logins, so how would a CSF rule look?
Also, if you have any suggestions on the log format, please let me hear them.
Re: Please help with custom rule
Posted: 13 Nov 2022, 14:26
by Sergio
The first thing to do is to add the log URL in the csf configuration file at "CUSTOM1_LOG = "; once you have saved the exact URL, for example /var/log/mylog, you can proceed to create the REGEX rule and add it to /usr/local/csf/bin/
Once you have added the rule to that file, you have to restart LFD, not the firewall, just LFD.
Inside the file /usr/local/csf/bin/ you will find an example of how to create the rule.
The rule that you want is very simple, so, something like this can be set:
Code:
# SECMAS BLOCKING WP LOGGING
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s\S+\s(\S+)$/i)) {
return ("",$1,"SECMAS_WPBLOCK","1","1");
}
The last thing that you should check, according to the instructions inside /usr/local/csf/bin/, is the rule part at the end that reads:
,"1","1");
as you have to set it according to how you have set LF_SELECT in your CSF main firewall.
Sergio
Re: Please help with custom rule
Posted: 17 Nov 2022, 05:59
by luisfalcon
It worked! Thank you!
Re: Please help with custom rule
Posted: 17 Nov 2022, 06:49
by luisfalcon
Thanks for all your help,
Honestly I tried to find the answer using regex101.com but couldn't.
What if I want to add more information to the log but I want csf to ignore it?
Maybe something like: ignore the rest of the line after the ip address
Something like this:
Code:
2022-11-12 18:14:32 192.34.9.3 https://site1.com (the site url or any other info not related with csf but useful to have in the log)
2022-11-12 18:15:35 170.45.32.2 https://site2.com (or any other info not related with csf but useful to have in the log)
2022-11-12 18:18:25 238.170.22.1 https://www.site3.com (or any other info not related with csf but useful to have in the log)
Thanks in advance for your time.
Re: Please help with custom rule
Posted: 17 Nov 2022, 12:43
by Sergio
The rule that I wrote was very simple, according to the LOG lines that you wrote:
If you want to get more info from the LOG line that you create, you have to tweak my rule, remembering that anything inside parentheses "(" ")" will be saved as $1, $2, etc.
Example:
2022-11-12 18:14:32 192.34.9.3 https://site1.com (the site url or any other info not related with csf but useful to have in the log)
My rule could be modified to:
Code:
/^\S+\s\S+\s(\S+)\shttps?:\/\/(\S+) /
then you should modify the part that is saved in the FireWall log to:
Code:
return ("$2",$1,"SECMAS_WPBLOCK","1","1");
Then CSF log will show something like this:
192.34.9.3 # lfd (SECMAS_WPBLOCK) site1.com 192.34.9.3 (US/United States/): 1 in the last 3600 secs - Thu Nov 17 23:56:32 2022
The new full rule will be:
Code:
# SECMAS BLOCKING WP LOGGING
# $1 = remote IP of the failed login, $2 = site host after "http://" or "https://"
# (both slashes are consumed so $2 does not start with "/")
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s\S+\s(\S+)\shttps?:\/\/(\S+) /i)) {
    return ("$2",$1,"SECMAS_WPBLOCK","1","1");
}
Sergio
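The two patterns from this thread, replayed in Python over constructed log lines as an added example (not code from the thread or from the csf project), to show which lines each rule matches and what the returned triple holds; the check that the captured token is really an IP address is an extra guard this example adds, so a changed log format cannot make lfd block a mis-parsed field.

```python
import re
import ipaddress

# Constructed sample log lines (not taken from a real server): the original
# three-field format, and the extended format with a site URL and free text.
SIMPLE_LOG = """\
2022-11-12 18:14:32 192.34.9.3
2022-11-12 18:15:35 170.45.32.2
2022-11-12 18:18:25 238.170.22.1
"""
EXTENDED_LOG = """\
2022-11-12 18:14:32 192.34.9.3 https://site1.com (the site url)
2022-11-12 18:15:35 170.45.32.2 https://site2.com (other info)
2022-11-12 18:18:25 238.170.22.1 https://www.site3.com (other info)
2022-11-12 18:20:00 - https://site4.com (no ip recorded)
"""

# Python equivalents of the two Perl patterns used in the lfd rule.
RULE_SIMPLE = re.compile(r"^\S+\s\S+\s(\S+)$", re.I)
# Both slashes after "https?:" are consumed, so group 2 is "site1.com" and
# not "/site1.com"; the URL may be followed by more text or end the line.
RULE_EXTENDED = re.compile(r"^\S+\s\S+\s(\S+)\shttps?://(\S+)(?:\s|$)", re.I)

def match_line(line, rule):
    """Return the (description, ip, identifier) triple the lfd rule would
    return, or None if the line does not match or group 1 is not an IP."""
    m = rule.match(line)
    if not m:
        return None
    ip = m.group(1)
    try:
        ipaddress.ip_address(ip)   # added guard: never block a non-IP token
    except ValueError:
        return None
    desc = m.group(2) if m.re.groups >= 2 else ""
    return (desc, ip, "SECMAS_WPBLOCK")

def scan(log_text, rule):
    """Apply the rule to every line, as lfd does while tailing CUSTOM1_LOG."""
    return [hit for hit in (match_line(l, rule) for l in log_text.splitlines()) if hit]

if __name__ == "__main__":
    print(scan(SIMPLE_LOG, RULE_SIMPLE))
    # The simple rule's "$" anchor sees the URL, so after the log format
    # change it matches nothing and blocking silently stops.
    print(scan(EXTENDED_LOG, RULE_SIMPLE))
    print(scan(EXTENDED_LOG, RULE_EXTENDED))
```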
Re: Please help with custom rule
Posted: 25 Nov 2022, 05:19
by luisfalcon
Got it, thanks for your help
Re: Please help with custom rule
Posted: 25 Nov 2022, 14:06
by Sergio
You're welcome.