regex.custom.pm for WordPress wp-login brute force
Posted: 16 Jun 2013, 15:57
by phpwebdev
Hello All,
I am trying to get LFD to monitor for WordPress brute-force attacks on my site. Here is what I have done so far but LFD is not triggering:
Code:
CUSTOM1_LOG = "/var/log/httpd/MYDOMAIN.com_access_log"
Code:
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /\] \"POST \/wp-login/)) {
return ("wp-login attempt from",$2,"wplogin","5","80","3600");
}
And here is the log entry I am trying to block on:
Code:
58.11.173.48 - - [16/Jun/2013:07:14:18 -0700] "POST /wp-login.php HTTP/1.0" 200 5176 "MYDOMAIN/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
I might be missing something.
Re: regex.custom.pm for WordPress wp-login brute force
Posted: 27 Jun 2013, 22:38
by joethesysadmin
I accomplished this by using the "WP fail2ban" plugin (just the plugin, not the fail2ban scripts) to log the login attempt to /var/log/messages via syslog. I then created the following regex using the regex.pm entries as an example.
I put the following in regex.custom.pm
Code:
# WordPress: match the line the WP fail2ban plugin writes to syslog.
# $1 = account name, $2 = source IP (the IP group is mandatory so $2 is never undefined)
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /Authentication failure for (\S+) from ([\d.]+)/))
{
    $ip = $2; $acc = $1;
    $ip =~ s/^::ffff://;   # drop an IPv4-mapped IPv6 prefix if present
    return ("Failed WordPress login from",$ip,"wordpresshackers","2","80,443","1");
}
In my example, you can see that I have created two variables (the (\S+) and the ([\d.]+) bits). I can then format them however I like, and return them as $1 and $2. Your regex is not doing any of that.
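The following is an added example, not code from this thread or from CSF/LFD: a Python model of the custom regex entry above, run over constructed syslog lines in the format the WP fail2ban plugin writes. It goes one step beyond the Perl entry by capturing the address with \S+ so that an IPv4-mapped IPv6 address (::ffff:a.b.c.d) is matched and the ::ffff: strip actually takes effect; the per-IP counting stands in for LFD's own trigger bookkeeping and the log lines are made up.

```python
import re
from collections import Counter

# Same two capture groups as the regex.custom.pm entry ($1 = account, $2 = IP),
# with the IP group widened to \S+ so mapped IPv6 addresses are captured too.
WP_FAIL_RE = re.compile(r"Authentication failure for (\S+) from (\S+)")

# Constructed sample lines (not real traffic), in the WP fail2ban syslog format.
SAMPLE_LOG = [
    "Jun 27 22:30:01 web1 wordpress(example.com)[1234]: Authentication failure for admin from 203.0.113.5",
    "Jun 27 22:30:03 web1 wordpress(example.com)[1234]: Authentication failure for admin from ::ffff:203.0.113.5",
    "Jun 27 22:30:05 web1 sshd[999]: Accepted publickey for deploy from 198.51.100.7 port 5022",
    "Jun 27 22:30:09 web1 wordpress(example.com)[1234]: Authentication failure for editor from 198.51.100.9",
]


def parse_failure(line):
    """Return (account, ip) for a WP fail2ban failure line, else None.

    Mirrors $1/$2 and the $ip =~ s/^::ffff:// normalisation in the Perl entry.
    """
    m = WP_FAIL_RE.search(line)
    if not m:
        return None
    acc, ip = m.group(1), m.group(2)
    return acc, re.sub(r"^::ffff:", "", ip)


def offenders(lines, trigger=2):
    """Count failures per normalised IP and return those that reached the
    trigger count, the way the fourth return value ("2" above) gates a block.
    """
    hits = Counter()
    for line in lines:
        parsed = parse_failure(line)
        if parsed:
            hits[parsed[1]] += 1
    return sorted(ip for ip, n in hits.items() if n >= trigger)


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_failure(line))
    print("would block:", offenders(SAMPLE_LOG))
```

Note that the second sample line only counts against 203.0.113.5 because the mapped prefix is stripped before counting; with the original ([\d.]+) group that line would not have matched at all.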
Re: regex.custom.pm for WordPress wp-login brute force
Posted: 18 Nov 2014, 19:01
by verdonv
Hi,
Is there something I need to do to enable the custom regex? I have installed "WP fail2ban". I have verified that failed logins are being written to /var/log/messages. I have added the regex
Code:
# WordPress: $1 = account name, $2 = source IP (IP group made mandatory so $2 is never undefined)
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /Authentication failure for (\S+) from ([\d.]+)/))
{
    $ip = $2; $acc = $1;
    $ip =~ s/^::ffff://;   # drop an IPv4-mapped IPv6 prefix if present
    return ("Failed WordPress login from",$ip,"wordpresshackers","5","80,443","1");
}
to regex.custom.pm. I tested the regex at rubular DOT com and it seems to be working. I restarted CSF and LFD. It all looks like it should work, but attempts to trigger a ban with successive failed logins are not working. I'm not sure where to look for an error. Any help would be most appreciated.
Thks,
v
Re: regex.custom.pm for WordPress wp-login brute force
Posted: 27 Nov 2014, 19:18
by verdonv
Not sure what I was doing wrong the other day, but this is working now.
Re: regex.custom.pm for WordPress wp-login brute force
Posted: 07 Mar 2016, 18:09
by leisegang
I am on CentOS version 7.
I can't get this to work.
I have installed the fail2ban WordPress plugin, but I can't see anything in my /var/log/messages log.
So I am not able to block all those attempts. Any help?