
automating blocking of IP numbers

Posted: 03 Apr 2014, 02:28
by edwardsmarkf
hello all -

i have a crontab script that runs every two minutes scanning logfiles for brute-force wordpress login attempts. if i find more than 40 in a one minute period, my script issues the following command something like:

csf --deny 111.222.333.444 ;

this seems to do the same thing as the "Quick Deny" button.

is there a command line equivalent of the "Quick Ignore" button? i am thinking this pesky IP number needs to be put into both places because the "csf --deny" command does not seem to be doing anything (or maybe i misunderstand what it is doing)

also, is there a limit to the number of IP numbers i can block?

thank you all.
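
The cron check described in the post above (more than 40 wp-login.php attempts from one IP in one minute, then `csf --deny`), as an added example that is not part of the original post or of CSF. It assumes Apache combined-format log lines; the function names, `NEVER_BLOCK` and `DRY_RUN` are hypothetical, and the sample log is constructed.

```sh
#!/bin/sh
# Added example (not the poster's script). Assumes Apache combined-format lines.
THRESHOLD=40             # from the post: more than 40 attempts in one minute
NEVER_BLOCK="127.0.0.1"  # assumption: space-separated IPs that must never be denied

# Read log lines on stdin; print each IP with more than $1 (default THRESHOLD)
# POSTs to wp-login.php inside a single calendar minute.
find_offenders() {
  awk -v limit="${1:-$THRESHOLD}" '
    # $1 = client IP, $4 = [dd/Mon/yyyy:hh:mm:ss, $6 = "METHOD, $7 = path
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ {
      minute = substr($4, 2, 17)               # dd/Mon/yyyy:hh:mm
      if (++hits[$1 SUBSEP minute] == limit + 1) print $1
    }' | sort -u
}

# Succeed only for a dotted quad whose four octets are each 0-255.
valid_ipv4() {
  printf '%s\n' "$1" | awk -F. '
    NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Read IPs on stdin; print the csf command (DRY_RUN=1, the default) or run it.
block_offenders() {
  while read -r ip; do
    valid_ipv4 "$ip" || continue               # never pass junk to a root command
    case " $NEVER_BLOCK " in *" $ip "*) continue ;; esac
    if [ "${DRY_RUN:-1}" = 1 ]; then
      echo "csf --deny $ip wp-login brute force"
    else
      csf --deny "$ip" "wp-login brute force"  # second argument is the csf.deny comment
    fi
  done
}

# Constructed sample: 41 POSTs from 203.0.113.7, 40 from 198.51.100.9, same minute.
sample_log() {
  awk 'BEGIN {
    fmt = "%s - - [03/Apr/2014:02:20:%02d +0000] \"POST /wp-login.php HTTP/1.1\" 200 3120\n"
    for (i = 0; i < 41; i++) printf fmt, "203.0.113.7", i
    for (i = 0; i < 40; i++) printf fmt, "198.51.100.9", i
  }'
}
```

Running `sample_log | find_offenders | block_offenders` prints the single deny command for 203.0.113.7; the address with exactly 40 hits stays under the threshold, and a malformed value such as 111.222.333.444 is skipped by `valid_ipv4`.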

Re: automating blocking of IP numbers

Posted: 03 Apr 2014, 03:05
by edwardsmarkf
i am very tempted to do something like:

echo "$IP_NBR" >>/etc/csf/csf.ignore ;
csf --restart ;

Re: automating blocking of IP numbers

Posted: 03 Apr 2014, 03:27
by Sergio
You don't need to do a script for that, use regex.custom.pm and create a regex that traps those IPs and CSF will block those IPs automatically for you.

What logs are you looking in for the offending IPs?
What OS and modsecurity rules are you using?

Re: automating blocking of IP numbers

Posted: 03 Apr 2014, 06:21
by edwardsmarkf
hello sergio -
"What logs are you looking in for the offending IPs?"
i am looking in the /var/log/virtualmin directory for the *.com_access_log files. currently i am using "logtail" but your suggestion looks to be far more effective.
"What OS and modsecurity rules are you using?"
Linux 2.6.32-431.11.2.el6.x86_64 #1 SMP Tue Mar 25 19:59:55 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

/etc/httpd/conf.d/mod_qos.conf:

QS_LocRequestLimitMatch ^/wp-login.php 3
QS_LocRequestPerSecLimitMatch ^/wp-login.php 1
"use regex.custom.pm and create a regex that traps those IPs and CSF will block those IPs automatically for you."
this is very interesting. do you by any chance have an example of one to block the wordpress wp-login.php script?

Re: automating blocking of IP numbers

Posted: 03 Apr 2014, 15:06
by edwardsmarkf

Re: automating blocking of IP numbers

Posted: 03 Apr 2014, 15:26
by Sergio
Well, mod_qos will not help with this; I like how Mod_Security handles these attacks better.

That is why I asked you what ModSecurity rules you are using, because you can create a regex that looks for modsecurity rule numbers and not just for wordpress login failures.