
Blocking Wordpress Login and xmlprc attacks with LFD

Posted: 17 Apr 2016, 11:09
by mediacloudgroup
Hi - we're needing some assistance to get these types of attacks blocked automatically with a custom regex: say 10 login attempts in 12 hours, to mitigate slow logins, with the IP permanently banned and added to the block list, where we can remove it if needed in case of customers' false attempts. We've tried a few things including fail2ban, although it would be great if LFD could scan the logs and ban them automatically without plugins, etc. Access logs are located under /usr/local/apache/domlogs/*, so we would need wildcard-type scanning of the logs. Each log file is named after its domain. Not sure of the impact on performance as there are over 140 sites on this server. Recommendations and advice are most welcome. Thanks.

Example from the access logs we would like to block:

1.0.170.246 - - [17/Apr/2016:08:10:43 +0800] "POST /wp-login.php HTTP/1.0" 302 - "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.91 Safari/537.36"
1.0.170.246 - - [17/Apr/2016:08:10:59 +0800] "GET /wp-login.php HTTP/1.0" 200 3624 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.91 Safari/537.36"
1.0.170.246 - - [17/Apr/2016:09:54:33 +0800] "POST /wp-login.php HTTP/1.0" 302 - "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 8_1_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12B466 Safari/600.1.4"
1.0.170.246 - - [17/Apr/2016:09:54:40 +0800] "GET /wp-login.php HTTP/1.0" 200 3686 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 8_1_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12B466 Safari/600.1.4"
185.106.92.160 - - [17/Apr/2016:15:10:27 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
185.106.92.160 - - [17/Apr/2016:15:11:35 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
185.106.92.160 - - [17/Apr/2016:15:12:02 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
185.106.92.160 - - [17/Apr/2016:15:13:42 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
185.106.92.160 - - [17/Apr/2016:15:14:41 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
185.106.92.160 - - [17/Apr/2016:15:14:49 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

Re: Blocking Wordpress Login and xmlprc attacks with LFD

Posted: 18 Apr 2016, 04:10
by mediacloudgroup
I've been playing with a few examples - would these work?

# With CUSTOM2_LOG set to a wildcard, $lgfile is the individual file that matched,
# so the check has to go through %globlogs rather than "eq $config{CUSTOM2_LOG}".
# lfd expects six return values: description, IP, id, trigger, ports ("*" = all), permanent.
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /^(\S+).*wp-login/)) {
    return ("WP Login Attack",$1,"SecmasWPLOGIN","10","*","1");
}

if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /^(\S+).*xmlrpc/)) {
    return ("WP XMLRPC Attack",$1,"SecmasWPXMLRPC","10","*","1");
}

Re: Blocking Wordpress Login and xmlprc attacks with LFD

Posted: 18 Apr 2016, 04:11
by mediacloudgroup
Also would my custom log path work like this?

/usr/local/apache/domlogs/*

Re: Blocking Wordpress Login and xmlprc attacks with LFD

Posted: 24 Apr 2016, 23:46
by Cadmos
I registered to answer you;

=- Tested on CentOS 6.7 -=

Triggers on "3" hits (better make it more) of GET or POST of /xmlrpc.php or /wp-login.php by using the default interval settings of csf.conf (3600).

It bans the IP permanently "1" (it requires LF_TRIGGER disabled in csf.conf or else it ignores the value and uses the default temporary block time 3600)

regex.custom.pm

# XMLRPC
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/xmlrpc\.php.*" /)) {
    return ("your ban comment",$1,"XMLRPCorWHATEVER","3","80,443,21,25,22,23","1");
}

# WP-LOGINS
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
    return ("your ban comment",$1,"WPLOGINorWHATEVER","3","80,443,21,25,22,23","1");
}

csf.conf


CUSTOM2_LOG = "/usr/local/apache/domlogs/*/*"

Re: Blocking Wordpress Login and xmlprc attacks with LFD

Posted: 27 Apr 2016, 02:37
by mediacloudgroup
Thank you very much. We've implemented that now and we're monitoring. Also we want to block these and appreciate your help:

178.32.12.113 - - [27/Apr/2016:09:21:43 +0800] "GET /?attachment_id=637 HTTP/1.0" 301 - "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit$
178.32.12.113 - - [27/Apr/2016:09:21:46 +0800] "GET /?attachment_id=637 HTTP/1.0" 200 6975589 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) Apple$
192.162.27.79 - - [27/Apr/2016:09:22:50 +0800] "GET /?attachment_id=574 HTTP/1.0" 301 - "http://www./" "Mozilla/5.0 $
192.162.27.79 - - [27/Apr/2016:09:22:53 +0800] "GET /?attachment_id=574 HTTP/1.0" 200 7978481 "http://www./" "Mozill$
107.172.195.72 - - [27/Apr/2016:09:23:13 +0800] "GET /?attachment_id=262 HTTP/1.0" 301 - "http://www./" "Mozilla/5.0$
107.172.195.72 - - [27/Apr/2016:09:23:16 +0800] "GET /?attachment_id=262 HTTP/1.0" 200 2351004 "http://www./" "Mozil$
172.245.245.23 - - [27/Apr/2016:09:23:25 +0800] "GET /?attachment_id=575 HTTP/1.0" 301 - "http://www./" "Mozilla/5.0 (Windows $
172.245.245.23 - - [27/Apr/2016:09:23:28 +0800] "GET /?attachment_id=575 HTTP/1.0" 200 7523020 "http://www./" "Mozilla/5.0 (Wi$

Re: Blocking Wordpress Login and xmlprc attacks with LFD

Posted: 27 Apr 2016, 03:34
by mediacloudgroup
This is working very nicely - thanks for your help. Looking forward to the attachment_id block.

Re: Blocking Wordpress Login and xmlprc attacks with LFD

Posted: 19 Nov 2016, 04:41
by DaNgErOuS
Cadmos wrote:I registered to answer you;


regex.custom.pm


# XMLRPC
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/xmlrpc\.php.*" /)) {
    return ("your ban comment",$1,"XMLRPCorWHATEVER","3","80,443,21,25,22,23","1");
    }
    
 # WP-LOGINS
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
    return ("your ban comment",$1,"WPLOGINorWHATEVER","3","80,443,21,25,22,23","1");
    }
    
csf.conf


CUSTOM2_LOG = "/usr/local/apache/domlogs/*/*"

Hi,
when I add the custom regex I see this error, with lfd stopping:

Starting lfd:/usr/local/csf/bin/regex.custom.pm did not return a true value at /usr/local/csf/lib/ConfigServer/RegexMain.pm line 45.
Compilation failed in require at /usr/sbin/lfd line 26.
BEGIN failed--compilation aborted at /usr/sbin/lfd line 26.

What is the problem?
Thanks

Re: Blocking Wordpress Login and xmlprc attacks with LFD

Posted: 20 Nov 2016, 01:00
by mediacloudgroup
Working for us - just make sure that the code has copied across/formatted properly. We have this implemented on a number of servers. Here is our formatted code:

# XMLRPC
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/xmlrpc\.php.*" /)) {
    return ("WP XMLRPC Attack",$1,"XMLRPC","10","80,443,21,25,22,23","1");
}

# WP-LOGINS
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
    return ("WP Login Attack",$1,"WPLOGIN","10","80,443,21,25,22,23","1");
}

# WP-ATTACHMENTID
# Matches "/?attachment_id=NNN" requests. Ordinary visitors opening attachment
# pages produce the same lines, so five of them bans a real visitor permanently too.
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*\/\?attachment_id=/)) {
    return ("WP Attachment Attack",$1,"WPATTACHMENTATTACK","5","80,443,21,25,22,23","1");
}
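The three rules above (and Cadmos's version of the first two) can be tried offline before they go live on 140 customer sites. The harness below is an added example by the editor, not csf/lfd code: it emulates the %globlogs / $lgfile / $line environment the rules run in, replays constructed access-log lines (documentation-range addresses plus the xmlrpc bot quoted in the first post) and counts hits per rule and per IP inside a time window, the way this thread describes lfd doing it. Everything not on the page is an assumption and labelled in the code: the file name, the sub names (custom_line, log_epoch, replay, line_at are the harness's own), the sliding-window counting (a simplification of lfd's, which tails live files against the wall clock and takes its interval from csf.conf), and the regexes, which are the thread's but pinned to the combined-log field layout.

```perl
#!/usr/bin/perl
# Added example, not csf/lfd code: replays this thread's regex.custom.pm rules
# against constructed access-log lines and emulates per-rule, per-IP hit
# counting inside a time window, so thresholds can be checked before going live.
use strict;
use warnings;
use Time::Local qw(timegm);

# Assumption: lfd fills $globlogs{CUSTOM2_LOG}{$lgfile} for every file matched
# by the CUSTOM2_LOG glob; the harness does the same for one constructed name.
my %globlogs;
my $lgfile = '/usr/local/apache/domlogs/example/example.com';   # constructed
$globlogs{CUSTOM2_LOG}{$lgfile} = 1;

# The thread's rules, with the request pinned to the combined-log layout
# (ip ident user [time] "METHOD path") so that (\S+) can only be the client IP.
sub custom_line {
	my ($line) = @_;
	my $req = qr/^(\S+) \S+ \S+ \[[^\]]+\] "/;
	if ($globlogs{CUSTOM2_LOG}{$lgfile} and $line =~ /${req}(?:GET|POST) \/xmlrpc\.php[ ?]/) {
		return ("WP XMLRPC Attack", $1, "XMLRPC", "10", "80,443,21,25,22,23", "1");
	}
	if ($globlogs{CUSTOM2_LOG}{$lgfile} and $line =~ /${req}(?:GET|POST) \/wp-login\.php[ ?]/) {
		return ("WP Login Attack", $1, "WPLOGIN", "10", "80,443,21,25,22,23", "1");
	}
	if ($globlogs{CUSTOM2_LOG}{$lgfile} and $line =~ /${req}GET \/\?attachment_id=\d+/) {
		return ("WP Attachment Attack", $1, "WPATTACHMENTATTACK", "5", "80,443,21,25,22,23", "1");
	}
	return 0;   # lfd's "no match" value
}

# "[17/Apr/2016:08:10:43 +0800]" -> epoch seconds, so the replay can use the
# log's own clock (live lfd tails the file and uses the wall clock instead).
my %mon = (Jan=>0,Feb=>1,Mar=>2,Apr=>3,May=>4,Jun=>5,Jul=>6,Aug=>7,Sep=>8,Oct=>9,Nov=>10,Dec=>11);
sub log_epoch {
	my ($line) = @_;
	return undef unless $line =~ /\[(\d\d)\/(\w{3})\/(\d{4}):(\d\d):(\d\d):(\d\d) ([+-])(\d\d)(\d\d)\]/;
	my $stamp = timegm($6, $5, $4, $1, $mon{$2}, $3);
	return $stamp - ($7 eq '-' ? -1 : 1) * ($8 * 3600 + $9 * 60);
}

# Sliding-window emulation: a (rule id, IP) pair is blocked once it has $trigger
# hits inside $window seconds. Returns the block list and, for every pair, the
# peak number of hits seen inside the window.
sub replay {
	my ($window, @lines) = @_;
	my (%recent, %peak, %done, @blocked);
	for my $line (@lines) {
		my @r = custom_line($line);
		next unless @r == 6;
		my ($desc, $ip, $id, $trigger, $ports, $perm) = @r;
		my $t = log_epoch($line);
		next unless defined $t;
		my $q = $recent{$id}{$ip} ||= [];
		push @$q, $t;
		@$q = grep { $_ > $t - $window } @$q;          # drop hits older than the window
		$peak{$id}{$ip} = @$q if @$q > ($peak{$id}{$ip} // 0);
		if (@$q >= $trigger and not $done{$id}{$ip}++) {
			push @blocked, sprintf('%-15s %-19s after %d hits: %s (ports %s, perm=%s)',
				$ip, $id, scalar @$q, $desc, $ports, $perm);
		}
	}
	return (\@blocked, \%peak);
}

# Constructed log lines: documentation-range addresses plus the xmlrpc bot
# quoted in the first post, all dated 17 Apr 2016 +0800 and in time order.
sub line_at {
	my ($ip, $request, $status, $hms) = @_;
	return sprintf('%s - - [17/Apr/2016:%s +0800] "%s HTTP/1.0" %s - "-" "Mozilla/5.0 (constructed)"',
		$ip, $hms, $request, $status);
}
my @log = (
	# slow brute force: ten POSTs 50 minutes apart (00:00 .. 07:30)
	(map { my $i = $_; line_at('203.0.113.5', 'POST /wp-login.php', 302, sprintf('%02d:%02d:00', int($i * 50 / 60), ($i * 50) % 60)) } 0 .. 9),
	# fast brute force: ten POSTs five seconds apart
	(map { my $i = $_; line_at('198.51.100.23', 'POST /wp-login.php', 302, sprintf('10:00:%02d', $i * 5)) } 0 .. 9),
	# a real administrator logging in once
	line_at('192.0.2.10', 'GET /wp-login.php', 200, '11:00:00'),
	line_at('192.0.2.10', 'POST /wp-login.php', 302, '11:00:20'),
	line_at('192.0.2.10', 'GET /wp-admin/', 200, '11:00:21'),
	# the xmlrpc bot from the first post: six POSTs in five minutes
	(map { my $i = $_; line_at('185.106.92.160', 'POST /xmlrpc.php', 200, sprintf('15:%02d:00', 10 + $i)) } 0 .. 5),
	# an ordinary visitor opening five attachment pages
	(map { my $i = $_; line_at('192.0.2.44', 'GET /?attachment_id=' . (600 + $i), 200, sprintf('16:00:%02d', $i * 10)) } 0 .. 4),
);

for my $window (3600, 12 * 3600) {   # csf's default interval vs. the 12 h asked for in the first post
	my ($blocked, $peak) = replay($window, @log);
	printf "\n== %d second window ==\n", $window;
	print "BLOCK $_\n" for @$blocked;
	for my $id (sort keys %$peak) {
		printf "  %-19s %-15s peak %d hits in window\n", $id, $_, $peak->{$id}{$_} for sort keys %{ $peak->{$id} };
	}
}
```

Run it with perl. With the 3600 second window only 198.51.100.23 (WPLOGIN, after 10 hits) and 192.0.2.44 (WPATTACHMENTATTACK, after 5 hits) are blocked; the slow brute-forcer 203.0.113.5 never has more than 2 hits inside any hour. With the 12 hour window 203.0.113.5 is blocked as well, which is the "10 attempts in 12 hours" behaviour the first post asked for. The administrator peaks at 2 WPLOGIN hits (the GET and the POST) and is left alone, and the xmlrpc bot peaks at 6, below the thread's trigger of 10 but above Cadmos's 3. The attachment result is the caveat: a visitor who opens five attachment pages trips the rule exactly like a scraper and, with perm set to "1", is banned permanently, so that threshold is worth a second look before the rule goes onto customer sites.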

Re: Blocking Wordpress Login and xmlprc attacks with LFD

Posted: 23 Nov 2016, 10:33
by saraedward
Also would my custom log path work like this?
Moderated Message:
Please do not put signatures in posts or you risk being banned for spamming

Re: Blocking Wordpress Login and xmlprc attacks with LFD

Posted: 28 Nov 2016, 06:40
by CavemanSean
Hello there, I'm wanting to use this on my install of CSF as well, however I'm not exactly sure how to set this up...
Cadmos wrote:I registered to answer you;

=- Tested on CentOS 6.7 -=

Triggers on "3" hits (better make it more) of GET or POST of /xmlrpc.php or /wp-login.php by using the default interval settings of csf.conf (3600).

It bans the IP permanently "1" (it requires LF_TRIGGER disabled in csf.conf or else it ignores the value and uses the default temporary block time 3600)

regex.custom.pm


# XMLRPC
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/xmlrpc\.php.*" /)) {
    return ("your ban comment",$1,"XMLRPCorWHATEVER","3","80,443,21,25,22,23","1");
    }
    
 # WP-LOGINS
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
    return ("your ban comment",$1,"WPLOGINorWHATEVER","3","80,443,21,25,22,23","1");
    }
    
csf.conf


CUSTOM2_LOG = "/usr/local/apache/domlogs/*/*"

Now I know where the config file is and how to edit that; what I'm not sure of is where this regex.custom.pm file is (or do I make it? And if I do, how do I tie this into CSF?)


I believe I figured it out...
I modified /usr/local/csf/bin/regex.custom.pm and included that text in it (I just tossed it above
#############
#Do not edit beyond this point

so I hope it's working :\
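The lfd start-up error quoted earlier ("regex.custom.pm did not return a true value") and the placement question in the post above are the same Perl rule seen from two sides: a file loaded with require must evaluate to a true value as its last statement, which is what the closing `1;` of regex.custom.pm is for, so rules pasted after that line break the file while rules placed between the "Do not edit" markers do not. The script below is an added example by the editor, not csf code. It builds two throw-away files in the shape the thread describes (one sub that lfd calls per log line, the markers, then `1;`), loads each the way lfd does, and prints the outcome. The package names regex_bad and regex_good, the temporary paths and the exact file layout are assumptions.

```perl
#!/usr/bin/perl
# Added example, not csf/lfd code: reproduces "regex.custom.pm did not return a
# true value" and shows why the rules must sit above "Do not edit beyond this
# point" rather than after the file's closing `1;`.
use strict;
use warnings;
use File::Temp qw(tempfile);

# One rule in the form used throughout this thread.
my $rule = <<'RULE';
	if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /^(\S+).*\] "(?:GET|POST) \/wp-login\.php/)) {
		return ("WP Login Attack",$1,"WPLOGIN","10","80,443,21,25,22,23","1");
	}
RULE

# Minimal file in the assumed shape of regex.custom.pm: a sub that lfd calls
# per log line, then the `1;` that Perl's require needs as the file's last value.
# $inside is placed between the markers; $after is pasted below the `1;`.
sub skeleton {
	my ($pkg, $inside, $after) = @_;
	return "package $pkg;\n"
	     . "sub custom_line {\n\tmy \$line = shift;\n\tmy \$lgfile = shift;\n"
	     . "# Do not edit above this line\n"
	     . $inside
	     . "# Do not edit beyond this point\n\treturn 0;\n}\n"
	     . "1;\n"
	     . $after;
}

# The check lfd performs implicitly at start-up: require the file.
sub load_file {
	my ($path) = @_;
	my $ok = eval { require $path; 1 };
	return $ok ? 'loaded OK' : "FAILED: $@";
}

# Write a constructed file to a temporary path and load it.
sub load_source {
	my ($src) = @_;
	my ($fh, $path) = tempfile(SUFFIX => '.pm', UNLINK => 1);
	print {$fh} $src;
	close $fh;
	return load_file($path);
}

# 1) rule pasted after `1;`: the last thing evaluated is the rule's (false)
#    condition, so require sees a false value and rejects the whole file.
print 'rule below 1;       : ', load_source(skeleton('regex_bad', '', $rule)), "\n";

# 2) rule between the markers: the file still ends with `1;` and loads.
print 'rule between markers: ', load_source(skeleton('regex_good', $rule, '')), "\n";

# The same check against the live file before restarting lfd (path as used in
# this thread; assumes the file has no dependencies of its own). Note that
# `perl -c` alone reports "syntax OK" for both variants, because the true-value
# test only happens when the file is actually required:
#   perl -e 'require "/usr/local/csf/bin/regex.custom.pm"'
```

The first line prints a FAILED message containing the same "did not return a true value" text as the lfd log quoted above; the second prints "loaded OK". The one-liner in the closing comment applies the same test to the real file, so it can be run after every edit and before `csf -r` or an lfd restart.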