Block WordPress wp-login.php attempts with CSF?

asmithjr

Well-Known Member
Jun 13, 2003
I'm working to block IPs that flood wp-login.php attempts by using CSF regex.custom.pm
Code:
# DETECT AND BLOCK wp-login.php POST DOS attacks (requires: CUSTOM2_LOG = "/home/*/access-logs/*" in csf.conf)
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "POST \/wp-login\.php.*" 200/)) {
   return ("Failed Wordpress login from",$1,"wordpress","5","80,443","3600");
}
In /etc/csf/csf.conf I modified the line CUSTOM2_LOG =
Code:
CUSTOM2_LOG = "/home/*/access-logs/*"
I restarted csf with csf -r, then tried accessing a WordPress site's wp-login.php more than 5 times. I still get to the wp-login.php on the website and DO NOT see any entry in the /etc/csf/csf.deny file.
I DO see 12 failed attempts in my /home/user/access-logs/domain-ssl_log file

I made sure my IP is not in /etc/csf/csf.allow
Has anyone been able to get this to work?
 

asmithjr

I found the answer in this thread: Blocking Wordpress Login and xmlprc attacks with LFD - ConfigServer Community Forum
Code:
# WP-LOGINS
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
   return ("your ban comment",$1,"WPLOGINorWHATEVER","3","80,443,21,25,22,23","1");
}
Notice the \w*(?:GET|POST) vs. the POST difference.
Well, my test would not show in csf.deny, but as soon as I restarted csf after saving this I saw entries come in to csf.deny.

It would be nice to know which logfile (user) was getting hit.
 

asmithjr

As a further update, I decided to separate the GET and POST so I can monitor better.
Code:
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET) \/wp-login\.php.*" /)) {
   return ("Failed Wordpress GET",$1,"WPLOGINGET","3","80,443,21,25,22,23","1");
}
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:POST) \/wp-login\.php.*" /)) {
   return ("Failed Wordpress POST",$1,"WPLOGINPOST","3","80,443,21,25,22,23","1");
}
Now I can see which were using which method, and so far no US entries in my csf.deny file. Oh boy, 135 entries.
 

Waqass

Member
Jun 18, 2016
Pakistan
cPanel Access Level
Root Administrator
I recently faced the wrath of brute forcing on wp-login. For the time being I contained them by reducing the maximum connections per IP setting to 20 and blocking the IPs reaching CT_Limit for one day. This has managed to solve the problem, but I fear many legitimate users will be suffering. I tried your option and tested the wp-login page five times myself, but nothing happened. The output of tail -f /var/log/lfd.log is as follows:
Code:
Apr 27 09:47:53 server lfd[2481826]: Failed Wordpress GET 142.54.xxx.xxx - ignored
Apr 27 09:47:53 server lfd[2481826]: Failed Wordpress POST 142.54.xxx.xxx - ignored
Apr 27 09:47:53 server lfd[2481826]: Failed Wordpress GET 142.54.xxx.xxx - ignored
Apr 27 09:47:53 server lfd[2481826]: Failed Wordpress POST 142.54.xxx.xxx - ignored
Apr 27 09:47:53 server lfd[2481826]: Failed Wordpress GET 142.54.xxx.xxx - ignored
Apr 27 09:47:53 server lfd[2481826]: Failed Wordpress POST 142.54.xxx.xxx - ignored
Apr 27 09:47:53 server lfd[2481826]: Failed Wordpress GET 142.54.xxx.xxx - ignored
Apr 27 09:47:53 server lfd[2481826]: Failed Wordpress POST 142.54.xxx.xxx - ignored
Apr 27 09:47:53 server lfd[2481826]: Failed Wordpress GET 142.54.xxx.xxx - ignored
Apr 27 09:47:53 server lfd[2481826]: Failed Wordpress POST 142.54.xxx.xxx - ignored
Also, the IP appearing above is that of my server, whereas my PC's IP, from which I was accessing the website, is something else. Any guide will be appreciated.
 

Waqass

Hello @Waqass

Unless these were occurring at the same time as the login failures they aren't necessarily related. Are you using anything like CloudFlare or Nginx?
I am using Engintron for cPanel, so yes, I am using Nginx. Maybe it's causing issues, as my server IP is being reported instead of the real IPs :S
 

fuzzylogic

Well-Known Member
Nov 8, 2014
cPanel Access Level
Root Administrator
Hello @Waqass
To diagnose the problem I would need to see...
  1. Which (of the 3 posted here) lfd custom regex rules you are using.
  2. Sample log lines from one of the access_log files you are monitoring (full lines from end to end).
    Anonymize, but identify the source IP and the server IP/proxy IP if they both occur in the log line.
You have already demonstrated that your CUSTOM2_LOG has been successfully added by posting the /var/log/lfd.log output.
You have also demonstrated that the custom regex matches the access_log lines you are targeting.
The only failure appears to be with the capture of the source IP to backreference $1.
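One way to check what each of the posted rules actually captures into $1 before deploying it to lfd, as an added example in Perl (the language of regex.custom.pm) that is not code from this thread. The access_log lines and addresses are constructed; the third line imitates the proxied case from the thread, where the first field is the server's own address rather than the visitor's.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed Apache combined-format access_log lines (not real traffic).
# The server's own address is assumed to be 203.0.113.10; the third line
# imitates a proxied request where that address appears in the first field.
my $server_ip = '203.0.113.10';
my @lines = (
  '198.51.100.7 - - [27/Apr/2020:09:47:53 +0500] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [27/Apr/2020:09:47:54 +0500] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
  '203.0.113.10 - - [27/Apr/2020:09:47:55 +0500] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [27/Apr/2020:09:47:56 +0500] "GET /index.php HTTP/1.1" 200 5678 "-" "Mozilla/5.0"',
);

# The three patterns posted in the thread, keyed by a short label.
my %rules = (
  'POST+200 only' => qr/(\S+).*] "POST \/wp-login\.php.*" 200/,
  'GET'           => qr/(\S+).*] "\w*(?:GET) \/wp-login\.php.*" /,
  'POST'          => qr/(\S+).*] "\w*(?:POST) \/wp-login\.php.*" /,
);

# Returns the address the rule would hand to lfd, or undef when it does not match.
sub capture {
  my ($re, $line) = @_;
  return $line =~ $re ? $1 : undef;
}

for my $line (@lines) {
  for my $name (sort keys %rules) {
    my $ip = capture($rules{$name}, $line);
    next unless defined $ip;
    # A rule that captures the server's own address cannot block the visitor.
    my $note = $ip eq $server_ip ? 'captured the server itself, not the visitor' : 'ok';
    printf "%-14s -> %-15s %s\n", $name, $ip, $note;
  }
}
```

Run it against a few anonymized lines from your own access_log (as fuzzylogic asks for above) to see whether $1 holds the visitor or the proxy.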