Block WordPress wp-login.php attempts with CSF?

asmithjr

Well-Known Member
Jun 13, 2003
I'm working to block IPs that flood wp-login.php attempts by using CSF regex.custom.pm
Code:
# DETECT AND BLOCK wp-login.php POST DOS attacks (requires: CUSTOM2_LOG = "/home/*/access-logs/*" in csf.conf)
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "POST \/wp-login\.php.*" 200/)) {
   return ("Failed Wordpress login from",$1,"wordpress","5","80,443","3600");
}
in the /etc/csf/csf.conf I modified the line CUSTOM2_LOG =
Code:
CUSTOM2_LOG = "/home/*/access-logs/*"
I restarted csf with csf -r, then tried accessing a WordPress site's wp-login.php more than 5 times. I still get to the wp-login.php on the website and DO NOT see any entry in the /etc/csf/csf.deny file.
I DO see 12 failed attempts in my /home/user/access-logs/domain-ssl_log file.

I made sure my IP is not in /etc/csf/csf.allow
Has anyone been able to get this to work?
 

asmithjr

Well-Known Member
Jun 13, 2003
I found the answer in this thread Blocking Wordpress Login and xmlprc attacks with LFD - ConfigServer Community Forum
Code:
 # WP-LOGINS
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
   return ("your ban comment",$1,"WPLOGINorWHATEVER","3","80,443,21,25,22,23","1");
   }
Notice the \w*(?:GET|POST) vs the POST difference.
Well my test would not show in the csf.deny but as soon as I restarted csf after saving this I saw entries come in the csf.deny.

It would be nice to know which logfile (user) was getting hit.
 

asmithjr

Well-Known Member
Jun 13, 2003
As a further update, I decided to separate the GET and POST so I can monitor better.
Code:
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET) \/wp-login\.php.*" /)) {
   return ("Failed Wordpress GET",$1,"WPLOGINGET","3","80,443,21,25,22,23","1");
   }
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:POST) \/wp-login\.php.*" /)) {
   return ("Failed Wordpress POST",$1,"WPLOGINPOST","3","80,443,21,25,22,23","1");
   }
Now I can see which were using which method and so far no US entries in my csf.deny file. Oh boy 135 entries.
 

Waqass

Member
Jun 18, 2016
Pakistan
cPanel Access Level
Root Administrator
I recently faced the wrath of brute forcing on wp-login. For the time being I contained them by reducing the maximum connections per IP setting to 20 and blocking the IPs reaching CT_LIMIT for one day. This has managed to solve the problem, but I fear many legitimate users will be suffering. I tried your option and tested the wp-login page five times myself, but nothing happened. The output of tail -f /var/log/lfd.log is as follows:
Code:
Apr 27 09:47:53 server lfd[2481826]: Failed Wordpress GET 142.54.xxx.xxx - ignored
Apr 27 09:47:53 server lfd[2481826]: Failed Wordpress POST 142.54.xxx.xxx - ignored
Apr 27 09:47:53 server lfd[2481826]: Failed Wordpress GET 142.54.xxx.xxx - ignored
Apr 27 09:47:53 server lfd[2481826]: Failed Wordpress POST 142.54.xxx.xxx - ignored
Apr 27 09:47:53 server lfd[2481826]: Failed Wordpress GET 142.54.xxx.xxx - ignored
Apr 27 09:47:53 server lfd[2481826]: Failed Wordpress POST 142.54.xxx.xxx - ignored
Apr 27 09:47:53 server lfd[2481826]: Failed Wordpress GET 142.54.xxx.xxx - ignored
Apr 27 09:47:53 server lfd[2481826]: Failed Wordpress POST 142.54.xxx.xxx - ignored
Apr 27 09:47:53 server lfd[2481826]: Failed Wordpress GET 142.54.xxx.xxx - ignored
Apr 27 09:47:53 server lfd[2481826]: Failed Wordpress POST 142.54.xxx.xxx - ignored
Also, the IP appearing above is my server's, whereas my PC IP, from which I was accessing the website, is something else. Any guidance will be appreciated.
 

Waqass

Member
Jun 18, 2016
Pakistan
cPanel Access Level
Root Administrator
Hello @Waqass

Unless these were occurring at the same time as the login failures they aren't necessarily related. Are you using anything like CloudFlare or Nginx?
I am using Engintron for cPanel, so yes, I am using Nginx. Maybe it's causing issues, as my server IP is being reported instead of the real IPs :S
 

fuzzylogic

Well-Known Member
Nov 8, 2014
cPanel Access Level
Root Administrator
Hello @Waqass
To diagnose the problem I would need to see:
  1. Which (of the 3 posted here) lfd custom regex rules you are using.
  2. Sample log lines from one of the access_log files you are monitoring (full lines from end to end).
    Anonymize, but identify the source IP and the server IP/proxy IP if they both occur in the log line.
You have already demonstrated that your CUSTOM2_LOG has been successfully added by posting the /var/log/lfd.log output.
You have also demonstrated that the custom regex matches the access_log lines you are targeting.
The only failure appears to be with the capture of the source IP into backreference $1.
 

::Gomez::

Active Member
Oct 13, 2003
Argentina
cPanel Access Level
Root Administrator

ffeingol

Well-Known Member
PartnerNOC
Nov 9, 2001
cPanel Access Level
DataCenter Provider
The only "issue" with these is that they don't really look for failures, they look for accesses. If (for example) your customer simply refreshes the page a few times and then tries to log in, they get blocked.

Not trying to diss this at all, you just need to understand it's looking for access vs failure.
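To make fuzzylogic's and ffeingol's points concrete, here is a dry run of the regex.custom.pm patterns posted in this thread over a few constructed access-log lines. This is example code added to the thread, not code from any poster or from CSF/lfd: the patterns are copied from the posts above (Perl's (\S+), (?:...) and .* behave the same under Python's re), the log lines, addresses and file layout are made up, and the is_failed_login helper goes beyond the thread by assuming stock WordPress behaviour (a failed login re-renders the form with 200, a successful one answers with a 302 redirect). The last sample line imitates a server behind a local reverse proxy such as Nginx, where the first field of the line, and therefore $1, is the proxy's own address.

```python
"""Dry run of lfd regex.custom.pm patterns over constructed access-log lines."""
import re
from collections import defaultdict

# Patterns copied from this thread. Perl's (\S+), (?:...) and .* mean the
# same under Python's re, so the rules can be exercised here before lfd runs them.
RULES = {
    # first rule posted: a POST to wp-login.php that was answered with 200
    "WPLOGINPOST200": re.compile(r'(\S+).*] "POST \/wp-login\.php.*" 200'),
    # rule from the ConfigServer thread: any GET or POST to wp-login.php
    "WPLOGINorWHATEVER": re.compile(r'(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" '),
}

# Trigger counts as written in the thread's return(...) lines.
TRIGGERS = {"WPLOGINPOST200": 5, "WPLOGINorWHATEVER": 3}

# Constructed combined-format lines (addresses from documentation ranges).
# 203.0.113.10 is a visitor talking to Apache directly; the last line imitates
# a server behind a local reverse proxy, where the first field is the proxy's
# own address (142.54.0.5, made up) rather than the visitor's.
SAMPLE_LOG = [
    '203.0.113.10 - - [02/Jun/2020:02:46:33 +0000] "GET /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [02/Jun/2020:02:46:40 +0000] "POST /wp-login.php HTTP/1.1" 200 1611 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [02/Jun/2020:02:46:47 +0000] "POST /wp-login.php HTTP/1.1" 200 1611 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [02/Jun/2020:02:46:55 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Jun/2020:02:47:01 +0000] "GET /index.php HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
    '142.54.0.5 - - [27/Apr/2020:09:47:53 +0500] "POST /wp-login.php HTTP/1.1" 200 1611 "-" "Mozilla/5.0"',
]


def capture_ip(rule, line):
    """Return what lfd would hand to $1 for this rule, or None if no match."""
    m = RULES[rule].search(line)
    return m.group(1) if m else None


def count_hits(lines, rule):
    """Per-IP hit count for one rule: the number lfd compares to the trigger."""
    counts = defaultdict(int)
    for line in lines:
        ip = capture_ip(rule, line)
        if ip is not None:
            counts[ip] += 1
    return dict(counts)


def would_block(lines, rule):
    """IPs whose hit count reached the rule's trigger. lfd's time window is
    ignored here because all sample lines fall within one hour."""
    return sorted(ip for ip, n in count_hits(lines, rule).items()
                  if n >= TRIGGERS[rule])


def is_failed_login(line):
    """Stricter test than the thread's rules (assumption: stock WordPress):
    a POST to wp-login.php answered with 200 means the form was re-rendered,
    i.e. the login failed; a successful login answers with a 302 redirect.
    Plain page loads (GET) never count, which avoids banning a customer who
    merely refreshed the login page."""
    return re.search(r'"POST /wp-login\.php[^"]*" 200 ', line) is not None


if __name__ == "__main__":
    for rule in RULES:
        print(rule, "hits:", count_hits(SAMPLE_LOG, rule),
              "would block:", would_block(SAMPLE_LOG, rule))
    print("proxied line captures:", capture_ip("WPLOGINorWHATEVER", SAMPLE_LOG[-1]))
    print("failed logins:", sum(is_failed_login(l) for l in SAMPLE_LOG))
```

Running it shows the two effects discussed above: the GET|POST rule reaches its trigger of 3 for 203.0.113.10 after one page load, two failed logins and one successful login, while the stricter POST-with-200 test counts only the two failures; and on the proxied line both rules capture 142.54.0.5, the proxy's address, so lfd would report (and try to ban) the server itself. Fixing the latter means pointing the capture at whichever field the proxy writes the visitor's address into, which depends on the log format in use.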
 

::Gomez::

Active Member
Oct 13, 2003
Argentina
cPanel Access Level
Root Administrator
Really helpful info. Thanks ffeingol. I implemented this with CSF one week ago and since then I haven't received any complaint from my real clients. It only blocked attempts from rare countries, so I guess it's working, but totally true what you say.


Thanks for the info ffeingol, I now understand better how this works.
 

Usif Nasirov

Active Member
Jun 11, 2016
Baku
cPanel Access Level
Reseller Owner
I found the answer in this thread Blocking Wordpress Login and xmlprc attacks with LFD - ConfigServer Community Forum
Code:
# WP-LOGINS
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
   return ("your ban comment",$1,"WPLOGINorWHATEVER","3","80,443,21,25,22,23","1");
   }
Notice the \w*(?:GET|POST) vs the POST difference.
Well my test would not show in the csf.deny but as soon as I restarted csf after saving this I saw entries come in the csf.deny.

It would be nice to know which logfile (user) was getting hit.

Good day!
I do the same, but it doesn't work. I just don't know where I am going wrong.
 

::Gomez::

Active Member
Oct 13, 2003
Argentina
cPanel Access Level
Root Administrator
Some things to make sure of:

1) Make sure the CSF firewall is ON, and not in testing mode.
2) Make sure you don't have your country in CSF / Firewall configuration / cc_ignore.
3) Make sure the LFD process is running. You can check that in CSF / INFO TAB (at the top of the page) and then LFD status.


It's also important that, when you add the custom rule to "/usr/local/csf/bin/regex.custom.pm", you add it without blank lines at the top. I attach an image of how I made it work.

After making any change on that file restart CSF.


Let me know if it worked.
 


webstyler

Well-Known Member
Nov 20, 2003
I found the answer in this thread Blocking Wordpress Login and xmlprc attacks with LFD - ConfigServer Community Forum
Code:
# WP-LOGINS
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
   return ("your ban comment",$1,"WPLOGINorWHATEVER","3","80,443,21,25,22,23","1");
   }
Notice the \w*(?:GET|POST) vs the POST difference.
Well my test would not show in the csf.deny but as soon as I restarted csf after saving this I saw entries come in the csf.deny.

It would be nice to know which logfile (user) was getting hit.
Hello

How can I insert the account involved "in the log" instead of "your ban comment"?

Thanks
 

asmithjr

Well-Known Member
Jun 13, 2003
I believe this will work as it works for me.
Code:
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET) \/wp-login\.php.*" /)) {
   return ("Failed Wordpress GET $lgfile",$1,"WPLOGINGET","3","80,443,21,25,22,23","1");
   }
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:POST) \/wp-login\.php.*" /)) {
   return ("Failed Wordpress POST $lgfile",$1,"WPLOGINPOST","3","80,443,21,25,22,23","1");
   }
Code:
104.248.22.250 # lfd: (WPLOGINGET) Failed Wordpress GET /home/nsdc70/access-logs/******.com-ssl_log 104.248.22.250 (DE/Germany/-): 3 in the last 3600 secs - Tue Jun  2 02:46:33 2020
I put ***** in my log example above to hide the domain name, but as you see I can now tell which log the message is from.
I hope this helps.
 

WorkinOnIt

Well-Known Member
Aug 3, 2016
UK
cPanel Access Level
Root Administrator
Just to comment that although this appears to be useful, it doesn't seem to work for me;

I followed the instructions, then used a VPN to try to log in to a WordPress site, and tried random logins 5 times to trigger the block. LFD accurately recorded the block like so:

(WPLOGIN) WP Login Attack 77.zzz.zzz.100 (-): 5 in the last 3600 secs - *Blocked in csf* port=80 [LF_CUSTOMTRIGGER]
And when I do a search in the block tables, the IP also shows in the CSF log as blocked for 5 minutes.... All good - but then:

As soon as the block was showing, I reloaded the wp-login page (still using the same VPN), and this time I entered the correct login credentials and the site worked as normal, allowing me to log in... so... I'm not sure exactly what's happening there. I expected the site not to load, but it let me in just fine.

The block shows, but I was still able to login ... what could be going wrong here?