Block WordPress wp-login.php attempts with CSF?

[asmithjr]

I'm working to block IP's that flood wp-login.php attempts by using CSF regex.custom.pm

# DETECT AND BLOCK wp-login.php POST DOS attacks (requires: CUSTOM2_LOG = "/home/*/access-logs/*" in csf.conf)
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "POST \/wp-login\.php.*" 200/)) {
   return ("Failed Wordpress login from",$1,"wordpress","5","80,443","3600");
}

in the /etc/csf/csf.conf I modified the line CUSTOM2_LOG =

CUSTOM2_LOG = "/home/*/access-logs/*"

I restarted csf with csf -r then tried accessing a wordpress site wp-login.php more than 5 times. I still get to the wp-login.php on the website and DO NOT see any entry in /etc/csf/csf.deny file.
I DO see 12 failed attempts in my /home/user/access-logs/domain-ssl_log file

I made sure my IP is not in /etc/csf/csf.allow
Has anyone been able to get this to work?

 

[asmithjr]

I found the answer in this thread Blocking Wordpress Login and xmlprc attacks with LFD - ConfigServer Community Forum

 # WP-LOGINS
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
   return ("your ban comment",$1,"WPLOGINorWHATEVER","3","80,443,21,25,22,23","1");
   }

Notice the \w*(?GET|POST) vs the POST difference.
Well my test would not show in the csf.deny but as soon as I restarted csf after saving this I saw entries come in the csf.deny.

It would be nice to know which logfile (user) was getting hit.

 

[cPanelLauren]

Hi @asmithjr

I'm glad to see you were able to find the resolution for your issue and thanks for letting us know what fixed it for you!

 

[asmithjr]

as a further update I decided to separate the GET and POST so I can monitor better.

if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET) \/wp-login\.php.*" /)) {
   return ("Failed Wordpress GET",$1,"WPLOGINGET","3","80,443,21,25,22,23","1");
   }
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:POST) \/wp-login\.php.*" /)) {
   return ("Failed Wordpress POST",$1,"WPLOGINPOST","3","80,443,21,25,22,23","1");
   }

Now I can see which were using which method and so far no US entries in my csf.deny file. Oh boy 135 entries.

 

[Waqass]

I recently faced the wrath of brute forcing on wp-login. For the time being I contained them be reducing maximum connection per ip setting to 20 and blocking the ips reaching CT_Limit for one day. This has managed to solve the problem but I fear many legitimate users will be suffering. I tried your option and tested the wp-login page five times myself but nothing happened. The output log tail -f /var/log/lfd.log is as follow:

Apr 27 09:47:53 server lfd[2481826]: Failed Wordpress GET 142.54.xxx.xxx - ignored
Apr 27 09:47:53 server lfd[2481826]: Failed Wordpress POST 142.54.xxx.xxx - ignored
Apr 27 09:47:53 server lfd[2481826]: Failed Wordpress GET 142.54.xxx.xxx - ignored
Apr 27 09:47:53 server lfd[2481826]: Failed Wordpress POST 142.54.xxx.xxx - ignored
Apr 27 09:47:53 server lfd[2481826]: Failed Wordpress GET 142.54.xxx.xxx - ignored
Apr 27 09:47:53 server lfd[2481826]: Failed Wordpress POST 142.54.xxx.xxx - ignored
Apr 27 09:47:53 server lfd[2481826]: Failed Wordpress GET 142.54.xxx.xxx - ignored
Apr 27 09:47:53 server lfd[2481826]: Failed Wordpress POST 142.54.xxx.xxx - ignored
Apr 27 09:47:53 server lfd[2481826]: Failed Wordpress GET 142.54.xxx.xxx - ignored
Apr 27 09:47:53 server lfd[2481826]: Failed Wordpress POST 142.54.xxx.xxx - ignored

Also the ip appearing above is of my server whereas my pc ip is something else from which I was accessing the website. Any guide will be appreciated.

 

[cPanelLauren]

Hello @Waqass

Unless these were occurring at the same time as the login failures they aren't necessarily related. Are you using anything like CloudFlare or Nginx?

 

[Waqass]

I am using Engi

Hello @Waqass

Unless these were occurring at the same time as the login failures they aren't necessarily related. Are you using anything like CloudFlare or Nginx?

I am using Engintron for Cpanel. so yes I am using nginx. Maybe its causing issues as my server ip is being reported instead of real ips :S

 

[fuzzylogic]

Hello @Waqass
To diagnose the problem I would need to see...

1. Which (of the 3 posted here) lfd custom regex rules you are using.
2. Sample log lines from one of the access_log files you are monitoring. (full lines from end to end)
   Anonymize but identify source ip and server ip/proxy ip if they both occur in the log line.

You have already demonstrated that your CUSTOM2_LOG has been successfully added by posting the /var/log/lfd.log output.
You have also demonstrated that the custom regex matches the access_log lines you are targeting.
The only failure appears to be with the capture of the source ip to backreference $1

 

[::Gomez::]

Here is a guide, to block all WP-LOGIN and XMLRPC attack attempts with ConfigServerFirewall. It only takes 5 minutes to complete.

Block wp-login and xmlrpc brute force attacks with CSF / cPanel » www.geekytuts.net

Another great counter attack to "flooders" on your Wordpress installations. This time with CSF firewall. Here is great way to block abusers with CSF firewall. This is how.

www.geekytuts.net

 

[ffeingol]

The only "issue" with these is that they don't really look for failures, they look for accesses. If (for example) your customer simply refreshes the page a few times and then tries to log in, they get blocked.

Not trying to diss this at all, you just need to understand it's looking for access vs failure.

 

[::Gomez::]

Really helpfull info. Thanks ffeingol. I implemented this with CSFirewall one week ago and since then I didnt received any complaint from my real clients. It only blocked attempts from rare countries, so I guess its working, but totally true what you say.


Thanks for the info ffeingol, I know understand better how this works.

 

[Usif Nasirov]

I found the answer in this thread Blocking Wordpress Login and xmlprc attacks with LFD - ConfigServer Community Forum

# WP-LOGINS
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
   return ("your ban comment",$1,"WPLOGINorWHATEVER","3","80,443,21,25,22,23","1");
   }

Notice the \w*(?GET|POST) vs the POST difference.
Well my test would not show in the csf.deny but as soon as I restarted csf after saving this I saw entries come in the csf.deny.

It would be nice to know which logfile (user) was getting hit.

Good day!
I do the same, but it doesnt' work. I just don't know where I do wrong

 

[::Gomez::]

Good day!
I do the same, but it doesnt' work. I just don't know where I do wrong

Try to follow this guide. Its simple and it works perfectly.

geekytuts - block-wp-login-and-xmlrpc-brute-force-attacks-with-csf-cpanel

 

[Usif Nasirov]

Try to follow this guide. Its simple and it works perfectly.

geekytuts - block-wp-login-and-xmlrpc-brute-force-attacks-with-csf-cpanel

I guidede that topic, then try to login about 10 times, but IP wasn't blocked..

 

[::Gomez::]

Some things to make sure.

1) Make sure CSF firewall is ON, and without the testing mode.
2) Make sure you dont have your country on CSF / Firewall configuration / cc_ignore
3) Make sure LFD process is running. you can check that on CSF / INFO TAB (on the top of the page) and then LFD status.


Its also important that, when you add the custom rule on "/usr/local/csf/bin/regex.custom.pm " you add it without blank spaces lines on the top. I attach an image of how I made it work.

After making any change on that file restart CSF.


Let me know if it worked.

 

[webstyler]

I found the answer in this thread Blocking Wordpress Login and xmlprc attacks with LFD - ConfigServer Community Forum

# WP-LOGINS
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
   return ("your ban comment",$1,"WPLOGINorWHATEVER","3","80,443,21,25,22,23","1");
   }

Notice the \w*(?GET|POST) vs the POST difference.
Well my test would not show in the csf.deny but as soon as I restarted csf after saving this I saw entries come in the csf.deny.

It would be nice to know which logfile (user) was getting hit.

Hello

How to insert "in the log" the account involved instead "you ban comment" ?

Thanks

 

[asmithjr]

I believe this will work as it works for me.

if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET) \/wp-login\.php.*" /)) {
   return ("Failed Wordpress GET $lgfile",$1,"WPLOGINGET","3","80,443,21,25,22,23","1");
   }
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:POST) \/wp-login\.php.*" /)) {
   return ("Failed Wordpress POST $lgfile",$1,"WPLOGINPOST","3","80,443,21,25,22,23","1");
   }

104.248.22.250 # lfd: (WPLOGINGET) Failed Wordpress GET /home/nsdc70/access-logs/******.com-ssl_log 104.248.22.250 (DE/Germany/-): 3 in the last 3600 secs - Tue Jun  2 02:46:33 2020

I put ***** in my log example above to hist the domain name but as you see I now can see what log the message is from.
I hope this helps.

 

[WorkinOnIt]

Just to comment that although this appears to be useful, it doesn't seem to work for me;

I followed the instructions, then used a VPN to try to login to a wordpress site - and tried random loginsd 5 times to trigger the block. LFD accurately recorded the block like so:

(WPLOGIN) WP Login Attack 77.zzz.zzz.100 (-): 5 in the last 3600 secs - *Blocked in csf* port=80 [LF_CUSTOMTRIGGER]

And when I do a search in the block tables, the IP also shows in the CSF log as blocked for 5 minutes.... All good - but then:

As soon as the block was showing, I then reloaded the wp-login page (still using the same VPN) and this time I entered the correct log in credentials and the site worked as per normal, allowing me to login....so.... I'm not sure exactly what's happening there - I expected the site to not load.... but it let me in just fine.

The block shows, but I was still able to login ... what could be going wrong here?

 

[::Gomez::]

are you sure that the IP didnt change?

 

[masterross]

Hi, guys,
Google bots also accessing the login:

Will this rule affect the crawlers too?