Block WordPress wp-login.php attempts with CSF?

masterross

Well-Known Member
Apr 7, 2004
Thx mate,

Do you know how to adjust that rule to ban immediately the IP that accesses both POST /wp-login.php and POST /xmlrpc.php? Because in most cases attackers check both files.

thanks
 

ffeingol

Well-Known Member
PartnerNOC
Nov 9, 2001
@masterross You really don't want to block them immediately or your customers won't be able to log into their WordPress back end.

In this part of the code:

Code:
return ("Failed Wordpress login from",$1,"wordpress","5","80,443","3600");
The "5" is the number of accesses to that URL.
 

masterross

Well-Known Member
Apr 7, 2004
I want to block the IP immediately, but only if it accesses both files (wp-login.php and xmlrpc.php) within 5 min, for example.
Check my log:

Code:
146.185.163.81 - - [29/Jun/2020:19:40:45 +0300] "GET /wp-login.php HTTP/1.1" 200 3321 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
146.185.163.81 - - [29/Jun/2020:19:40:45 +0300] "POST /wp-login.php HTTP/1.1" 200 3416 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
146.185.163.81 - - [29/Jun/2020:19:40:46 +0300] "POST /xmlrpc.php HTTP/1.1" 503 6059 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"

76.68.31.187 - - [29/Jun/2020:19:49:25 +0300] "POST /xmlrpc.php HTTP/1.1" 503 21988 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
76.68.31.187 - - [29/Jun/2020:19:49:25 +0300] "POST /wp-login.php HTTP/1.1" 200 12231 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"

27.121.190.62 - - [29/Jun/2020:20:08:31 +0300] "POST /xmlrpc.php HTTP/1.1" 503 21988 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
27.121.190.62 - - [29/Jun/2020:20:08:33 +0300] "POST /wp-login.php HTTP/1.1" 200 12231 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"

202.28.250.66 - - [29/Jun/2020:20:11:54 +0300] "GET /wp-login.php HTTP/1.1" 200 3300 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
202.28.250.66 - - [29/Jun/2020:20:11:55 +0300] "POST /wp-login.php HTTP/1.1" 200 3392 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
202.28.250.66 - - [29/Jun/2020:20:11:56 +0300] "POST /xmlrpc.php HTTP/1.1" 503 6050 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
So this rule won't affect any real user.
 

masterross

Well-Known Member
Apr 7, 2004
The question is: can I use an AND operator in the IF clause?

Code:
# Perl's logical operator is lowercase "and"; the log-file check only needs to appear once.
if (($globlogs{CUSTOM11_LOG}{$lgfile}) and
    ($line =~ /(\S+).*] "\w*(?:POST) \/xmlrpc\.php.*" /) and
    ($line =~ /(\S+).*] "\w*(?:POST) \/wp-login\.php.*" /)) {
    return ("WP XMLRPC Attack",$1,"XMLRPC","1","80,443","3600");
}
 

ffeingol

Well-Known Member
PartnerNOC
Nov 9, 2001
Yes, you can (anything that you can do in Perl you can do), but as I said, I highly doubt this will work. The custom module (as I understand it) gets passed one Apache log line at a time, so it will never match that condition (as you can't have two different URLs on one log line). You'd probably be better off asking this level of detail on the ConfigServer forum instead of the cPanel forum.
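Since a single access-log line can never carry both URLs, matching the pair means keeping state from one line to the next. The Perl below is an added example (mine, not from the thread or from ConfigServer's regex.custom.pm) that remembers each IP's last POST to either file and returns a block tuple in the shape quoted above when the other file is hit within 300 seconds. The callback name custom_line, the WPPROBE type string and the sample log lines are constructed, and the approach assumes the calling daemon keeps the module loaded so the %seen hash survives between lines, which should be verified for lfd before relying on it.

```perl
# Added example, not code from the thread or from CSF: correlate POST /wp-login.php
# and POST /xmlrpc.php from one IP across separate log lines. custom_line is a
# hypothetical callback name; %seen only works if the daemon keeps this module loaded.
use strict;
use warnings;
use Time::Local qw(timegm);
use constant WINDOW => 300;   # seconds: "within 5 min"
my %seen;                     # $seen{$ip}{$uri} = epoch of that IP's last POST
my %MON = (Jan => 0, Feb => 1, Mar => 2, Apr => 3, May => 4,  Jun => 5,
           Jul => 6, Aug => 7, Sep => 8, Oct => 9, Nov => 10, Dec => 11);

# "29/Jun/2020:19:40:45 +0300" -> epoch; zone offset ignored (same for every line).
sub ts_epoch {
    my ($ts) = @_;
    my ($d, $mon, $y, $H, $M, $S) = $ts =~ m{^(\d+)/(\w+)/(\d+):(\d+):(\d+):(\d+)}
        or return;
    return unless defined $MON{$mon};
    return timegm($S, $M, $H, $d, $MON{$mon}, $y);
}

# One log line in; out comes 0 or a ("reason", ip, "type", "count", "ports", "ttl") tuple.
sub custom_line {
    my ($line) = @_;
    my ($ip, $ts, $uri) = $line =~
        m{^(\S+) .*?\[([^\]]+)\] "POST (/(?:wp-login|xmlrpc)\.php)[ ?"]} or return 0;
    my $now = ts_epoch($ts);
    return 0 unless defined $now;
    # Forget IPs whose newest hit is older than WINDOW so memory stays bounded.
    for my $k (keys %seen) {
        my ($newest) = sort { $b <=> $a } values %{ $seen{$k} };
        delete $seen{$k} if $now - $newest > WINDOW;
    }
    $seen{$ip}{$uri} = $now;
    my $other = $uri eq '/wp-login.php' ? '/xmlrpc.php' : '/wp-login.php';
    my $prev  = $seen{$ip}{$other};
    if (defined $prev && $now - $prev <= WINDOW) {
        delete $seen{$ip};        # report each IP once per matched pair
        return ("WP login+xmlrpc probe", $ip, "WPPROBE", "1", "80,443", "3600");
    }
    return 0;
}

# Constructed sample lines in the same shape as the access log quoted above.
my @log = (
    '146.185.163.81 - - [29/Jun/2020:19:40:45 +0300] "POST /wp-login.php HTTP/1.1" 200 3416 "-" "UA"',
    '146.185.163.81 - - [29/Jun/2020:19:40:46 +0300] "POST /xmlrpc.php HTTP/1.1" 503 6059 "-" "UA"',
    '10.0.0.5 - - [29/Jun/2020:19:41:00 +0300] "POST /wp-login.php HTTP/1.1" 302 0 "-" "UA"',  # real admin
    '10.0.0.5 - - [29/Jun/2020:19:50:00 +0300] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "UA"',  # 9 min later
);
for my $l (@log) {
    my @r = custom_line($l);
    print "$r[1]: $r[0]\n" if @r > 1;    # only 146.185.163.81 is reported
}
```

The second IP is left alone because its two POSTs are nine minutes apart, which is the behaviour the thread wants for a legitimate admin who logs in and later publishes through xmlrpc.php.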
 

masterross

Well-Known Member
Apr 7, 2004
It doesn't work :)
But I realized that I don't need it.
I just block the IP that tests xmlrpc.php.

BTW, do you know how blacklists work?
I activated 2 of them and I see the lists are filled with IPs, but where are they used?
 