SOLVED cPHulk Blacklist v csf Firewall Deny IP

PCZero

Well-Known Member
Dec 13, 2003
712
85
178
Earth
OK do I have a guy who is constantly trying to call up the wplogin script for every site on my server (even though I have no WP sites). I want to block/ban his IP by either black listing him in cPHulk or adding his IP to the deny list in csf. Is there any effective difference between the two that might make one method a better choice to accomplish the task at hand?
 

keat63

Well-Known Member
Nov 20, 2014
1,908
256
113
cPanel Access Level
Root Administrator
I'd block him in CSF, its pretty painless.

However, if you have no WP sites, i'm pretty sure that there's a custom regex on the CSF forum to automatically block anyone trying to open wplogin.php.
So even if he comes back with another IP, he will just end up blocking himself.
 

PCZero

Well-Known Member
Dec 13, 2003
712
85
178
Earth
Michael, can you look at this page please and tell me is it is legit and will work to block IPs of wp-login attacks?


BTW, my name is David in case you were interested! :)
 
  • Like
Reactions: cPanelMichael

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,908
2,218
463
Hello David,

It looks like the page or link you are referencing was not included in your post. Can you respond with the link to the page you'd like me to review?

Thanks!
 

PCZero

Well-Known Member
Dec 13, 2003
712
85
178
Earth
LOL boy do I feel stupid! I think this was the page that I wanted to know about.

Mod Note: removed third-party URL.
 
Last edited by a moderator:

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,908
2,218
463
Hello David,

The instructions on that page appear to remain applicable, however the discussion on the following threads includes more recent tests from other cPanel & WHM users specific to the wp-login.php attacks:

wp-login.php and mod security
Block WordPress wp-login.php attempts with CSF?

There's a CSF forums thread you may find helpful as well:

Blocking Wordpress Login and xmlprc attacks with LFD - ConfigServer Community Forum

Note: I removed the link you added because third-party URLs can sometimes stop working over time.

Thank you.
 

PCZero

Well-Known Member
Dec 13, 2003
712
85
178
Earth
Thanks Michael. I'll look at the page you mention. Some of the pages I looked were really difficult for me to read and follow. With my dyslexia (or as I like to call it - lysdexia) I need a really dumbed down step-by-step guide when venturing into areas such as this. After I get a chance later today to go over the page you posted, I'll get back with you if I need help navigating the process if that is good with you. Again I appreciate the help.
 
  • Like
Reactions: cPanelMichael

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,908
2,218
463
Hello David,

Of course! Let me know if you have any questions or need advice with any of the instructions on those threads. We're here to help.

Thank you.
 

keat63

Well-Known Member
Nov 20, 2014
1,908
256
113
cPanel Access Level
Root Administrator
Try this, I think it should work. (Taken from the CSF forum and made easier to understand)



Code:
In /etc/csf/csf.conf at about line 2600 add:

CUSTOM2_LOG = "/usr/local/apache/domlogs/*/*"


In /usr/local/csf/bin/regex.custom.pm add:

# XMLRPC
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/xmlrpc\.php.*" /)) {
    return ("xmlrpc log in attempt",$1,"XMLRPCorWHATEVER","3","80,443,21,25,22,23","1");
    }
  
 # WP-LOGINS
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
    return ("wordpress log in attempt",$1,"WPLOGINorWHATEVER","3","80,443,21,25,22,23","1");
    }

It triggers on "3" hits of GET or POST of /xmlrpc.php or /wp-login.php by using the default interval settings of csf.conf (3600).

It bans the IP permanently "1" (it requires LF_TRIGGER disabled in csf.conf or else it ignores the value and uses the default temporary block time 3600)
 

PCZero

Well-Known Member
Dec 13, 2003
712
85
178
Earth
Hey Michael, I am working on the wp-login block now and nee to make sure I am doing this correctly.

Going off of the 4th post in the thread at Blocking Wordpress Login and xmlprc attacks with LFD - ConfigServer Community Forum it loks liek I need to do two things.

#1 in /etc/csf edit the regex.cutstom.pm file and add this...


# WP-LOGINS
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
return ("your ban comment",$1,"WPLOGIN","3","80,443,21,25,22,23","1");
}

#2 edit /etc/csf/csf.conf
edit CUSTOM2-LOG as follows


CUSTOM2_LOG = "/usr/local/apache/domlogs/*/*"


Is that the long and short of what i need to do to auto ban wp-login attempts?
 

PCZero

Well-Known Member
Dec 13, 2003
712
85
178
Earth
ketqa63 thank you. I needed exactly that, the "I am a dummy" version of the code. I did as you said and testd it using my phone. Sure enough this is now in teh cfs black list...

##.##.##.## # lfd: (WPLOGINorWHATEVER) wordpress log in attempt 172.58.xxx.xxx (US/United States/-): 3 in the last 3600 secs - Wed Jul 3 18:53:36 2019

Thanks to both you and Michael for helping me out. reading a lengthy thread with lots of code snippets can be difficult for me with my reading disability. The time you guys take to help me helps me a whole lot and i appreciate it very much.
 
Last edited by a moderator:

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,908
2,218
463
Hello @PCZero,

I'm glad to see everything worked out well. Thanks for sharing the outcome.

I've marked this thread as Solved.