SOLVED cPHulk Blacklist v csf Firewall Deny IP

PCZero

Well-Known Member
OK do I have a guy who is constantly trying to call up the wplogin script for every site on my server (even though I have no WP sites). I want to block/ban his IP by either black listing him in cPHulk or adding his IP to the deny list in csf. Is there any effective difference between the two that might make one method a better choice to accomplish the task at hand?
 

keat63

Well-Known Member
I'd block him in CSF, it's pretty painless.

However, if you have no WP sites, I'm pretty sure that there's a custom regex on the CSF forum to automatically block anyone trying to open wplogin.php.
So even if he comes back with another IP, he will just end up blocking himself.
 

PCZero

LOL boy do I feel stupid! I think this was the page that I wanted to know about.

Mod Note: removed third-party URL.
 

cPanelMichael

Technical Support Community Manager
Staff member
Hello David,

The instructions on that page appear to remain applicable; however, the discussion on the following threads includes more recent tests from other cPanel & WHM users specific to the wp-login.php attacks:

wp-login.php and mod security
Block WordPress wp-login.php attempts with CSF?

There's a CSF forums thread you may find helpful as well:

Blocking Wordpress Login and xmlprc attacks with LFD - ConfigServer Community Forum

Note: I removed the link you added because third-party URLs can sometimes stop working over time.

Thank you.
 

PCZero

Thanks Michael. I'll look at the page you mention. Some of the pages I looked at were really difficult for me to read and follow. With my dyslexia (or as I like to call it - lysdexia) I need a really dumbed down step-by-step guide when venturing into areas such as this. After I get a chance later today to go over the page you posted, I'll get back with you if I need help navigating the process if that is good with you. Again I appreciate the help.
 

keat63

Try this, I think it should work. (Taken from the CSF forum and made easier to understand)



Code:
In /etc/csf/csf.conf at about line 2600 add:

CUSTOM2_LOG = "/usr/local/apache/domlogs/*/*"


In /usr/local/csf/bin/regex.custom.pm add:

# return (log message, offending IP, rule ID, trigger count, ports to block, "1" = permanent block)

# XMLRPC
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/xmlrpc\.php.*" /)) {
    return ("xmlrpc log in attempt",$1,"XMLRPCorWHATEVER","3","80,443,21,25,22,23","1");
}

# WP-LOGINS
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
    return ("wordpress log in attempt",$1,"WPLOGINorWHATEVER","3","80,443,21,25,22,23","1");
}

It triggers on "3" hits of GET or POST of /xmlrpc.php or /wp-login.php by using the default interval settings of csf.conf (3600).

It bans the IP permanently "1" (it requires LF_TRIGGER disabled in csf.conf or else it ignores the value and uses the default temporary block time 3600)
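
A way to check the two patterns from the post above before putting them on a live server, as an added example that is not part of the original thread or of csf/lfd itself: the Perl script below runs the same regexes over constructed access-log lines and counts hits per IP against the trigger value of 3. The sample lines, the `scan` helper and the assumption that all lines fall inside one counting interval are assumptions of this example.

```perl
#!/usr/bin/perl
# Added example (not csf/lfd code): dry-run the two patterns from the post
# against constructed access-log lines and count hits per IP and rule.
use strict;
use warnings;

# Same regexes as in regex.custom.pm above; $1 is the first field (client IP).
my %rules = (
    XMLRPCorWHATEVER  => qr/(\S+).*] "\w*(?:GET|POST) \/xmlrpc\.php.*" /,
    WPLOGINorWHATEVER => qr/(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /,
);
my $trigger = 3;    # the "3" in the return() lists

# Constructed sample lines (documentation IP ranges), assumed to fall
# inside one counting interval.
my @lines = (
    '203.0.113.7 - - [03/Jul/2019:18:50:01 -0500] "GET /wp-login.php HTTP/1.1" 404 315 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [03/Jul/2019:18:50:02 -0500] "POST /wp-login.php HTTP/1.1" 404 315 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [03/Jul/2019:18:50:03 -0500] "POST /xmlrpc.php HTTP/1.1" 404 315 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [03/Jul/2019:18:50:04 -0500] "GET /blog/wp-login.php HTTP/1.1" 404 315 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [03/Jul/2019:18:50:05 -0500] "GET /index.php HTTP/1.1" 200 512 "http://example.com/wp-login.php" "Mozilla/5.0"',
    '203.0.113.7 - - [03/Jul/2019:18:50:06 -0500] "GET /wp-login.php?action=register HTTP/1.1" 404 315 "-" "Mozilla/5.0"',
);

# Returns a list of "ip rule" strings that reached the trigger count.
sub scan {
    my @log = @_;
    my (%hits, @blocked);
    for my $line (@log) {
        my $matched = 0;
        for my $id (sort keys %rules) {
            next unless $line =~ $rules{$id};
            my $ip = $1;
            $matched = 1;
            my $n = ++$hits{$id}{$ip};
            print "HIT   $id $ip ($n/$trigger)\n";
            if ($n == $trigger) {
                push @blocked, "$ip $id";
                print "BLOCK $ip would be denied by rule $id\n";
            }
        }
        print "MISS  $line\n" unless $matched;
    }
    return @blocked;
}

my @blocked = scan(@lines);
print "Blocked: @blocked\n";
```

The `/blog/wp-login.php` request and the line that only has `wp-login.php` in its referer both print as MISS: the patterns match only a request path that begins with `/wp-login.php` or `/xmlrpc.php`.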
 

PCZero

Hey Michael, I am working on the wp-login block now and need to make sure I am doing this correctly.

Going off of the 4th post in the thread at Blocking Wordpress Login and xmlprc attacks with LFD - ConfigServer Community Forum it looks like I need to do two things.

#1 in /etc/csf edit the regex.custom.pm file and add this...


# WP-LOGINS
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
    return ("your ban comment",$1,"WPLOGIN","3","80,443,21,25,22,23","1");
}

#2 edit /etc/csf/csf.conf
edit CUSTOM2_LOG as follows


CUSTOM2_LOG = "/usr/local/apache/domlogs/*/*"


Is that the long and short of what I need to do to auto ban wp-login attempts?
 

PCZero

keat63, thank you. I needed exactly that, the "I am a dummy" version of the code. I did as you said and tested it using my phone. Sure enough, this is now in the csf blacklist...

##.##.##.## # lfd: (WPLOGINorWHATEVER) wordpress log in attempt 172.58.xxx.xxx (US/United States/-): 3 in the last 3600 secs - Wed Jul 3 18:53:36 2019

Thanks to both you and Michael for helping me out. Reading a lengthy thread with lots of code snippets can be difficult for me with my reading disability. The time you guys take to help me helps me a whole lot and I appreciate it very much.
 