Filtering the error_log for WordPress login failures

craigedmonds

I get a lot of notifications like this in my /usr/local/apache/logs/error_log.

Code:
[Thu Oct 17 09:04:37 2013] [error] [client 109.108.142.158] ModSecurity:  [file "/usr/local/apache/modsecurity.d/12_asl_brute.conf"] [line "61"] [id "377360"] [rev "2"] [msg "Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure "] [severity "WARNING"] [tag "no_ar"] Warning. Pattern match "200" at RESPONSE_STATUS. [hostname "somedomainname.org.uk"] [uri "/wp-login.php"] [unique_id "[email protected]"]
Is there a way for me to parse my apache log file which detects a wordpress login failure and produces a list of domain names that have been attacked? It would be brilliant if I could get the username of the site that has been attacked because these attacks could also be on add on domains etc.

Perhaps some kind of ssh command or bash script I can run in SSH?

The idea would be to apply some brute force prevention on accounts that are being attacked.
 

cPanelMichael

Hello :)

You can find a list of access attempts blocked by Mod_Security at:

"WHM Home » Plugins » Mod_Security"

You can also find entries in:

/usr/local/apache/logs/modsec_audit.log

Or, if you only are seeking to obtain a list of the "hostname" entry in your Apache error log, you could develop a bash script that parses the domain name from those lines. The username of the account could then be obtained by comparing it to the /etc/userdomains file, or utilizing the /scripts/whoowns command.

Thank you.
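
Added example, not part of either post above: one way to write the script the reply describes, counting hits of rule id 377360 per `hostname` value and looking up each hostname's owner in a file in the `/etc/userdomains` format. The function names, the `www.` stripping and the sample data (documentation IP ranges, example domains, rule id 999999) are assumptions constructed for illustration.

```shell
# wp_login_failures ERROR_LOG USERDOMAINS
# Prints "hits<TAB>hostname<TAB>owner", most-hit hostname first.
wp_login_failures() {
    LC_ALL=C awk -v map="$2" '
        BEGIN {   # /etc/userdomains format: "domain.tld: username"
            while ((getline line < map) > 0)
                if (split(line, f, ": ") == 2) owner[tolower(f[1])] = f[2]
        }
        # Rule id 377360 is the login-failure rule shown in the thread
        /\[id "377360"\]/ && match($0, /\[hostname "[^"]+"\]/) {
            # Skip the 11 chars of [hostname " and drop the closing "]
            h = tolower(substr($0, RSTART + 11, RLENGTH - 13))
            sub(/^www\./, "", h)   # assumption: www.X belongs to X
            hits[h]++
        }
        END {
            for (h in hits)
                printf "%d\t%s\t%s\n", hits[h], h, ((h in owner) ? owner[h] : "unknown")
        }
    ' "$1" | LC_ALL=C sort -k1,1nr -k2,2
}

# Constructed sample files (not real traffic) so the function can be tried offline.
make_sample() {
    cat > "$1/userdomains" <<'EOF'
example.org.uk: alice
shop.example.net: bob
EOF
    cat > "$1/error_log" <<'EOF'
[Thu Oct 17 09:04:37 2013] [error] [client 192.0.2.10] ModSecurity:  [id "377360"] [hostname "example.org.uk"] [uri "/wp-login.php"]
[Thu Oct 17 09:04:39 2013] [error] [client 192.0.2.10] ModSecurity:  [id "377360"] [hostname "www.example.org.uk"] [uri "/wp-login.php"]
[Thu Oct 17 09:05:01 2013] [error] [client 198.51.100.7] ModSecurity:  [id "377360"] [hostname "shop.example.net"] [uri "/wp-login.php"]
[Thu Oct 17 09:05:02 2013] [error] [client 198.51.100.7] ModSecurity:  [id "999999"] [hostname "other.example.com"] [uri "/index.php"]
[Thu Oct 17 09:05:03 2013] [error] [client 198.51.100.7] ModSecurity:  [id "377360"] [hostname "unmapped.example.com"] [uri "/wp-login.php"]
EOF
}

# Offline demo on the constructed sample:
d=$(mktemp -d) && make_sample "$d" && wp_login_failures "$d/error_log" "$d/userdomains"
rm -rf "$d"
# On a cPanel server, with the paths named in the thread:
#   wp_login_failures /usr/local/apache/logs/error_log /etc/userdomains
```

A hostname reported as `unknown` did not match any entry in the map; those can be checked by hand with `/scripts/whoowns`.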