The Community Forums


filtering the error_log for wordpress login failures

Discussion in 'General Discussion' started by craigedmonds, Oct 17, 2013.

  1. craigedmonds

    I get a lot of notifications like this in my /usr/local/apache/logs/error_log.

    Code:
    [Thu Oct 17 09:04:37 2013] [error] [client 109.108.142.158] ModSecurity:  [file "/usr/local/apache/modsecurity.d/12_asl_brute.conf"] [line "61"] [id "377360"] [rev "2"] [msg "Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure "] [severity "WARNING"] [tag "no_ar"] Warning. Pattern match "200" at RESPONSE_STATUS. [hostname "somedomainname.org.uk"] [uri "/wp-login.php"] [unique_id "Ul@aFW1Lp9kAABxrMboAAAAT"]
    
    
    Is there a way for me to parse my apache log file which detects a wordpress login failure and produces a list of domain names that have been attacked? It would be brilliant if I could get the username of the site that has been attacked because these attacks could also be on add on domains etc.

    Perhaps some kind of ssh command or bash script I can run in SSH?

    The idea would be to apply some brute force prevention on accounts that are being attacked.
     
  2. cPanelMichael

    Hello :)

    You can find a list of access attempts blocked by Mod_Security at:

    "WHM Home » Plugins » Mod_Security"

    You can also find entries in:

    /usr/local/apache/logs/modsec_audit.log

    Or, if you only are seeking to obtain a list of the "hostname" entry in your Apache error log, you could develop a bash script that parses the domain name from those lines. The username of the account could then be obtained by comparing it to the /etc/userdomains file, or utilizing the /scripts/whoowns command.

    Thank you.
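
The approach described in the reply above (take the "hostname" field from the matching error_log lines, then look the domain up in /etc/userdomains), as an added example that is not part of the original thread. It assumes the error_log line format quoted in the first post and `domain: user` lines in /etc/userdomains; the function names, the `www.` stripping and the sample data are constructed for this example, and it also counts distinct client IPs per domain, which goes beyond the reply.

```shell
#!/bin/sh
# Added example: wp_login_failures ERROR_LOG [USERDOMAINS_FILE]
# Prints "alerts distinct_ips domain owner", busiest domain first.
wp_login_failures() {
    awk -v map="${2:-/etc/userdomains}" '
        BEGIN {
            # userdomains lines have the form "domain: user" (assumed format)
            while ((getline line < map) > 0) {
                n = index(line, ": ")
                if (n) owner[tolower(substr(line, 1, n - 1))] = substr(line, n + 2)
            }
        }
        # Rule id and URI exactly as they appear in the alert quoted in the first post
        /\[id "377360"\]/ && /\[uri "\/wp-login\.php"\]/ {
            if (!match($0, /\[hostname "[^"]+"\]/)) next
            host = tolower(substr($0, RSTART + 11, RLENGTH - 13))
            sub(/^www\./, "", host)      # assumption: the map lists bare domains
            hits[host]++
            if (match($0, /\[client [0-9A-Fa-f:.]+\]/)) {
                ip = substr($0, RSTART + 8, RLENGTH - 9)
                if (ip ~ /^[0-9.]+:[0-9]+$/) sub(/:[0-9]+$/, "", ip)  # drop a port suffix
                if (!((host, ip) in seen)) { seen[host, ip] = 1; ips[host]++ }
            }
        }
        END {
            for (h in hits)
                printf "%d %d %s %s\n", hits[h], ips[h], h, (h in owner ? owner[h] : "unknown")
        }
    ' "$1" | sort -k1,1nr -k3,3
}

# Constructed sample data: hypothetical domains/users, documentation IP ranges.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/userdomains" <<'EOF'
example.org: alice
shop.example.net: bob
EOF
    cat > "$d/error_log" <<'EOF'
[Thu Oct 17 09:04:37 2013] [error] [client 192.0.2.10] ModSecurity:  [id "377360"] [rev "2"] [severity "WARNING"] [hostname "www.example.org"] [uri "/wp-login.php"]
[Thu Oct 17 09:04:38 2013] [error] [client 192.0.2.10] ModSecurity:  [id "377360"] [rev "2"] [severity "WARNING"] [hostname "example.org"] [uri "/wp-login.php"]
[Thu Oct 17 09:04:41 2013] [error] [client 198.51.100.7] ModSecurity:  [id "377360"] [rev "2"] [severity "WARNING"] [hostname "example.org"] [uri "/wp-login.php"]
[Thu Oct 17 09:05:02 2013] [error] [client 203.0.113.5] ModSecurity:  [id "377360"] [rev "2"] [severity "WARNING"] [hostname "shop.example.net"] [uri "/wp-login.php"]
[Thu Oct 17 09:05:09 2013] [error] [client 203.0.113.9] ModSecurity:  [id "377360"] [rev "2"] [severity "WARNING"] [hostname "unlisted.example.com"] [uri "/wp-login.php"]
[Thu Oct 17 09:05:11 2013] [error] [client 192.0.2.10] File does not exist: /home/alice/public_html/favicon.ico
EOF
    wp_login_failures "$d/error_log" "$d/userdomains"
    rm -rf "$d"
}
demo
```

A hostname that has no entry in the map is reported with owner "unknown" rather than dropped, so requests for names the server does not host remain visible in the summary.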
     