Hi, I have been using CUSTOM1_LOG in CSF on a cPanel server to block WordPress brute-force attacks successfully.
This is the method I followed for cPanel:
https://www.digitalflare.co.uk/blog/view/blocking-wp-login-and-xmlrpc-brute-force-attacks-with-csf-cpanel/
When I tried to adapt this for HestiaCP, I was unable to find the path I should use for CUSTOM1_LOG.
I can see logs are saved to /var/log/apache2/domains. Should I use /var/log/apache2/domains/*.log?
Thanks.
Try this command:
cat /var/log/apache2/domains/*.log > file.log
Then analyze it with a text editor to see if those CSF expressions will match the output.
Bear in mind that this will also match *.error.log
I am unable to make it work. Can anyone help me, please?
Here is the log of /var/log/apache2/domains/domain.com.log after I tried to log in with a wrong password 6 times.
xxx.xxx.xxx.xxx(MY IP) - - [03/Oct/2022:15:28:04 +0530] "POST /wp-login.php HTTP/1.0" 200 2716 "https://domain.com/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
xxx.xxx.xxx.xxx(MY IP) - - [03/Oct/2022:15:28:06 +0530] "POST /wp-login.php HTTP/1.0" 200 2716 "https://domain.com/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
xxx.xxx.xxx.xxx(MY IP) - - [03/Oct/2022:15:28:10 +0530] "POST /wp-login.php HTTP/1.0" 200 2745 "https://domain.com/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
xxx.xxx.xxx.xxx(MY IP) - - [03/Oct/2022:15:28:13 +0530] "POST /wp-login.php HTTP/1.0" 200 2745 "https://domain.com/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
xxx.xxx.xxx.xxx(MY IP) - - [03/Oct/2022:15:28:17 +0530] "POST /wp-login.php HTTP/1.0" 200 2743 "https://domain.com/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
xxx.xxx.xxx.xxx(MY IP) - - [03/Oct/2022:15:28:21 +0530] "POST /wp-login.php HTTP/1.0" 200 2741 "https://domain.com/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
This is the path I added in /etc/csf/csf.conf
CUSTOM1_LOG = "/var/log/apache2/domains/*.log"
This is the code I am using in /usr/local/csf/bin/regex.custom.pm, where I have set it to block after 5 attempts.
# XMLRPC: GET/POST requests to xmlrpc.php in the access logs matched by CUSTOM1_LOG
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/xmlrpc\.php.*" /)) {
    # (description, IP, app name, failures before block, ports, 1 = permanent block)
    return ("WP XMLRPC Attack",$1,"XMLRPC","5","80,443","1");
}
# WP-LOGINS: GET/POST requests to wp-login.php
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
    return ("WP Login Attack",$1,"WPLOGIN","2","80,443","1");
}
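As an added check, not from the thread or from CSF itself, the following Python script runs the two patterns from the regex.custom.pm snippet above over log lines laid out like the HestiaCP access log quoted earlier and counts hits per IP against each rule's trigger count, which is what the earlier reply suggested doing before relying on CSF. The IP 203.0.113.45, the sample lines (including one error-log style line, to show the *.error.log caveat) and the function names are constructed for this example.

```python
import re
from collections import Counter

# The two rules from the regex.custom.pm snippet: (description, pattern, app name, trigger count).
# The patterns are copied unchanged; Python's re accepts this Perl syntax as-is.
RULES = [
    ("WP XMLRPC Attack", re.compile(r'(\S+).*] "\w*(?:GET|POST) \/xmlrpc\.php.*" '), "XMLRPC", 5),
    ("WP Login Attack", re.compile(r'(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" '), "WPLOGIN", 2),
]

UA = '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"'

# Constructed sample: same layout as the thread's domain.com.log lines, with a documentation-range IP.
SAMPLE_LOG = [
    '203.0.113.45 - - [03/Oct/2022:15:28:04 +0530] "POST /wp-login.php HTTP/1.0" 200 2716 "https://domain.com/wp-login.php" ' + UA,
    '203.0.113.45 - - [03/Oct/2022:15:28:06 +0530] "POST /wp-login.php HTTP/1.0" 200 2716 "https://domain.com/wp-login.php" ' + UA,
    '203.0.113.45 - - [03/Oct/2022:15:28:10 +0530] "POST /wp-login.php HTTP/1.0" 200 2745 "https://domain.com/wp-login.php" ' + UA,
    '203.0.113.45 - - [03/Oct/2022:15:29:00 +0530] "POST /xmlrpc.php HTTP/1.0" 200 415 "-" ' + UA,
    '198.51.100.7 - - [03/Oct/2022:15:30:00 +0530] "GET /index.php HTTP/1.1" 200 5120 "-" ' + UA,
    # An Apache error-log style line: the glob picks up *.error.log too, but there is no
    # request line in it, so neither pattern fires on it.
    '[Mon Oct 03 15:28:04.123456 2022] [php:warn] [pid 12345] [client 203.0.113.45:51234] PHP Warning: something in wp-login.php on line 1',
]


def match_line(line):
    """Return (ip, app, trigger) for the first rule that matches, mirroring the
    fields CSF reads from the return tuple, or None when the line is not a hit."""
    for _desc, rx, app, trigger in RULES:
        m = rx.search(line)  # Perl's =~ is an unanchored search, as is re.search
        if m:
            return (m.group(1), app, trigger)
    return None


def ips_to_block(lines):
    """Count hits per (ip, app) and return the ones that reached the rule's trigger count,
    i.e. the IPs CSF would block after reading these lines."""
    counts = Counter()
    triggers = {}
    for line in lines:
        hit = match_line(line)
        if hit:
            ip, app, trigger = hit
            counts[(ip, app)] += 1
            triggers[app] = trigger
    return sorted((ip, app, n) for (ip, app), n in counts.items() if n >= triggers[app])


if __name__ == "__main__":
    for ip, app, n in ips_to_block(SAMPLE_LOG):
        print(f"would block {ip}: {n} hits on {app}")
```

Running it against a real `cat /var/log/apache2/domains/*.log` dump instead of SAMPLE_LOG shows whether the patterns fire on the server's actual log layout.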
It's actually working.
I didn't turn off the default firewall. After disabling the default firewall, CSF started to block IPs.