How to use CUSTOM1_LOG in CSF Firewall

Hi, I have been using CUSTOM1_LOG in CSF on a cPanel server to block WordPress brute-force attacks successfully.

This is the method I followed for cPanel:
https://www.digitalflare.co.uk/blog/view/blocking-wp-login-and-xmlrpc-brute-force-attacks-with-csf-cpanel/

When I tried to adapt this for HestiaCP, I was unable to find the path I should use for CUSTOM1_LOG.

I can see that logs are saved to /var/log/apache2/domains. Should I use /var/log/apache2/domains/*.log?

Thanks.

Try this command:

cat /var/log/apache2/domains/*.log > file.log

Then analyze it with a text editor to see if those CSF expressions will match the output.

Bear in mind that this will also match *.error.log.

I am unable to make it work. Can anyone help me, please?

Here is the log from /var/log/apache2/domains/domain.com.log after I tried to log in with the wrong password 6 times.

xxx.xxx.xxx.xxx(MY IP) - - [03/Oct/2022:15:28:04 +0530] "POST /wp-login.php HTTP/1.0" 200 2716 "https://domain.com/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
xxx.xxx.xxx.xxx(MY IP) - - [03/Oct/2022:15:28:06 +0530] "POST /wp-login.php HTTP/1.0" 200 2716 "https://domain.com/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
xxx.xxx.xxx.xxx(MY IP) - - [03/Oct/2022:15:28:10 +0530] "POST /wp-login.php HTTP/1.0" 200 2745 "https://domain.com/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
xxx.xxx.xxx.xxx(MY IP) - - [03/Oct/2022:15:28:13 +0530] "POST /wp-login.php HTTP/1.0" 200 2745 "https://domain.com/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
xxx.xxx.xxx.xxx(MY IP) - - [03/Oct/2022:15:28:17 +0530] "POST /wp-login.php HTTP/1.0" 200 2743 "https://domain.com/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
xxx.xxx.xxx.xxx(MY IP) - - [03/Oct/2022:15:28:21 +0530] "POST /wp-login.php HTTP/1.0" 200 2741 "https://domain.com/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"

This is the path I added in /etc/csf/csf.conf:

CUSTOM1_LOG = "/var/log/apache2/domains/*.log"

This is the code I am using in /usr/local/csf/bin/regex.custom.pm, where I have set it to block after 5 attempts.

# XMLRPC
# CUSTOM1_LOG is a glob, so the file is looked up in %globlogs rather than
# compared against $config{CUSTOM1_LOG}. The return fields are: log message,
# IP to block ($1), rule identifier, trigger level (hits before blocking),
# ports to block, and csf's block-type flag (see the header of
# regex.custom.pm for the meaning of the last field).
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/xmlrpc\.php.*" /)) {
	return ("WP XMLRPC Attack",$1,"XMLRPC","5","80,443","1");
}

# WP-LOGINS (trigger level 2 here, 5 for XMLRPC above; every GET/POST to
# wp-login.php counts, whatever the HTTP status code)
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
	return ("WP Login Attack",$1,"WPLOGIN","2","80,443","1");
}
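As an added example that is not part of this thread or of csf itself: the earlier reply suggests dumping the domain logs into one file and checking by eye whether the csf expressions match, and the post above shows the two regex.custom.pm rules in question. The Python below does that check offline. It re-creates the two Perl patterns (only the \/ escapes need dropping), counts hits per IP against constructed log lines the way csf's per-rule trigger counter does, and then tries a tightened wp-login pattern that only counts HTTP 200 responses. The sample lines, the RFC 5737 IPs, and the assumption that a failed WordPress login re-renders the form with 200 while a successful one redirects with 302 are mine, not from the thread.

```python
import re
from collections import Counter

# Constructed sample lines (not from a real server) in the Apache combined
# format that HestiaCP writes to /var/log/apache2/domains/<domain>.log.
# IPs are RFC 5737 documentation addresses. 203.0.113.10 fails three times,
# 198.51.100.7 fails once and then logs in successfully (302 redirect),
# 192.0.2.44 hits xmlrpc.php twice, and the last line imitates a
# *.error.log entry, which the glob /var/log/apache2/domains/*.log also
# feeds to csf.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Oct/2022:15:28:04 +0530] "POST /wp-login.php HTTP/1.0" 200 2716 "https://domain.com/wp-login.php" "Mozilla/5.0"
203.0.113.10 - - [03/Oct/2022:15:28:06 +0530] "POST /wp-login.php HTTP/1.0" 200 2716 "https://domain.com/wp-login.php" "Mozilla/5.0"
203.0.113.10 - - [03/Oct/2022:15:28:10 +0530] "POST /wp-login.php HTTP/1.0" 200 2745 "https://domain.com/wp-login.php" "Mozilla/5.0"
198.51.100.7 - - [03/Oct/2022:15:29:01 +0530] "POST /wp-login.php HTTP/1.0" 200 2716 "https://domain.com/wp-login.php" "Mozilla/5.0"
198.51.100.7 - - [03/Oct/2022:15:29:05 +0530] "POST /wp-login.php HTTP/1.0" 302 0 "https://domain.com/wp-login.php" "Mozilla/5.0"
198.51.100.7 - - [03/Oct/2022:15:29:06 +0530] "GET /wp-admin/ HTTP/1.0" 200 9000 "https://domain.com/wp-login.php" "Mozilla/5.0"
192.0.2.44 - - [03/Oct/2022:15:30:00 +0530] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "python-requests/2.28"
192.0.2.44 - - [03/Oct/2022:15:30:01 +0530] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "python-requests/2.28"
[Mon Oct 03 15:31:00.123456 2022] [php:error] [pid 1234] [client 203.0.113.99:51234] PHP Warning: something in /home/admin/web/domain.com/public_html/wp-login.php
"""

# (message, pattern, identifier, trigger level, ports): the same fields and
# values as the return() lines in the post, with the Perl \/ escapes dropped.
ORIGINAL_RULES = [
    ("WP XMLRPC Attack", r'(\S+).*] "\w*(?:GET|POST) /xmlrpc\.php.*" ', "XMLRPC", 5, "80,443"),
    ("WP Login Attack", r'(\S+).*] "\w*(?:GET|POST) /wp-login\.php.*" ', "WPLOGIN", 2, "80,443"),
]

# Tightened rules (assumption: failed WordPress logins answer 200, successful
# ones 302), so that a successful login is not counted as an attack hit. The
# [^"]* instead of .* also stops the match from running into the referer.
TIGHTENED_RULES = [
    ("WP XMLRPC Attack", r'^(\S+) .*\] "(?:GET|POST) /xmlrpc\.php[^"]*" ', "XMLRPC", 5, "80,443"),
    ("WP Login Attack", r'^(\S+) .*\] "POST /wp-login\.php[^"]*" 200 ', "WPLOGIN", 2, "80,443"),
]


def scan(log_text, rules):
    """Count matches per (identifier, ip), like csf's per-rule trigger counter."""
    compiled = [(ident, re.compile(pat)) for _, pat, ident, _, _ in rules]
    hits = Counter()
    for line in log_text.splitlines():
        for ident, rx in compiled:
            m = rx.search(line)
            if m:
                hits[(ident, m.group(1))] += 1
                break  # regex.custom.pm returns on the first rule that matches
    return hits


def blocks(log_text, rules):
    """Return the set of (identifier, ip) whose hit count reached the trigger level."""
    triggers = {ident: trigger for _, _, ident, trigger, _ in rules}
    return {key for key, n in scan(log_text, rules).items() if n >= triggers[key[0]]}


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_RULES), ("tightened", TIGHTENED_RULES)):
        print(name, dict(scan(SAMPLE_LOG, rules)))
        print("  would block:", sorted(blocks(SAMPLE_LOG, rules)))
```

With the original patterns the 302 (successful) login by 198.51.100.7 counts as a second wp-login hit, so at trigger level 2 that IP would be blocked along with 203.0.113.10; the tightened wp-login pattern counts only the one failed attempt and leaves it alone. The error-log line is scanned but matches nothing, because both patterns require the quoted request line. A pattern that works here behaves the same way in regex.custom.pm only if it also compiles under Perl; the two syntaxes agree for everything used above.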

It's actually working.

I didn't turn off the default firewall. After disabling the default firewall, CSF started to block IPs.

