Block wp-login and xmlrpc brute force attacks with CSF / DirectAdmin

[itcms]

xmlrpc wp-login are common attacks for WordPress installations, with CSF firewall
we can block them.

First we define in CUSTOMx_LOG the log directory from which CSF will be able to search for wp-login.php and xmlrpc.php requests.
Edit your /etc/csf/csf.conf like bellow:
CUSTOM1_LOG = "/var/log/httpd/domains/*.log"
If you have use CUSTOM1_LOG use the others

After we have to create custom functions for CSF so it will be able to block those attacks.

We add the following rules to /usr/local/csf/bin/regex.custom.pm file. If it’s not there, create one.

Then we add bellow code :

# XMLRPC
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/xmlrpc\.php.*" /)) {
return ("WP XMLPRC Attack",$1,"XMLRPC","5","80,443","1");
}

# WP-LOGINS
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
return ("WP Login Attack",$1,"WPLOGIN","5","80,443","1");
}

Finally we restart CSF and check if LFD is doing his new job :

csf -r.

 

[factor]

wp-login.php brute force attacks

Hi, I have some bigger wp-login.php brute force attacks from many different IPs, for many wordpress installations, of course I have enabled "Directadmin's BFM compatible with CSF" from this topic...

forum.directadmin.com

 

[Richard G]

Thank you but these custom lines were already mentioned a couple of times on this forum.
For xmlrpc.php there are also methods mentioned to block access to them serverwide.

 

[floyd]

I use fail2ban.

 

[paisley]

How can this be done for:
Joomla: /administrator
Drupal: /user/login
Magento 1: /index.php/admin/
Magento 2: /admin

I tried:
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/administrator*" /)) {
return ("JoomlaLogin Attack",$1,"JoomlaLOGIN","5","80,443","1");

But that does not work, hope someone can help me with this.

 

[Ohm J]

@paisley
atlease, You should have logging fail authentication to "CUSTOM1_LOG" PATH File

 

[paisley]

@paisley
atlease, You should have logging fail authentication to "CUSTOM1_LOG" PATH File

I have already have CUSTOM1_LOG = "/var/log/httpd/domains/*.log"
My question is how I can add a rule to also block Magento bruto force logins.

WordPress is working:

62.**** # lfd: (WPLOGIN) WP Login Attack 62.**** (CN/China/-): 5 in the last 3600 secs - Thu Jul 8 09:59:01 2021

 

[Ohm J]

@paisley
I mean, Your application must have logging into "domains/*.log"

after that, just create regex rules

 

[paisley]

@paisley
I mean, Your application must have logging into "domains/*.log"

after that, just create regex rules

My question is about how to create the regex rules

 

[Kyo]

Finally we restart CSF and check if LFD is doing his new job :

I have followed this guide
thank you very much for sharing beautiful information with us, can you please let me know how can I verify It's working or not ?

Thank You

 

[Zhenyapan]

how can I verify It's working or not ?

you can check your domain access/error logs before, and after you enabled CSF. You can try to stop CSF check logs, then start and check again.

 

[Kyo]

Thank You,

anything about this

User anonymous has 150 failed login attempts: exim1=3 & exim2=7 & pure-ftpd1=140

 

[Zhenyapan]

you can't block by login, only IPs, so if CSF see 140 attempts to connect to ftp with login ANONYMOUS but they all from 50+ different IPs -it will not blick this ips, untill there were more that 10 attempts from each ip. I solved it partially by setting harder limits - block after 2 attempts

 

[Kyo]

I solved it partially by setting harder limits

can you share your practice with me, I am tired of it,
i will be thankful to you

 

[Zhenyapan]

something like this

 

[Kyo]

Won't you get too many complaints from your customer that we are facing issue, or we cannot access our website or server is down lol

they won't understand it's for their protection or server performance they will just cry and how you will handle to unblock their IPs on daily bases

 

[johannes]

something like this

Each customer who wants to setup a simple new emailaccount, will come back to you.

 

[Kyo]

Each customer who wants to setup a simple new emailaccount, will come back to you.

But a customer who already running his website and got blocked due to 2 attempts of wrong password he will not able to see even his website homepage due to IP block, how can we handle such customer pressure for shared hosting,

I am not arguing, we are discussing Scenario maybe we can have a solution

 

[Ohm J]

csf firewall have system to give user unblocked by himself.
it's call "Messenger Service", will integrate with google recaptcha.

please.... Setup it yourself. becarefully, it will be break change with some webserver. ..etc.. ,

 

[Zhenyapan]

Each customer who wants to setup a simple new emailaccount, will come back to you.

we have page where users can unblock their IPs, they ask support 1-2 times a week, so it's not a problem