Block wp-login and xmlrpc brute force attacks with CSF / DirectAdmin

hosters.pk

Verified User
Joined
Jul 12, 2021
Messages
21
The CSF firewall has a system to let the user unblock himself.
It's called "Messenger Service" and integrates with Google reCAPTCHA.

Please.... set it up yourself. Be careful, it will be a breaking change with some webservers, etc.,
I have done everything with Google reCAPTCHA

but I am not getting reCAPTCHA; I am getting this message when my IP is banned:
Code:
This site can’t be reached
The webpage at https://mydomain.com/ might be temporarily down or it may have moved permanently to a new web address.
ERR_TUNNEL_CONNECTION_FAILED
Any idea?
 

anay

Verified User
Joined
Dec 7, 2005
Messages
96
I have recently been under a wp-login brute force attack. I enabled this rule for blocking an IP after 5 attempts and it helped a lot to counter the attack. However, this rule doesn't know whether the request to wp-login.php was a failure or a success. This means that even if a client successfully logged in but does that 5 times (it could be multiple users from the same internet connection), he will also be blocked. This is exactly what I am facing: some of the users are being blocked because multiple users log in from the same IP and boom, the IP is blocked.

.htaccess protection is good but can't be done for each user as there are lots of WP installations. Is there any other strategy by which I can handle this issue without blocking legit users?
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
7,646
Location
Maastricht
I have a different custom regexp, which you might use. Mine is this:
Code:
# WP-LOGINS
# CSF regex.custom.pr entry: match a POST to wp-login.php or xmlrpc.php that
# was answered with 200 or 401, capturing the client IP ($1) at the start of the line.
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^(\S+).*POST.*(wp-login\.php|xmlrpc\.php).* (200|401)/)) {
    # return: log text, offending IP, rule name, trigger count, ports to block, block time in seconds
    return ("Unauthorized",$1,"WPLOGINorWHATEVER","10","80,443","14400");
}

However, as you see, this is also checking code 200, which is in fact an OK, so a successful login. You could try to change it to only look for the unauthorized by leaving the 200 out.
Code:
# WP-LOGINS
# Same rule, but only counting requests answered with 401 (Unauthorized).
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^(\S+).*POST.*(wp-login\.php|xmlrpc\.php).* (401)/)) {
    return ("Unauthorized",$1,"WPLOGINorWHATEVER","10","80,443","14400");
}
I hope the regexp is still correct like this. Change the limits/block to your own needs.
 

anay

Verified User
Joined
Dec 7, 2005
Messages
96
401 - Unauthorized will not work here as it's a server-side error. If you open wp-login.php and provide wrong credentials, it still returns 200, as from the server's point of view the right page is served, but from WP's point of view it's a login error. Hence, I don't think we can assess this way whether it's a login failure or not.
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
7,646
Location
Maastricht
Well, as said, I hoped it worked, because I never tested it. Seems not to work then. If no 401 is given but always a 200, then that's a bit of an issue indeed.
You could raise the number of checks to 10 like I did. This gives both the user and the hacker more attempts before being blocked.

Another option is to use the WP Login BFM of DA itself; then you can set up the time in which DA's BFM looks into the Apache logs for logins.
There's also an idea to create a custom counter.

Have a look at this, maybe you can use it some way:
 

anay

Verified User
Joined
Dec 7, 2005
Messages
96
@Richard G, you are missing the point here: 401 is given only when there is an access-related issue at server level, not at application level. The authentication failure is occurring at application level (WP).

Besides, I have come to ask here only after researching; I have been thoroughly through the link you gave, and it itself says:
IMPORTANT: Note that apache does not know if a wp-login.php entry was a login failure or not. All it knows is that a POST was made to the wp-login.php file. Because of this, the Brute Force Monitor considers each POST access to wp-login.php a failed login, even if the correct password was used. Keep this fact in mind when deciding on your IP block limit.

Hence I came here to ask if there could be any other strategy for now, as currently legit users are also being blocked. For the time being I have increased the login-failure threshold, but it's not a proper solution.
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
7,646
Location
Maastricht
you are missing the point here, 401 is given only
No, I don't. See my text. I just confirmed your answer that it would always give a 200, which would indeed still cause an issue.

But in the link I gave, I specifically stated to have a look at the timing the logs are scanned and the option to create a custom login counter.
Possible To-Do: Create a separate login counter max value for these types of logins, as the "failed" count doesn't really apply, logically.
If you could combine this in, for example set a check to 5 logins in 5 minutes or 10 logins in 5 minutes, that is something normal users wouldn't normally do that quickly, and there is less chance for legit users to be banned.
True, that's also a kind of threshold. But this is in fact not a DA problem or issue.

The authentication failure occurring at application level (WP) .
Hence WP should fix this so that it gives proper failure notices to Apache by default.

As a last idea from my side, there is an option to create some script to get proper Apache log output, it seems.
It's a plugin.

I presume what you need would be something you can use server-wide like this. Maybe somebody knows how to create something like this server-wide.
But the proper solution would be to address this at WP so they would throw out these messages by default.
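Two points in this thread can be checked against a log before touching CSF: anay's observation that Apache logs 200 for both good and bad WordPress logins, so the status code carries no signal, and Richard G's suggestion to count "5 logins in 5 minutes" instead of a plain total. The following is an added Python example, not code from this thread, from CSF or from DirectAdmin. It assumes Apache combined-format access log lines (the same lines the CSF regex above reads); the IPs, timestamps and paths are constructed sample data. It runs a count-only rule (which is what a CSF trigger count amounts to once the status is ignored) and a sliding-window rule over the same log, and shows that only the windowed one leaves the shared office IP alone.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache "combined" log format is assumed (client IP first, bracketed timestamp,
# quoted request line, then the status code).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")
WINDOW = timedelta(minutes=5)


def parse_login_post(line):
    """Return (ip, timestamp) for a POST to wp-login.php or xmlrpc.php, else None.

    The HTTP status is deliberately ignored: WordPress answers 200 for both
    good and bad credentials, so it cannot tell a failure from a success.
    """
    m = LOG_RE.match(line)
    if not m or m["method"] != "POST":
        return None
    if m["path"].split("?", 1)[0] not in LOGIN_PATHS:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT)


def simple_threshold(lines, limit):
    """Count-only rule: an IP is flagged once `limit` login POSTs are seen,
    no matter how far apart in time they are."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_login_post(line)
        if rec:
            counts[rec[0]] += 1
    return {ip for ip, n in counts.items() if n >= limit}


def windowed_threshold(lines, limit, window):
    """Sliding-window rule: flag an IP only when `limit` login POSTs fall
    inside `window`. Returns {ip: timestamp of the POST that crossed the limit}.
    Lines for one IP are assumed to be in chronological order, as in an access log."""
    recent = defaultdict(deque)
    triggered = {}
    for line in lines:
        rec = parse_login_post(line)
        if rec is None:
            continue
        ip, ts = rec
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # forget hits older than the window
            q.popleft()
        if len(q) >= limit and ip not in triggered:
            triggered[ip] = ts
    return triggered


# ---- constructed sample log (not real traffic) ----
def _post(ip, ts, path="/wp-login.php"):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "POST {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'


BASE = datetime(2021, 7, 20, 9, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    # shared office IP: six different staff members log in, one every five minutes
    [_post("203.0.113.10", BASE + timedelta(minutes=5 * i)) for i in range(6)]
    # guessing IP: twelve POSTs in under a minute, alternating wp-login and xmlrpc
    + [_post("198.51.100.7", BASE + timedelta(seconds=5 * i),
             "/xmlrpc.php" if i % 2 else "/wp-login.php") for i in range(12)]
    # a plain GET of the login form, which neither rule should count
    + [f'192.0.2.5 - - [{BASE.strftime(TS_FMT)}] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"']
)

if __name__ == "__main__":
    print("count-only, limit 5:", sorted(simple_threshold(SAMPLE_LOG, 5)))
    print("5 in 5 minutes:", windowed_threshold(SAMPLE_LOG, 5, WINDOW))
```

With a bare limit of 5 both IPs are flagged, including the office whose six logins were spread over half an hour; with "5 in 5 minutes" only the fast guesser trips, at its fifth POST. The same window logic is what CSF's trigger count gives you when the log scan interval is short, which is the knob Richard G points at in the DA documentation.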
 

anay

Verified User
Joined
Dec 7, 2005
Messages
96
As a last idea from my side, there is an option to create some script to get proper Apache log output, it seems.
It's a plugin.

I presume what you need would be something you can use server-wide like this. Maybe somebody knows how to create something like this server-wide.
But the proper solution would be to address this at WP so they would throw out these messages by default.
This is a nice idea. I can actually do that with Softaculous to provide that plugin during installation; it will require some trial and testing. I have doubts, though, about whether it can actually log to the server error log. Anyway, I will do it in a couple of days and hopefully share the results here.
 

BillyS

Verified User
Joined
Jul 17, 2021
Messages
50
When you say you've enabled this rule, are you referring to CSF?
I enabled this rule for blocking IP after 5 attempts and helped a lot to counter the attack.

If you're having trouble with users tripping this threshold, make the number much larger than 5. When you say you are under attack, are you talking about your clients or you individually?

If it's just your site, you have a number of options, including WP brute force plugins.


Or you could hide the location of the login:

 

anay

Verified User
Joined
Dec 7, 2005
Messages
96
When you say you've enabled this rule, are you referring to CSF?


If you're having trouble with users tripping this threshold, make the number much larger than 5. When you say you are under attack, are you talking about your clients or you individually?

If it's just your site, you have a number of options, including WP brute force plugins.


Or you could hide the location of the login:

The server is under attack.

If it were an issue with one WP installation, I would always change the wp-login location first and do plenty of other things. But for your end users, it's not possible to go to each one and ask them to install such plugins.
 