Blocking Wordpress Login and xmlprc attacks with LFD

beenym1
Junior Member
Posts: 1
Joined: 19 Jan 2017, 16:39

Re: Blocking Wordpress Login and xmlprc attacks with LFD

Post by beenym1 »

Hi

I am also trying to add this to CSF/LFD but, to be honest, have no idea where to start. Can someone post a step-by-step "idiots" guide on how/where to put these pieces of code?

I don't know where to find csf.conf or where to disable LF_TRIGGER

I have contacted ConfigServer directly and they have advised they will not help me, even if I paid for their assistance.

Thanks in advance.
vice17
Junior Member
Posts: 1
Joined: 24 Mar 2017, 18:08

Re: Blocking Wordpress Login and xmlprc attacks with LFD

Post by vice17 »

I'm trying to change the XMLRPC rule without success.

I use the WordPress Android app, which makes a lot of POST requests to xmlrpc.php. The problem is that I have a dynamic IP, and an allow workaround is not a solution for me.

The access log is something like this:

1.2.3.4 - - [24/Mar/2017:16:46:43 +0000] "POST /xmlrpc.php HTTP/1.1" 200 948 "-" "Mozilla/5.0 (Linux; Android 7.1.1; Redmi Note 3 Build/N6F26U; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/56.0.2924.87 Mobile Safari/537.36 wp-android/6.9.1"

So I'm trying to change the If function without success, to check if the log has "wp-android" written so the condition will return false.

I'm a noob at regex, so if someone can help me, I would appreciate it.

Cheers
Sergio
Junior Member
Posts: 1685
Joined: 12 Dec 2006, 14:56

Re: Blocking Wordpress Login and xmlprc attacks with LFD

Post by Sergio »

CavemanSean wrote: 28 Nov 2016, 06:40 Hello there, I'm wanting to use this on my install of CSF as well, however I'm not exactly sure how to set this up...
Cadmos wrote: I registered to answer you;

=- Tested on CentOS 6.7 -=

Triggers on "3" hits (better make it more) of GET or POST of /xmlrpc.php or /wp-login.php by using the default interval settings of csf.conf (3600).

It bans the IP permanently "1" (it requires LF_TRIGGER disabled in csf.conf or else it ignores the value and uses the default temporary block time 3600)

regex.custom.pm


# XMLRPC
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/xmlrpc\.php.*" /)) {
    return ("your ban comment",$1,"XMLRPCorWHATEVER","3","80,443,21,25,22,23","1");
}

# WP-LOGINS
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
    return ("your ban comment",$1,"WPLOGINorWHATEVER","3","80,443,21,25,22,23","1");
}

csf.conf


CUSTOM2_LOG = "/usr/local/apache/domlogs/*/*"

Now I know where the config file is and how to edit that, what I'm not sure of is where this regex.custom.pm file is (or do I make it? and if I do how do I tie this into CSF?)


I believe I figured it out...
I modified /usr/local/csf/bin/regex.custom.pm and included that text in it (I just tossed it above

#############
# Do not edit beyond this point

), so I hope it's working :\
If you see the sticky about Custom Regex, you will read: "All these REGEX are to be run in "regex.custom.pm", please check the readme file to know what is this."

The readme file is included in CSF under the "Firewall Information" button, and it says to add them in /usr/local/csf/bin/regex.custom.pm. Once you open that file, it has more instructions and examples on how to add your regex rules.

Sergio
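The following is an added example, not code from this thread, from Cadmos or from ConfigServer. It takes the two access-log rules quoted above, folds them into one check, and adds the User-Agent exclusion that vice17 asked about earlier in the thread, so that a legitimate mobile client posting to xmlrpc.php from a dynamic IP is not counted as a hit. It is written as a stand-alone Perl script so the regex can be run against constructed log lines before it is pasted into regex.custom.pm; the `($globlogs{CUSTOM2_LOG}{$lgfile})` wrapper, the hit count of 10, the 900-second block and the `@trusted_agents` list are all assumptions of this example.

```perl
#!/usr/bin/perl
# Added example, not code from the thread or from ConfigServer: the two
# access-log rules quoted above, folded into one check and extended with
# the User-Agent exclusion vice17 asked about. Stand-alone harness: the
# ($globlogs{CUSTOM2_LOG}{$lgfile}) test that wraps a rule inside
# regex.custom.pm is left out so the regex logic can be run on its own.
use strict;
use warnings;

# User-Agent tokens whose requests are never counted (constructed list;
# "wp-android" is the token from vice17's log line). The header is sent by
# the client, so anything listed here can be forged; keep the list short.
my @trusted_agents = ('wp-android');

# Map of matched script name to the trigger name reported in lfd.log.
my %trigger = ('xmlrpc' => 'XMLRPC', 'wp-login' => 'WPLOGIN');

# Returns the (comment, ip, trigger, count, ports, block) array that a rule
# in regex.custom.pm hands back to lfd, or an empty list when the line is
# not a hit. Count "10" is evaluated over LF_INTERVAL (3600 s by default);
# "900" requests a 15-minute temporary block (both constructed values).
sub wp_rule {
    my ($line) = @_;

    # Same shape as the quoted rules: the first field is the client IP and
    # the request line follows the "]" that closes the timestamp.
    if ($line =~ /(\S+).*\] "\w*(?:GET|POST) \/(xmlrpc|wp-login)\.php.*" /) {
        my ($ip, $script) = ($1, $2);

        # A trusted User-Agent anywhere on the line means "not a hit", so a
        # mobile app polling xmlrpc.php from a dynamic IP is never banned.
        for my $agent (@trusted_agents) {
            return () if index($line, $agent) >= 0;
        }

        return ("WP $script attack", $ip, $trigger{$script}, "10", "80,443", "900");
    }
    return ();
}

# Constructed sample lines in Apache combined-log format (not real traffic).
my @sample = (
    '1.2.3.4 - - [24/Mar/2017:16:46:43 +0000] "POST /xmlrpc.php HTTP/1.1" 200 948 "-" "Mozilla/5.0 (Linux; Android 7.1.1) wp-android/6.9.1"',
    '203.0.113.9 - - [24/Mar/2017:16:47:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 948 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [24/Mar/2017:16:47:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Mar/2017:16:47:09 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
);

for my $line (@sample) {
    my @hit = wp_rule($line);
    if (@hit) {
        printf "hit    %-13s trigger=%s ports=%s block=%ss\n", $hit[1], $hit[2], $hit[4], $hit[5];
    } else {
        print  "ignore $line\n";
    }
}
```

Run with `perl wp_rule_test.pl`: the wp-android line and the index.php line print as ignored, the two lines from 203.0.113.9 print as hits with triggers XMLRPC and WPLOGIN. To use the same logic inside regex.custom.pm, keep the body of `wp_rule` inside the usual `if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ...)` test and `return` the array directly, as the quoted rules do. The exclusion is a trade-off: User-Agent is client-supplied, so any token placed in `@trusted_agents` also exempts traffic that merely claims to be that client.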
FutherForward20
Junior Member
Posts: 22
Joined: 03 Sep 2016, 13:56

Re: Blocking Wordpress Login and xmlprc attacks with LFD

Post by FutherForward20 »

Just to comment that although this appears to be useful, it doesn't seem to work for me;

I followed the instructions, then used a VPN to try to log in to a WordPress site, and tried random logins 5 times to trigger the block. LFD accurately recorded the block like so:

(WPLOGIN) WP Login Attack 77.zzz.zzz.100 (-): 5 in the last 3600 secs - *Blocked in csf* port=80 [LF_CUSTOMTRIGGER]
And when I do a search in the block tables, the IP also shows in the CSF log as blocked for 5 minutes.... All good - but then:

As soon as the block was showing, I then reloaded the wp-login page (still using the same VPN), and this time I entered the correct login credentials and the site worked as normal, allowing me to log in... so... I'm not sure exactly what's happening there. I expected the site to not load... but it let me in just fine.

The block shows, but I was still able to login ... what could be going wrong here?
Sergio
Junior Member
Posts: 1685
Joined: 12 Dec 2006, 14:56

Re: Blocking Wordpress Login and xmlprc attacks with LFD

Post by Sergio »

@FutherForward20

Do you have the file: /etc/apache2/logs/error_log in your server?
If you do, please do the following as root:

less /etc/apache2/logs/error_log | grep "77.zzz.zzz.100"
(change .zzz.zzz. for the real numbers of your VPN)

and post one of the lines of what you got, don't forget to set .zzz.zzz. again.

I will try to create a regex rule for you.

Sergio
FutherForward20
Junior Member
Posts: 22
Joined: 03 Sep 2016, 13:56

Re: Blocking Wordpress Login and xmlprc attacks with LFD

Post by FutherForward20 »

Hi @sergio

Thank you for your offer to assist, I appreciate that. FYI, I am running CentOS 7.8 and WHM/cPanel v86. Also running ModSecurity with OWASP CRS v3. I also (mostly, but not always) have .htaccess basic auth set up for WordPress sites (just an extra layer of security).

For some reason I don't seem to be able to post in the forum, I keep getting a forbidden message... looks like the forum has blocked my IP 3 times too ;-( it's a mission getting the post updated!


Edit 1

Here's what I have in /usr/local/csf/bin/regex.custom.pm


# XMLRPC
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/xmlrpc\.php.*" /)) {
    return ("WP XMLPRC Attack",$1,"XMLRPC","10","80,443","1");
}
# WP-LOGINS
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
    return ("WP Login Attack",$1,"WPLOGIN","10","80,443","1");
}

Here's what I have in /etc/csf/csf.conf


CUSTOM1_LOG = "/var/log/apache2/domlogs/*/*"

In /var/log/lfd.log


Jun 11 12:32:42 dazz8 lfd[2904]: (htpasswd) Failed web page login from 77.zzz.zzz.13 (-): 10 in the last 3600 secs - *Blocked in csf* for 3600 secs [LF_HTACCESS]
Jun 11 12:32:42 dazz8 lfd[2994]: (PERMBLOCK) 77.zzz.zzz.13 (-) has had more than 4 temp blocks in the last 86400 secs - *Blocked in csf* [LF_HTACCESS]
Jun 11 12:32:42 dazz8 lfd[25288]: (WPLOGIN) WP Login Attack 77.zzz.zzz.13 (-): 10 in the last 3600 secs - *Blocked in csf* port=80 [LF_CUSTOMTRIGGER]
Jun 11 12:32:42 dazz8 lfd[25288]: (WPLOGIN) WP Login Attack 77.zzz.zzz.13 (-): 10 in the last 3600 secs - *Blocked in csf* port=443 [LF_CUSTOMTRIGGER]

Edit 2

In /etc/apache2/logs/error_log


[Thu Jun 11 12:39:38.454047 2020] [auth_basic:error] [pid 4768] [client 77.zzz.zzz.13:0] AH01618: user not found: /wp-admin/j-s/password-strength-meter.min, referer: https://zzz.org.nz/wp-login.php

Edit 3
But I can still log into the site if I then try normally - and I can still load the front end of the site too. Could it be a cache issue?

Here is what I would like to happen: If someone hits wp-login (basic auth or not) or xmlrpc file more than 10 times in say 1 minute, they should be locked out for 15 minutes
Sergio
Junior Member
Posts: 1685
Joined: 12 Dec 2006, 14:56

Re: Blocking Wordpress Login and xmlprc attacks with LFD

Post by Sergio »

I have tried to write here the regex rule that I wrote, but the content filter has blocked my IPs; I had to use 3 different connections.

Here is an image of the rule based on the info that you wrote above under EDIT 2:
The image will auto delete in 5 hours:

https://ibb.co/jGFwJvb

I have set the rule so that on the first try the IP is blocked forever; you can change it to what is better for you, as to how many errors and for how long.

Sergio

Disclaimer:
I don't assume any responsibility about what the above rule can do at your server, try it before you set in production.
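Sergio's image has expired, so the rule itself is not recoverable from the page. The following is an added example of my own, not Sergio's rule and not ConfigServer code: a regex.custom.pm-style rule keyed on the Apache auth_basic error_log line FutherForward20 posted under "Edit 2", returning the 15-minute temporary block he asked for. It runs stand-alone against constructed error_log lines. The `CUSTOM3_LOG` name, the trigger name `WPHTAUTH`, the hit count of 10 and the 900-second block are assumptions of this example; `AH01617` (password mismatch) is the companion auth_basic code to the `AH01618` (user not found) code shown on the page.

```perl
#!/usr/bin/perl
# Added example, not Sergio's rule (his image has expired) and not ConfigServer
# code: a regex.custom.pm-style rule keyed on the Apache auth_basic error_log
# line shown under "Edit 2", with the 15-minute temporary block the poster
# asked for. Stand-alone harness: the ($globlogs{CUSTOM3_LOG}{$lgfile}) test
# that wraps a rule inside regex.custom.pm is left out; CUSTOM3_LOG would be a
# csf.conf entry pointing at the error_log (constructed name).
use strict;
use warnings;

# Returns the (comment, ip, trigger, count, ports, block) array lfd expects,
# or an empty list when the line is not an auth_basic failure.
sub htauth_rule {
    my ($line) = @_;

    # Apache 2.4 error_log: "[auth_basic:error] ... [client IP:PORT] AH0161x:".
    # AH01618 is "user not found" (the code in the thread); AH01617 is the
    # wrong-password code. The port is split off at the last ":" so IPv6
    # client addresses survive intact.
    if ($line =~ /\[auth_basic:error\].*\[client (\S+):\d+\] AH0161[78]:/) {
        my $ip = $1;
        # "10" hits are counted over LF_INTERVAL from csf.conf (3600 s by
        # default); "900" asks for a 15-minute temporary block (constructed).
        return ("Failed htpasswd login", $ip, "WPHTAUTH", "10", "80,443", "900");
    }
    return ();
}

# Constructed error_log lines (not real traffic).
my @sample = (
    '[Thu Jun 11 12:39:38.454047 2020] [auth_basic:error] [pid 4768] [client 203.0.113.5:0] AH01618: user not found: /wp-admin/, referer: https://example.invalid/wp-login.php',
    '[Thu Jun 11 12:39:40.101010 2020] [auth_basic:error] [pid 4768] [client 203.0.113.5:54321] AH01617: user admin: authentication failure for "/wp-login.php": Password Mismatch',
    '[Thu Jun 11 12:39:41.000000 2020] [auth_basic:error] [pid 4768] [client 2001:db8::1:44000] AH01618: user not found: /wp-login.php',
    '[Thu Jun 11 12:39:42.000000 2020] [core:notice] [pid 100] AH00094: Command line: /usr/sbin/httpd',
);

for my $line (@sample) {
    my @hit = htauth_rule($line);
    if (@hit) {
        printf "hit    %-13s trigger=%s block=%ss\n", $hit[1], $hit[2], $hit[5];
    } else {
        print  "ignore $line\n";
    }
}
```

The first three constructed lines print as hits (203.0.113.5 twice, 2001:db8::1 once) and the core:notice line is ignored. Two caveats before copying the body into regex.custom.pm: the lfd.log excerpt earlier in the thread shows that lfd's built-in LF_HTACCESS check already watches these auth_basic failures, so a custom rule on the same log only adds value when a different hit count or block length is wanted, and the count is evaluated over the global LF_INTERVAL in csf.conf, so "10 hits in 1 minute" needs that interval lowered rather than a per-rule setting.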
FutherForward20
Junior Member
Posts: 22
Joined: 03 Sep 2016, 13:56

Re: Blocking Wordpress Login and xmlprc attacks with LFD

Post by FutherForward20 »

Hey Sergio

Thanks for your efforts. Yes, the blocking of IPs in this forum seems pretty harsh.

Also I never received notification of your post - so I was not able to get to this post sooner - I missed your 5hr deadline.

Could you please repost with a longer timeframe?

Heaps of thanks for your time
Sergio
Junior Member
Posts: 1685
Joined: 12 Dec 2006, 14:56

Re: Blocking Wordpress Login and xmlprc attacks with LFD

Post by Sergio »

Here is the new link for the image:
https://ibb.co/0mzF3PK

It will be active for 12 hours.

Sergio