ConfigServer Community Forum

Maybe these rules could help:

SecRule RESPONSE_BODY "ERROR</strong>: The password you entered for the username" \
"phase:4,deny,status:406,log,id:'990075',msg:'Sergio - WordPress Login Failure'"

SecRule RESPONSE_BODY "ERROR</strong>: Invalid username" \
"phase:4,deny,status:406,log,id:'990076',msg:'Sergio - WordPress Login Failure'"

They are more straight forward than what Patrick did, this rules are my own and working great in my servers, I don't assume any responsibility on the use of these rules, use it at your own risk.

Guess I'll have to quit saying that I loathe posting WHT links as it keeps happening.

Did find this solution to be helpful and thought others might also. The .htaccess seems to have an extra space between allow,deny. Otherwise it works as advertised.

We have only ever allowed access to wp-admin/login.php by customer IP address which in this attack situation seems so far to have helped prevent the load issues many are seeing.

http://www.webhostingtalk.com/showpost. ... tcount=196

looks like it is confirmed as a botnet attacking WP
http://www.bbc.co.uk/news/technology-22152296

wordpress and joomla flood still problem until this time.
modsecurity can block this flood login, but still use high resource.

my sample logs:

ModSecurity: Warning. Pattern match "200" at RESPONSE_STATUS. [file "/usr/local/apache/conf/modsec_rules/12_asl_brute.conf"] [line "61"] [id "377360"] [rev "2"] [msg " WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure "] [severity "WARNING"] [hostname "xxxxxxxxx.cxx"] [uri "/wp-login.php"] [unique_id "UiK@IkPk6zYAAGDLhW8AAAAY"]


another server use BFD/APF with modsec rules can block automatic.

# failed logins from a single address before ban
# uncomment to override conf.bfd trig value
TRIG="10"

if [ -f "/usr/local/apache/logs/error_log" ]; then
FILE="/usr/local/apache/logs/error_log"
TLOG_TF="httpd.modsec"
# old rule
#ARG_VAL=`$TLOG_PATH $FILE $TLOG_TF | grep "ModSecurity: Access denied" | sed -n -e '/tag/s/.*\[tag "\(.*\)"\] \[hostname "\([^ ]*\)"\].*/\1:\2:\0/p' | tr ':[]' ' '| awk '{print$12":"$1}' | tr '[:upper:]' '[:lower:]' | grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+'`

ARG_VAL=`$TLOG_PATH $FILE $TLOG_TF | grep "ModSecurity: Access denied" | awk '{ for (k=1;k<=NF;++k){ if ($k ~ /\[id/) {y=k} }; gsub("[\\\[\\\]\"]", ""); x=NF - 4; print $8":"$(y+1)":"$x}' | grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+'`
elif [ -f "/var/log/httpd/error_log" ]; then
FILE="/var/log/httpd/error_log"
TLOG_TF="httpd.modsec"
# old rule
#ARG_VAL=`$TLOG_PATH $FILE $TLOG_TF | grep "ModSecurity: Access denied" | sed -n -e '/tag/s/.*\[tag "\(.*\)"\] \[hostname "\([^ ]*\)"\].*/\1:\2:\0/p' | tr ':[]' ' '| awk '{print$12":"$1}' | tr '[:upper:]' '[:lower:]' | grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+'`

ARG_VAL=`$TLOG_PATH $FILE $TLOG_TF | grep "ModSecurity: Access denied" | awk '{ for (k=1;k<=NF;++k){ if ($k ~ /\[id/) {y=k} }; gsub("[\\\[\\\]\"]", ""); x=NF - 4; print $8":"$(y+1)":"$x}' | grep -E '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+'`
fi



how to block wordpress and joomla failed login using CSF/LFD using this logs?
how to modify this code work in LFD/CSF?

I didn't see this post, and I ended up posting another thread here. It has some information in it, but I'm also broken.

Since I have so many domains that log to many different log files, user websavers (on this forum) suggested some custom regex to help with this. It's purpose is to scan all the files, look for the failures, and add them to the csf.deny.

It's not working though, and I think it's because my mod_security audit log is different than his.

Is anyone good with RegEx that can have a look?

Here's the thread: viewtopic.php?f=6&t=6950