Blocking WordPress Login and xmlrpc attacks with LFD

14 posts Page 1 of 2
mediacloudgroup
Junior Member
Posts: 6
Joined: 17 Apr 2016, 10:56


Hi - we need some assistance to get these types of attacks blocked automatically with a custom regex - say 10 login attempts in 12 hours to mitigate slow logins - and permanently banned and added to the block list, where we can remove them if needed in case of customer false attempts. We've tried a few things including fail2ban, although it would be great if LFD could scan the logs and ban them automatically without plugins, etc. Access logs are located under /usr/local/apache/domlogs/*, so we would need wildcard-type scanning of the logs. The log name is a domain name. Not sure of the impact on performance as there are over 140 sites on this server. Recommendations and advice are most welcome. Thanks.

Example from the access logs we would like to block:

1.0.170.246 - - [17/Apr/2016:08:10:43 +0800] "POST /wp-login.php HTTP/1.0" 302 - "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.91 Safari/537.36"
1.0.170.246 - - [17/Apr/2016:08:10:59 +0800] "GET /wp-login.php HTTP/1.0" 200 3624 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.91 Safari/537.36"
1.0.170.246 - - [17/Apr/2016:09:54:33 +0800] "POST /wp-login.php HTTP/1.0" 302 - "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 8_1_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12B466 Safari/600.1.4"
1.0.170.246 - - [17/Apr/2016:09:54:40 +0800] "GET /wp-login.php HTTP/1.0" 200 3686 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 8_1_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12B466 Safari/600.1.4"
185.106.92.160 - - [17/Apr/2016:15:10:27 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
185.106.92.160 - - [17/Apr/2016:15:11:35 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
185.106.92.160 - - [17/Apr/2016:15:12:02 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
185.106.92.160 - - [17/Apr/2016:15:13:42 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
185.106.92.160 - - [17/Apr/2016:15:14:41 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
185.106.92.160 - - [17/Apr/2016:15:14:49 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
mediacloudgroup
Junior Member
Posts: 6
Joined: 17 Apr 2016, 10:56


I've been playing with a few examples - would these work?

# The log path is a wildcard, so lfd populates %globlogs rather than a single
# $config{CUSTOM2_LOG} string; the regex also needs its closing "/" and the
# return needs the ports field before the block-time field.
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*wp-login/)) {
    # description, IP, identifier, trigger count, ports, block time (1 = permanent)
    return ("WP Login Attack",$1,"SecmasWPLOGIN","10","80,443,21,25,22,23","1");
}

if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*xmlrpc/)) {
    return ("WP XMLRPC Attack",$1,"SecmasWPXMLRPC","10","80,443,21,25,22,23","1");
}
mediacloudgroup
Junior Member
Posts: 6
Joined: 17 Apr 2016, 10:56


Also would my custom log path work like this?

/usr/local/apache/domlogs/*
Cadmos
Junior Member
Posts: 1
Joined: 24 Apr 2016, 23:33


I registered to answer you:

=- Tested on CentOS 6.7 -=

Triggers on "3" hits (better make it more) of GET or POST of /xmlrpc.php or /wp-login.php, using the default interval setting of csf.conf (3600).

It bans the IP permanently "1" (it requires LF_TRIGGER disabled in csf.conf, or else it ignores the value and uses the default temporary block time 3600).

regex.custom.pm
Code:
# XMLRPC
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/xmlrpc\.php.*" /)) {
    return ("your ban comment",$1,"XMLRPCorWHATEVER","3","80,443,21,25,22,23","1");
}

# WP-LOGINS
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
    return ("your ban comment",$1,"WPLOGINorWHATEVER","3","80,443,21,25,22,23","1");
}

csf.conf
Code:
CUSTOM2_LOG = "/usr/local/apache/domlogs/*/*"
mediacloudgroup
Junior Member
Posts: 6
Joined: 17 Apr 2016, 10:56


Thank you very much. We've implemented that now and we're monitoring. Also we want to block these and appreciate your help:

178.32.12.113 - - [27/Apr/2016:09:21:43 +0800] "GET /?attachment_id=637 HTTP/1.0" 301 - "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit$
178.32.12.113 - - [27/Apr/2016:09:21:46 +0800] "GET /?attachment_id=637 HTTP/1.0" 200 6975589 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) Apple$
192.162.27.79 - - [27/Apr/2016:09:22:50 +0800] "GET /?attachment_id=574 HTTP/1.0" 301 - "http://www./" "Mozilla/5.0 $
192.162.27.79 - - [27/Apr/2016:09:22:53 +0800] "GET /?attachment_id=574 HTTP/1.0" 200 7978481 "http://www./" "Mozill$
107.172.195.72 - - [27/Apr/2016:09:23:13 +0800] "GET /?attachment_id=262 HTTP/1.0" 301 - "http://www./" "Mozilla/5.0$
107.172.195.72 - - [27/Apr/2016:09:23:16 +0800] "GET /?attachment_id=262 HTTP/1.0" 200 2351004 "http://www./" "Mozil$
172.245.245.23 - - [27/Apr/2016:09:23:25 +0800] "GET /?attachment_id=575 HTTP/1.0" 301 - "http://www./" "Mozilla/5.0 (Windows $
172.245.245.23 - - [27/Apr/2016:09:23:28 +0800] "GET /?attachment_id=575 HTTP/1.0" 200 7523020 "http://www./" "Mozilla/5.0 (Wi$
mediacloudgroup
Junior Member
Posts: 6
Joined: 17 Apr 2016, 10:56


This is working very nicely - thanks for your help. Looking forward to the attachment_id block.
DaNgErOuS
Junior Member
Posts: 25
Joined: 22 Feb 2010, 07:33


Cadmos wrote:
I registered to answer you:


regex.custom.pm
Code:
# XMLRPC
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/xmlrpc\.php.*" /)) {
    return ("your ban comment",$1,"XMLRPCorWHATEVER","3","80,443,21,25,22,23","1");
}

# WP-LOGINS
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
    return ("your ban comment",$1,"WPLOGINorWHATEVER","3","80,443,21,25,22,23","1");
}

csf.conf
Code:
CUSTOM2_LOG = "/usr/local/apache/domlogs/*/*"

Hi
When I add the custom regex I see this error, with lfd stopping:

Starting lfd:/usr/local/csf/bin/regex.custom.pm did not return a true value at /usr/local/csf/lib/ConfigServer/RegexMain.pm line 45.
Compilation failed in require at /usr/sbin/lfd line 26.
BEGIN failed--compilation aborted at /usr/sbin/lfd line 26.

What is the problem?
Thanks
mediacloudgroup
Junior Member
Posts: 6
Joined: 17 Apr 2016, 10:56


Working for us - just make sure that the code has copied across/formatted properly. We have this implemented on a number of servers. Here is our formatted code:

# XMLRPC
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/xmlrpc\.php.*" /)) {
return ("WP XMLRPC Attack",$1,"XMLRPC","10","80,443,21,25,22,23","1");
}

# WP-LOGINS
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
return ("WP Login Attack",$1,"WPLOGIN","10","80,443,21,25,22,23","1");
}

# WP-ATTACHMENTID (matches the literal "?attachment_id=" in the request line)
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*\?attachment_id=/)) {
return ("WP Attachment Attack",$1,"WPATTACHMENTATTACK","5","80,443,21,25,22,23","1");
}
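To see how the three patterns above behave against the earlier posts' trigger and interval settings (Cadmos's "3 hits within the default 3600 s interval" and the first post's "10 attempts in 12 hours"), here is an added Python script that is not part of this thread and not csf/lfd code. It ports the Perl patterns to Python's re syntax, runs them over constructed sample log lines (documentation IP ranges, not real traffic), and approximates lfd's counting with a sliding window per (identifier, IP); the real lfd bookkeeping, %globlogs dispatch and LF_TRIGGER handling are not modelled.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined format (documentation IPs, not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [17/Apr/2016:15:10:27 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0"
198.51.100.7 - - [17/Apr/2016:15:11:35 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0"
198.51.100.7 - - [17/Apr/2016:15:12:02 +0800] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0"
203.0.113.9 - - [17/Apr/2016:08:10:43 +0800] "POST /wp-login.php HTTP/1.0" 302 - "-" "Mozilla/5.0"
203.0.113.9 - - [17/Apr/2016:10:20:00 +0800] "GET /wp-login.php HTTP/1.0" 200 3624 "-" "Mozilla/5.0"
203.0.113.9 - - [17/Apr/2016:10:21:00 +0800] "GET /wp-login.php HTTP/1.0" 200 3624 "-" "Mozilla/5.0"
192.0.2.44 - - [27/Apr/2016:09:21:43 +0800] "GET /?attachment_id=637 HTTP/1.0" 301 - "-" "Mozilla/5.0"
192.0.2.44 - - [27/Apr/2016:09:21:46 +0800] "GET /wp-content/uploads/x.png HTTP/1.0" 200 10 "-" "Mozilla/5.0"
"""

# (identifier, pattern, trigger count) - the thread's Perl regexes in Python re syntax.
# Group 1 is the client IP, exactly as $1 is in regex.custom.pm.
RULES = [
    ("XMLRPC", re.compile(r'(\S+).*\] "\w*(?:GET|POST) /xmlrpc\.php.*" '), 3),
    ("WPLOGIN", re.compile(r'(\S+).*\] "\w*(?:GET|POST) /wp-login\.php.*" '), 3),
    ("WPATTACHMENTATTACK", re.compile(r'(\S+).*\?attachment_id='), 5),
]

TIME_RE = re.compile(r"\[([^\]]+)\]")


def parse_time(line):
    """Pull the bracketed Apache timestamp out of a combined-format line."""
    m = TIME_RE.search(line)
    if m is None:
        raise ValueError("no timestamp in line: %r" % line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")


def simulate(log_text, rules=RULES, interval_seconds=3600):
    """Approximate lfd: count matches per (identifier, IP) inside a sliding
    window of interval_seconds and 'ban' once the count reaches the trigger.
    Like the Perl file, only the first matching rule is applied to a line.
    Returns {ip: identifier_that_triggered}."""
    window = timedelta(seconds=interval_seconds)
    hits = defaultdict(list)  # (identifier, ip) -> recent match timestamps
    banned = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts = parse_time(line)
        for ident, rx, trigger in rules:
            m = rx.search(line)
            if m is None:
                continue
            ip = m.group(1)
            if ip not in banned:
                recent = [t for t in hits[(ident, ip)] if ts - t <= window]
                recent.append(ts)
                hits[(ident, ip)] = recent
                if len(recent) >= trigger:
                    banned[ip] = ident
            break  # mirror the Perl 'return' on first match
    return banned


if __name__ == "__main__":
    # Default csf interval (3600 s) versus the 12-hour window asked for in the first post.
    print("1 hour window :", simulate(SAMPLE_LOG))
    print("12 hour window:", simulate(SAMPLE_LOG, interval_seconds=12 * 3600))
```

With the one-hour window only the xmlrpc burst from 198.51.100.7 reaches three hits; the spread-out wp-login attempts from 203.0.113.9 only cross the trigger once the window is widened to twelve hours, which is the "slow login" case the first post wanted to catch. Running this over a copied domlog before enabling permanent blocks is a cheap way to see how many of your own customers' IPs would be caught. The script only exercises the patterns: the Perl file itself must still compile, and since lfd loads regex.custom.pm with require it must keep its trailing true value (the `1;` at the end of the stock file), or lfd fails to start.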
saraedward
Junior Member
Posts: 1
Joined: 23 Nov 2016, 08:55


Also would my custom log path work like this?
Moderated Message:
Please do not put signatures in posts or you risk being banned for spamming
CavemanSean
Junior Member
Posts: 1
Joined: 28 Nov 2016, 06:37


Hello there, I'm wanting to use this on my install of CSF as well; however, I'm not exactly sure how to set this up...
Cadmos wrote:
I registered to answer you:

=- Tested on CentOS 6.7 -=

Triggers on "3" hits (better make it more) of GET or POST of /xmlrpc.php or /wp-login.php, using the default interval setting of csf.conf (3600).

It bans the IP permanently "1" (it requires LF_TRIGGER disabled in csf.conf, or else it ignores the value and uses the default temporary block time 3600).

regex.custom.pm
Code:
# XMLRPC
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/xmlrpc\.php.*" /)) {
    return ("your ban comment",$1,"XMLRPCorWHATEVER","3","80,443,21,25,22,23","1");
}

# WP-LOGINS
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
    return ("your ban comment",$1,"WPLOGINorWHATEVER","3","80,443,21,25,22,23","1");
}

csf.conf
Code:
CUSTOM2_LOG = "/usr/local/apache/domlogs/*/*"

Now I know where the config file is and how to edit that; what I'm not sure of is where this regex.custom.pm file is (or do I make it? And if I do, how do I tie this into CSF?)


I believe I figured it out...
I modified /usr/local/csf/bin/regex.custom.pm and included that text in it (I just tossed it above
#############
# Do not edit beyond this point
), so I hope it's working :\