ConfigServer Community Forum

Working for us - just make sure that the code has copied across/formatted properly. We have this implemented on a number of servers. Here is our formatted code: # XMLRPC if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/xmlrpc\.php.*" /)) { return ("WP X...

This is working very nicely - thanks for your help. Looking forward to the attachment_id block.

Thank you very much. We've implemented that now and we're monitoring. Also we want to block these and appreciate your help: 178.32.12.113 - - [27/Apr/2016:09:21:43 +0800] "GET /?attachment_id=637 HTTP/1.0" 301 - "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit$ 178....

Also would my custom log path work like this?

/usr/local/apache/domlogs/*

I've been playing with a few examples - would these work? if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /(\S+).*wp-login; { return ("WP Login Attack",$1,"SecmasWPLOGIN","10","1"); } if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /(\S+).*xmlrpc; { re...

Hi - we're needing some assistance to get these type of attacks blocked automatically with a custom regex- say 10 login attempts in 12 hours to mitigate slow logins and permanently banned and added to block list where we can remove them if needed in case of customer false attempts. We've tried a few...