Re: Custom REGEX rules for CSF.
Posted: 30 Dec 2023, 20:02
see above post
Peer support forums for ConfigServer Scripts
https://www.forum.configserver.com/
Code:
# Block IP if more than 10 requests in 3600 for wp-login
# $1 captures the client IP (first field of the access-log line); the return fields are
# description, IP, trigger name, trigger count, ports, temporary block length in seconds
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
    return ("WP Login Attack",$1,"WPLOGIN","10","80,443","86400");
}
Code:
Time: Thu Feb 15 22:36:46 2024 -0300
IP: 100.101.102.103 (Example Country/Example ISP/[invalid URL removed])
Failures: 10 (WPLOGIN)
Interval: 3600 seconds
Blocked: Temporary Block for 86400 seconds [LF_CUSTOMTRIGGER]
Log entries:
100.101.102.103 - - [15/Feb/2024:22:31:54 -0300] "GET /wp-login.php?redirect_to=https%3A%2F%[invalid URL removed]%2Fwp-admin%2F&reauth=1 HTTP/2.0" 200 9273 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
100.101.102.103 - - [15/Feb/2024:22:31:57 -0300] "POST /wp-login.php HTTP/2.0" 302 - "[[invalid URL removed]]([invalid URL removed])" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
100.101.102.103 - - [15/Feb/2024:22:33:53 -0300] "GET /wp-login.php?action=logout&_wpnonce=fcc7219067 HTTP/2.0" 302 - "[[invalid URL removed]]([invalid URL removed])" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
100.101.102.103 - - [15/Feb/2024:22:33:54 -0300] "GET /wp-login.php?loggedout=true&wp_lang=es_ES HTTP/2.0" 200 9555 "[[invalid URL removed]]([invalid URL removed])" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
100.101.102.103 - - [15/Feb/2024:22:34:42 -0300] "GET /wp-login.php?redirect_to=https%3A%2F%[invalid URL removed]%2Fwp-admin%2F&reauth=1 HTTP/2.0" 200 9273 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
100.101.102.103 - - [15/Feb/2024:22:34:45 -0300] "POST /wp-login.php HTTP/2.0" 302 - "[[invalid URL removed]]([invalid URL removed])%
Code:
# XMLRPC
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/xmlrpc\.php.*" /)) {
    return ("WP XMLRPC Attack",$1,"XMLRPC","5","80,443","3600");
}
# WP-LOGINS
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
    return ("WP Login Attack",$1,"WPLOGIN","5","80,443","3600");
}
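As an added example (not code from this thread or from csf/lfd), the following Python replays access-log lines through the two regex.custom.pm patterns above and emulates lfd's per-IP trigger counting, so the effect of a rule can be checked against real log lines before it is deployed. The sample log lines are constructed from the entries in the block notification earlier in the thread (referers shortened to "-", plus one unrelated request and one xmlrpc.php request added); LF_INTERVAL = 3600 is taken from the notification's "Interval: 3600 seconds"; the sliding-window counting is an approximation of lfd's behaviour written for this example, not its code.

```python
import re
from datetime import datetime

# Added example: replays Apache access-log lines through the regex.custom.pm patterns
# quoted in the thread and emulates lfd's per-IP trigger counting (approximation).

LF_INTERVAL = 3600  # csf.conf LF_INTERVAL; the notification above reports "Interval: 3600 seconds"

# (trigger name, pattern, trigger count, temp-block seconds), values from the revised rules.
# The patterns are the Perl ones rewritten for Python's re; semantics are the same here.
RULES = [
    ("XMLRPC", re.compile(r'(\S+).*] "\w*(?:GET|POST) /xmlrpc\.php.*" '), 5, 3600),
    ("WPLOGIN", re.compile(r'(\S+).*] "\w*(?:GET|POST) /wp-login\.php.*" '), 5, 3600),
]

TS_RE = re.compile(r'\[([^\]]+)\]')                       # [15/Feb/2024:22:31:54 -0300]
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
REQ_RE = re.compile(r'"(GET|POST) (\S+) [^"]*" (\d{3})')  # method, path, HTTP status

# Constructed sample, modelled on the log entries in the block notification above.
SAMPLE_LOG = """\
100.101.102.103 - - [15/Feb/2024:22:31:54 -0300] "GET /wp-login.php?redirect_to=%2Fwp-admin%2F&reauth=1 HTTP/2.0" 200 9273 "-" "Mozilla/5.0"
100.101.102.103 - - [15/Feb/2024:22:31:57 -0300] "POST /wp-login.php HTTP/2.0" 302 - "-" "Mozilla/5.0"
100.101.102.103 - - [15/Feb/2024:22:33:53 -0300] "GET /wp-login.php?action=logout&_wpnonce=fcc7219067 HTTP/2.0" 302 - "-" "Mozilla/5.0"
100.101.102.103 - - [15/Feb/2024:22:33:54 -0300] "GET /wp-login.php?loggedout=true&wp_lang=es_ES HTTP/2.0" 200 9555 "-" "Mozilla/5.0"
100.101.102.103 - - [15/Feb/2024:22:34:42 -0300] "GET /wp-login.php?redirect_to=%2Fwp-admin%2F&reauth=1 HTTP/2.0" 200 9273 "-" "Mozilla/5.0"
100.101.102.103 - - [15/Feb/2024:22:34:45 -0300] "POST /wp-login.php HTTP/2.0" 302 - "-" "Mozilla/5.0"
198.51.100.7 - - [15/Feb/2024:22:35:01 -0300] "GET /index.php HTTP/2.0" 200 1024 "-" "Mozilla/5.0"
203.0.113.9 - - [15/Feb/2024:22:35:10 -0300] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
"""


def match_rules(line, rules=RULES):
    """Return (trigger name, client IP, block seconds) for the first rule the line
    matches, else None. Mirrors regex.custom.pm, where the first matching 'return' wins."""
    for name, pattern, _count, block_secs in rules:
        m = pattern.search(line)
        if m:
            return name, m.group(1), block_secs
    return None


def counted_requests(log_text, rules=RULES):
    """(trigger, ip, method, path, status) for every line a rule would count.
    The status is whatever the server returned: a 200 or 302 from a normal login or
    logout is counted exactly like a failed attempt, because the patterns key on the URL."""
    out = []
    for line in log_text.splitlines():
        hit = match_rules(line, rules)
        if hit is None:
            continue
        req = REQ_RE.search(line)
        out.append((hit[0], hit[1], req.group(1), req.group(2), req.group(3)))
    return out


def first_block(log_text, rules=RULES, interval=LF_INTERVAL):
    """Emulate lfd's LF_CUSTOMTRIGGER counting (approximation written for this example):
    per (trigger, ip), keep timestamps of counted lines seen in the last `interval`
    seconds; when that window reaches the rule's trigger count, report the block.
    Returns (trigger, ip, timestamp string, failures, block seconds) or None."""
    counts = {name: count for name, _p, count, _b in rules}
    window = {}
    for line in log_text.splitlines():
        hit = match_rules(line, rules)
        if hit is None:
            continue
        name, ip, block_secs = hit
        raw_ts = TS_RE.search(line).group(1)
        ts = datetime.strptime(raw_ts, TS_FMT)
        key = (name, ip)
        recent = [t for t in window.get(key, []) if (ts - t).total_seconds() <= interval]
        recent.append(ts)
        window[key] = recent
        if len(recent) >= counts[name]:
            return name, ip, raw_ts, len(recent), block_secs
    return None


if __name__ == "__main__":
    for row in counted_requests(SAMPLE_LOG):
        print(row)
    print(first_block(SAMPLE_LOG))
```

Replaying the notification's own entries shows what that block illustrates: every GET and POST to wp-login.php is counted, including the 200 and 302 responses of a login, a logout and a second login, so with a trigger count of 5 one ordinary user session trips the rule in under three minutes. Counting only POST requests, or matching the application's own failed-login log instead of the access log, counts attempts rather than page views.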