KNOWNHOST WIKI


How To Configure CSF/LFD to Block WordPress Brute-Force Attacks Using a Custom Regex


WordPress brute-force attacks are a common problem. At a large enough scale, they can cause Out of Memory errors on the server, which in turn result in service failures that make every site on the server display errors or become otherwise inaccessible. There are WordPress web application firewall plugins that can help, but installing and configuring them can be a daunting task if you need to do so for all sites on a server.

A few options exist that can be configured server-wide. One such option is ModSecurity, and another is an unsupported CSF/LFD firewall custom configuration that monitors the domain access logs for these attacks and then blocks the offending IPs. The steps to configure the CSF/LFD option are documented here.

First, edit the file /usr/local/csf/bin/regex.custom.pm.

nano /usr/local/csf/bin/regex.custom.pm

The changes must be made in the middle of the file. You will see several commented lines with instructions for how to use the file, then a blank space, and then the following block, which must be left untouched:

###############################################################################
# Do not edit beyond this point

	return 0;
}

1;

Here is an image showing the editable section of the file:

Add the following custom regex to that blank space:

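    # A POST to wp-login.php answered with 200 is a failed login (a successful one redirects with 302).
    # Return fields: message, offending IP ($1), rule ID, trigger count, ports to block, block time in seconds.
    if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "POST \/wp-login\.php.*" 200/)) {
        return ("Failed WordPress login from",$1,"wordpress","5","80,443","3600");
    }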

Next, edit the configuration file /etc/csf/csf.conf to add the custom log that CSF/LFD will monitor. This will be set to the domain access logs:

nano /etc/csf/csf.conf
  CUSTOM1_LOG = "/etc/apache2/logs/domlogs/*/*"

Lastly, restart CSF/LFD to apply these changes.

csf -r

And that's it! Your CSF/LFD firewall should now monitor the domain access logs and block WordPress brute-force attempts.
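Before restarting CSF/LFD, it helps to see which addresses the rule would count. The following is an added example, not part of the original wiki page or of CSF itself: it applies the same regex to constructed access log lines and lists the IPs that reach the trigger of 5. The helper names, sample lines and the lack of a time window are assumptions made for illustration.

```python
import re
from collections import Counter

# Same pattern as the regex.custom.pm rule; this syntax behaves the same in Perl and Python.
WP_LOGIN_FAIL = re.compile(r'(\S+).*] "POST \/wp-login\.php.*" 200')
TRIGGER = 5  # the "5" in the rule's return list


def log_line(ip, method, path, status):
    """Build one constructed line in Apache combined log format."""
    return (f'{ip} - - [11/Oct/2019:14:00:00 -0500] "{method} {path} HTTP/1.1" '
            f'{status} 3120 "-" "Mozilla/5.0"')


# Constructed sample traffic (documentation IP ranges, not real hosts).
SAMPLE_LOG = (
    [log_line("203.0.113.7", "POST", "/wp-login.php", 200)] * 6      # repeated failures
    + [log_line("198.51.100.20", "POST", "/wp-login.php", 200),      # one mistyped password
       log_line("198.51.100.20", "POST", "/wp-login.php", 302),      # then a successful login
       log_line("198.51.100.20", "GET", "/wp-admin/", 200),
       log_line("192.0.2.33", "GET", "/wp-login.php", 200)]          # only viewed the form
)


def failed_logins(lines):
    """Count rule matches per client IP (the first field captured by the regex)."""
    hits = Counter()
    for line in lines:
        match = WP_LOGIN_FAIL.search(line)
        if match:
            hits[match.group(1)] += 1
    return hits


def would_block(lines, trigger=TRIGGER):
    """IPs whose match count reaches the trigger. Simplified: no time window is applied."""
    return sorted(ip for ip, count in failed_logins(lines).items() if count >= trigger)


if __name__ == "__main__":
    for ip, count in failed_logins(SAMPLE_LOG).most_common():
        print(f"{ip}\t{count}\t{'BLOCK' if count >= TRIGGER else 'ok'}")
```

Passing the lines of a copy of a real domain log to `failed_logins` shows whether legitimate users or a proxy address would be counted before the rule goes live.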

security/csf-lfd/configure-wordpress-using-regex.txt · Last modified: 2019/10/11 14:53 by Karson N.