BFD Custom Rule to check apache logs for Wordpress failed logins


  • #16
    Originally posted by Justec View Post
    I got it figured out. At some point InterWorx changed how the logs work. They make a log with the current day's date in the filename and then symbolic link to it.
    transfer.log -> transfer-2018-07-18.log

    For some reason the BFD script doesn't like that, so I found a workaround to look for the actual file by inserting the date into it.
    I created a date variable which spits out YYYY-MM-DD which is then inserted into the file name.

    Code:
    # failed logins from a single address before ban
    # uncomment to override conf.bfd trig value
    TRIG="30"
    
    THEDATE=$( date +"%F" )
    
    # file must exist for rule to be active
    REQ="/home/site/var/site.com/logs/transfer-$THEDATE.log"
    
    if [ -f "$REQ" ]; then
    LP="/home/site/var/site.com/logs/transfer-$THEDATE.log"
    TLOG_TF="site-httpd"
    
    ## HTTPD
    ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | sed -e 's/::ffff://' | grep -E 'POST /wp-login.php' | awk '{print$1}'`
    fi
    Hi Justin

    Did you ever find a way to apply this rule to all sites in the home directory?
    Got a few issues with some WordPress sites.
    Thank you
    Gary T



    • #17
      Hi Bear

      I hope you're well and keeping safe

      I am not sure if Justec did but we use word defence plugin for WP, which bans

      Many thanks and stay safe

      John



      • #18
        Originally posted by d2d4j View Post
        Hi Bear

        I hope you're well and keeping safe

        I am not sure if Justec did but we use word defence plugin for WP, which bans

        Many thanks and stay safe

        John
        I will give it a try,
        thank you and stay safe
        Gary T



        • #19
          Code:
          # wordpress admin login ban
          # failed logins from a single address before ban
          # uncomment to override conf.bfd trig value
          TRIG="3"
          
          THEDATE=$( date +"%F" )
          
          # file must exist for rule to be active
          REQ="/home/sites/var/my domain/logs/transfer-ssl-$THEDATE.log"
          
          if [ -f "$REQ" ]; then
          LP="/home/sites/var/my domain/logs/transfer-ssl-$THEDATE.log"
          TLOG_TF="site-httpd"
          
          ## HTTPD
          ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | sed -e 's/::ffff://' | grep -E 'POST /wp-login.php HTTP/1.1" 200' | awk '{print$1}'`
          fi
          Used Justin's rule on some individual sites and obviously updated the log file path (my site uses SSL), and added to the wp-login.php match: HTTP/1.1" 200 (the 200 is incorrect login tries).
          Works really well.
          Gary T
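
One way to cover every site at once, as asked in #16 (an added example, not code from the thread or from BFD): a stand-alone scan that applies the match from #19 to each site's dated log. The function names, the `ROOT/<account>/var/<domain>/logs/` layout and the Apache combined log format are assumptions generalised from the posts, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not BFD code): count POSTs to /wp-login.php answered with 200,
# per client IP, across every site's dated transfer log.
# Assumed layout, generalised from the posts: ROOT/<account>/var/<domain>/logs/
# Assumed format: Apache combined log (field 1 = client, field 9 = status).

# wp_failed_logins ROOT TRIG [YYYY-MM-DD]  ->  prints "COUNT IP", highest first
wp_failed_logins() {
    local root trig day f
    root=$1 trig=$2 day=${3:-$(date +%F)}
    set --                       # reuse "$@" as the list of log files found
    for f in "$root"/*/var/*/logs/transfer-"$day".log \
             "$root"/*/var/*/logs/transfer-ssl-"$day".log; do
        if [ -f "$f" ]; then set -- "$@" "$f"; fi
    done
    [ "$#" -gt 0 ] || return 0   # no log for that date: nothing to report
    awk -v trig="$trig" '
        { sub(/^::ffff:/, "", $1) }               # IPv4-mapped IPv6 -> IPv4
        $6 == "\"POST" && $7 == "/wp-login.php" && $9 == "200" { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= trig) print hits[ip], ip }
    ' "$@" | sort -k1,1nr -k2,2
}

# wp_demo [TRIG]: build constructed sample logs for two sites and scan them
wp_demo() {
    local tmp fmt
    tmp=$(mktemp -d) || return 1
    fmt='%s - - [18/Jul/2018:10:00:00 +0000] "%s /wp-login.php HTTP/1.1" %s 512 "-" "ua"\n'
    mkdir -p "$tmp/acct1/var/a.example/logs" "$tmp/acct2/var/b.example/logs"
    {   printf "$fmt" 203.0.113.5 POST 200
        printf "$fmt" 203.0.113.5 POST 200
        printf "$fmt" 198.51.100.7 POST 302      # redirect: not counted
        printf "$fmt" 198.51.100.7 GET 200       # viewing the form: not counted
    } > "$tmp/acct1/var/a.example/logs/transfer-2018-07-18.log"
    {   printf "$fmt" ::ffff:203.0.113.5 POST 200
        printf "$fmt" 198.51.100.7 POST 200
    } > "$tmp/acct2/var/b.example/logs/transfer-ssl-2018-07-18.log"
    wp_failed_logins "$tmp" "${1:-3}" 2018-07-18
    rm -rf "$tmp"
}
```

Unlike a per-site rule, this adds up an address's attempts across all sites and over the whole day's file, so the threshold should be chosen with that in mind.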
