https://github.com/tmiland/csf-custom-regex/blob/master/regex.custom.pm
Edit your /etc/csf/csf.conf like below:
CUSTOM1_LOG = "/var/log/httpd/domains/*.log"
Add the following rules to the /usr/local/csf/bin/regex.custom.pm file. If it does not exist, create it.
Then add the code below:
# XMLRPC: any GET/POST to xmlrpc.php in the CUSTOM1_LOG files; $1 is the client IP
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/xmlrpc\.php.*" /)) {
return ("WP XMLRPC Attack",$1,"XMLRPC","5","80,443","1");
}
# WP-LOGINS: any GET/POST to wp-login.php
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
return ("WP Login Attack",$1,"WPLOGIN","5","80,443","1");
}
The file should look similar to this example:
sub custom_line {
my $line = shift;   # one log line as read by lfd
my $lgfile = shift; # the log file the line came from
# POST to wp-login.php or xmlrpc.php answered with 200 or 401 (a successful login returns a redirect instead)
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^(\S+).*POST.*(wp-login\.php|xmlrpc\.php).* (200|401)/)) {
return ("Unauthorized",$1,"WPLOGINorWHATEVER","10","80,443","14400");
}
return 0;
}
1;
Finally, restart CSF and check that LFD is doing its new job:
csf -r
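Before deploying a custom_line rule it is worth running it over sample log lines, because a loose pattern blocks legitimate visitors. The following Python script is an added example, not part of the page or of CSF: it mirrors the return tuple of the custom_line sub above, runs the page's third regex over constructed Apache combined-format lines, and shows that its unanchored ` (200|401)` also matches inside a response-size field such as "4011", which a quote-anchored variant (an assumption of this example) avoids.

```python
import re

# Constructed Apache combined-format log lines (not from the page) used to exercise the rules.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3892 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Mar/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [05/Mar/2024:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 3892 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [05/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 4011 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [05/Mar/2024:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 15233 "-" "Mozilla/5.0"',
]

# The page's third rule, carried over verbatim from Perl to Python's re.
PAGE_RULE = re.compile(r'^(\S+).*POST.*(wp-login\.php|xmlrpc\.php).* (200|401)')
# Tightened variant (assumption of this example): the status code must be the field
# immediately after the request's closing quote, so sizes like 4011 cannot match.
STRICT_RULE = re.compile(r'^(\S+).*"POST /(?:wp-login\.php|xmlrpc\.php)[^"]*" (200|401) ')


def custom_line(line, rule=STRICT_RULE):
    """Mirror lfd's custom_line(): return the block tuple, or 0 when the line is not of interest."""
    m = rule.search(line)
    if m:
        # (reason, ip, trigger name, hit limit, ports, block seconds) as in regex.custom.pm
        return ("Unauthorized", m.group(1), "WPLOGINorWHATEVER", "10", "80,443", "14400")
    return 0


def offending_ips(lines, rule=STRICT_RULE):
    """Count hits per source IP, the way lfd accumulates trigger hits before blocking."""
    counts = {}
    for line in lines:
        hit = custom_line(line, rule)
        if hit:
            counts[hit[1]] = counts.get(hit[1], 0) + 1
    return counts


if __name__ == "__main__":
    print("page rule  :", offending_ips(SAMPLE_LOG, PAGE_RULE))
    print("strict rule:", offending_ips(SAMPLE_LOG, STRICT_RULE))
```

With the page's rule the 302 redirect line (a login that succeeded) is counted against 198.51.100.4 because of the "4011" size field; the strict rule counts only the two 200 responses from 203.0.113.7.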