How to block XMLRPC Attacks using CSF


First, tell CSF which log files to watch, so that lfd can search them for wp-login.php and xmlrpc.php requests.

Now, edit your csf.conf:

nano /etc/csf/csf.conf

Locate the line: CUSTOM1_LOG = "/var/log/customlog"
and replace it with: CUSTOM1_LOG = "/usr/local/apache/domlogs/*/*"

That glob covers the per-domain Apache access logs on a cPanel server; if your web server writes its access logs elsewhere, point CUSTOM1_LOG at that path instead.


Now, add two rules to CSF's custom regex file so that lfd can detect and block these requests.

nano /usr/local/csf/bin/regex.custom.pm

Add the following code below the "Do not edit before this point" marker:

# Block the IP after 5 requests for wp-login.php within LF_INTERVAL (3600 seconds by default)
# Return fields: block reason, offending IP ($1), block identifier, number of matches
# needed to trigger the block, ports to block, block type (1 = permanent block)
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
	return ("WP Login Attack",$1,"WPLOGIN","5","80,443","1");
}

# Block the IP after 5 requests for xmlrpc.php within LF_INTERVAL (3600 seconds by default)
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/xmlrpc\.php.*" /)) {
	return ("WP XMLRPC Attack",$1,"XMLRPC","5","80,443","1");
}


Restart CSF and lfd to apply the changes:

csf -r
service lfd restart
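To check the two patterns before lfd runs them, here is an added standalone Perl script (not from the original post and not part of CSF) that applies the same regexes to constructed Apache combined-log lines and counts hits per rule and IP up to the trigger value of 5. The IP addresses and log lines are constructed sample data; the LF_INTERVAL time window that lfd applies is not modelled.

```perl
#!/usr/bin/perl
# Added example, not part of CSF or the original post: run the two
# regex.custom.pm patterns over constructed log lines and count matches
# per rule and IP, reporting when the trigger count of 5 is reached.
use strict;
use warnings;

# Constructed sample lines: 192.0.2.10 hits xmlrpc.php six times,
# 203.0.113.5 hits wp-login.php once, 198.51.100.7 is ordinary traffic.
my @lines;
push @lines, qq(192.0.2.10 - - [10/Oct/2023:13:55:0$_ +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0") for 0 .. 5;
push @lines, qq(203.0.113.5 - - [10/Oct/2023:13:57:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2500 "-" "curl/7.88.1");
push @lines, qq(198.51.100.7 - - [10/Oct/2023:13:56:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0");

my $trigger = 5;   # fourth return field of the rules in regex.custom.pm

# Same patterns as the rules above; returns (identifier, ip) on a match, else ().
sub classify {
    my ($line) = @_;
    if ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /) { return ("WPLOGIN", $1) }
    if ($line =~ /(\S+).*] "\w*(?:GET|POST) \/xmlrpc\.php.*" /)   { return ("XMLRPC",  $1) }
    return ();
}

# Count hits per (identifier, IP); lfd would block on the $trigger-th hit.
my %hits;
for my $line (@lines) {
    my ($id, $ip) = classify($line) or next;   # skip lines that match neither rule
    my $n = ++$hits{$id}{$ip};
    print "$id $ip hit $n\n";
    print "$id $ip would be blocked on ports 80,443 (trigger $trigger reached)\n" if $n == $trigger;
}
```

The index.php line never matches, the wp-login.php line produces a single hit, and the xmlrpc.php source reaches the trigger on its fifth request.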

About the Author: Bipul