From: Tony Z. <ton...@gm...> - 2018-01-25 16:34:10
Hello, I tried to implement WordPress login brute force protection with my SSHGuard 2.1.0 (2.1.0-1 from the Arch Linux repo), and found that SSHGuard will not react to access log entries for attempts on wp-login.php if there is an argument passed to wp-login.php. I am using iThemes Security to hide my wp-login.php address, and when a failed login happens, the following log line was captured:

    server nginx: my.client.ip.addr - - [25/Jan/2018:11:20:57 -0500] "POST /wp-login.php?itsec-hb-token=somewploginentry HTTP/2.0" 200 2159 "https://my.server.domain.tld/wp-login.php?itsec-hb-token=somewploginentry" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:58.0) Gcko/20100101 Firefox/58.0"

The journalctl command used by SSHGuard can capture this message, but SSHGuard does not react to it (there is no message like "my.client.ip.addr" on service 370 with danger 10.). Could the WORDPRESS_LOGIN variable in attack_scanner.l be the problem? I saw it was defined as .*"/wp-login"(\.php)?, and I guess the regex needs to allow additional strings after the question mark.

Thanks for your great work on SSHGuard!
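The following is an added illustration of the matching problem described in the post; it is not SSHGuard's code. The STRICT pattern is an assumed approximation of a rule that accepts /wp-login or /wp-login.php only when the HTTP version follows immediately, and the RELAXED pattern adds an optional query string. The log lines and the 203.0.113.5 address are constructed.

```python
import re

# Constructed nginx access-log lines modelled on the one in the post (not real traffic).
# A failed WordPress login returns status 200, which is why the patterns key on " 200 ".
LOG_LINES = [
    'nginx: 203.0.113.5 - - [25/Jan/2018:11:20:57 -0500] '
    '"POST /wp-login.php HTTP/1.1" 200 2159 "-" "Mozilla/5.0"',
    'nginx: 203.0.113.5 - - [25/Jan/2018:11:20:57 -0500] '
    '"POST /wp-login.php?itsec-hb-token=somewploginentry HTTP/2.0" 200 2159 "-" "Mozilla/5.0"',
    'nginx: 203.0.113.5 - - [25/Jan/2018:11:21:03 -0500] '
    '"GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

# Assumed approximation of the behaviour the post describes: the request path must be
# exactly /wp-login or /wp-login.php, immediately followed by the HTTP version, so any
# query string (as added by the iThemes Security "hide backend" token) breaks the match.
STRICT = re.compile(
    r'^\S+: (?P<ip>\S+) .*"POST /wp-login(\.php)? HTTP/[0-9.]+" 200 '
)

# Relaxed form: permit an optional query string (anything but space or quote) after the path.
RELAXED = re.compile(
    r'^\S+: (?P<ip>\S+) .*"POST /wp-login(\.php)?(\?[^ "]*)? HTTP/[0-9.]+" 200 '
)


def login_attempt_ips(pattern, lines):
    """Return the client IP of every line the pattern classifies as a WordPress login attempt."""
    hits = []
    for line in lines:
        m = pattern.match(line)
        if m:
            hits.append(m.group('ip'))
    return hits


if __name__ == '__main__':
    print('strict :', login_attempt_ips(STRICT, LOG_LINES))
    print('relaxed:', login_attempt_ips(RELAXED, LOG_LINES))
```

Run stand-alone, the strict pattern reports one attempt (the plain /wp-login.php request) and the relaxed pattern reports two, while the unrelated GET /index.php line is ignored by both. Restricting the query string to `[^ "]*` keeps the pattern from running past the closing quote of the request line.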