[SSHGuard-users] A minor bug in Wordpress brute force protection

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Hello,

I tried to implement Wordpress login brute force protection with my
SSHGuard 2.1.0 (2.1.0-1 from Arch Linux repo), and found that SSHGuard will
not react to access log of attempts to wp-login.php if there is an argument
passed to wp-login.php.

I am using iTheme Security to hide my wp-login.php address, and when a
failed login happens, the following log was captured:

server nginx: my.client.ip.addr - - [25/Jan/2018:11:20:57 -0500] "POST
/wp-login.php?itsec-hb-token=somewploginentry HTTP/2.0" 200 2159 "
https://my.server.domain.tld/wp-login.php?itsec-hb-token=somewploginentry"
"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:58.0) Gcko/20100101
Firefox/58.0"

And the journalctl command used by SSHGuard can capture this message, but
SSHGuard does not react to it (like "my.client.ip.addr" on service 370 with*
danger 10*.").

Could it be the WORDPRESS_LOGIN variable in attack_scanner.l the problem? I
saw it was defined as .*"/wp-login"(\.php)?, I guess the regex need to
allow addtional strings after the question mark.

Thanks for your great work on SSHGuard!

[SSHGuard-users] A minor bug in Wordpress brute force protection

Intelligently block brute-force attacks by aggregating system logs

[SSHGuard-users] A minor bug in Wordpress brute force protection