From: Gary <li...@la...> - 2018-01-27 19:03:29
I hadn't realized you were looking at web server logs. I don't run WordPress, but I use Nginx maps to snag all these obvious hackers. Perhaps a different approach, at least for Nginx users, would be to look for the 444 response code rather than trying to come up with regex for every scenario. On my FreeBSD server, I've been using swatch to give the hacker a three minute timeout. From my experiments, that is what it takes for these hacking scripts like Jorgee to go away. They must have 60+ attacks in Jorgee. These are all easy enough for a non-coder like me to snap with a map. I think it would be more flexible, at least for Nginx, to just look for 444. Actually what I do is set up a custom log format so I can easily parse the log for the 444 return and then the IP address. I have a script to make a list of the offending IP addresses and see which go to data centers. I then block the IP space of that data center and then the pest is gone forever.

Original Message
From: kev...@gm...
Sent: January 27, 2018 10:42 AM
To: ssh...@li...; ton...@gm...
Subject: Re: [SSHGuard-users] A minor bug in Wordpress brute force protection

Hi Tony,

Thanks for the report.

On 01/25/2018 08:33, Tony Zhou wrote:
> I tried to implement Wordpress login brute force protection with my
> SSHGuard 2.1.0 (2.1.0-1 from Arch Linux repo), and found that SSHGuard
> will not react to access log of attempts to wp-login.php if there is an
> argument passed to wp-login.php.
>
> I am using iTheme Security to hide my wp-login.php address, and when a
> failed login happens, the following log was captured:
>
> server nginx: my.client.ip.addr - - [25/Jan/2018:11:20:57 -0500] "POST
> /wp-login.php?itsec-hb-token=somewploginentry HTTP/2.0" 200 2159
> "https://my.server.domain.tld/wp-login.php?itsec-hb-token=somewploginentry"
> "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:58.0) Gcko/20100101
> Firefox/58.0"

I didn't expect to see the '?' in POST requests, so the parser does not recognize characters after 'wp-login.php' when detecting the attack. I think I'll go ahead and add a catch-all to the regex?

--
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
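As an added example (not code from Gary, Kevin or the SSHGuard project), the two approaches in this thread side by side in Python: a parser for Nginx access log lines of the shape Tony reported, a narrow wp-login.php pattern that misses the query string beside the catch-all Kevin proposes, and Gary's count of client IPs that Nginx answered with 444. The log lines, addresses and function names are constructed for the example.

```python
import re
from collections import Counter

# Nginx combined log format, optionally prefixed by a syslog "server nginx:" tag
# as in Tony's report. Captures client IP, request line parts and status code.
LOG_RE = re.compile(
    r'^(?:\S+ nginx: )?(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>[^\s?"]+)(?:\?(?P<query>[^\s"]*))? [^"]*" '
    r'(?P<status>\d{3}) '
)

# Narrow match: assumes the request line ends right after wp-login.php, so a
# query string ("?itsec-hb-token=...") defeats it. This is what Tony observed.
NARROW_WP_RE = re.compile(r'"POST /wp-login\.php HTTP/')
# Catch-all after wp-login.php, as Kevin proposes: any query string is accepted.
FIXED_WP_RE = re.compile(r'"POST /wp-login\.php(?:\?[^\s"]*)? HTTP/')


def parse_line(line):
    """Return ip/method/path/query/status as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def wp_login_ip(line, pattern=FIXED_WP_RE):
    """Return the client IP if `line` is a POST to wp-login.php under `pattern`, else None."""
    entry = parse_line(line)
    if entry and pattern.search(line):
        return entry["ip"]
    return None


def ips_returning_444(lines):
    """Gary's approach: per client IP, count the requests Nginx closed with status 444."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry and entry["status"] == "444":
            counts[entry["ip"]] += 1
    return counts


# Constructed sample lines (RFC 5737 addresses); the first mirrors Tony's log line.
SAMPLE_LOGS = [
    'server nginx: 203.0.113.5 - - [25/Jan/2018:11:20:57 -0500] "POST /wp-login.php?itsec-hb-token=somewploginentry HTTP/2.0" 200 2159 "-" "Mozilla/5.0"',
    'server nginx: 198.51.100.7 - - [25/Jan/2018:11:21:03 -0500] "POST /wp-login.php HTTP/1.1" 200 2159 "-" "Mozilla/5.0"',
    'server nginx: 198.51.100.7 - - [25/Jan/2018:11:21:09 -0500] "GET /admin/ HTTP/1.1" 444 0 "-" "Mozilla/5.0"',
    'server nginx: 198.51.100.7 - - [25/Jan/2018:11:21:10 -0500] "GET /backup/ HTTP/1.1" 444 0 "-" "Mozilla/5.0"',
]
```

Running `wp_login_ip(SAMPLE_LOGS[0], NARROW_WP_RE)` returns None while the default catch-all pattern returns the client IP, which is exactly the gap Tony hit.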