DirectAdmin

Block wp-login and xmlrpc brute force attacks with CSF / DirectAdmin

Brute-force requests against xmlrpc.php and wp-login.php are among the most common attacks on WordPress installations. With the CSF firewall (and its lfd daemon) we can detect them in the web server logs and block the source IPs.

First we tell CSF where the web server access logs live by setting one of the CUSTOMx_LOG entries to that log directory, so lfd can search those files for wp-login.php and xmlrpc.php requests.
Edit your /etc/csf/csf.conf like below:
CUSTOM1_LOG = "/var/log/httpd/domains/*.log"
If CUSTOM1_LOG is already in use, pick another free slot (CUSTOM2_LOG, and so on) and reference that same name in the rules below.

Next we add custom rules so that lfd is able to recognise and block those attacks.

The rules go into the /usr/local/csf/bin/regex.custom.pm file. If it is not there, create it.

Then we add the code below:

# XMLRPC: match any GET or POST to xmlrpc.php in the CUSTOM1_LOG files.
# $1 is the first field of the combined log line, i.e. the client IP.
# Return values: text logged to lfd.log, IP to block, rule name,
# trigger count (block after 5 matches), ports to block, block type
# (1 = permanent; a larger value is a temporary block for that many seconds).
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/xmlrpc\.php.*" /)) {
    return ("WP XMLRPC Attack",$1,"XMLRPC","5","80,443","1");
}

# WP-LOGIN: same for wp-login.php, tracked under its own rule name so the
# two counters are kept separate.
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
    return ("WP Login Attack",$1,"WPLOGIN","5","80,443","1");
}
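
Before the rules go live it is worth seeing what they would do against your own logs. The script below is an added example, not part of the original post or of CSF: it replays the two match conditions (as awk/ERE equivalents of the Perl regexes above) over a constructed sample of Apache combined-format log lines, counts matches per client IP, and prints the IPs that would reach the trigger count of 5. The sample lines and the documentation IPs in them are constructed; point count_hits at a real /var/log/httpd/domains/*.log file to run it on your own traffic.

```shell
#!/bin/sh
# Added example (not from the original post or from CSF): dry run of the two
# regex.custom.pm match conditions against constructed log lines. The patterns
# are awk/ERE equivalents of the Perl regexes used in the rules.
XMLRPC_PAT='"[A-Za-z]*(GET|POST) /xmlrpc[.]php'
WPLOGIN_PAT='"[A-Za-z]*(GET|POST) /wp-login[.]php'
TRIGGER=5   # same value as the fourth return field in the rules

# count_hits PATTERN LOGFILE: print "ip count" for every IP with a match.
# In the combined log format the client IP is the first field ($1), which is
# also what the Perl capture (\S+) picks up.
count_hits() {
    awk -v pat="$1" '$0 ~ pat { hits[$1]++ }
        END { for (ip in hits) print ip, hits[ip] }' "$2" | sort
}

# would_block PATTERN TRIGGER LOGFILE: print the IPs that reach the trigger.
# lfd additionally requires the matches to fall within LF_INTERVAL, which a
# static file replay cannot reproduce, so treat this as an upper bound.
would_block() {
    count_hits "$1" "$3" | awk -v trigger="$2" '$2 >= trigger { print $1 }'
}

# Constructed sample log using RFC 5737 documentation addresses. The rules
# look only at the request line, never at the status code: 198.51.100.45
# logged in successfully on the fifth attempt (302) but still hits the trigger.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:14:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2841 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:14:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:14:01:21 +0000] "GET /wp-admin/ HTTP/1.1" 200 51200 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:14:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2023:14:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2023:14:05:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2023:14:05:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2023:14:05:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "python-requests/2.31"
198.51.100.45 - - [10/Oct/2023:14:10:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.45 - - [10/Oct/2023:14:10:25 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.45 - - [10/Oct/2023:14:10:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.45 - - [10/Oct/2023:14:10:58 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.45 - - [10/Oct/2023:14:11:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF

echo "xmlrpc.php hits per IP:";   count_hits "$XMLRPC_PAT" "$SAMPLE_LOG"
echo "wp-login.php hits per IP:"; count_hits "$WPLOGIN_PAT" "$SAMPLE_LOG"
echo "IPs the XMLRPC rule would block:";  would_block "$XMLRPC_PAT" "$TRIGGER" "$SAMPLE_LOG"
echo "IPs the WPLOGIN rule would block:"; would_block "$WPLOGIN_PAT" "$TRIGGER" "$SAMPLE_LOG"
```

The replay makes the main caveat of these rules visible: they count every request to the two files regardless of outcome, so a real user who mistypes a password a few times, or a legitimate XML-RPC client such as the Jetpack plugin or the WordPress mobile apps, counts toward the same trigger as a bot. Put the IPs of your own admins and of any known XML-RPC clients in /etc/csf/csf.ignore (addresses lfd will not block) before enabling the rules, and watch the per-IP counts on real logs for a day to decide whether 5 is the right trigger for your site.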

Finally we restart CSF and check that lfd is doing its new job:

csf -r

Since regex.custom.pm is loaded by lfd rather than by the firewall rules, lfd has to be restarted as well (csf -ra restarts both). New blocks then appear in /var/log/lfd.log under the rule text "WP XMLRPC Attack" or "WP Login Attack".