

Modsecurity and CSF regex




Posted by SAHostKing, 06-23-2015, 01:13 PM
I need assistance on a regex to block this via CSF, say after 5 failed attempts:

[Thu Jun 11 08:45:40.512566 2015] [:error] [pid 40857:tid 140173587228416] [client 168.63.216.42] ModSecurity: [file "/usr/local/apache/conf/modsec2.user.conf"] [line "37"] [id "5000135"] [msg "ip address blocked for 5 minutes, more than 10 login attempts in 3 minutes."] Access denied with code 401 (phase 2). Operator GT matched 0 at USER:bf_block. [hostname "domainname"] [uri "/wp-login.php"] [unique_id "VXkulMXyRLQAAJ@ZNuMAAAJJ"]

Could someone please help?

Posted by diman, 06-24-2015, 05:55 AM
I suggest you use fail2ban for this purpose - http://envyandroid.com/fail2ban-word...login-attacks/ Or you could decrease the number of failed login attempts using the Change Amount of Failed Logins option (https://smyl.es/how-to-block-wp-logi...rver-firewall/).

Posted by brianoz, 06-27-2015, 08:22 PM
If you're using the ModSec pattern that everyone else has been using to limit wp-login.php attempts, I think you might find that subsequent attempts get logged and if there are enough, CSF would ban based on those. I'm not sure, though my memory may be incorrect, that CSF directly supports wp-login.php detection otherwise (and it kind of doesn't need to, given the above).

Posted by DewlanceHosting, 06-27-2015, 09:36 PM
What type of help are you looking for? Do you have root access? If you are using cPanel and want to disable this, then log in to your WHM >> Modsecurity.. Disable rule.

Posted by Srv24x7, 07-04-2015, 03:11 AM
Hi, have you tried enabling the LF_MODSEC option that is given in CSF? You can create a filter on this, just like what you want, to block the IP on subsequent IP being found triggering modsecurity.

Posted by sabrina84, 07-04-2015, 01:01 PM
Go for @dilman's offer. Last edited by Postbox; 07-04-2015 at 10:02 PM.
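The match the original poster asks for, as an added example that is not part of the thread or of CSF's own code: a regex for the quoted ModSecurity log line plus a per-IP counter that flags an address after 5 denials by rule 5000135. The 5-minute counting window, the function names and the 203.0.113.7 / 198.51.100.9 sample addresses are assumptions; the pattern uses only syntax shared by Python and Perl regular expressions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Anchored at line start so the IP is taken only from Apache's own [client ...]
# field, never from request-controlled text later in the line (msg, uri).
# Groups: 1 = timestamp, 2 = client IP, 3 = ModSecurity rule id, 4 = URI.
MODSEC_DENY = re.compile(
    r'^\[(\w{3} \w{3} +\d+ \d+:\d+:\d+\.\d+ \d{4})\] \[:error\] \[pid [^\]]+\] '
    r'\[client (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\] ModSecurity: .*?'
    r'\[id "(\d+)"\].*?Access denied with code \d+.*?\[uri "([^"]*)"\]'
)

def offenders(lines, rule_id="5000135", limit=5, window=timedelta(minutes=5)):
    """IPs with at least `limit` denials by `rule_id` inside `window` (assumed 5 min)."""
    recent, flagged = defaultdict(deque), []
    for line in lines:
        m = MODSEC_DENY.match(line)
        if not m or m.group(3) != rule_id:
            continue
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S.%f %Y")
        ip, hits = m.group(2), recent[m.group(2)]
        hits.append(ts)
        while ts - hits[0] > window:      # drop hits older than the window
            hits.popleft()
        if len(hits) >= limit and ip not in flagged:
            flagged.append(ip)
    return flagged

def sample_line(clock, ip, uri="/wp-login.php", rule="5000135"):
    """Constructed test line in the layout of the log entry quoted in the thread."""
    return ('[Thu Jun 11 %s 2015] [:error] [pid 40857:tid 140173587228416] '
            '[client %s] ModSecurity: [file "/usr/local/apache/conf/modsec2.user.conf"] '
            '[line "37"] [id "%s"] [msg "ip address blocked for 5 minutes, more than 10 '
            'login attempts in 3 minutes."] Access denied with code 401 (phase 2). '
            'Operator GT matched 0 at USER:bf_block. [hostname "domainname"] '
            '[uri "%s"] [unique_id "constructed"]' % (clock, ip, rule, uri))

SAMPLE = (
    [sample_line("08:45:%02d.512566" % s, "168.63.216.42") for s in (40, 45, 50, 55, 59)]
    + [sample_line("08:46:%02d.000001" % s, "203.0.113.7") for s in (1, 2, 3, 4)]
    # The URI names another address; only the real [client] field may count.
    + [sample_line("08:46:05.000001", "198.51.100.9", uri="/wp-login.php?[client 203.0.113.7]")]
    + [sample_line("08:46:06.000001", "198.51.100.9", rule="5000999")]   # other rule: ignored
)

if __name__ == "__main__":
    print(offenders(SAMPLE))
```

Because the expression is anchored to the start of the line, text in the request URI that imitates a `[client ...]` field cannot add hits to another address's count.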


