Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
#!/bin/bash
# this script will help mitigate wp-login and xmlrpc attacks for servers that not use imunify modsecrules, if you server use it, you dont need install it
# this is the first version, and we will work alot on that
run() {
#moving old regex.custom to be safe on this action
mv /usr/local/csf/bin/regex.custom.pm /usr/local/csf/bin/regex.custom.pm.bkp
# download custom regex.custom
wget --quiet https://gist.githubusercontent.com/igorhrq/5ddc40f4d55e190bd41edc33da95eebc/raw/d23135cc0128a4ce8c3e98d11e331fbbb051b2f5/gistfile1.txt -O /usr/local/csf/bin/regex.custom.pm
# added variable on csf.conf
sed -i '/DEBUG =/ a CUSTOM49_LOG = "/var/log/apache2/domlogs/*/*"' /etc/csf/csf.conf
#check if everything was added fine on last line of csf.conf
egrep "CUSTOM49_LOG =".*"" /etc/csf/csf.conf
if [ $? -eq 0 ]
then
echo "csf.conf was received the right configuration"
else
echo "Sorry, csf.conf is not configured yet, please proceed doing this configuration manually"
fi
# restart csf and lfd
service lfd restart && csf -r >/dev/null 2>&1
echo -e "csf and lfd was restarted"
echo "the configuration was finished, all events now of bruteforce attacks on wp-login and XMLRPC should be find on var\/log\/lfd.log"
echo "example -> \(WPLOGIN\) WP Login Attack 77.zzz.zzz.13 (-) 10 in the last 3600 secs - Blocked in csf port=80"
}
run
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment