How To Unblock an IP Address in CSF
Let’s say that you want to check whether or not a specific IP address, maybe 8.8.8.8, is blocked by CSF. That’s easy!
csf -g 8.8.8.8
Unblock an IP Address
If the IP address is denied in CSF and you want to remove it, then use this command:
csf -dr 8.8.8.8
CSF then needs to be restarted for the change to take effect:
csf -r
https://www.liquidweb.com/kb/how-to-unblock-an-ip-address-in-csf/
Block wp-login and xmlrpc brute force attacks with CSF / cPanel
Another great countermeasure against “flooders” hitting your WordPress installations, this time with the CSF firewall. I had massive brute-force attacks on WordPress installations on a cPanel server, which were causing very high server load. Here is a great way to block the abusers with CSF.
First, create a custom log so that CSF can search it for wp-login.php and xmlrpc.php requests. Edit your /etc/csf/csf.conf as below:
CUSTOM1_LOG = "/var/log/apache2/domlogs/*/*"
Because the majority of these attacks come from a few well-known countries, you may want to whitelist the countries whose users shouldn’t be blocked. Add the list of whitelisted countries to CC_IGNORE.
Then you must create custom functions for CSF so that it can block those attacks. Add the following to your /usr/local/csf/bin/regex.custom.pm file; if the file is not there, create it:
# Return values: message, offending IP, rule ID, trigger count, ports to block, 1 = permanent block
# XMLRPC
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/xmlrpc\.php.*" /)) {
return ("WP XMLRPC Attack",$1,"XMLRPC","5","80,443","1");
}
# WP-LOGINS
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
return ("WP Login Attack",$1,"WPLOGIN","5","80,443","1");
}
Restart CSF and check that LFD is doing its new job. On success you should see something like this:
May 10 11:33:16 cp lfd[589350]: (WPLOGIN) WP Login Attack 4.4.4.4 (PL/Poland/s1.hekko.net.pl): 5 in the last 600 secs - *Blocked in csf* [LF_CUSTOMTRIGGER]
May 10 11:33:36 cp lfd[589587]: (WPLOGIN) WP Login Attack 5.5.5.5 (TR/Turkey/5.5.5.5.linuxhosting.com.tr): 5 in the last 600 secs - *Blocked in csf* [LF_CUSTOMTRIGGER]
May 10 11:34:24 cp lfd[590012]: (WPLOGIN) WP Login Attack 6.6.6.6 (DE/Germany/static.6.6.6.6.clients.your-server.de): 5 in the last 600 secs - *Blocked in csf* [LF_CUSTOMTRIGGER]
83247]: (WPLOGIN) WP Login Attack 7.7.7.7 (VN/Vietnam/-): 5 in the last 600 secs - *Blocked in csf* [LF_CUSTOMTRIGGER]
…
Requests from ignored countries should look like this:
May 10 11:45:36 cp lfd[591718]: WP Login Attack 1.1.1.1 - ignored
May 10 11:45:41 cp lfd[591718]: WP Login Attack 2.2.2.2 - ignored
…
I hope this helps.
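Before restarting CSF, the two patterns can be dry-run against access log lines to see what they match and what they miss. This is an added example, not part of the original post or of CSF: the patterns are carried over to Python's re, the sliding-window count is a simplified assumption about how the "5 in the last 600 secs" threshold is applied, and the log lines and addresses are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# The two patterns from regex.custom.pm above, carried over to Python's re.
RULES = {
    "XMLRPC": re.compile(r'(\S+).*] "\w*(?:GET|POST) /xmlrpc\.php.*" '),
    "WPLOGIN": re.compile(r'(\S+).*] "\w*(?:GET|POST) /wp-login\.php.*" '),
}
STAMP = re.compile(r"\[([^\]]+)\]")  # [10/May/2024:11:30:00 +0000]
TRIGGER, WINDOW = 5, 600  # "5 in the last 600 secs" in the lfd output

def match_rule(line):
    """Return (rule_id, client_ip) for the first matching rule, else None."""
    for rule_id, rx in RULES.items():
        m = rx.search(line)
        if m:
            return rule_id, m.group(1)
    return None

def replay(lines):
    """Return the (rule_id, ip) pairs reaching TRIGGER hits within WINDOW seconds."""
    hits, blocked = defaultdict(deque), set()
    for line in lines:
        key = match_rule(line)
        if key is None:
            continue
        stamp = STAMP.search(line).group(1)
        ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").timestamp()
        window = hits[key]
        window.append(ts)
        while ts - window[0] > WINDOW:  # drop hits older than the window
            window.popleft()
        if len(window) >= TRIGGER:
            blocked.add(key)
    return blocked

def hit(ip, sec, request):
    """Build one constructed combined-format access log line."""
    return (f'{ip} - - [10/May/2024:11:30:{sec:02d} +0000] '
            f'"{request} HTTP/1.1" 200 512 "-" "constructed-agent"')

# Constructed sample: documentation-range addresses, not real traffic.
SAMPLE = [hit("203.0.113.7", s, "POST /wp-login.php") for s in range(5)] + [
    hit("198.51.100.9", 10, "POST /blog/wp-login.php"),  # subdirectory install: no match
    hit("192.0.2.44", 12, "GET /xmlrpc.php?rsd"),        # one hit, below the trigger
]

if __name__ == "__main__":
    print(sorted(replay(SAMPLE)))
```

The patterns count every GET or POST regardless of response status, so a legitimate user who loads the login page five times inside the window is blocked as well, and a WordPress site installed under a subdirectory is not covered at all.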