Block wp-login and xmlrpc brute force attacks with CSF / cPanel

Another great countermeasure against “flooders” on your WordPress installations, this time with the CSF firewall. I had massive brute force attacks on WordPress installations on some cPanel server, which were causing very high server loads. Here is a great way to block abusers with the CSF firewall.

First, create a custom log in which CSF can search for wp-login.php and xmlrpc.php requests. Edit your /etc/csf/csf.conf as below:

CUSTOM1_LOG = "/var/log/apache2/domlogs/*/*"

Because the majority of these attacks come from a few very well-known countries that are causing problems, you may want to whitelist the countries from which users shouldn’t be blocked. Add the list of whitelisted countries to CC_IGNORE.

Next, create custom functions so that CSF can detect and block these attacks. Add the following to /usr/local/csf/bin/regex.custom.pm; if the file does not exist, create it:

# Return values: log description, offending IP ($1), unique rule ID,
# trigger count, ports to block, and 1 for a permanent block.

# XMLRPC
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/xmlrpc\.php.*" /)) {
    return ("WP XMLRPC Attack",$1,"XMLRPC","5","80,443","1");
}

# WP-LOGINS
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
    return ("WP Login Attack",$1,"WPLOGIN","5","80,443","1");
}
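Before restarting lfd, the two patterns can be dry-run against sample log lines to see which requests they catch and which IP they capture. The script below is an added example, not part of the original post or of CSF; the log lines are constructed, and the per-IP counter is a simplification of lfd's tracking (it ignores the time window).

```perl
#!/usr/bin/perl
# Added example: dry-run the two regex.custom.pm patterns on constructed log lines.
use strict;
use warnings;

# Same patterns as in regex.custom.pm above.
my %rules = (
    XMLRPC  => qr/(\S+).*] "\w*(?:GET|POST) \/xmlrpc\.php.*" /,
    WPLOGIN => qr/(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /,
);
my $trigger = 5;    # trigger count used in the return() lists above

# Constructed Apache combined-format lines (documentation IP ranges).
my @lines = map {
    qq{203.0.113.10 - - [10/May/2024:11:33:0$_ +0200] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"}
} 1 .. 5;
push @lines,
    q{198.51.100.7 - - [10/May/2024:11:33:09 +0200] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 2101 "-" "Mozilla/5.0"},
    q{198.51.100.7 - - [10/May/2024:11:33:10 +0200] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"},
    q{192.0.2.55 - - [10/May/2024:11:33:11 +0200] "POST /blog/wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"},
    q{192.0.2.55 - - [10/May/2024:11:33:12 +0200] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"};

my %hits;    # $hits{rule ID}{IP} = number of matching lines seen so far
for my $line (@lines) {
    my $matched = 0;
    for my $id (sort keys %rules) {
        next unless $line =~ $rules{$id};
        my $ip = $1;    # first field of the log line, as captured by (\S+)
        $matched = 1;
        my $n = ++$hits{$id}{$ip};
        printf "%-8s %-15s hit %d%s\n", $id, $ip, $n,
            ($n == $trigger ? "  <- trigger count reached, lfd would block" : "");
    }
    print "no rule matched: $line\n" unless $matched;
}
```

The request under /blog/ is reported as unmatched because both patterns expect the path to start directly with /wp-login.php or /xmlrpc.php, so a WordPress installed in a subdirectory is not covered by these rules as written. The lostpassword request shows that ordinary visits to the login page count toward the trigger as well.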

Restart CSF and check that LFD is doing its new job. On success you should see something like this:

May 10 11:33:16 cp lfd[589350]: (WPLOGIN) WP Login Attack 4.4.4.4 (PL/Poland/s1.hekko.net.pl): 5 in the last 600 secs - *Blocked in csf* [LF_CUSTOMTRIGGER]
May 10 11:33:36 cp lfd[589587]: (WPLOGIN) WP Login Attack 5.5.5.5 (TR/Turkey/5.5.5.5.linuxhosting.com.tr): 5 in the last 600 secs - *Blocked in csf* [LF_CUSTOMTRIGGER]
May 10 11:34:24 cp lfd[590012]: (WPLOGIN) WP Login Attack 6.6.6.6 (DE/Germany/static.6.6.6.6.clients.your-server.de): 5 in the last 600 secs - *Blocked in csf* [LF_CUSTOMTRIGGER]
83247]: (WPLOGIN) WP Login Attack 7.7.7.7 (VN/Vietnam/-): 5 in the last 600 secs - *Blocked in csf* [LF_CUSTOMTRIGGER]

Requests from ignored countries should look like this:

May 10 11:45:36 cp lfd[591718]: WP Login Attack 1.1.1.1 - ignored
May 10 11:45:41 cp lfd[591718]: WP Login Attack 2.2.2.2 - ignored

I hope this helps.

Arduino temperature

Buzzer

https://www.satellasoft.com/?materia=beep-usando-buzzer-com-arduino

NTC 10k temperature

http://labdegaragem.com/profiles/blogs/tutorial-como-utilizar-o-termistor-ntc-com-arduino

http://www.audioacustica.com.br/exemplos/Valores_Resistores/Calculadora_Ohms_Resistor.html

LED

http://www.audioacustica.com.br/exemplos/Valores_Resistores/Calculadora_Ohms_Resistor.html

RT-N13U

https://oldwiki.archive.openwrt.org/toh/asus/rt-n13u

https://oldwiki.archive.openwrt.org/doc/howto/firstlogin

opkg update

opkg install base-files block-mount busybox dnsmasq dropbear firewall fstools hostapd-common ip6tables iptables iw jshn jsonfilter kernel kmod-cfg80211 kmod-crypto-aes kmod-crypto-arc4 kmod-crypto-core kmod-eeprom-93cx6 kmod-fs-vfat kmod-gpio-button-hotplug kmod-ip6tables kmod-ipt-conntrack kmod-ipt-core kmod-ipt-nat kmod-ipv6 kmod-leds-gpio kmod-ledtrig-usbdev kmod-lib-crc-ccitt kmod-lib-crc-itu-t kmod-mac80211 kmod-nf-conntrack kmod-nf-conntrack6 kmod-nf-ipt kmod-nf-ipt6 kmod-nf-nat kmod-nf-nathelper kmod-nls-base kmod-nls-cp437 kmod-nls-iso8859-1 kmod-ppp kmod-pppoe kmod-pppox kmod-rt2800-lib kmod-rt2800-mmio kmod-rt2800-soc kmod-rt2x00-lib kmod-rt2x00-mmio kmod-scsi-core kmod-slhc kmod-tun kmod-usb-core kmod-usb-dwc2 kmod-usb-printer kmod-usb-storage libblkid libblobmsg-json libc libgcc libip4tc libip6tc libiwinfo libiwinfo-lua libjson-c libjson-script liblua liblzo libmount libnl-tiny libopenssl libpcap libpthread librt libubox libubus libubus-lua libuci libuci-lua libusb-1.0 libuuid libxtables lua luci luci-app-firewall luci-app-openvpn luci-app-p910nd luci-app-samba luci-base luci-i18n-base-pt-br luci-i18n-openvpn-en luci-i18n-openvpn-pt-br luci-lib-ip luci-lib-nixio luci-mod-admin-full luci-proto-ipv6 luci-proto-ppp luci-theme-bootstrap mtd netifd odhcp6c odhcpd openvpn-openssl opkg p910nd ppp ppp-mod-pppoe procd rpcd samba36-server swconfig tcpdump ubox ubus ubusd uci uhttpd uhttpd-mod-ubus usign wpad-mini zlib

Remove password from p12 file

https://serverfault.com/questions/515833/how-to-remove-private-key-password-from-pkcs12-container

Export to temporary pem file

openssl pkcs12 -in protected.p12 -nodes -out temp.pem
#  -> Enter password

Convert pem back to p12

openssl pkcs12 -export -in temp.pem  -out unprotected.p12
# -> Just press [return] twice for no password

Remove temporary certificate

rm temp.pem