new defense against DoS

hello all -

the DoS attacks against my wordpress sites have become relentless and i am now seeing tens of thousands of attacks where i used to see only hundreds or maybe thousands.

the csf firewall people have an interesting answer. there is a daemon called lfd, or login-failure-daemon that constantly runs in the background. i have it set where if anybody tries to hit wp-login.php they are locked out for an hour.

naturally the /wp-login.php name has to be changed via wordpress plugin, but this is very easily done.

several times now my apache webserver has become overloaded with the attack attempts. i believe we may have found an answer to the problem (hopefully).

setup steps for lfd (login failure daemon) 2014-04-05

1) add lines into
/usr/local/csf/bin/regex.custom.pm - custom rules for firewall, insert this perl command into the file:

# example log file line to look for:
#50.22.3.226 - - [04/Apr/2014:02:01:45 -0400] "POST /wp-login.php HTTP/1.0" 500 534 "-" "-"

# (?:500|403) matches a status of exactly 500 or 403
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /(\S+) - - \[.+\] "POST \/wp-login\.php HTTP\S+" (?:500|403) /))
{
return ('Failed wp-login.php login from ',$1,"wp-login.php","1","80","3600");
}

80 - port number to block
3600 - number of seconds to wait

2) change line in
/etc/csf/csf.conf
CUSTOM2_LOG = "/var/log/virtualmin/marksdomain.com_access_log"

3) restart the firewall:
csf --disable ; csf --enable ;

4) (optional) monitor activity:
tail -f /var/log/lfd.log ;
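A rule like the one in step 1 can be checked offline against sample log lines before lfd acts on it. The script below is an added example, not part of the original post or of csf: it compares the status test written as the character class [500,403], which matches any single one of those characters, with the alternation (?:500|403). The helper check_line and the log lines are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed access-log lines (documentation IP ranges, not real traffic).
my @lines = (
    '192.0.2.10 - - [04/Apr/2014:02:01:45 -0400] "POST /wp-login.php HTTP/1.0" 500 534 "-" "-"',
    '192.0.2.11 - - [04/Apr/2014:02:01:46 -0400] "POST /wp-login.php HTTP/1.1" 403 210 "-" "-"',
    '198.51.100.7 - - [04/Apr/2014:02:02:10 -0400] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"',
    '198.51.100.8 - - [04/Apr/2014:02:02:11 -0400] "POST /wp-login.php HTTP/1.1" 404 162 "-" "-"',
    '203.0.113.5 - - [04/Apr/2014:02:03:00 -0400] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "-"',
    '203.0.113.6 - - [04/Apr/2014:02:03:01 -0400] "GET /wp-login.php HTTP/1.1" 500 534 "-" "-"',
);

# Same request prefix as the rule in step 1; only the status test differs.
my $prefix = qr/(\S+) - - \[.+\] "POST \/wp-login\.php HTTP\S+" /;
my @variants = (
    # A character class matches ONE character out of 5 0 , 4 3,
    # so any status starting with 3, 4 or 5 triggers.
    [ 'character class [500,403]', qr/[500,403]/ ],
    # Alternation plus a trailing space matches only 500 or 403.
    [ 'alternation (?:500|403)',   qr/(?:500|403) / ],
);

# Hypothetical stand-in for the custom rule: returns the list the
# rule hands back to lfd on a match, or an empty list otherwise.
sub check_line {
    my ($line, $status_re) = @_;
    if ($line =~ /$prefix$status_re/) {
        return ('Failed wp-login.php login from ', $1,
                'wp-login.php', '1', '80', '3600');
    }
    return;
}

for my $variant (@variants) {
    my ($name, $status_re) = @$variant;
    print "== $name ==\n";
    for my $line (@lines) {
        my @hit      = check_line($line, $status_re);
        my ($status) = $line =~ /" (\d{3}) /;
        my $ip       = (split ' ', $line)[0];
        printf "  %-5s status %s from %s\n",
            (@hit ? 'BLOCK' : 'pass'), $status, $ip;
    }
}
```

With the character class, the 302 and 404 lines are reported as BLOCK alongside the 500 and 403 lines; with the alternation only 500 and 403 are.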