by Arf » Mon May 05, 2014 4:36 pm
My NOC said they'd created a mod_security filter to prevent dictionary attacks on WordPress logins. Turns out, that only works when the person has a referral page in the URL. They can work around it by going direct. So, I created the following script for WordPress that allows X number of login attempts in the previous hour before it automatically blocks the IP address.
Help wanted: this script searches the logs for the WordPress login page, "wp-login.php". Please provide any other login pages for things like Joomla, so I can add those.
Code:
#!/bin/bash
# Version 0.5.4 added search for Joomla logins
# Version 0.5.3 bug fix: fixed testing for repeats.
# Version 0.5.2 bug fix: "depth 1" changed to "maxdepth 1" in the find command.
# Version 0.5.1 changed to using /usr/sbin/csf rather than /etc/csf/csf.pl
# Version 0.5 Now, by default, the program should be run every 5-15 minutes to catch bad guys in the current hour rather than waiting until the hour is over.
# Version 0.4 5.15.2014 added ADMIN variable rather than hard coding the email address.
# Version 0.3 5.8.14
# Version 0.2
# cms.abuse.monitor.sh by Thomas Leo
# To install: copy to a file owned by root, chmod 700, run from cron a few minutes after each hour.
# 2 */1 * * * /path.to.program/cms.abuse.monitor.sh # block IPs that log in more than X times per hr.
ADMIN="email@yourdomain.com"
THRESHOLD="35" # How many login attempts per hour are allowed.
### No need to edit below this line ###
# Apache log timestamps look like [05/May/2014:14:36:00 -0600]; matching on
# day/month/year:hour restricts the count to the current hour.
dt=$(date +%d/%b/%Y":"%H)
# Note: the work files below are fixed paths under /tmp. On a server with
# untrusted local users, switch them to mktemp output before running as root.
# Walk the per-domain access logs, skipping the byte-count and FTP logs.
for FILE in $(find /usr/local/apache/domlogs/ -maxdepth 1 -type f | egrep -v "(bytes_log$|ftp_log$|offsetftpbytes$|offset$|bkup$)"); do
    # Count POSTs to the Joomla and WordPress login pages per client IP
    # (field 1 of the combined log format) during the current hour.
    egrep "$dt:.*(\"POST /administrator/index.php| \"POST .*wp-login.php)" "$FILE" | awk '{print $1}' | sort | uniq -c | sort > /tmp/wp.test.tmp
    while read -r LINE; do
        QTY=$(echo "$LINE" | awk '{print $1}')
        if [ "$QTY" -gt "$THRESHOLD" ]; then
            IP=$(echo "$LINE" | awk '{print $2}')
            # csf -d adds the IP to csf.deny. If it is already listed, csf
            # reports "deny failed:", which is how a repeat offender is detected.
            /usr/sbin/csf -d "$IP" | grep -c "deny failed:" > /tmp/cms.abuse.monitor.txt
            if [ "$(cat /tmp/cms.abuse.monitor.txt)" -gt 0 ]; then
                REPEAT="YES"
            else
                REPEAT="NO"
            fi
            echo -e "$(hostname) $0 $IP blocked for repeated abuse $QTY times ($FILE)($LINE)(REPEAT=$REPEAT)\n$(cat /tmp/cms.abuse.monitor.txt)" | mail -vs "$0 results" "$ADMIN"
        fi
    done < /tmp/wp.test.tmp
    rm -f /tmp/wp.test.tmp
done
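The counting step of Arf's script, as an added dry-run example that is not part of the original post: it runs the same per-IP, per-hour count over a few constructed Apache combined-format log lines and prints the offenders instead of handing them to csf, so the regex and threshold can be checked before the script is allowed to block anything. THRESHOLD is lowered to 3 and the hour stamp is hard-coded to suit the sample; both are assumptions for the demonstration.

```shell
#!/bin/bash
# Added dry-run example, not the cms.abuse.monitor.sh script itself.
THRESHOLD=3   # lowered from 35 so the constructed sample trips it

# Constructed sample log (combined format). 203.0.113.7 POSTs to wp-login.php
# four times in hour 14, 198.51.100.9 hits the Joomla admin login twice in
# hour 14 and once in hour 13, 192.0.2.44 is an ordinary user.
SAMPLE_LOG='203.0.113.7 - - [05/May/2014:14:01:10 -0600] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [05/May/2014:14:01:11 -0600] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [05/May/2014:14:01:12 -0600] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [05/May/2014:14:01:13 -0600] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.9 - - [05/May/2014:14:05:00 -0600] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "curl/7.30"
198.51.100.9 - - [05/May/2014:14:05:01 -0600] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "curl/7.30"
198.51.100.9 - - [05/May/2014:13:59:59 -0600] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "curl/7.30"
192.0.2.44 - - [05/May/2014:14:10:30 -0600] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
192.0.2.44 - - [05/May/2014:14:10:35 -0600] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# offenders HOUR_STAMP  (log lines on stdin)
# HOUR_STAMP is the same %d/%b/%Y:%H prefix the script builds with date.
# Prints "COUNT IP" for every client with more than THRESHOLD login POSTs
# in that hour; nothing is blocked, so this is safe to run as an alert-only
# check before wiring the output into csf -d.
offenders() {
    local hour="$1"
    grep -E "\[${hour}:.*\"POST (/administrator/index\.php|[^\" ]*wp-login\.php)" \
        | awk '{print $1}' | sort | uniq -c | sort -rn \
        | awk -v t="$THRESHOLD" '$1 > t {print $1, $2}'
}

# Expected for hour 14 of the sample: "4 203.0.113.7" (the Joomla client
# stays under the threshold because its third POST is in hour 13).
printf '%s\n' "$SAMPLE_LOG" | offenders "05/May/2014:14"
```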
by Arf » Thu May 15, 2014 2:20 pm
I've been testing this code and it's really catching a lot of bad guys.
I've made a minor update since the original post. I sure wish I knew the login URLs for the other CMS programs. If anyone could help me, I'd be most grateful.
by mbodamer » Thu Jul 17, 2014 5:49 pm
Joomla admin login is found at www.domain.com/administrator/index.php by default.
I have about 150 Joomla sites (1.5, 2.5 and 3.x), and anything that can help keep these sites from being hacked every 3 seconds would be great.
Mike
by Arf » Fri Jul 18, 2014 5:00 pm
Hi Mike,
I don't have many if any Joomla sites so you'll need to beta test it. I'll see what I can do. Maybe something that alerts you without taking action would be the best way to test.
by Arf » Fri Jul 18, 2014 10:43 pm
Mike,
Just change this
grep "$dt:.* \"POST .*wp-login.php" $FILE | awk '{print $1}' | sort | uniq -c | sort > /tmp/wp.test.tmp
to this
egrep "$dt:.*(\"POST /administrator/index.php| \"POST .*wp-login.php)" $FILE | awk '{print $1}' | sort | uniq -c | sort > /tmp/wp.test.tmp
I changed the above code.