wp-login.php Brute Force

Matt

Owner
All,

There is an increasing number of attempts at brute forcing the wp-login.php file, and I can see this happening on the shared hosting server.

To help combat this, I've written a bash script that checks the access log files, grabs the IP attempting to log into wp-login.php, counts it, checks against a pre-defined white list, checks against previously blocked IP's, and totals the number of attempts.

If the total number is above the limit I've set, the IP address will be blocked by the firewall.

Bash:
#!/bin/bash

checkdate=`date --date='today' +"%d/%b/%Y"`
whitelist="/root/scripts/whitelist.txt"
iptablesbin="/sbin/iptables"
csf="/usr/sbin/csf -d"
comment="WPLogin DOS"
# find todays wp-login attempts :
for i in `grep -R "wp-login.php" /usr/local/apache/domlogs/* | grep "POST" | grep "$checkdate" | awk -F: '{ print $2 }' | awk '{ print $1 }' | sort -n | uniq -c | sort -nr | awk '$1 > NUMBER {print $2}'`
do
badip=$i
ipbanned=`$iptablesbin -nL | grep -c $badip`
ipinwhitelist=`grep -c $badip $whitelist`

if [ $ipbanned -eq 0 ] && [ $ipinwhitelist -eq 0 ]; then
        $csf $badip $comment
fi
done

If you want / need to have your IP address added to the whitelist, please PM your IP address.
 
Top