Block wp-login and xmlrpc brute force attacks with CSF / cPanel

Another great counter attack to “flooders” on your WordPress installations. This time with CSF firewall. I had massive brute force attacks on WordPress installations on some cPanel server which were causing very high server loads.¬† Here is great way to block abusers with CSF firewall. Here is how.

First, create custom log from which CSF will be able to search for wp-login.php and xmlrpc.php requests. Edit your /etc/csf/csf.conf like bellow:

CUSTOM2_LOG = "/var/log/apache2/domlogs/*/*"

Because majority of those attacks are from some very well known country’s that are causing problems, you may want to white list country’s from which users shouldn’t be blocked. Add list of white list country’s in CC_IGNORE.

Then you must create custom functions for CSF so it will be able to block those attacks. Add this to your /usr/local/csf/bin/regex.custom.pm file. If it’s not there, create one. Then add this:

# XMLRPC
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/xmlrpc\.php.*" /)) {
return ("WP XMLPRC Attack",$1,"XMLRPC","5","80,443","1");
}

# WP-LOGINS
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
return ("WP Login Attack",$1,"WPLOGIN","5","80,443","1");
}

Restart CSF and check if LFD is doing his new job. On success you should see something like this:

May 10 11:33:16 cp lfd[589350]: (WPLOGIN) WP Login Attack 4.4.4.4 (PL/Poland/s1.hekko.net.pl): 5 in the last 600 secs - *Blocked in csf* [LF_CUSTOMTRIGGER]
May 10 11:33:36 cp lfd[589587]: (WPLOGIN) WP Login Attack 5.5.5.5 (TR/Turkey/5.5.5.5.linuxhosting.com.tr): 5 in the last 600 secs - *Blocked in csf* [LF_CUSTOMTRIGGER]
May 10 11:34:24 cp lfd[590012]: (WPLOGIN) WP Login Attack 6.6.6.6 (DE/Germany/static.6.6.6.6.clients.your-server.de): 5 in the last 600 secs - *Blocked in csf* [LF_CUSTOMTRIGGER]83247]: (WPLOGIN) WP Login Attack 7.7.7.7 (VN/Vietnam/-): 5 in the last 600 secs - *Blocked in csf* [LF_CUSTOMTRIGGER]
...

Requests for ignored country’s should look like this:

May 10 11:45:36 cp lfd[591718]: WP Login Attack 1.1.1.1 - ignored
May 10 11:45:41 cp lfd[591718]: WP Login Attack 2.2.2.2 - ignored
...

I hope this helps. ūüôā

Directadmin – Process failed (1) when writing error message to your@mail.com (frozen)

User complained about not being able to receive error messages from remote mail servers. When he sent to this email address from Gmail, error message return, but when he tried from Directadmin server, no error message arrived in inbox. I could see those messages in Exim’s mail queue as frozen.

In Exim mail log, this error was shown:

Process failed (1) when writing error message to your@mail.com (frozen)

After a while of digging online, I’ve found out that BlockCracking is causing this problem. We had BlockCracking version 1.8 which was apparently version with this issue. You’ll have to upgrade BlockCracking to version 1.10 or newer. Just go to your Directadmin’s custombuild directory, then follow this steps:

./build exim
./build dovecot_conf
./build spamassassin
./build blockcracking
./build update
./build exim_conf

After that, error messages should arrive in your inbox.

CSF – whitelist user from SMTP_BLOCK

CSF features great option SMTP_BLOCK which block outgoing SMTP for all users except root, exim and mailman. I had a problem with one user which was using MailChimp as mass mailing within their application. Because of SMTP_BLOCK it wasn’t working. Disabling SMTP_BLOCK globally is not recommended, you can white list users for which you would like to allow sending.

Go to your CSF settings and find SMTP_ALLOWUSER. Then add user which should be allowed (users separated with coma). Don’t forget to restart CSF.

Directadmin – Proxy Error: DNS lookup failure for php-fpm56 …

If you changed php handler for your Directadmin installation to php-fpm, rewrite all configs and then get error like this:

Proxy Error
The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /index.php.
Reason: DNS lookup failure for: php-fpm56.domainname

It is almost certainly that apache templates that are used for generating user http configuration files are wrong. Probably you have custom templates.

Go to¬†/usr/local/directadmin/data/templates/custom and check if there are files like files¬†virtual_host2.conf … . If they are, just rename custom directory to something new:

[root@lol ~]# cd /usr/local/directadmin/data/templates/
[root@lol templates]# mv custom custom-bak

Directadmin will then use default templates when creating new Apache configs. Rewrite your apache config files:

[root@lol ~]#  cd /usr/local/directadmin/custombuild
[root@lol custombuild]# ./build rewrite_confs

It should solve the problem. Also, make sure that php-fpm for all php versions are working.

RoundCube: Could not save new password. Connection error. Recv failure: Connection reset by peer

If you’re having trouble when try to change your email password in Roundcube on your Directadmin installation, than error will be probably something like this:

Could not save new password. Connection error. Recv failure: Connection reset by peer

Solution is simple. Just open Roundcube configuration file (/var/www/html/roundcube/plugins/password/config.inc.php) and find:

$rcmail_config['password_directadmin_host'] = 'tls://localhost';

then, change it to:

$rcmail_config['password_directadmin_host'] = 'ssl://localhost';

It should work.

Directadmin/Letsencrypt – Domain does not exist on the system. Unable to find your.hostname.com in /etc/virtual/domainowners

A few days ago I was doing complete migration of old Directadmin server to new Directadmin server which had different hostname. Everything went well but I was unable to register Letsencrypt SSL certificate for new server hostname.

I was getting error like this:

[root@myserver scripts]# ./letsencrypt.sh request my.server.com 4096
Domain does not exist on the system. Unable to find my.server.com in /etc/virtual/domainowners. Exiting...
no valid domain found - exiting

First thing I did is I add new hostname as domain to user admin. Certificate was indeed registered than, but not as server hostname (/usr/local/directadmin/conf/cacert.pem). I deleted domain than.

After a little search I found out that I forgot to change servername variable in directadmin.conf. So I changed it, restart directadmin but I was getting the same error. At the end I found out that the easiest way to fix this is to change hostname in Directadmin administration.

  1. Go to Directadmin as admin user and navigate to¬†Administrator Settings, then set some temporary hostname in¬†Server’s Hostname. Let’s say my.server2.com.
  2. Wait until cron will make changes – you should see new hostname in Administrator Settings when refreshing page.
  3. Go in Administrator Settings again and change¬†Server’s Hostname to your old hostname – my.server.com.
  4. Run letsencrypt.sh again.

This time, certificate was registered successfully.

[root@myserver scripts]# ./letsencrypt.sh request my.server.com 4096
Setting up certificate for a hostname: my.server.com
Generating 4096 bit RSA key for let's encrypt account...
openssl genrsa 4096 > "/usr/local/directadmin/conf/letsencrypt.key"
Generating RSA private key, 4096 bit long modulus
...

Directadmin – find all email forwarders on server for specific email account

Here is simple one liner for finding all mail aliases on Directadmin server that are forwarding to your email account Рin this example your@email.com. All aliases are saved in files /etc/virtual/<domain_name>/aliases.

[root@directadmin ~]# grep -ri "your@email.com" /etc/virtual/*/aliases | awk -F '/|:' {'print $4 ": " $6 " ->" $7'}
email.com: alias1 -> your@email.com
somedomain.net: sales -> your@email.com,mail2@somedomain.net
anotherdomain.com: chacha -> myaddress@anotherdomain.com,this@email.com,your@email.com
.
.
.

Bulk TTL change in Directadmin

You may want to change TTL values for all domains and their DNS records on your Directadmin server. This can be done very easily. Here is how.

  • Go to templates directory.
    cd /usr/local/directadmin/data/templates
  • Directadmin’s default TTL value is¬†14400, so let’s say we want to change it to 300. You will have to edit template file named.db.
    sed -ie 's/14400/300/g' named.db
  • Rewrite all¬†configuration files for each user
    echo "action=rewrite&value=named" >> /usr/local/directadmin/data/task.queue

Wait a minute or two, then check if user configs were rewrited with new values. Go to /etc/namedb and than open .db file of some domain. It should contain new TTL value.

Directadmin – install Letsencrypt SSL certificate on server hostname

Letsencrypt is a revolutionary step forward on web security. Free, valid SSL certificates for everyone. I won’t write about how to install and config¬†letsencrypt on Directadmin machine. I will show only how to¬†generate and install letsencrypt certificate on your Directadmin hostname.

When you installed Letsencrypt on Directadmin and tried to install certificate for your server hostname, there is a possibility that you came to this problem: HTTP/1.1 400 Bad Request

Just do this:

cd /usr/local/directadmin/custombuild
./build update
./build letsencrypt

And than install certificate on your server hostname:

/usr/local/directadmin/scripts/letsencrypt.sh request my.serverhostname.com 4096

Open your Directadmin configuration file and change

SSL=0 to SSL=1

Also add this:

carootcert=/usr/local/directadmin/conf/carootcert.pem

Restart your Directadmin and you should be set.

Directadmin – block zip attachments with ClamAV and Exim

A lot of¬†viruses and malware¬†is¬†sent in emails with zip attachments. Sometimes your antivirus like ClamAV wont catch nasty email. This is a big¬†problem when you receiving tons of this kind of messages. So if you’re receiving tons of¬†nasty emails¬†containing¬†zip attachments with viruses in it, good way¬†to solve this is by simply reject emails with zip attachments. This was done on¬†Directadmin server with Custombuild 2.0. Even if you’re not using Directadmin, configuration¬†for ClamAV should be very identical.

  • If you built Exim and Clamav with Custombuild 2.0, than you should see this line in your /etc/exim.conf. Uncomment¬†if it’s not already. If you’re using Custombuild 1.2, then this should be changed in /etc/exim.conf directly – settings¬†in step 2 bellow.
    .include_if_exists /etc/exim.clamav.conf
  • Open file¬†/etc/exim.clamav.conf and find word¬†demime within that file. Then¬†simply add zip to it. It should look like this:
    #1.0
    deny message = This message contains malformed MIME ($demime_reason)
    demime = *
    condition = ${if >{$demime_errorlevel}{2}{1}{0}}
    deny message = This message contains a virus or other harmful content ($malware_name)
    demime = *
    malware = *
    deny message = This message contains an attachment of a type which we do not accept (.$found_extension)
    demime = bat:com:pif:prf:scr:vbs:zip
    warn message = X-Antivirus-Scanner: Clean mail though you should still use an Antivirus

Now any email with zip attachment will be rejected. Sender will receive error message like this:

The error that the other server returned was: 
550 This message contains an attachment of a type which we do not accept (.zip)

© 2019 geegkytuts.net
Hosted by Hosterdam


About author