
Commit de3d698

committed
Add dot dir honeypot
1 parent c49ece1 commit de3d698


1 file changed

+16
-0
lines changed

1 file changed

+16
-0
lines changed

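--- a/regex.custom.pm
+++ b/regex.custom.pm
@@ -133,18 +133,34 @@ sub custom_line {
 # if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+) -.*[GET|POST].*(\/wp-admin|wp-admins.php|administrator\/|login.php|backend|admin|\/xmlrpc.php|\/wp-(app|cron|login|register|mail).php|wp-.*.php|wp-comments-popup.php|wp-links-opml.php|wp-locations.php|sitemap(_index)?.xml|wlwmanifest.xml|wp-cl-plugin.php|[a-z0-9_-]+-sitemap([0-9]+)?.xml)/)) {
 # return ("WordPress Catch all Attack",$1,"wordpress","7","80,443","1");
 # }
+
 # /var/log/virtualmin/*_access_log
 # WordPress Non Existent plugin locations
 # (Default: 2 errors bans for 24 hours)
 if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+) -.*[GET|POST|HEAD] (\/wp-content\/plugins\/).*(\s404\s)/)) {
 return ("WordPress Plugins Honeypot Trap",$1,"wordpress_404","2","80,443","86400","0");
 }
+
 # /var/log/nginx/access.log
 # WordPress Non Existent plugin locations
 # (Default: 2 errors bans for 24 hours)
 if (($globlogs{CUSTOM3_LOG}{$lgfile}) and ($line =~ /(\S+) -.*[GET|POST|HEAD] (\/wp-content\/plugins\/).*(\s404\s)/)) {
 return ("WordPress Plugins Honeypot Trap",$1,"wordpress_404","2","80,443","86400","0");
 }
+
+# /var/log/virtualmin/*_access_log
+# Non Existent Dot directory locations
+# (Default: 2 errors bans for 24 hours)
+if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^(\S+) -.*[GET|POST|HEAD] (\/.).*(\s404\s)/)) {
+return ("Dot directory Honeypot Trap",$1,"nginx_404","2","80,443","86400","0");
+}
+
+# /var/log/nginx/access.log
+# Non Existent Dot directory locations
+# (Default: 2 errors bans for 24 hours)
+if (($globlogs{CUSTOM3_LOG}{$lgfile}) and ($line =~ /^(\S+) -.*[GET|POST|HEAD] (\/.).*(\s404\s)/)) {
+return ("Dot directory Honeypot Trap",$1,"nginx_404","2","80,443","86400","0");
+}
 
 # Source: https://www.digitalflare.co.uk/blog/view/blocking-wp-login-and-xmlrpc-brute-force-attacks-with-csf-cpanel/
 # WordPress XMLRPC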
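Review bot: In both added rules (CUSTOM1_LOG and CUSTOM3_LOG) the dot in `(\/.)` is unescaped, so the pattern matches a slash followed by any character and every 404 on any path counts toward the two-hit, 24-hour block instead of only dot-directory probes. `[GET|POST|HEAD]` is also a character class that matches a single letter rather than a method name, so the request is not really anchored. Assuming the usual combined access-log format, something like `$line =~ /^(\S+) -.*"(?:GET|POST|HEAD) \/\.\S* [^"]*" 404 /` would tie the match to the request path and the status field, which also stops `\s404\s` from matching a 404-byte response size. Even with the dot escaped, a 404 under `/.well-known/` (ACME validation, security.txt lookups) would trip the trap, so consider excluding it with `\/\.(?!well-known\/)`. The body of custom_line starts and ends outside this hunk, so rule ordering relative to the other checks could not be reviewed.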
