Friday, October 31, 2014

How to prevent DoS attack on a cPanel server

Check and block WordPress (wp-login.php and xmlrpc.php) attacks on a cPanel server


If you see a lot of requests to wp-login.php, you can conclude it is a WordPress attack. The command below prints a sorted count of the IPs accessing wp-login.php across all domlogs (the ftp_log files are excluded):


====
-----------

egrep 'wp-login.php' /usr/local/apache/domlogs/* | grep -v ftp_log | awk -F : '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

====
-----------
The IPs hitting xmlrpc.php on a given day can be pulled from the access logs with the command below (replace xx with the day of the month); the sorted counts are saved to /root/testwp:

grep -r "xx/Aug/2014" /usr/local/apache/domlogs/ | grep "xmlrpc.php" | awk '{ print $1 }' | cut -d : -f2 | sort | uniq -c | sort -n > /root/testwp

-----------
To narrow the wp-login.php check to a single hour (here 03:00 on 16/Jan/2013) and show only the ten busiest IPs:

grep wp-login.php /usr/local/apache/domlogs/* | grep "16/Jan/2013:03" | awk '{print $1}' | cut -d: -f2 | sort | uniq -c | sort -n | tail
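The grep | awk | cut | sort | uniq -c pipeline used above, wrapped into reusable functions that count wp-login.php and xmlrpc.php hits per IP for one hour and flag the IPs that reach a threshold. This is an added example, not a script from the original post; SAMPLE_LOG holds constructed log lines in the combined format cPanel writes to /usr/local/apache/domlogs/<domain>, and the "example.com:" prefix mimics the filename grep prepends when it searches several domlog files at once.

```shell
#!/bin/sh
# Added example (not from the original post): count hits to wp-login.php and
# xmlrpc.php per source IP and flag the busiest ones, reproducing the
# grep | awk | cut | sort | uniq -c pipeline above as reusable functions.
# SAMPLE_LOG holds constructed lines in the combined format cPanel writes to
# /usr/local/apache/domlogs/<domain>; the "example.com:" prefix mimics the
# filename that grep prepends when it searches several domlog files at once.
SAMPLE_LOG=$(cat <<'EOF'
example.com:203.0.113.10 - - [16/Jan/2013:03:01:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
example.com:203.0.113.10 - - [16/Jan/2013:03:01:13 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
example.com:203.0.113.10 - - [16/Jan/2013:03:01:14 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
example.com:198.51.100.7 - - [16/Jan/2013:03:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
example.com:198.51.100.7 - - [16/Jan/2013:03:02:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
example.com:192.0.2.55 - - [16/Jan/2013:03:05:44 +0000] "GET /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
example.com:192.0.2.55 - - [16/Jan/2013:04:10:00 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
EOF
)

# Per-IP hit counts for wp-login.php and xmlrpc.php within one hour.
# $1 = log text, $2 = hour prefix as it appears in the log, e.g. "16/Jan/2013:03".
# Prints "<count> <ip>", lowest count first, like the one-liners above.
count_login_hits() {
    printf '%s\n' "$1" \
        | grep -E 'wp-login\.php|xmlrpc\.php' \
        | grep -F "[$2" \
        | awk '{print $1}' | cut -d: -f2 \
        | sort | uniq -c | sort -n \
        | awk '{print $1, $2}'
}

# IPs whose hit count reaches the threshold in $3, busiest first, one per line.
# These are the candidates to review before adding a CSF deny.
flagged_ips() {
    count_login_hits "$1" "$2" | sort -rn | awk -v t="$3" '$1 >= t {print $2}'
}

echo "Hits to wp-login.php / xmlrpc.php during 16/Jan/2013:03 (count ip):"
count_login_hits "$SAMPLE_LOG" "16/Jan/2013:03"
echo "IPs with 2 or more hits in that hour:"
flagged_ips "$SAMPLE_LOG" "16/Jan/2013:03" 2
```

On a live server, feed the output of grep -r over /usr/local/apache/domlogs/ (minus the ftp_log files) to the same functions in place of SAMPLE_LOG; the filename prefix grep adds is exactly what the cut -d: -f2 step strips.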



CSF tuning 

vi /etc/csf/csf.conf
----
# To disable this feature, set this to 0
CT_LIMIT = "50"
----


Here 50 is the maximum number of connections a single IP address may have open before CSF blocks it. You also need to specify which ports the limit applies to.



vi /etc/csf/csf.conf
----
# Leave this option empty to count all ports against CT_LIMIT
CT_PORTS = "80,53,22"
----


Other CT options can be tuned as well: CT_INTERVAL is how often (in seconds) CSF scans the connection table, and CT_BLOCK_TIME is how long (in seconds) a temporary block lasts.

CT_INTERVAL = "30"
CT_BLOCK_TIME = "1800"



iptables rule:

iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

------------------------
-A : Append the rule to the chain (INPUT)
-p : Protocol (tcp)
--dport : Destination port (80)
-m limit : Load the limit match extension
--limit 25/minute : Defines a maximum of 25 connections per minute.
--limit-burst 100 : The per-minute limit is enforced only after the number of matching connections has reached the burst level, i.e. 100 here.
-j : Target (ACCEPT). Packets that exceed the limit do not match this rule and fall through to the rules after it, so a DROP rule for port 80 must follow this one for the limit to take effect.

--------------------------