CLF probes and false positive

Issue #134 new
Former user created an issue

I have an IP blocked when it shouldn't be. I think the block is triggered by "POST /wp-admin/admin-ajax.php".

Also, I have a 10 second flush delay in writing the logs to file (to save disk I/O); that's why there is a short delay between sshguard blocking and the web-server request.

I checked the sshguard source code and it looks like "CLF probes" only trigger when we get 4[0-9]{2} codes and not for 200 codes. Any idea how to troubleshoot it?

Sep 29 00:02:33 server30 sshguard[88219]: Attack from "79.118.13.xxx" on service CLF Probes with danger 10.
Sep 29 00:02:33 server30 sshguard[88219]: Blocking "79.118.13.xxx/32" for 120 secs (3 attacks in 0 secs, after 1 abuses over 0 secs.)
79.118.13.xxx - - [29/Sep/2020:00:02:09 +0300] "POST /wp-admin/admin-ajax.php HTTP/2.0" 200 77 "https://www.example.com/wp-admin/admin.php?page=atomixstar_newsletter_subscribers" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36" (0.053)
79.118.13.xxx - - [29/Sep/2020:00:02:10 +0300] "GET /wp-includes/images/spinner.gif HTTP/2.0" 200 3656 "https://www.example.com/wp-admin/load-styles.php?c=0&dir=ltr&load%5Bchunk_0%5D=dashicons,admin-bar,common,forms,admin-menu,dashboard,list-tables,edit,revisions,media,themes,about,nav-menus,wp-pointer,widgets&load%5Bchunk_1%5D=,site-icon,l10n,buttons,wp-auth-check&ver=5.5.1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36" (0.000)
79.118.13.xxx - - [29/Sep/2020:00:02:10 +0300] "GET /wp-login.php?interim-login=1&wp_lang=en_US HTTP/2.0" 200 2395 "https://www.example.com/wp-admin/admin.php?page=atomixstar_newsletter_subscribers" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36" (0.048)
79.118.13.xxx - - [29/Sep/2020:00:02:10 +0300] "GET /wp-includes/css/buttons.min.css?ver=5.5.1 HTTP/2.0" 200 1597 "https://www.example.com/wp-login.php?interim-login=1&wp_lang=en_US" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36" (0.000)
79.118.13.xxx - - [29/Sep/2020:00:02:10 +0300] "GET /wp-admin/css/forms.min.css?ver=5.5.1 HTTP/2.0" 200 6917 "https://www.example.com/wp-login.php?interim-login=1&wp_lang=en_US" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36" (0.000)
79.118.13.xxx - - [29/Sep/2020:00:02:10 +0300] "GET /wp-admin/css/l10n.min.css?ver=5.5.1 HTTP/2.0" 200 739 "https://www.example.com/wp-login.php?interim-login=1&wp_lang=en_US" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36" (0.000)
79.118.13.xxx - - [29/Sep/2020:00:02:10 +0300] "GET /wp-admin/css/login.min.css?ver=5.5.1 HTTP/2.0" 200 2117 "https://www.example.com/wp-login.php?interim-login=1&wp_lang=en_US" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36" (0.000)
79.118.13.xxx - - [29/Sep/2020:00:02:10 +0300] "GET /wp-includes/js/zxcvbn-async.min.js?ver=1.0 HTTP/2.0" 200 353 "https://www.example.com/wp-login.php?interim-login=1&wp_lang=en_US" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36" (0.000)
79.118.13.xxx - - [29/Sep/2020:00:02:10 +0300] "GET /wp-admin/js/password-strength-meter.min.js?ver=5.5.1 HTTP/2.0" 200 629 "https://www.example.com/wp-login.php?interim-login=1&wp_lang=en_US" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36" (0.000)
79.118.13.xxx - - [29/Sep/2020:00:02:10 +0300] "GET /wp-admin/js/user-profile.min.js?ver=5.5.1 HTTP/2.0" 200 2253 "https://www.example.com/wp-login.php?interim-login=1&wp_lang=en_US" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36" (0.000)
79.118.13.xxx - - [29/Sep/2020:00:02:10 +0300] "GET /wp-admin/images/wordpress-logo.svg?ver=20131107 HTTP/2.0" 200 828 "https://www.example.com/wp-admin/css/login.min.css?ver=5.5.1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36" (0.000)
79.118.13.xxx - - [29/Sep/2020:00:02:10 +0300] "GET /wp-includes/js/zxcvbn.min.js HTTP/2.0" 200 430256 "https://www.example.com/wp-login.php?interim-login=1&wp_lang=en_US" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36" (0.288)
79.118.13.xxx - - [29/Sep/2020:00:05:56 +0300] "POST /wp-admin/admin-ajax.php HTTP/2.0" 200 77 "https://www.example.com/wp-admin/admin.php?page=atomixstar_newsletter_subscribers" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36" (0.088)
79.118.13.xxx - - [29/Sep/2020:00:06:56 +0300] "POST /wp-admin/admin-ajax.php HTTP/2.0" 200 77 "https://www.example.com/wp-admin/admin.php?page=atomixstar_newsletter_subscribers" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36" (0.072)
79.118.13.xxx - - [29/Sep/2020:00:08:57 +0300] "POST /wp-admin/admin-ajax.php HTTP/2.0" 200 77 "https://www.example.com/wp-admin/admin.php?page=atomixstar_newsletter_subscribers" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36" (0.086)
79.118.13.xxx - - [29/Sep/2020:00:10:58 +0300] "POST /wp-admin/admin-ajax.php HTTP/2.0" 200 77 "https://www.example.com/wp-admin/admin.php?page=atomixstar_newsletter_subscribers" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36" (0.081)
79.118.13.xxx - - [29/Sep/2020:00:12:59 +0300] "POST /wp-admin/admin-ajax.php HTTP/2.0" 200 77 "https://www.example.com/wp-admin/admin.php?page=atomixstar_newsletter_subscribers" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36" (0.075)
79.118.13.xxx - - [29/Sep/2020:00:15:00 +0300] "POST /wp-admin/admin-ajax.php HTTP/2.0" 200 77 "https://www.example.com/wp-admin/admin.php?page=atomixstar_newsletter_subscribers" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36" (0.153)
79.118.13.xxx - - [29/Sep/2020:00:44:44 +0300] "POST /wp-admin/admin-ajax.php HTTP/2.0" 200 77 "https://www.example.com/wp-admin/admin.php?page=atomixstar_newsletter_subscribers" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36" (0.097)
79.118.13.xxx - - [29/Sep/2020:00:45:44 +0300] "POST /wp-admin/admin-ajax.php HTTP/2.0" 200 77 "https://www.example.com/wp-admin/admin.php?page=atomixstar_newsletter_subscribers" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36" (0.080)

Comments (2)

  1. Christos Chatzaras

    Also I found these logs from a previous day:

    79.118.13.xx - - [27/Sep/2020:01:58:24 +0300] "GET /confirm-email?email=office@atomix-star.com&hash_id=b69f89c22934ecaf72806a9a96c547 HTTP/2.0" 404 117 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36" (0.044)

    which sshg-parser shows as an attack. This is possibly triggered by the word “mail” in the HTTP_BOTSEARCH_WEBMAIL regex:

    roundcube|(ext)?mail|horde|(v-?)?webmail
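To check the comment's hypothesis locally, here is an added Python reproduction (not sshguard's own code) that applies the quoted HTTP_BOTSEARCH_WEBMAIL pattern to constructed log lines modelled on the ones above, counting only 4xx responses as the reporter describes. The `WEBMAIL_STRICT` variant is an illustrative tightened pattern of my own, not a fix from the sshguard project; the 203.0.113.5 line and the e-mail/hash values are constructed placeholders.

```python
import re

# Constructed sample lines modelled on the ones quoted in this issue.
# The hash_id and e-mail address are placeholders, not the real values.
SAMPLE_LOG = """\
79.118.13.xx - - [27/Sep/2020:01:58:24 +0300] "GET /confirm-email?email=office@example.com&hash_id=HASH_PLACEHOLDER HTTP/2.0" 404 117 "-" "Mozilla/5.0" (0.044)
79.118.13.xxx - - [29/Sep/2020:00:02:09 +0300] "POST /wp-admin/admin-ajax.php HTTP/2.0" 200 77 "https://www.example.com/wp-admin/admin.php" "Mozilla/5.0" (0.053)
203.0.113.5 - - [29/Sep/2020:00:02:10 +0300] "GET /webmail/ HTTP/1.1" 404 117 "-" "curl/7.64.1" (0.001)
"""

# Common/combined log format: client IP, request method and path, status code.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# The pattern quoted in the comment, used as an unanchored substring search:
# "confirm-email" contains "mail", so the (ext)?mail alternative matches it.
WEBMAIL_LOOSE = re.compile(r'roundcube|(ext)?mail|horde|(v-?)?webmail')

# Assumed tightened variant for comparison only: require the keyword to be a
# whole path segment, so /confirm-email and ?email= no longer match while a
# probe such as /webmail/ or /roundcube/ still does.
WEBMAIL_STRICT = re.compile(r'/(roundcube|(ext)?mail|horde|(v-?)?webmail)(?=/|\?|$)')


def flagged_ips(log_text, pattern):
    """Return the client IPs whose 4xx request paths match `pattern`, in order.

    Only 4[0-9]{2} responses are considered, following the reporter's reading
    of the sshguard source; 200 responses (like the admin-ajax POSTs) are skipped.
    """
    hits = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # not a CLF line: ignore it rather than fail
        if not m.group('status').startswith('4'):
            continue
        if pattern.search(m.group('path')):
            hits.append(m.group('ip'))
    return hits


if __name__ == '__main__':
    print('loose :', flagged_ips(SAMPLE_LOG, WEBMAIL_LOOSE))   # includes the /confirm-email 404
    print('strict:', flagged_ips(SAMPLE_LOG, WEBMAIL_STRICT))  # only the /webmail/ probe
```

Run it against your own access log to see which 4xx lines the loose pattern picks up; with `sshg-parser` you can confirm the same lines are what sshguard classifies as CLF probes.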
