I have just installed csf+lfd on my Rackspace cloud server (a vanilla LAMP stack running CentOS 6.7). I only tweaked a couple of settings in the default csf.conf file: the ports allowed in TCP_IN and TCP6_IN, and then set RESTRICT_SYSLOG to 3. I also set TESTING to 0. I then installed csf+lfd as a service:
chkconfig --level 235 csf on
service csf restart
The impetus for setting up csf+lfd in the first place was to counter attacks on a WordPress site on this server. The bot was trying to brute force via the xmlrpc.php file. First of all I denied access to this file globally in Apache via:
<FilesMatch "^(xmlrpc\.php|wp-trackback\.php)">
Order Deny,Allow
Deny from all
</FilesMatch>
This seems to work well. I can see lines in the Apache error log like:
[Mon Aug 24 13:19:48 2015] [error] [client 1.2.3.4] client denied by server configuration: /path/to/virtualhost/xmlrpc.php
But there is one bot coming from a particular IP address who hits the xmlrpc.php URL every second for an hour or so at a time. I was hoping that csf+lfd would notice and add the IP address to the deny list, but it hasn't done this. I have the Apache error log in the log file locations section of the csf.conf file:
HTACCESS_LOG = "/var/log/httpd/error_log"
And in the Apache error log, I had about 3600 entries for that IP trying to hit xmlrpc.php over the course of an hour. Yet csf+lfd didn't pick that up.
Being a newbie I'm sure it's something simple I'm missing here. Any help greatly appreciated.
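The following is an added example, not code from the post or from csf/lfd. It shows what a log-driven blocker has to do with the "client denied by server configuration" lines quoted above: parse the Apache 2.2 error_log format, keep a sliding-window count per client address, and emit a `csf -d` deny for any address that crosses a threshold. The thresholds (20 denials in 300 seconds), the address 203.0.113.5 and the sample lines are this example's own constructed inputs, not csf's defaults and not data from the server in question. HTACCESS_LOG in csf.conf only tells lfd where the log lives; it is the LF_APACHE_403 trigger in the same file that makes lfd act on these lines, so that setting is worth checking before writing anything like this yourself.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache 2.2 error_log entry in the format quoted in the post. Apache 2.4
# writes "[client 1.2.3.4:54321]" instead; parse_line() strips that port.
SAMPLE_LINE = ("[Mon Aug 24 13:19:48 2015] [error] [client 1.2.3.4] "
               "client denied by server configuration: /path/to/virtualhost/xmlrpc.php")

LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\] "
    r"\[error\] \[client (?P<ip>[^\]]+)\] "
    r"client denied by server configuration: (?P<path>\S+)"
)


def parse_line(line):
    """Return (timestamp, client_ip, path) for a 'client denied' line, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    # Collapse the space padding Apache uses for single-digit days ("Aug  4").
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%a %b %d %H:%M:%S %Y")
    ip = m.group("ip")
    if ip.count(":") == 1:          # IPv4 address with an Apache 2.4 ":port" suffix
        ip = ip.rsplit(":", 1)[0]
    return ts, ip, m.group("path")


def find_offenders(lines, threshold=20, interval_seconds=300):
    """Sliding-window counter: an IP is reported the first time it reaches
    `threshold` denials within any `interval_seconds` span.
    Returns {ip: datetime_of_trigger}. The defaults are this example's own
    choice, not csf's."""
    window = timedelta(seconds=interval_seconds)
    recent = defaultdict(deque)     # per-IP timestamps still inside the window
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:          # not a denial line: ignore it
            continue
        ts, ip, _path = parsed
        if ip in offenders:         # already flagged, nothing more to learn
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            offenders[ip] = ts
    return offenders


def deny_commands(offenders):
    """'csf -d <ip> [comment]' adds a permanent entry to /etc/csf/csf.deny."""
    return ['csf -d %s "xmlrpc.php flood, triggered %s"'
            % (ip, ts.strftime("%Y-%m-%d %H:%M:%S"))
            for ip, ts in sorted(offenders.items())]


def constructed_log():
    """Constructed sample log: one hit per second from 1.2.3.4 for an hour (the
    pattern described in the post), three scattered hits from a second address,
    and one unrelated error line that the parser must ignore."""
    start = datetime(2015, 8, 24, 13, 19, 48)
    fmt = ("[%a %b %d %H:%M:%S %Y] [error] [client {ip}] "
           "client denied by server configuration: {path}")
    path = "/path/to/virtualhost/xmlrpc.php"
    lines = [(start + timedelta(seconds=i)).strftime(fmt).format(ip="1.2.3.4", path=path)
             for i in range(3600)]
    for i in (5, 900, 3000):
        lines.append((start + timedelta(seconds=i)).strftime(fmt)
                     .format(ip="203.0.113.5", path=path))
    lines.append("[Mon Aug 24 13:20:00 2015] [error] [client 203.0.113.5] "
                 "File does not exist: /path/to/virtualhost/favicon.ico")
    return lines


if __name__ == "__main__":
    for cmd in deny_commands(find_offenders(constructed_log())):
        print(cmd)
```

Run against the constructed log, only 1.2.3.4 is reported, 19 seconds after its first hit (the 20th denial), and 203.0.113.5 with its three spread-out hits never reaches the threshold; the same sliding-window logic applied to the real error_log would tail the file instead of reading a list.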