Someone is attacking my server from different IPs at the same time, and the http-probing scenario does not ban them.
They make requests to my server by its hostname (I do not even know how to make it unavailable to everyone, because it is an auto-generated page by Webuzo cPanel).
Frequently, the request URL contains wp-login, wp-includes, wp-content, so I want to ban the IP as soon as the parser finds this in the logs.
My scenario does not work:
```yaml
#contributed by daria-zadorozhna
type: trigger
name: daria-zadorozhna/http-wp-files
description: "detect wp-files"
debug: false
filter: "evt.Meta.log_type == 'http_access-log' && evt.Meta.http_path contains '/wp-'"
groupby: evt.Meta.source_ip
blackhole: 5m
labels:
  service: http
  type: scan
  remediation: true
```
Could anyone help me write the right scenario?
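An added example (not part of the original post, and not CrowdSec code): a Python sketch that replays constructed access-log lines through the logic the scenario above expresses, namely a `/wp-` substring match on the request path, one bucket per source IP, and a 5-minute silence after each alert. The log format, the regex, the query-string handling and all function names are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in combined access-log format (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /wp-includes/wlwmanifest.xml HTTP/1.1" 404 153 "-" "curl/8.0"
198.51.100.9 - - [10/Mar/2024:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:10:00:04 +0000] "POST /blog/wp-content/plugins/x.php HTTP/1.1" 404 153 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:10:06:00 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "curl/8.0"
"""

# Hypothetical parser for the sample format above; real logs may differ.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<verb>[A-Z]+) (?P<target>\S+) [^"]*"'
)
BLACKHOLE = timedelta(minutes=5)  # mirrors "blackhole: 5m" in the scenario


def parse(line):
    """Return (source_ip, timestamp, path) or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["target"].split("?", 1)[0]  # assumption: match on the path only
    return m["ip"], ts, path


def detect(log_text, needle="/wp-"):
    """Alert on the first matching request per IP, then stay silent for BLACKHOLE."""
    silenced_until = {}  # per-IP state, like "groupby: evt.Meta.source_ip"
    alerts = []
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue  # an unparsed line can never match the filter
        ip, ts, path = parsed
        if needle not in path:
            continue
        if ip in silenced_until and ts < silenced_until[ip]:
            continue  # inside the silence window: no second alert
        alerts.append((ip, ts.strftime("%H:%M:%S"), path))
        silenced_until[ip] = ts + BLACKHOLE
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Lines that fail to parse are skipped silently here, so a log format the regex does not cover produces no alerts at all.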