Can't get to work REGEX.CUSTOM.PM

[Ilia]

How to make CSF react on additional lines in my secure log, such as:

Code: Select all

Mar 19 13:28:49 host webmin[11403]: Invalid login as user1 from 1.1.1.100
Mar 19 13:34:12 host webmin[11799]: Non-existent login as test from 1.1.1.100

How could I block those who failed logging in to Webmin for more than 3 times?

Code: Select all

Mar 19 13:35:11 host webmin[11870]: Successful login as root from 1.1.1.100

How to send an alert email for successful Login to Webmin based on log entries?

Where should I tweak those settings?

[Ilia]

I have finally came up with the correct regex as I believe but I still can't make lfd to block the IP.

I added these lines to /etc/csf/regex.custom.pm and then restart CSF:

Code: Select all

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ webmin\[\d+\]: Invalid login as root from/)) {
               return ("Failed Webmin login from",$1,"webmin","2","80,443","1");
       }

CUSTOM1_LOG is pointing to /var/log/secure

I checked and tried to enter wrong passwords 5-10 times. The line that appears in CUSTOM1_LOG is there and it is:

Code: Select all

Apr  2 00:04:21 host webmin[95720]: Invalid login as root from 13.21.66.24

Still nothing is happening, what else am I missing?

Please help!?

P.S. Example of working regex in Perl can be found here: www . codepad . org/Ug3xJbap

[Ilia]

I have finally solved it! It was my bad as I didn't pay close attention to what was written in the manual of regex.custom.pm as follows:

only used if LF_SELECT enabled
only used if LF_TRIGGER is disabled

If you leave LF_TRIGGER greater than 0 then the custom log feature is not working!

Best wishes,
Ilia

[tecknaltd]

well done