LF_SELECT and regex.custom

Ilia
Junior Member
Posts: 98
Joined: 09 Feb 2013, 08:47

LF_SELECT and regex.custom

Post by Ilia »

I have been testing it for hours and now can surely say it's not working the expected way.

I have the following in regex.custom

Code:

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[error\] \[client (\S+)\] user (\S*) not found:/)) {
    return ("Failed domain.org directory authentication from",$1,"DomainOrgUserNotFound","3","80,443","604800");
}

Despite the port settings in regex.custom, I always have the following line in csf.tempban:

Code:

1392112469|1.2.3.4|*|in|604800|lfd - (DomainOrgUserNotFound) Failed domain.org directory authentication from 1.2.3.4

Which later results in an iptables error, for example when removing the temp entry with the -tr option:

Code:

iptables v1.4.7: invalid port/service `alerts' specified
Try `iptables -h' or 'iptables --help' for more information.

EDIT 1:
If you disable LF_SELECT, then it works properly, getting || for the ports.

Please be kind enough to look at this thoroughly and fix it as soon as possible!
Ilia
Junior Member
Posts: 98
Joined: 09 Feb 2013, 08:47

Re: LF_SELECT and regex.custom

Post by Ilia »

In case I edit /usr/sbin/lfd and change:

From:

Code:

unless ($config{LF_TRIGGER}) {$apps = $app}

To:

Code:

unless (!$config{LF_TRIGGER}) {$apps = $app}

Then the problem seems to be solved and custom port blocking starts working! Is that it? Or is it going to break something else? It shouldn't, right?

EDIT 1:

But the comma-separated list doesn't seem to work? It looks like it gets the ports not from regex.custom but blocks the referred port. (Kind of right, but not the way it was planned.)

EDIT 2:

No, the above solution works incorrectly.
ForumAdmin
Moderator
Posts: 1524
Joined: 01 Oct 2008, 09:24

Re: LF_SELECT and regex.custom

Post by ForumAdmin »

I was unable to recreate a problem with this. Using a custom regex in /etc/csf/regex.custom.pm of:

Code:

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /bob (.*)/)) {
    return ("Failed bobmatch login from",$1,"bobmatch","3","5,6,7,8","3600");
}

Logging the lines 3 times:

Code:

bob 2.3.4.5

Produced the following in /var/lib/csf/csf.tempban:

Code:

root@homer [~]# cat /var/lib/csf/csf.tempban
1392155079|2.3.4.5|5,6,7,8|in|3600|lfd - (bobmatch) Failed bobmatch login from 2.3.4.5 (FR/France/Rhone-Alpes/Oyonnax/ALyon-651-1-21-5.w2-3.abo.wanadoo.fr): 3 in the last 3600 secs

Together with a log line in lfd.log of:

Code:

Feb 11 21:44:39 homer lfd[17681]: (bobmatch) Failed bobmatch login from 2.3.4.5 (FR/France/Rhone-Alpes/Oyonnax/ALyon-651-1-21-5.w2-3.abo.wanadoo.fr): 3 in the last 3600 secs - *Blocked in csf* for 3600 secs [LF_CUSTOMTRIGGER]

Do ensure that you have LF_SELECT set to 1 and LF_TRIGGER set to 0. Otherwise, I do not know why it is not working for you.
Ilia
Junior Member
Posts: 98
Joined: 09 Feb 2013, 08:47

Re: LF_SELECT and regex.custom

Post by Ilia »

Hmm. Not sure at all now! I tried that so many times, and for sure LF_SELECT was set to 1 and LF_TRIGGER set to 0.

The only remaining possibility is that the regex I used was wrong?

Have you tried my example with httpd? It was originally taken from the csf distro regex file.

Is there some csf/lfd cache that could be cleared?
ForumAdmin
Moderator
Posts: 1524
Joined: 01 Oct 2008, 09:24

Re: LF_SELECT and regex.custom

Post by ForumAdmin »

I would need an example log line that is meant to trigger your custom rule to investigate any further. Also, do check your /etc/csf/regex.custom.pm and ensure that you don't have multiple checks in there, just in case it is trapping an older one.
Ilia
Junior Member
Posts: 98
Joined: 09 Feb 2013, 08:47

Re: LF_SELECT and regex.custom

Post by Ilia »

Probably I had duplicates? Please take a look:

Log trigger is:

Code:

[Tue Feb 11 15:06:54 2014] [error] [client 1.2.3.4] user Test not found: /

Content of regex.custom.pm:

Code:

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[error\] \[client (\S+)\] user (\S*) not found:/)) {
    return ("Failed domain.org directory authentication from",$1,"DomainOrgUserNotFound","3","80,443","604800");
}

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[error\] \[client (\S+)\] user (\S*): authentication failure for/)) {
    return ("Failed domain.org directory authentication from",$1,"DomainOrgAuthenticationFailure","3","80,443","604800");
}
ForumAdmin
Moderator
Posts: 1524
Joined: 01 Oct 2008, 09:24

Re: LF_SELECT and regex.custom

Post by ForumAdmin »

I am still unable to recreate the problem you are seeing.

I added the following to /etc/csf/regex.custom.pm:

Code:

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[error\] \[client (\S+)\] user (\S*) not found:/)) {
    return ("Failed domain.org directory authentication from",$1,"DomainOrgUserNotFound","3","80,443","604800");
}

Then set LF_SELECT to 1 and LF_TRIGGER to 0 and restarted lfd. Adding the following log line 3 times:

Code:

[Tue Feb 11 15:06:54 2014] [error] [client 11.2.3.4] user Test not found: /

Resulted in a block in /var/lib/csf/csf.tempban of:

Code:

1392305696|11.2.3.4|80,443|in|604800|lfd - (DomainOrgUserNotFound) Failed domain.org directory authentication from 11.2.3.4 (US/United States/Ohio/Columbus/-): 3 in the last 3600 secs

and a log line in /var/log/lfd.log of:

Code:

Feb 13 15:34:56 homer lfd[249074]: (DomainOrgUserNotFound) Failed domain.org directory authentication from 11.2.3.4 (US/United States/Ohio/Columbus/-): 3 in the last 3600 secs - *Blocked in csf* for 604800 secs [LF_CUSTOMTRIGGER]
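The reproduction above hinges on two things a reader can check offline before touching a live lfd: whether the custom regex actually matches the Apache error line, and whether the resulting csf.tempban entry carries the requested port list ("80,443") rather than "*". The following is an added example, not code from the thread or from the csf project; the two patterns are copied from the regex.custom.pm snippets in this thread, the log lines and tempban entries are constructed samples, and the rule table and function names are the example's own.

```python
import re

# Patterns copied from the regex.custom.pm snippets in this thread (Perl and
# Python regex syntax agree for these). Group 1 is the client IP, group 2 the user.
APACHE_USER_NOT_FOUND = re.compile(
    r"^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[error\] \[client (\S+)\] user (\S*) not found:"
)
APACHE_AUTH_FAILURE = re.compile(
    r"^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[error\] \[client (\S+)\] user (\S*): authentication failure for"
)

# (pattern, trigger name, ports, ttl): mirrors the tuple each regex.custom.pm
# check returns. This table is the example's own, not lfd's data structure.
CUSTOM_RULES = [
    (APACHE_USER_NOT_FOUND, "DomainOrgUserNotFound", "80,443", 604800),
    (APACHE_AUTH_FAILURE, "DomainOrgAuthenticationFailure", "80,443", 604800),
]

# Extracts the trigger name from the comment field of a csf.tempban line,
# e.g. "lfd - (DomainOrgUserNotFound) Failed ..." -> "DomainOrgUserNotFound".
TRIGGER_IN_COMMENT = re.compile(r"lfd - \((\S+)\) ")


def match_custom_rule(line):
    """Return (trigger, ip, ports, ttl) for the first rule matching the log line, else None."""
    for pattern, trigger, ports, ttl in CUSTOM_RULES:
        m = pattern.match(line)
        if m:
            return (trigger, m.group(1), ports, ttl)
    return None


def parse_tempban(entry):
    """Parse one csf.tempban line of the form epoch|ip|ports|direction|ttl|comment."""
    fields = entry.rstrip("\n").split("|", 5)
    if len(fields) != 6:
        raise ValueError("unexpected csf.tempban format: %r" % entry)
    epoch, ip, ports, direction, ttl, comment = fields
    return {
        "epoch": int(epoch),
        "ip": ip,
        "ports": ports,
        "direction": direction,
        "ttl": int(ttl),
        "comment": comment,
    }


def tempban_consistent(entry):
    """True when the entry's port list equals what its custom trigger asked for.

    A "*" in the ports field (a block on all ports) is the symptom reported in
    this thread, and it makes this return False.
    """
    ban = parse_tempban(entry)
    m = TRIGGER_IN_COMMENT.search(ban["comment"])
    if not m:
        return False
    expected = {trigger: ports for _, trigger, ports, _ in CUSTOM_RULES}.get(m.group(1))
    return expected is not None and ban["ports"] == expected


# Constructed sample input: two Apache error lines and one unrelated line.
SAMPLE_LOG = [
    "[Tue Feb 11 15:06:54 2014] [error] [client 1.2.3.4] user Test not found: /",
    '[Tue Feb 11 15:07:10 2014] [error] [client 1.2.3.4] user bob: authentication failure for "/": Password Mismatch',
    "[Tue Feb 11 15:07:11 2014] [notice] Apache configured -- resuming normal operations",
]

# Constructed tempban entries modelled on the two shown in this thread:
# the broken one ("*", all ports) and the expected one ("80,443").
BAD_TEMPBAN = "1392112469|1.2.3.4|*|in|604800|lfd - (DomainOrgUserNotFound) Failed domain.org directory authentication from 1.2.3.4"
GOOD_TEMPBAN = "1392305696|11.2.3.4|80,443|in|604800|lfd - (DomainOrgUserNotFound) Failed domain.org directory authentication from 11.2.3.4 (US/United States/Ohio/Columbus/-): 3 in the last 3600 secs"


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(match_custom_rule(line))
    for entry in (BAD_TEMPBAN, GOOD_TEMPBAN):
        print(parse_tempban(entry)["ports"], tempban_consistent(entry))
```

Running the script prints the matched trigger and IP for the two error lines and None for the notice line, then "* False" for the entry with a wildcard port field and "80,443 True" for the one that honoured the rule; feeding your own /var/lib/csf/csf.tempban lines to tempban_consistent is a quick way to tell whether a block was limited to the ports the rule requested.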
Ilia
Junior Member
Posts: 98
Joined: 09 Feb 2013, 08:47

Re: LF_SELECT and regex.custom

Post by Ilia »

Maybe then it's because I had two entries for CUSTOM_LOG1?

What happens if you do:

Code:

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[error\] \[client (\S+)\] user (\S*) not found:/)) {
    return ("Failed domain.org directory authentication from",$1,"DomainOrgUserNotFound","3","80,443","604800");
}

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[error\] \[client (\S+)\] user (\S*): authentication failure for/)) {
    return ("Failed domain.org directory authentication from",$1,"DomainOrgAuthenticationFailure","3","80,443","604800");
}