Hi all,
I installed csf on a fresh server, without cpanel or webmin, and I'm using it correctly. LFD seems to work fine, and the SMTP login failures part of csf too.
The problem is when activating the option:
LF_APACHE_404 = "100"
LF_APACHE_404_PERM = "600"
I receive a lot of 404 errors (maybe a DoS attack) but csf doesn't ban the ip.
How does csf block the IP? What criteria does csf follow? Maybe my access_log is being recorded in a different way and csf doesn't detect the 404 errors (which are being logged), like this:
xx.xx.xx.xx - - [11/Jul/2014:18:26:33 +0200] "POST /dir/file.php HTTP/1.1" 404 42120 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"
xxx.xx.xxx.xxx - - [11/Jul/2014:18:26:33 +0200] "GET /dir2/file2.bin HTTP/1.1" 404 41561 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)"
Thanks a lot for your help.
LF_APACHE_404 doesn't block
Re: LF_APACHE_404 doesn't block
I have the same issue. The csf firewall still does not block.
I use the custom regex file and set the regex like this:
# The IP must be the first capture group so that $1 holds the address to block.
if (($lgfile eq $config{CUSTOM3_LOG}) and ($line =~ /^(\d+\.\d+\.\d+\.\d+)\s+\S+\s+\S+ \[.*\] ".*" \d+ (?:297|9359|300|279) ".*" ".*"/)) {
    return ("deny ",$1,"ddos","1","8080,80","1");
}
CUSTOM3_LOG is /var/log/httpd/accesslog
Re: LF_APACHE_404 doesn't block
I have the same issue.
Is any special custom regex needed for this to work?
33.33.33.33 - - [1/Aug/2022:09:50:00 +0100] "GET /test HTTP/1.1" 404 518 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
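
Added example, not part of any post in this thread and not csf code: a stand-alone Python check that parses access-log lines like the ones quoted above and reports which source IPs reach a 404 limit inside a time window, plus how many lines failed to parse. The log pattern, the per-IP counting, the `window_s` parameter and the sample lines are assumptions constructed for illustration; only the limit of 100 comes from the `LF_APACHE_404` value in the first post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed Combined Log Format pattern (not csf's own regex).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?:[^"\\]|\\.)*" (?P<status>\d{3}) (?:\d+|-)'
)

def parse(line):
    """Return (ip, timestamp, status), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return m["ip"], ts, int(m["status"])

def offenders(lines, limit, window_s):
    """Return (IPs with >= limit 404s within window_s seconds, unparsed count)."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent 404s
    hit, unparsed = set(), 0
    for line in lines:
        rec = parse(line)
        if rec is None:
            unparsed += 1         # a high count here means the format differs
            continue
        ip, ts, status = rec
        if status != 404:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()           # drop 404s that fell out of the window
        if len(q) >= limit:
            hit.add(ip)
    return hit, unparsed

def sample(ip, n):
    """Constructed test data: n 404 lines from ip, one second apart."""
    return [f'{ip} - - [11/Jul/2014:18:{i // 60:02d}:{i % 60:02d} +0200] '
            f'"GET /missing{i} HTTP/1.1" 404 512 "-" "constructed-agent"'
            for i in range(n)]

if __name__ == "__main__":
    lines = sample("192.0.2.10", 100) + sample("198.51.100.7", 99) + ["not a log line"]
    print(offenders(lines, limit=100, window_s=3600))
```

Under the per-IP assumption, requests spread across many addresses never reach the limit for any single one, and a non-zero unparsed count points to a log format the pattern does not cover.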