I'm using OpenLiteSpeed (latest version) with CentOS 7.
I'd like to block offending IPs, but it sounds like, following this viewtopic.php?t=9447, I'm unable to do that.
I've configured OpenLiteSpeed to put logs in the form of vhost1.access.log, vhost2.access.log in /usr/local/lsws/logs/vhosts/
Here's an example
444.444.444.155 - - [09/Apr/2017:04:43:55 +0200] "GET /xmlrpc.php HTTP/1.1" 404 655 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1" "mydomain.com,"
444.209.444.155 - - [09/Apr/2017:04:43:55 +0200] "GET /wp-login.php HTTP/1.1" 200 1127 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1" "anotherdomain.com"
I've tried this in /usr/local/csf/bin/regex.custom.pm:
# XMLRPC
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/xmlrpc\.php.*" /)) {
    return ("your ban comment",$1,"XMLRPCorWHATEVER","3","80,443,21,25,22,23","1");
}
# WP-LOGINS
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
    return ("your ban comment",$1,"WPLOGINorWHATEVER","3","80,443,21,25,22,23","1");
}
LF_TRIGGER_PERM = "3600"
For CUSTOM2_LOG I've tried both of these without success:
CUSTOM2_LOG = "/usr/local/lsws/logs/vhosts/vhost1.access.log"
and after
CUSTOM2_LOG = "/usr/local/lsws/logs/vhosts/*/*"
What am I doing wrong? Could you possibly point me in the right direction with regex.custom.pm? I'm pretty sure something is messed up there because the line is slightly different from Apache.
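
Added example, not part of the original post and not code from the CSF project: a stand-alone Perl harness that runs the two patterns from the post against the two sample log lines, so the regex can be checked separately from the CUSTOM2_LOG setting. The names check_line and @rules and the third log line are constructed for this illustration; the harness does not exercise the $globlogs{CUSTOM2_LOG}{$lgfile} condition.

```perl
#!/usr/bin/perl
# Added example: offline check of the two patterns from the post.
use strict;
use warnings;

# First two lines are the samples from the post (addresses are the post's
# own placeholder values). The third is a constructed negative case.
my @lines = (
    '444.444.444.155 - - [09/Apr/2017:04:43:55 +0200] "GET /xmlrpc.php HTTP/1.1" 404 655 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1" "mydomain.com,"',
    '444.209.444.155 - - [09/Apr/2017:04:43:55 +0200] "GET /wp-login.php HTTP/1.1" 200 1127 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1" "anotherdomain.com"',
    '444.444.444.155 - - [09/Apr/2017:04:44:01 +0200] "GET /index.php HTTP/1.1" 200 512 "-" "-" "mydomain.com"',
);

# Same regular expressions as in the post, paired with a label (hypothetical names).
my @rules = (
    [ 'XMLRPC',   qr/(\S+).*] "\w*(?:GET|POST) \/xmlrpc\.php.*" / ],
    [ 'WP-LOGIN', qr/(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" / ],
);

# Return (rule label, captured first field) for the first rule that matches,
# or an empty list when no rule matches.
sub check_line {
    my ($line) = @_;
    for my $rule (@rules) {
        my ($name, $re) = @$rule;
        if (my ($ip) = $line =~ $re) {
            return ($name, $ip);
        }
    }
    return;
}

for my $line (@lines) {
    my ($name, $ip) = check_line($line);
    if (defined $name) {
        printf "%-8s matched, captured: %s\n", $name, $ip;
    }
    else {
        printf "no rule matched: %s...\n", substr($line, 0, 60);
    }
}
```

If both sample lines report a match with the client address as the captured value, the pattern itself handles the OpenLiteSpeed line format, and the remaining things to check are the CUSTOM2_LOG path and whether the log-file condition in regex.custom.pm is true for that file.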