Hi
I'm in the process of moving from Apache to Nginx, but I can't seem to get the new regex rules working for Nginx.
My rule for 404 flood detection is here:
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /.*No such file or directory\), client: (\S+),.*/)) {
return ("NGINX Security rule triggered from",$1,"nginx_404s","4","80,443","86400");
}
An example log is here:
2020/03/08 16:56:00 [error] 5064#0: *48847 open() "/home/*/public_html/server/install/error404" failed (2: No such file or directory), client: 127.0.0.1, server: *, request: "GET /install/error404 HTTP/2.0", host: "*"
I've replaced some stuff with *'s, and the IP address for privacy, but for some reason, this log entry does not validate against the rule. It validates on https://regex101.com/
CUSTOM1_LOG is also pointing to /var/log/nginx/error.log which is the correct log file location.
The LFD log shows no errors either and shows it is watching the file: Mar 8 16:42:48 web-2 lfd[10494]: Watching /var/log/nginx/error.log...
Any suggestions?
Thanks in advance.
Nginx regex rules
Re: Nginx regex rules
(Just to note as well, my IP address that I'm testing with isn't in /etc/csf/csf.ignore)
Re: Nginx regex rules
Hi all,
For anyone else having the same issue. I managed to resolve it.
As mentioned previously, my regex rule was validating fine on regex101.com, and validated on grep fine too.
LFD log also showed it was watching log file.
I basically uninstalled CSF/LFD, reinstalled, and set everything back up in csf.conf and now it works fine. No idea why it never worked but worth a try if anyone else is getting an issue that's similar.
Thanks
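An added example, not part of the original posts and not CSF's own code: a stand-alone Perl harness that runs the rule from the first post against the sample log line outside LFD, so the regex and the log-file check can be tested separately. The `%globlogs` table and the `custom_line` wrapper are assumptions standing in for what LFD sets up from csf.conf, and the second and third test lines are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: stand-in for the table LFD builds from csf.conf, keyed by
# setting name and then by the exact log file path.
our %globlogs = (CUSTOM1_LOG => { '/var/log/nginx/error.log' => 1 });

# Same condition and return list as the rule in the first post.
sub custom_line {
    my ($line, $lgfile) = @_;
    if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /.*No such file or directory\), client: (\S+),.*/)) {
        return ("NGINX Security rule triggered from",$1,"nginx_404s","4","80,443","86400");
    }
    return;
}

# Each case: log path, expected result (1 = rule fires), log line.
my @cases = (
    # Sample line from the first post.
    [ '/var/log/nginx/error.log', 1, '2020/03/08 16:56:00 [error] 5064#0: *48847 open() "/home/*/public_html/server/install/error404" failed (2: No such file or directory), client: 127.0.0.1, server: *, request: "GET /install/error404 HTTP/2.0", host: "*"' ],
    # Constructed: a different nginx error that must not trigger the rule.
    [ '/var/log/nginx/error.log', 0, '2020/03/08 16:56:01 [error] 5064#0: *48848 access forbidden by rule, client: 127.0.0.1, server: *, request: "GET /.env HTTP/2.0", host: "*"' ],
    # Constructed: a matching line read from a path that is not registered.
    [ '/var/log/nginx/access.log', 0, 'failed (2: No such file or directory), client: 127.0.0.1, server: *' ],
);

my $failed = 0;
for my $case (@cases) {
    my ($lgfile, $expect, $line) = @$case;
    my @hit = custom_line($line, $lgfile);
    my $got = @hit ? 1 : 0;
    # A hit only counts if the captured client looks like an IPv4 address.
    $got = 0 if $got and $hit[1] !~ /^\d{1,3}(?:\.\d{1,3}){3}$/;
    printf "%-4s %s -> %s\n", ($got == $expect ? 'ok' : 'FAIL'), $lgfile, ($hit[1] // 'no match');
    $failed++ if $got != $expect;
}
exit($failed ? 1 : 0);
```

If all three lines print `ok`, the regex and the path check behave as intended and the problem lies in the LFD installation or configuration rather than in the rule.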