
Blocking offending IPs in OpenLitespeed

Posted: 09 Apr 2017, 03:58
by JohnnyMat
Hello

I'm using OpenLitespeed (latest version) with CentOS 7.
I'd like to block offending IPs, but it sounds like, following viewtopic.php?t=9447, I'm unable to do that.

I've configured OpenLitespeed to put logs in the form of vhost1.access.log, vhost2.access.log in /usr/local/lsws/logs/vhosts/

Here's an example:

444.444.444.155 - - [09/Apr/2017:04:43:55 +0200] "GET /xmlrpc.php HTTP/1.1" 404 655 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1" "mydomain.com,"
444.209.444.155 - - [09/Apr/2017:04:43:55 +0200] "GET /wp-login.php HTTP/1.1" 200 1127 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1" "anotherdomain.com"

I've tried this in /usr/local/csf/bin/regex.custom.pm

Code:

# XMLRPC: count every GET/POST for /xmlrpc.php against the source IP in $1
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/xmlrpc\.php.*" /)) {
    # (ban comment, IP, trigger name, trigger count, ports to block, block setting: "1" = permanent)
    return ("your ban comment",$1,"XMLRPCorWHATEVER","3","80,443,21,25,22,23","1");
}

# WP-LOGINS: same for /wp-login.php
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/wp-login\.php.*" /)) {
    return ("your ban comment",$1,"WPLOGINorWHATEVER","3","80,443,21,25,22,23","1");
}
In /etc/csf/csf.conf I have

LF_TRIGGER_PERM = "3600"

For CUSTOM2_LOG I've tried both of these without success:

CUSTOM2_LOG = "/usr/local/lsws/logs/vhosts/vhost1.access.log"

and then

CUSTOM2_LOG = "/usr/local/lsws/logs/vhosts/*/*"

What am I doing wrong? Could you point me in the right direction with regex.custom.pm? I'm pretty sure something is messed up there, because the line is slightly different from Apache's.

Re: Blocking offending IPs in OpenLitespeed

Posted: 09 Apr 2017, 05:56
by Sergio
I don't think your regex will work, as your log line is:
444.444.444.155 - - [09/Apr/2017:04:43:55 +0200] "GET /xmlrpc.php HTTP/1.1" 404 655 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1" "mydomain.com,"

and the regex that you wrote does not match the log line. Try this one; it will match:

Code:

# Match "IP - - [...] "GET /xmlrpc.php HTTP/1.1" 404 ..." and capture the IP in $1;
# the trailing " 404 " (with spaces) ties the rule to the status code field only
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+)\s\-\s\-.*GET \/xmlrpc\.php HTTP.* 404 /)) {
    # (ban comment, IP, trigger name, trigger count, ports to block, block setting: "1" = permanent)
    return ("your ban comment",$1,"XMLRPCorWHATEVER","3","80,443,21,25,22,23","1");
}
To check your rules, go to www.regexpal.com, paste the regex and some of the log lines there, and it will show you whether the regex matches.
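An offline way to do the same check Sergio suggests, as an added example that is not part of the thread and not csf's or lfd's own code: a small Python harness that runs the xmlrpc rule above (and a wp-login variant written in the same style, an assumption of mine) over constructed OpenLiteSpeed-format log lines with made-up IPs, captures the IP the way $1 does in regex.custom.pm, and counts hits per trigger name up to the trigger count of 3 used in the thread. Python's re engine handles these particular patterns identically to Perl's, so a pattern that fails here will fail in lfd too. What the harness deliberately leaves out is lfd's LF_INTERVAL time window: real lfd only counts hits that fall within that interval, whereas this counts every line it is given.

```python
import re
from collections import Counter

# Constructed sample lines in the vhost access-log format quoted in the thread.
# IPs are documentation addresses, not real offenders.
SAMPLE_LOG = """\
203.0.113.155 - - [09/Apr/2017:04:43:55 +0200] "GET /xmlrpc.php HTTP/1.1" 404 655 "-" "Mozilla/5.0" "mydomain.com,"
203.0.113.155 - - [09/Apr/2017:04:43:56 +0200] "GET /xmlrpc.php HTTP/1.1" 404 655 "-" "Mozilla/5.0" "mydomain.com,"
203.0.113.155 - - [09/Apr/2017:04:43:57 +0200] "GET /xmlrpc.php HTTP/1.1" 404 655 "-" "Mozilla/5.0" "mydomain.com,"
198.51.100.7 - - [09/Apr/2017:04:44:01 +0200] "POST /wp-login.php HTTP/1.1" 200 1127 "-" "Mozilla/5.0" "anotherdomain.com"
198.51.100.7 - - [09/Apr/2017:04:44:02 +0200] "POST /wp-login.php HTTP/1.1" 200 1127 "-" "Mozilla/5.0" "anotherdomain.com"
192.0.2.9 - - [09/Apr/2017:04:45:00 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "mydomain.com"
"""

# Sergio's xmlrpc pattern verbatim, plus an assumed wp-login pattern in the same
# style. Keys are the trigger names used in the thread.
RULES = {
    "XMLRPCorWHATEVER": re.compile(r'(\S+)\s\-\s\-.*GET \/xmlrpc\.php HTTP.* 404 '),
    "WPLOGINorWHATEVER": re.compile(r'(\S+)\s\-\s\-.*(?:GET|POST) \/wp-login\.php HTTP.* 200 '),
}

# The "3" in the return list of regex.custom.pm: hits needed before a block.
TRIGGER_COUNT = 3


def match_line(line):
    """Return (trigger_name, ip) for the first rule that matches, else None.

    Mirrors the if/return chain in regex.custom.pm: the first rule whose regex
    matches wins, and group 1 is what lfd receives as $1 (the IP).
    """
    for name, rx in RULES.items():
        m = rx.search(line)
        if m:
            return name, m.group(1)
    return None


def scan(log_text):
    """Count matches per trigger name and per IP over every line of log_text.

    This is lfd's per-trigger counter without the LF_INTERVAL time window.
    """
    hits = {name: Counter() for name in RULES}
    for line in log_text.splitlines():
        result = match_line(line)
        if result:
            name, ip = result
            hits[name][ip] += 1
    return hits


def blocks(log_text, trigger_count=TRIGGER_COUNT):
    """List (ip, trigger_name) pairs that reached the trigger count, sorted."""
    out = []
    for name, counter in scan(log_text).items():
        for ip, n in counter.items():
            if n >= trigger_count:
                out.append((ip, name))
    return sorted(out)


if __name__ == "__main__":
    for name, counter in scan(SAMPLE_LOG).items():
        print(name, dict(counter))
    print("would block:", blocks(SAMPLE_LOG))
```

Two things worth checking with a harness like this before enabling a rule: that an ordinary page hit (the /index.php line above) matches nothing, and that a rule keyed on any request to wp-login.php also counts the site owner's own logins, so the admin's address belongs in csf.allow before such a rule goes live.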

Re: Blocking offending IPs in OpenLitespeed

Posted: 09 Apr 2017, 07:11
by JohnnyMat
Edit

10 stars for your reply.
Everything is working.
Right now I'm checking:

xxx.xxx.xxx.x # lfd: (XMLRPCorWHATEVER) xmlrpc WP ban xxx.xxx.xx (NL/Netherlands/-): 3 in the last 3600 secs - Sun Apr 9 11:52:06 2017
xxx.xxx.xx.xx # lfd: (WPLOGINorWHATEVER) wp-login.php WP ban xxx.xxx.xxx (TW/Taiwan/xxx.xx.xxnet.tw):

Re: Blocking offending IPs in OpenLitespeed

Posted: 09 Apr 2017, 09:15
by msfh
OK, thanks. I read your answer and solved my problem.