Custom Logs not triggering CloudFlare block
Posted: 17 Jan 2018, 04:40
Hello,
I noticed that CSF now supports blocking at the CloudFlare level, which is great. However, I'm trying to use a custom log with a custom regex to trigger a block in CloudFlare and this doesn't seem to be working.
I've tried with it set as a permanent block and a temporary block but neither of these are triggering the API call to CloudFlare. I'm not using cPanel, just plain CentOS.
I have my custom rules triggering correctly and showing in my logs and getting emails stating they've been activated but then I check CloudFlare and nothing is appearing in there. I've tested the API connection to CloudFlare on the command line with csf --cloudflare function and these are all working.
Below is a sample from the config changes I've made, to get this all working.
- Installed LWP (requirement for CloudFlare)
- In /etc/csf/csf.conf, modify:
  - URLGET: 1 to 2
  - CF_ENABLE: 0 to 1
  - CF_TEMP: 3600 to 86400
  - LF_TRIGGER: "0" to "10" (Trigger custom rule after this many login failure/custom log attempts/entries)
  - LF_TRIGGER_PERM = "86400"
  - CUSTOM1_LOG: "/var/log/customlog" to "/var/log/httpd/sites_access_log"
- Set CloudFlare settings in /etc/csf/csf.cloudflare
  - DOMAIN:any:USER:--linux_username---:CFACCOUNT:--Cloudflare_username--:CFAPIKEY:--Cloudflare_API_KEY--
Jan 17 15:01:21 sstd lfd[13728]: (CustLoginFailMyApp) MyApp Login Failure 49.195.194.247 (AU/Australia/pa49-195-194-247.pa.nsw.optusnet.com.au): 10 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Jan 17 15:09:58 sstd lfd[14685]: (CustLoginFailMyApp) MyApp Login Failure 49.195.194.247 (AU/Australia/pa49-195-194-247.pa.nsw.optusnet.com.au): 10 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Jan 17 15:12:31 sstd lfd[15039]: (CustLoginFailMyApp) MyApp Login Failure 49.195.194.247 (AU/Australia/pa49-195-194-247.pa.nsw.optusnet.com.au): 10 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
Jan 17 15:15:25 sstd lfd[15465]: (CustLoginFailMyApp) MyApp Login Failure 49.195.194.247 (AU/Australia/pa49-195-194-247.pa.nsw.optusnet.com.au): 10 in the last 3600 secs - *Blocked in csf* for 86400 secs [LF_TRIGGER]
I have since removed from the local csf with csf -dr and csf -tr after I checked they were not present in CloudFlare.
My custom regex is similar to this:
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*"GET \/index\.php\/(site\/login).*" (401|403)/))
{
    return ("MyApp Login Failure",$1,"CustLoginFailMyApp","80,443",86400)
}
Is there a simple configuration problem I have here or do Custom Logs not trigger CloudFlare blocks, or do I need to include something else inside the regex match before returning, or do I need to return different parameters to the function in return on the custom regex?
Thanks in advance
Regards
Todd
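An added example, not part of the original post and not CSF's own code: a standalone Perl harness that runs the posted rule against constructed access-log lines and reports what $1 captures and whether that value is a valid IPv4 address, which is worth checking before a rule's result is used as a block target. The custom_rule and is_ipv4 subs, the stand-in %globlogs and $lgfile values, and the sample lines are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-ins for the variables the rule reads (assumed, not lfd's own code).
my $lgfile   = "/var/log/httpd/sites_access_log";
my %globlogs = (CUSTOM1_LOG => { $lgfile => 1 });

# The rule from the post, wrapped in a hypothetical sub so it can run outside lfd.
sub custom_rule {
    my ($line) = @_;
    if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*"GET \/index\.php\/(site\/login).*" (401|403)/)) {
        return ("MyApp Login Failure", $1, "CustLoginFailMyApp", "80,443", 86400);
    }
    return;    # empty list: the line did not match
}

# Strict dotted-quad check: exactly four decimal octets, each 0-255.
sub is_ipv4 {
    my ($s) = @_;
    my @octets = $s =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/;
    return 0 unless @octets == 4;
    return (grep { $_ > 255 } @octets) ? 0 : 1;
}

# Constructed sample lines (documentation address and host name, not taken from the post).
my @samples = (
    [ "failed login",   '203.0.113.7 - - [17/Jan/2018:15:01:20 +1100] "GET /index.php/site/login HTTP/1.1" 401 512' ],
    [ "normal request", '203.0.113.7 - - [17/Jan/2018:15:01:25 +1100] "GET /index.php/site/login HTTP/1.1" 200 2048' ],
    # A log format that puts the virtual host first: the unanchored (\S+) captures
    # the host name rather than the client address.
    [ "vhost-prefixed", 'www.example.com 203.0.113.7 - - [17/Jan/2018:15:01:30 +1100] "GET /index.php/site/login HTTP/1.1" 403 512' ],
);

for my $sample (@samples) {
    my ($label, $line) = @$sample;
    my @ret = custom_rule($line);
    if (!@ret) {
        printf "%-15s no match\n", $label;
        next;
    }
    printf "%-15s capture=%s valid_ipv4=%s returned_fields=%d\n",
        $label, $ret[1], (is_ipv4($ret[1]) ? "yes" : "no"), scalar @ret;
}
```

The returned_fields count makes it easy to compare the rule's return list against the format documented in the comments of the regex.custom.pm shipped with the installed CSF version.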