Custom REGEX not triggering ip block

Posted: 26 Jan 2018, 09:18
by adhy
Hi Guys,

I'm trying to set up a custom regex for Nextcloud login failure detection. It is not working (triggering when I try to log in >5 times with incorrect credentials):

I have set up /var/www/nextcloud/data/nextcloud.log as CUSTOM1_LOG. lfd says it is watching the file, and entries look like this:

Code:

{"reqId":"jh3hXB9cFRzocSjYGbPL","level":2,"time":"2018-01-26T09:09:31+00:00","remoteAddr":"1.2.3.4","user":"--","app":"core","method":"HEAD","url":"\/remote.php\/webdav","message":"Login failed: 'hdhs' (Remote IP: '1.2.3.4')","userAgent":"Mozilla\/5.0 (iOS) Nextcloud-iOS\/2.19.1","version":"12.0.4.3"}

My regex.custom.pm has these lines:

Code:

# Nextcloud Login_Failed - 5 attempts in the last hour
        if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\{"reqId":".*","level":.*,"time":".*","remoteAddr":".*","user":"--","app":"core","method":".*","url":".*","message":"Login failed: (\S+) \(Remote IP: '(\S+)'\)","userAgent":".*","version":".*"\}$/)) {
                   return ("Incorrect password for $1 ",$2,"Nextcloud_Login_failed","5","","3600");
        }

But, as said, nothing is blocked...

Help?

Re: Custom REGEX not triggering ip block

Posted: 30 Jan 2018, 09:53
by adhy
Never mind, I solved it. I was looking at the wrong log :o

Either way, in case someone else is interested: this regex line works fine for Nextcloud.
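
Added example, not part of the original posts: a standalone Perl harness that runs the rule from the first post against the sample log entry, so the regex can be checked separately from which file lfd is watching. The `check_line` wrapper, the stand-in `%globlogs` and `$lgfile` values, and the second log line are constructed for this test.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Stand-ins for the variables lfd supplies (assumed values for this test).
my $lgfile   = '/var/www/nextcloud/data/nextcloud.log';
my %globlogs = (CUSTOM1_LOG => { $lgfile => 1 });

# Hypothetical wrapper; the rule inside is copied unchanged from the post.
sub check_line {
    my ($line) = @_;
    if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\{"reqId":".*","level":.*,"time":".*","remoteAddr":".*","user":"--","app":"core","method":".*","url":".*","message":"Login failed: (\S+) \(Remote IP: '(\S+)'\)","userAgent":".*","version":".*"\}$/)) {
        return ("Incorrect password for $1 ",$2,"Nextcloud_Login_failed","5","","3600");
    }
    return;    # empty list: the line does not count towards a block
}

# Feed each sample line through the rule and show what lfd would receive.
while (my $line = <DATA>) {
    chomp $line;
    my @hit = check_line($line);
    if (@hit) {
        # Fields: reason, IP, rule id, trigger count, ports, block seconds
        printf "MATCH    ip=%s id=%s trigger=%s seconds=%s reason=%s\n",
            @hit[1, 2, 3, 5, 0];
    } else {
        printf "NO MATCH %.60s...\n", $line;
    }
}

# Line 1 is the entry quoted in the post; line 2 is a constructed
# non-login entry that must not match.
__DATA__
{"reqId":"jh3hXB9cFRzocSjYGbPL","level":2,"time":"2018-01-26T09:09:31+00:00","remoteAddr":"1.2.3.4","user":"--","app":"core","method":"HEAD","url":"\/remote.php\/webdav","message":"Login failed: 'hdhs' (Remote IP: '1.2.3.4')","userAgent":"Mozilla\/5.0 (iOS) Nextcloud-iOS\/2.19.1","version":"12.0.4.3"}
{"reqId":"CONSTRUCTED000000001","level":1,"time":"2018-01-26T09:10:02+00:00","remoteAddr":"192.0.2.10","user":"alice","app":"core","method":"GET","url":"\/index.php","message":"constructed non-login entry","userAgent":"Mozilla\/5.0","version":"12.0.4.3"}
```

If the first line reports a match here but lfd still blocks nothing, the rule itself is fine and the thing to check is the path configured for CUSTOM1_LOG.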