ConfigServer Community Forum

Peer support forums for ConfigServer Scripts
https://mail.forum.configserver.com/

Trying to find out why y regex is not working

https://mail.forum.configserver.com/viewtopic.php?t=11771

Page 1 of 1

Trying to find out why y regex is not working

Posted: 08 May 2020, 14:48
by Progressed
Hi all,

those regex's huh ;)

according to several regextesters this should work:

Code: Select all

SSHD_LOG = /var/log/auth.log
The regex:

Code: Select all

   if (($globlogs{SSHD_LOG}{$lgfile}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ wordpress(\(.*)\).* Authentication failure for (.*) from (.*)/)) {
     $ip = $3; $website = $1; $user = $2;
     return ("Failed WordPress login from",$ip,"WP-BRUTEFORCE","5","80,443","86400");
   }
The logline that should trigger.

Code: Select all

May  8 11:00:49 web01 wordpress(DOMAIN.COM)[19462]: Authentication failure for USER from IPADDRESS
Somehow its not triggering. Am i that blind?
Reason for above regex is that i want $website to be added in the return like "Failed WordPress login at $website from" ....

Ok this is not working... so i took it down a notch. simple...

Code: Select all

if (($globlogs{SSHD_LOG}{$lgfile}) and ($line =~ /.*Authentication failure for .* from (.*)\n/)) {
  return ("Wordpress admin user from",$1,"WP-BRUTEFORCE","5","80,443","86400");
}
Also... noting... can someone shed his/her light on this?

Re: Trying to find out why y regex is not working

Posted: 08 May 2020, 15:10
by Progressed
ffs... my mistake.

I took a line Authentication failure out of the log. Only thing is that i should have use Authentication attempt.

Isnt an attempt always a failure? Im goingn to check with the plugin maker.
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited