LF_APACHE_404 Trigger not working
Posted: 09 Feb 2021, 12:30
In my testing I wasn't able to get the LF_APACHE_404 login failure trigger to work. I'm not sure if this is just a Plesk server issue or if this bug applies to Cpanel servers too.
From the stackoverflow post below it looks like in Apache 2.4.1 the 404 error code was demoted from the core:error to core:info log level as 404 errors are not logged to the error_log by default unless you set LogLevel core:info in the apache config (I'm using a Plesk server to test).
https://stackoverflow.com/questions/365 ... -error-log
After setting LogLevel core:info in the apache config 404 errors are logged to the error log but the CSF regex doesn't match because the regex only matches core:error messages:
Old regex used by CSF
Fixed regex which will match both info and error
Regex101 Test
https://regex101.com/r/Ic3NCp/1
From the stackoverflow post below it looks like in Apache 2.4.1 the 404 error code was demoted from the core:error to core:info log level as 404 errors are not logged to the error_log by default unless you set LogLevel core:info in the apache config (I'm using a Plesk server to test).
https://stackoverflow.com/questions/365 ... -error-log
After setting LogLevel core:info in the apache config 404 errors are logged to the error log but the CSF regex doesn't match because the regex only matches core:error messages:
Old regex used by CSF
Code: Select all
^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[(\S*:)?error\] (\[pid \d+(:tid \d+)?\] )?\[client (\S+)\] (\w+: )?File does not exist\:/
Code: Select all
^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[(\S*:)?(?:error|info)\] (\[pid \d+(:tid \d+)?\] )?\[client (\S+)\] (\w+: )?File does not exist\:
https://regex101.com/r/Ic3NCp/1