
Regex not working in custom log

Posted: 16 Sep 2023, 21:24
by abletec
So I'm an idiot. What can I say?

I've set my customlog1 as follows:
CUSTOM1_LOG = "/var/log/nginx/access_log"
Yes, that is the correct path.

The format looks like:
118.126.124.10 - - [16/Sep/2023:15:31:48 -0400] "HEAD /manager/html HTTP/1.1" 404 0 "-" "Python/3.6 aiohttp/3.8.3"

I'm looking for five 404s from the same IP in the specified time period in order to give them the boot. Truthfully, if they're appearing in that log, they're not doing anything useful on the server, i.e., they're not accessing any domains, so five is being extraordinarily generous.

My regex, which I tested on regex101.com, looks as follows:
\"\s404\s
does not appear to trigger LFD, but regex101 matches on 404.

My entry in regex.custom.pm is:
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /\"\s404\s/))
{
    return ("NotFound from",$1,"NotFound","5","80,443","1","0");
}

What am I missing? I'm sure I'm being stupid. I'm not all that great w/regex. Still, regex101 indicated my regex was correct, so I'm confused.

Thanks so much for any assistance. I appreciate your time.

Re: Regex not working in custom log

Posted: 17 Sep 2023, 00:17
by abletec
I did some more studying & made some changes. I guess I'll see if what I did worked. My entry in regex.pm now looks as follows:
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^(\S+)\s+\S+\s\S+\s\S+\s\S+\s"([^"]*)"\s404\s/))
{
    return ("NotFound from",$1,"NotFound","5","80,443","1","0");
}

I also made absolutely sure that /var/log/nginx/access_log was indeed being watched by CSF.

Re: Regex not working in custom log

Posted: 17 Sep 2023, 02:54
by abletec
Well, I made some additional changes, enclosing (400) and (404) in parentheses. regex101 divides the matches by IP, the irrelevant middle, and the return code correctly, but LFD doesn't seem to trigger. Unless I can come up w/something different, I guess I'll have to wait for Sergio :(. I tried. I'm officially sick of regex. I'll get over it.

Re: Regex not working in custom log

Posted: 25 Sep 2023, 20:01
by Sergio
Write a full log line of what you want to block and I will help you to do the regex.

Sergio

Re: Regex not working in custom log

Posted: 25 Sep 2023, 20:41
by abletec
Sergio, here is a line. Please note, though, that the length of the strings differs widely, as in this one is really long. I'm wanting to act on the return code.

As indicated, it seems from my testing that my regexp should have worked, so I'm eager for an explanation as to why it didn't. Thank you for your work w/the CSF community.

205.210.31.66 - - [25/Sep/2023:15:08:00 -0400] "\x16\x03\x01\x00\xCA\x01\x00\x00\xC6\x03\x03\xC9\xACCp\x94Qc\x14\xAD\xDB\xA8\x14\xAD\xFE,\xE9.\x81)\x85\xC4\xFA/0Ui\xCA\xBB\xEF\xA8lq\x00\x00h\xCC\x14\xCC\x13\xC0/\xC0+\xC00\xC0,\xC0\x11\xC0\x07\xC0'\xC0#\xC0\x13\xC0\x09\xC0(\xC0$\xC0\x14\xC0" 400 150 "-" "-"

Re: Regex not working in custom log

Posted: 25 Sep 2023, 21:07
by Sergio
OK,
on that log line, what are you looking for to be triggered?
Also, on that log line, what do you want to receive?

Re: Regex not working in custom log

Posted: 25 Sep 2023, 22:47
by abletec
I want to block the ip after 5 400 return codes. Is that what you're asking?

Re: Regex not working in custom log

Posted: 25 Sep 2023, 23:25
by Sergio
Yes, I wanted to know exactly what you want to do.

Here is the regex that will help you:


/(\S+)\s\-\s\-\s\[\d+\/\S+\d+\s\-\d+\]\s\"\S+\"\s400\s\d+\s\"\-\"/i
Sergio
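As an added example (not code from the thread, from CSF's regex.custom.pm, or from Sergio), the script below runs the three patterns posted in this thread over constructed nginx "combined" log lines and reports what Perl's $1 would hold after each match, since these patterns are plain enough that Python's re and Perl agree on them. The first post's pattern `\"\s404\s` matches the 404 line but has no capture group, so the IP field in the returned list would be empty; the second post's pattern captures the IP; the pattern in the final reply captures the IP for the raw-TLS 400 line but not for a 400 whose request line contains spaces, because `\"\S+\"` cannot cross a space. It then does what the poster asked for generically: parse each field, and trip on the fifth 400 or 404 from one address inside a time window, the role LF_INTERVAL plays in csf.conf. All log lines, addresses and timestamps are constructed, the `lfd_rule`/`offenders`/`captured_ip` names are this example's own, and the 3600-second window default is an assumption rather than CSF's value.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in nginx's default "combined" format, modelled on the
# two lines quoted in the thread. Addresses and timestamps are made up.
SAMPLE_LOG = r'''
203.0.113.10 - - [16/Sep/2023:15:31:48 -0400] "HEAD /manager/html HTTP/1.1" 404 0 "-" "Python/3.6 aiohttp/3.8.3"
203.0.113.10 - - [16/Sep/2023:15:31:49 -0400] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "Python/3.6 aiohttp/3.8.3"
203.0.113.10 - - [16/Sep/2023:15:31:50 -0400] "GET /.env HTTP/1.1" 404 153 "-" "Python/3.6 aiohttp/3.8.3"
203.0.113.10 - - [16/Sep/2023:15:31:51 -0400] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Python/3.6 aiohttp/3.8.3"
203.0.113.10 - - [16/Sep/2023:15:31:52 -0400] "GET /admin/ HTTP/1.1" 404 153 "-" "Python/3.6 aiohttp/3.8.3"
192.0.2.5 - - [16/Sep/2023:15:40:00 -0400] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
192.0.2.5 - - [16/Sep/2023:15:40:01 -0400] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2023:15:08:00 -0400] "\x16\x03\x01\x00\xCA\x01\x00" 400 150 "-" "-"
198.51.100.7 - - [25/Sep/2023:15:08:01 -0400] "GET /%zz HTTP/1.1" 400 157 "-" "curl/8.1"
'''.strip().splitlines()

# The three patterns exactly as posted in the thread.
PAGE_REGEX_1 = re.compile(r'\"\s404\s')                                        # first post: no group
PAGE_REGEX_2 = re.compile(r'^(\S+)\s+\S+\s\S+\s\S+\s\S+\s"([^"]*)"\s404\s')     # second post
SERGIO_REGEX = re.compile(
    r'(\S+)\s\-\s\-\s\[\d+\/\S+\d+\s\-\d+\]\s\"\S+\"\s400\s\d+\s\"\-\"', re.I)   # final reply

# Field-by-field parser for the combined format. nginx escapes '"' and '\' inside
# quoted fields as \x22 / \x5C, so a quoted field never contains a raw '"' and
# [^"]* is enough even for the binary junk in the thread's 400 line.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def captured_ip(pattern, line):
    """What $1 holds after a Perl match with `pattern`: the first group, or ""
    when the pattern has no group at all or does not match the line."""
    m = pattern.search(line)
    if m is None or pattern.groups == 0:
        return ""
    return m.group(1)


def parse_line(line):
    """Split one combined-format line into named fields, or None if it is not one."""
    m = COMBINED.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def lfd_rule(line, status, name):
    """Python shape of the regex.custom.pm rule the poster wanted: returns the
    7-element list LFD expects (message, IP, rule name, trigger count, ports, ...)
    or None. Only the first three fields are derived here; the rest are passed
    through exactly as in the poster's return statement."""
    rec = parse_line(line)
    if rec is None or rec["status"] != status:
        return None
    return (f"{name} from", rec["ip"], name, "5", "80,443", "1", "0")


def offenders(lines, status, threshold=5, interval=timedelta(seconds=3600)):
    """IPs that produced `threshold` responses with `status` inside any window of
    length `interval` (the LF_INTERVAL idea; the 3600 s default is an assumption).
    Returns {ip: timestamp of the hit that tripped the rule}."""
    recent = defaultdict(deque)
    tripped = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != status:
            continue
        t = datetime.strptime(rec["time"], TIME_FMT)
        q = recent[rec["ip"]]
        q.append(t)
        while q and t - q[0] > interval:      # drop hits that fell out of the window
            q.popleft()
        if len(q) >= threshold and rec["ip"] not in tripped:
            tripped[rec["ip"]] = rec["time"]
    return tripped


if __name__ == "__main__":
    for label, pat in (("post 1", PAGE_REGEX_1), ("post 2", PAGE_REGEX_2)):
        print(label, "-> $1 =", repr(captured_ip(pat, SAMPLE_LOG[0])))
    for line in SAMPLE_LOG[7:]:
        print("final reply -> $1 =", repr(captured_ip(SERGIO_REGEX, line)))
    print("404 offenders:", offenders(SAMPLE_LOG, 404))
    print("400 offenders:", offenders(SAMPLE_LOG, 400))
```

Testing a pattern on regex101 only shows that it matches somewhere in the line; what LFD needs is a capture group that lands on the address, and a hit count reached within the configured interval, which is what `captured_ip` and `offenders` check separately.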