Regex problem using one of the pre-defined lsws ones
Posted: 09 Sep 2024, 18:01
I'm using this rule I pulled from the forum:
# BLOCKING LiteSpeed attacks by Sergio
if (($lgfile eq $config{CUSTOM4_LOG}) and ($line =~ /^\S+\s+\S+\s\[NOTICE\].*Failed Login Attempt \- username: (\S+) ip: (\S+)/i)) {
    return ("$1",$2,"SECMAS_LiteSpeed","1","1");
}
on my cPanel/Linux box. In CSF.conf, I have
CUSTOM4_LOG = "/usr/local/lsws/admin/logs/error.log"
and a sample log line is
2024-09-09 11:44:59.892860 [NOTICE] [27145] [T0] [12.34.56.78:51468-1#_AdminVHost] [STDERR] [WebAdmin Console] Failed Login Attempt - username: someaddress@gmail.com ip: 12.34.56.78 url: https://ftp.myclientdomain.com:7080/login.php\n
If I put the sample log line in a regex tester, the pattern matches just fine. But it's not blocking. I've restarted both CSF and LFD. Any idea what could be going on? This endpoint is getting hit hundreds of times every 15 minutes, with the IP changing slightly every couple of hours.
Any thoughts as to what might be going on?
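An offline check of the rule quoted in the post, added here as an example; it is not part of the original post and is not CSF/lfd code. It evaluates the rule's two conditions (the log-file comparison and the regex) separately, so each can be seen to pass or fail on its own. The `check_rule` helper, the `%config` stand-in and the `$lgfile` test values are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: stand-alone harness for the custom rule from the post.
# This is NOT lfd. %config and the $lgfile values are stand-ins (assumptions).
use strict;
use warnings;

# CUSTOM4_LOG value as given in the post.
my %config = (CUSTOM4_LOG => "/usr/local/lsws/admin/logs/error.log");

# Same pattern as the rule in the post, compiled once.
my $re = qr/^\S+\s+\S+\s\[NOTICE\].*Failed Login Attempt \- username: (\S+) ip: (\S+)/i;

# Evaluate both conditions of the rule separately and report each one.
# check_rule is a hypothetical helper name, not a CSF function.
sub check_rule {
    my ($line, $lgfile) = @_;
    my %r = (
        file_ok  => ($lgfile eq $config{CUSTOM4_LOG}) ? 1 : 0,
        regex_ok => 0,
    );
    if ($line =~ $re) {
        @r{qw(regex_ok user ip)} = (1, $1, $2);
    }
    # The rule returns a hit only when both conditions are true.
    $r{fires} = ($r{file_ok} && $r{regex_ok}) ? 1 : 0;
    return \%r;
}

# Sample log line copied from the post (single quotes keep the trailing \n literal).
my $sample = '2024-09-09 11:44:59.892860 [NOTICE] [27145] [T0] [12.34.56.78:51468-1#_AdminVHost] [STDERR] [WebAdmin Console] Failed Login Attempt - username: someaddress@gmail.com ip: 12.34.56.78 url: https://ftp.myclientdomain.com:7080/login.php\n';

# Constructed $lgfile values: "eq" is an exact string comparison, so any
# difference from CUSTOM4_LOG makes the first condition false.
my @cases = (
    [ "exact path",     $config{CUSTOM4_LOG} ],
    [ "trailing space", $config{CUSTOM4_LOG} . " " ],
    [ "different log",  "/var/log/messages" ],
);

for my $c (@cases) {
    my $r = check_rule($sample, $c->[1]);
    printf "%-15s file_ok=%d regex_ok=%d fires=%d user=%s ip=%s\n",
        $c->[0], $r->{file_ok}, $r->{regex_ok}, $r->{fires},
        $r->{user} // '-', $r->{ip} // '-';
}
```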