Can't get to work REGEX.CUSTOM.PM
Posted: 21 Mar 2013, 10:26
by Ilia
How to make CSF react to additional lines in my secure log, such as:
Code:
Mar 19 13:28:49 host webmin[11403]: Invalid login as user1 from 1.1.1.100
Mar 19 13:34:12 host webmin[11799]: Non-existent login as test from 1.1.1.100
How could I block those who failed logging in to Webmin more than 3 times?
Code:
Mar 19 13:35:11 host webmin[11870]: Successful login as root from 1.1.1.100
How to send an alert email for successful Login to Webmin based on log entries?
Where should I tweak those settings?
Re: Make CSF to read log entries for Webmin
Posted: 01 Apr 2013, 22:48
by Ilia
I have finally come up with the correct regex, as I believe, but I still can't make lfd block the IP.
I added these lines to /etc/csf/regex.custom.pm and then restarted CSF:
Code:
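# Match failed Webmin logins for root in the log file set as CUSTOM1_LOG.
# The (\S+) group captures the source IP that the return list passes as $1.
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ webmin\[\d+\]: Invalid login as root from (\S+)/)) {
    return ("Failed Webmin login from",$1,"webmin","2","80,443","1");
}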
CUSTOM1_LOG is pointing to /var/log/secure
I checked and tried to enter wrong passwords 5-10 times. The line that appears in CUSTOM1_LOG is there and it is:
Code:
Apr 2 00:04:21 host webmin[95720]: Invalid login as root from 13.21.66.24
Still nothing is happening, what else am I missing?
Please help!?
P.S. Example of working regex in Perl can be found here: www.codepad.org/Ug3xJbap
Re: Can't get to work REGEX.CUSTOM.PM
Posted: 04 Apr 2013, 09:49
by Ilia
I have finally solved it!
It was my bad as I didn't pay close attention to what was written in the manual of regex.custom.pm as follows:
only used if LF_SELECT enabled
only used if LF_TRIGGER is disabled
If you leave LF_TRIGGER greater than 0 then the custom log feature is not working!
Best wishes,
Ilia
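An added example, not part of any post in this thread and not CSF's own code: an offline Perl harness that runs log lines through a rule shaped like the one posted above, so the regex and the captured IP can be checked before lfd is involved. The `custom_line` wrapper, the stand-in `%config` hash and the per-IP counter are assumptions made for the test; the sample lines are constructed from the ones quoted in the thread, and the pattern is widened to cover both failure messages from the first post.

```perl
#!/usr/bin/perl
# Offline harness (added example): checks a regex.custom.pm style rule
# against constructed log lines without involving lfd.
use strict;
use warnings;

# Assumption: stand-in for lfd's %config; only the key the rule reads is set.
my %config = (CUSTOM1_LOG => '/var/log/secure');

# Hypothetical wrapper taking the two inputs the rule uses: the log line and
# the file it was read from. Returns the 6-element list on a match, else ().
sub custom_line {
    my ($line, $lgfile) = @_;
    if (($lgfile eq $config{CUSTOM1_LOG}) and
        ($line =~ /^\S+\s+\d+\s+\S+ \S+ webmin\[\d+\]: (?:Invalid|Non-existent) login as \S+ from (\S+)/)) {
        # text, IP, rule id, trigger level, ports (LF_SELECT), block type
        return ("Failed Webmin login from", $1, "webmin", "2", "80,443", "1");
    }
    return ();
}

# Constructed sample input, modelled on the log lines quoted in the thread.
my @samples = (
    'Mar 19 13:28:49 host webmin[11403]: Invalid login as user1 from 1.1.1.100',
    'Mar 19 13:34:12 host webmin[11799]: Non-existent login as test from 1.1.1.100',
    'Mar 19 13:35:11 host webmin[11870]: Successful login as root from 1.1.1.100',
    'Apr  2 00:04:21 host webmin[95720]: Invalid login as root from 13.21.66.24',
    'Apr  2 00:04:21 host sshd[95720]: Invalid login as root from 13.21.66.24',
);

# Simple per-IP count for illustration only; it is not lfd's own tracking.
my %hits;
for my $line (@samples) {
    my @r = custom_line($line, $config{CUSTOM1_LOG});
    if (@r) {
        my ($text, $ip, $id, $trigger) = @r;
        $hits{$ip}++;
        my $state = $hits{$ip} >= $trigger ? "trigger reached" : "below trigger";
        printf "MATCH    %-15s %d/%d %s\n", $ip, $hits{$ip}, $trigger, $state;
    } else {
        print "no match $line\n";
    }
}

# The same line read from a different log file must not match.
my @other = custom_line($samples[0], '/var/log/messages');
print "other log file: ", (@other ? "MATCH" : "no match"), "\n";
```

The successful login and the sshd line should print "no match"; a MATCH with an empty IP column would mean the pattern has no capture group feeding `$1`.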
Re: Can't get to work REGEX.CUSTOM.PM
Posted: 04 Apr 2013, 18:14
by tecknaltd
well done