LF_APACHE_403 - how does it work

geniosity
Junior Member
Posts: 2
Joined: 30 Dec 2013, 18:12

Post by geniosity »

Hi

I've set the following parameters:

LF_APACHE_403 = "60"
LF_APACHE_403_PERM = "3600"
LF_INTERVAL = "300"

The reason I needed to turn that on is because I'm being bombarded by attempts to access a blocked resource. The file "/etc/httpd/logs/error_log" is generating about 10 lines per second (about 1 or 2 from the same IP each second) with the following (truncated):

[Mon Dec 30 20:15:43.434794 2013] [access_compat:error] [pid 32199] [client 80.82.65.123:46440] AH01797: client denied by server configuration: ..............

But, the IPs are not being blocked. What param could I be missing?

thanks
James

Re: LF_APACHE_403 - how does it work

Post by geniosity »

Ok, I figured it out, different log file and different regex required. Nothing like people spamming your server to get you learning a new skill (PERL/regex) at 4am:

In csf.conf:

CUSTOM1_LOG = "/etc/httpd/logs/error_log"

In regex.custom.pm:

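# Match "client denied by server configuration" lines; $2 is the "ip:port" from [client ...]
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[\S+:error\] (\[pid \d+\] )?\[client (\S+)\] \S+\: client denied by server configuration\:/)) {
        # Strip the port from the captured client field
        $ip = $2; $ip =~ s/:\w+//;
        # Description, IP, rule id, trigger count, ports to block, block time ("1" = permanent)
        return ("Failed access of forbidden resource",$ip,"forbiddenmatch","5","80","1");
}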
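A way to check a rule like the one above against log lines before putting it into regex.custom.pm. This is an added example, not code from the post or from csf: it ports the post's regex to Python, tallies matches per client against the post's trigger of 5, and goes one step beyond the post with `WIDER_RULE`, an assumed variant for servers whose lines carry `[pid N:tid M]`. The function names and all sample lines are constructed for illustration.

```python
import re
from collections import Counter

TRIGGER = 5  # the "5" in the post's return(...) list


def build_rule(pid_field):
    # The post's regex ported from Perl; only the [pid ...] sub-pattern varies.
    return re.compile(
        r"^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[\S+:error\] (" + pid_field + r" )?"
        r"\[client (\S+)\] \S+: client denied by server configuration:"
    )


POST_RULE = build_rule(r"\[pid \d+\]")                # as posted
WIDER_RULE = build_rule(r"\[pid \d+(?::tid \d+)?\]")  # assumption: also accept "pid N:tid M"


def client_ip(line, rule=POST_RULE):
    m = rule.match(line)
    if not m:
        return None
    # Drop only a trailing ":port". Same result as the post's s/:\w+// for IPv4,
    # but an IPv6 address keeps all of its groups.
    return re.sub(r":\d+$", "", m.group(2))


def offenders(lines, rule=POST_RULE, trigger=TRIGGER):
    hits = Counter(ip for ip in (client_ip(l, rule) for l in lines) if ip)
    return sorted(ip for ip, n in hits.items() if n >= trigger)


def mk(pid_field, client):
    # Constructed log line in the shape of the one quoted in the first post.
    return (f"[Mon Dec 30 20:15:43.434794 2013] [access_compat:error] {pid_field} "
            f"[client {client}] AH01797: client denied by server configuration: /constructed/path")


SAMPLE = (
    [mk("[pid 32199]", "192.0.2.10:46440")] * 5              # reaches the trigger
    + [mk("[pid 32199]", "198.51.100.7:50210")] * 2          # stays below it
    + [mk("[pid 32199:tid 140]", "203.0.113.5:40000")] * 5   # pid field with a tid part
    + [mk("[pid 32199]", "2001:db8::1:51000")] * 5           # IPv6 client with port
)

if __name__ == "__main__":
    print("post rule :", offenders(SAMPLE))
    print("wider rule:", offenders(SAMPLE, WIDER_RULE))
```

With the rule as posted, the lines carrying a `tid` part never match, so that client is not counted at all; the wider rule picks it up.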