
LF_SELECT and regex.custom

Posted: 11 Feb 2014, 10:11
by Ilia
I have been testing it for hours and can now say for sure that it's not working the expected way.

I have the following in regex.custom

Code:

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[error\] \[client (\S+)\] user (\S*) not found:/)) {
    return ("Failed domain.org directory authentication from",$1,"DomainOrgUserNotFound","3","80,443","604800");
}
Despite the port-number settings in regex.custom, I always have the following line in csf.tempban:

Code:

1392112469|1.2.3.4|*|in|604800|lfd - (DomainOrgUserNotFound) Failed domain.org directory authentication from 1.2.3.4 
This later results in an iptables error, for example when removing the temporary entry with the -tr flag:

Code:

iptables v1.4.7: invalid port/service `alerts' specified
Try `iptables -h' or 'iptables --help' for more information.
EDIT 1:

If you disable LF_SELECT, then it works properly, getting || for the ports.

Please be kind enough to look at this thoroughly and fix it as soon as possible!

Re: LF_SELECT and regex.custom

Posted: 11 Feb 2014, 11:16
by Ilia
If I edit /usr/sbin/lfd and change:

From:

Code:

unless ($config{LF_TRIGGER}) {$apps = $app}
To:

Code:

unless (!$config{LF_TRIGGER}) {$apps = $app}
Then the problem seems to be solved and custom port blocking starts working! Is that it? Or is it going to break something else? It shouldn't, right?

EDIT 1:

But the comma-separated list doesn't seem to work? It looks like it gets the ports not from regex.custom but blocks the referred port. (Kind of right, but not the way it was planned.)

EDIT 2:

No, the above solution works incorrectly.

Re: LF_SELECT and regex.custom

Posted: 11 Feb 2014, 21:46
by ForumAdmin
I was unable to recreate a problem with this. Using a custom regex in /etc/csf/regex.custom.pm of:

Code:

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /bob (.*)/)) {
    return ("Failed bobmatch login from",$1,"bobmatch","3","5,6,7,8","3600");
}
Logging the lines 3 times:

Code:

bob 2.3.4.5
Produced the following in /var/lib/csf/csf.tempban:

Code:

root@homer [~]# cat /var/lib/csf/csf.tempban
1392155079|2.3.4.5|5,6,7,8|in|3600|lfd - (bobmatch) Failed bobmatch login from 2.3.4.5 (FR/France/Rhone-Alpes/Oyonnax/ALyon-651-1-21-5.w2-3.abo.wanadoo.fr): 3 in the last 3600 secs
Together with a log line in lfd.log of:

Code:

Feb 11 21:44:39 homer lfd[17681]: (bobmatch) Failed bobmatch login from 2.3.4.5 (FR/France/Rhone-Alpes/Oyonnax/ALyon-651-1-21-5.w2-3.abo.wanadoo.fr): 3 in the last 3600 secs - *Blocked in csf* for 3600 secs [LF_CUSTOMTRIGGER]
Do ensure that you have LF_SELECT set to 1 and LF_TRIGGER set to 0. Otherwise, I do not know why it is not working for you.

Re: LF_SELECT and regex.custom

Posted: 12 Feb 2014, 07:09
by Ilia
Hmm. Not sure at all now! I tried that so many times, and LF_SELECT was definitely set to 1 and LF_TRIGGER set to 0.

The only remaining possibility is that the regex I used is wrong?

Have you tried my example with httpd? It was originally taken from the csf distribution's regex file.

Is there some csf/lfd cache that could be cleared?

Re: LF_SELECT and regex.custom

Posted: 12 Feb 2014, 09:32
by ForumAdmin
I would need an example log line that is meant to trigger your custom rule to investigate any further. Also, do check your /etc/csf/regex.custom.pm and ensure that you don't have multiple checks in there, just in case it is trapping an older one.

Re: LF_SELECT and regex.custom

Posted: 12 Feb 2014, 09:40
by Ilia
Probably I had duplicates? Please take a look:

Log trigger is:

Code:

[Tue Feb 11 15:06:54 2014] [error] [client 1.2.3.4] user Test not found: /

Content of regex.custom.pm:

Code:

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[error\] \[client (\S+)\] user (\S*) not found:/)) {
    return ("Failed domain.org directory authentication from",$1,"DomainOrgUserNotFound","3","80,443","604800");
}

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[error\] \[client (\S+)\] user (\S*): authentication failure for/)) {
    return ("Failed domain.org directory authentication from",$1,"DomainOrgAuthenticationFailure","3","80,443","604800");
}

Re: LF_SELECT and regex.custom

Posted: 13 Feb 2014, 15:38
by ForumAdmin
I am still unable to recreate the problem you are seeing.

I added the following to /etc/csf/regex.custom.pm:

Code:

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[error\] \[client (\S+)\] user (\S*) not found:/)) {
    return ("Failed domain.org directory authentication from",$1,"DomainOrgUserNotFound","3","80,443","604800");
}
Then set LF_SELECT to 1 and LF_TRIGGER to 0 and restarted lfd. Adding the following log line 3 times:

Code:

[Tue Feb 11 15:06:54 2014] [error] [client 11.2.3.4] user Test not found: /
Resulted in a block in /var/lib/csf/csf.tempban of:

Code:

1392305696|11.2.3.4|80,443|in|604800|lfd - (DomainOrgUserNotFound) Failed domain.org directory authentication from 11.2.3.4 (US/United States/Ohio/Columbus/-): 3 in the last 3600 secs
and a log line in /var/log/lfd.log of:

Code:

Feb 13 15:34:56 homer lfd[249074]: (DomainOrgUserNotFound) Failed domain.org directory authentication from 11.2.3.4 (US/United States/Ohio/Columbus/-): 3 in the last 3600 secs - *Blocked in csf* for 604800 secs [LF_CUSTOMTRIGGER]
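A way to check a regex.custom.pm rule against a log line offline, before restarting lfd and waiting for a block, as an added example that is not part of this thread or of csf's own code: a small Python simulation that runs the two regexes posted above over constructed log lines, counts hits per client IP per rule, and formats the csf.tempban record with the rule's port list when LF_SELECT is on and "*" when it is off. The sample lines are constructed, the fixed timestamp is reused from the tempban line above, and the counting is a simplification (no time window, no LF_TRIGGER path); only the regexes and the returned fields are taken from the thread.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not copied from any real server); the first
# three repeat the shape of the Apache error_log line posted in the thread.
SAMPLE_LOG = [
    "[Tue Feb 11 15:06:54 2014] [error] [client 11.2.3.4] user Test not found: /",
    "[Tue Feb 11 15:06:55 2014] [error] [client 11.2.3.4] user Test not found: /",
    "[Tue Feb 11 15:06:56 2014] [error] [client 11.2.3.4] user Test not found: /",
    "[Tue Feb 11 15:07:00 2014] [error] [client 198.51.100.7] user admin: "
    "authentication failure for \"/secret\": Password Mismatch",
    "[Tue Feb 11 15:07:01 2014] [notice] caught SIGTERM, shutting down",
]

# The two patterns from the thread's regex.custom.pm, unchanged apart from
# Python raw-string quoting.
USER_NOT_FOUND = re.compile(
    r"^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[error\] \[client (\S+)\] user (\S*) not found:")
AUTH_FAILURE = re.compile(
    r"^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[error\] \[client (\S+)\] user (\S*): authentication failure for")

# (regex, (text, name, trigger, ports, ttl)): the same fields the Perl block
# returns, with $1 (the client IP) filled in at match time.
RULES = [
    (USER_NOT_FOUND, ("Failed domain.org directory authentication from",
                      "DomainOrgUserNotFound", 3, "80,443", 604800)),
    (AUTH_FAILURE, ("Failed domain.org directory authentication from",
                    "DomainOrgAuthenticationFailure", 3, "80,443", 604800)),
]


def match_line(line):
    """Return (text, ip, name, trigger, ports, ttl) for the first matching rule, else None."""
    for rx, (text, name, trigger, ports, ttl) in RULES:
        m = rx.match(line)
        if m:
            return (text, m.group(1), name, trigger, ports, ttl)
    return None


def tempban_line(now, ip, ports, ttl, name, text, lf_select):
    """Format a csf.tempban record: the rule's ports when LF_SELECT is on, '*' otherwise."""
    ports_field = ports if lf_select else "*"
    return f"{now}|{ip}|{ports_field}|in|{ttl}|lfd - ({name}) {text} {ip}"


def process(lines, lf_select=True, now=1392305696):
    """Simplified trigger logic (assumption: no time window): one ban per
    (ip, rule) at the moment the hit count reaches the rule's trigger value.
    The default timestamp is the one from the thread's tempban line."""
    counts = defaultdict(int)
    bans = []
    for line in lines:
        hit = match_line(line)
        if hit is None:
            continue
        text, ip, name, trigger, ports, ttl = hit
        counts[(ip, name)] += 1
        if counts[(ip, name)] == trigger:
            bans.append(tempban_line(now, ip, ports, ttl, name, text, lf_select))
    return bans


if __name__ == "__main__":
    for flag in (True, False):
        print(f"LF_SELECT = {int(flag)}")
        for ban in process(SAMPLE_LOG, lf_select=flag):
            print("  " + ban)
```

Paste your own log line into SAMPLE_LOG first: if match_line returns None for it, the rule will never fire regardless of LF_SELECT, which separates a regex problem from a port-handling problem. The 198.51.100.7 line matches the second rule but only once, so it shows up in the counts and not in the bans.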

Re: LF_SELECT and regex.custom

Posted: 14 Feb 2014, 08:54
by Ilia
Maybe then it's because I had two entries for CUSTOM1_LOG?

What happens if you do:

Code:

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[error\] \[client (\S+)\] user (\S*) not found:/)) {
    return ("Failed domain.org directory authentication from",$1,"DomainOrgUserNotFound","3","80,443","604800");
}

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[error\] \[client (\S+)\] user (\S*): authentication failure for/)) {
    return ("Failed domain.org directory authentication from",$1,"DomainOrgAuthenticationFailure","3","80,443","604800");
}