
Custom regex to block failed cpanel logins

Posted: 17 Nov 2015, 08:55
by keat63
Guys.

Could someone help me with a custom regex to block failed cpanel logins?

I see quite a number of these daily.
Dropping connection from xx.xxx.xx.xx because of tcp_wrappers at cpsrvd.pl line 4191

If there are only one or two entries, then I don't worry too much, but occasionally I'll get some hacker/robot etc. that will have 30 or more attempts, quite often coming back for another go later in the day.
These I'm blocking manually.

Re: Custom regex to block failed cpanel logins

Posted: 19 Nov 2015, 08:28
by keat63
Looking at other custom regex rules, it's difficult to figure out exactly how they work.

So I copied someone else's and modified it slightly.
Would something like this do it?

if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^\S+\s+\S+\s+Dropping connection from \[(\S+)\]/)) {
    return ("cpanel_login attack",$1,"SecmasCPANEL","1","1");
}
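
Added example, not part of the original posts and not ConfigServer's code: a stand-alone Perl harness for checking a candidate rule pattern against log lines before it goes into a custom rule. The sample lines are constructed in the shape quoted in the first post, and the `unanchored` variant, the `$TRIGGER` value and the helper names are assumptions for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use List::Util qw(sum);

# Constructed sample lines (documentation addresses). The real log may carry
# a timestamp prefix that the quoted line in the post does not show.
my @sample = (
    'Dropping connection from 192.0.2.10 because of tcp_wrappers at cpsrvd.pl line 4191',
    'Dropping connection from 192.0.2.10 because of tcp_wrappers at cpsrvd.pl line 4191',
    'Dropping connection from 198.51.100.7 because of tcp_wrappers at cpsrvd.pl line 4191',
    'Dropping connection from [192.0.2.10] because of tcp_wrappers at cpsrvd.pl line 4191',
    'Accepted connection from 192.0.2.10',    # unrelated line, must never match
);

my %candidates = (
    # Pattern as posted: two leading fields, then a bracketed address.
    posted     => qr/^\S+\s+\S+\s+Dropping connection from \[(\S+)\]/,
    # Assumed variant: no fixed prefix, bare dotted quad, rest of message pinned.
    unanchored => qr/Dropping connection from (\d{1,3}(?:\.\d{1,3}){3}) because of tcp_wrappers/,
);

my $TRIGGER = 2;    # assumed threshold for this small sample

# Return a hash ref { ip => number of matching lines } for one pattern.
sub count_hits {
    my ($re, @lines) = @_;
    my %hits;
    for my $line (@lines) {
        $hits{$1}++ if $line =~ $re;
    }
    return \%hits;
}

# Return the sorted list of IPs whose hit count reaches the trigger.
sub over_trigger {
    my ($hits, $trigger) = @_;
    return sort grep { $hits->{$_} >= $trigger } keys %$hits;
}

for my $name (sort keys %candidates) {
    my $hits = count_hits($candidates{$name}, @sample);
    printf "%-10s matched %d line(s)\n", $name, sum(0, values %$hits);
    printf "    %-15s %d\n", $_, $hits->{$_} for sort keys %$hits;
    printf "    would block: %s\n", join(', ', over_trigger($hits, $TRIGGER)) || 'none';
}
```

Replacing `@sample` with a few lines copied from the actual log shows whether the leading fields and the brackets in a pattern correspond to what cpsrvd really writes.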