Custom regex rules for CSF/LFD and NginX plus Wordpress fail2ban plugin
#!/usr/bin/perl | |
############################################################################### | |
# Copyright 2006-2015, Way to the Web Limited | |
# URL: http://www.configserver.com | |
# Email: [email protected] | |
############################################################################### | |
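sub custom_line {
    my $line = shift;
    my $lgfile = shift;
# Do not edit before this point
###############################################################################
#
# Custom regex matching can be added to this file without it being overwritten
# by csf upgrades. The format is slightly different to regex.pm to cater for
# additional parameters. You need to specify the log file that needs to be
# scanned for log line matches in csf.conf under CUSTOMx_LOG. You can scan up
# to 9 custom logs (CUSTOM1_LOG .. CUSTOM9_LOG)
#
# The regex matches in this file will supersede the matches in regex.pm
#
# Example:
# if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ pure-ftpd: \(\?\@(\d+\.\d+\.\d+\.\d+)\) \[WARNING\] Authentication failed for user/)) {
#     return ("Failed myftpmatch login from",$1,"myftpmatch","5","20,21","1");
# }
#
# The return values from this example are as follows:
#
# "Failed myftpmatch login from" = text for custom failure message
# $1 = the offending IP address
# "myftpmatch" = a unique identifier for this custom rule, must be alphanumeric and have no spaces
# "5" = the trigger level for blocking
# "20,21" = the ports to block the IP from in a comma separated list, only used if LF_SELECT enabled. To specify the protocol use 53;udp,53;tcp
# "1" = n/temporary (n = number of seconds to temporarily block) or 1/permanent IP block, only used if LF_TRIGGER is disabled
#
# custom_line($line, $lgfile): $line is one raw log line, $lgfile the path of
# the log it came from. Returns the six-element rule list above on a match,
# or 0 when no rule applies. Only the logs configured in csf.conf are
# inspected, so a line from any other file always yields 0.

    # Which configured log this line came from; both lookups may be false.
    my $is_nginx_log = $globlogs{CUSTOM1_LOG}{$lgfile};
    my $is_syslog    = $globlogs{SYSLOG_LOG}{$lgfile};

    if ($is_nginx_log) {
        # nginx error-log entries carry the peer as "client: 1.2.3.4, server: ...".
        # The capture stops at whitespace OR the comma so that the returned
        # address is clean -- "1.2.3.4," would not be a valid IP for lfd.

        # NginX security rules trigger (Default: 4 errors bans for 24 hours)
        # Catch ip that attempts to access a URL that is forbidden by NginX rules
        if ($line =~ /access forbidden by rule, client: ([^\s,]+)/) {
            return ("NGINX Security rule triggered from",$1,"nginx_security","4","80,443","86400");
        }

        # Trying to download htaccess or htpasswd (Default: 1 error bans for 24 hours)
        # Checked BEFORE the generic 404 rule: a missing .ht* file also produces a
        # "No such file or directory" entry, and whichever rule matches first wins,
        # so the stricter trigger level here must get the first look.
        if ($line =~ /\.(?:htpasswd|htaccess).*client: ([^\s,]+).*GET/) {
            return ("Trying to download .ht files",$1,"nginx_htfiles","1","80,443","86400");
        }

        # NginX 404 errors (Default: 4 errors bans for 24 hours)
        # Catch ip that accesses non-existent files and directories
        if ($line =~ /No such file or directory\), client: ([^\s,]+)/) {
            return ("NGINX Security rule triggered from",$1,"nginx_404s","4","80,443","86400");
        }
    }

    if ($is_syslog) {
        # The WordPress fail2ban plugin appends the remote address as the LAST
        # token of each message. The greedy ".*" before "from" deliberately
        # skips any attacker-chosen text (e.g. a username containing " from ")
        # so only the plugin-appended address is captured; "\s*$" accepts the
        # line with or without its trailing newline.

        # Wordpress fail2ban plugin (Default: 2 errors bans for 24 hours)
        if ($line =~ /Authentication attempt for unknown user .* from (\S+)\s*$/) {
            return ("Wordpress unknown user from",$1,"fail2ban_unknownuser","2","80,443","86400");
        }
        # Wordpress fail2ban plugin (Default: 2 errors bans for 24 hours)
        if ($line =~ /Blocked user enumeration attempt from (\S+)\s*$/) {
            return ("WordPress user enumeration attempt from",$1,"fail2ban_userenum","2","80,443","86400");
        }
        # Wordpress fail2ban plugin (Default: 2 errors bans for 24 hours)
        if ($line =~ /Pingback error .* generated from (\S+)\s*$/) {
            return ("WordPress pingback error",$1,"fail2ban_pingback","2","80,443","86400");
        }
        # Wordpress fail2ban plugin (Default: 2 errors bans for 24 hours)
        if ($line =~ /Spammed comment from (\S+)\s*$/) {
            return ("WordPress spam comments from",$1,"fail2ban_spam","2","80,443","86400");
        }
        # Wordpress fail2ban plugin (Default: 5 errors bans for 24 hours)
        if ($line =~ /XML-RPC multicall authentication failure (\S+)\s*$/) {
            return ("WordPress XML-RPC multicall fail from",$1,"fail2ban_xmlrpc","5","80,443","86400");
        }
    }

# If the matches in this file are not syntactically correct for perl then lfd
# will fail with an error. You are responsible for the security of any regex
# expressions you use. Remember that log file spoofing can exploit poorly
# constructed regex's
###############################################################################
# Do not edit beyond this point
    return 0;
}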
1; # a required module must end in a true value
Thank you for those rules! I will try it on my dev server probably next week!
Since I'm not a "regex master", I will probably not be able to help you or create new rules, but I will be happy to test those rules on my dev server and if everything works fine, I will use them in production...
http://saftysign.ir