#!/usr/bin/perl | |
###############################################################################
# Copyright 2006-2015, Way to the Web Limited
# URL: http://www.configserver.com
# Email: [email protected]
###############################################################################
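sub custom_line {
	my $line = shift;
	my $lgfile = shift;
	# Do not edit before this point
	###############################################################################
	# Fork of the stock regex.custom.pm: the WordPress rules are disabled and the
	# nginx rules are adjusted for nginx running as a reverse proxy.
	# Requires CUSTOM1_LOG in csf.conf to point at the nginx error log.
	# SOURCES (forked from)
	# https://kutt.it/fupogk
	# https://kutt.it/VnHyGp
	#
	# Custom regex matching can be added to this file without it being overwritten
	# by csf upgrades. The format is slightly different to regex.pm to cater for
	# additional parameters. You need to specify the log file that needs to be
	# scanned for log line matches in csf.conf under CUSTOMx_LOG. You can scan up
	# to 9 custom logs (CUSTOM1_LOG .. CUSTOM9_LOG)
	#
	# The regex matches in this file will supersede the matches in regex.pm
	#
	# Example:
	# if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ pure-ftpd: \(\?\@(\d+\.\d+\.\d+\.\d+)\) \[WARNING\] Authentication failed for user/)) {
	#     return ("Failed myftpmatch login from",$1,"myftpmatch","5","20,21","1");
	# }
	#
	# The return values from this example are as follows:
	#
	# "Failed myftpmatch login from" = text for custom failure message
	# "myftpmatch" = a unique identifier for this custom rule, must be alphanumeric and have no spaces
	# "5" = the trigger level for blocking
	# "20,21" = the ports to block the IP from in a comma separated list, only used if LF_SELECT enabled. To specify the protocol use 53;udp,53;tcp
	# "1" = n/temporary (n = number of seconds to temporarily block) or 1/permanent IP block, only used if LF_TRIGGER is disabled
	#
	# Rules are evaluated in order and the first match returns, so the most
	# specific rule has to come first.
	#
	# Parsing notes for the nginx error log. An entry looks like
	#   2021/03/01 10:00:00 [error] 1234#0: *5 <message>, client: <ip>, server: <name>, request: "<line>", host: "<host>"
	# Only the leading header and the "<message>, client: <ip>," part are written
	# by nginx itself; the file path inside the message, the request line, the
	# referrer and the host are client-supplied and nginx does not escape them in
	# the error log. The patterns below are therefore anchored on the header and
	# on the literal message text instead of a leading ".*", which would let a
	# crafted request or Referer header decide which "client: x," is captured
	# and so get an arbitrary address banned. Treat these bans as best-effort:
	# a decoded path inside the quoted message is still request-derived.
	my $nginx_hdr = qr{^\S+ \S+ \[\w+\] \d+#\d+: (?:\*\d+ )?};
	# IPv4 or IPv6 exactly as nginx prints it, followed by the field separator.
	# A bare \S+ also swallows the trailing comma, and lfd then refuses to block
	# because "1.2.3.4," is not a valid address.
	my $client_ip = qr{client: ([0-9a-fA-F.:]+),};

	# Probing for .htaccess / .htpasswd (1 hit bans for 24 hours).
	# Must come before the 404 rule: a missing .htaccess is logged as
	# "No such file or directory" too, and would otherwise only count as a 404.
	# The trigger is taken from the request line, i.e. what the client really
	# sent, so a spoofed request can only get its own sender banned.
	if ($globlogs{CUSTOM1_LOG}{$lgfile}
	    and $line =~ /$nginx_hdr(?:access forbidden by rule|.*? \(2: No such file or directory\)), $client_ip server: [^,]*, request: "GET [^"\s]*\.(?:htpasswd|htaccess)/) {
		return ("Trying to download .ht files",$1,"nginx_htfiles","1","80,443","86400");
	}

	# Request rejected by an nginx deny / location rule (4 hits ban for 24 hours).
	# The message is fixed text directly after the header, so the captured
	# address is the one nginx wrote.
	if ($globlogs{CUSTOM1_LOG}{$lgfile}
	    and $line =~ /${nginx_hdr}access forbidden by rule, $client_ip/) {
		return ("NGINX Security rule triggered from",$1,"nginx_security","4","80,443","86400");
	}

	# Requests for non-existent files and directories (8 hits ban for 24 hours).
	# Least specific, so it stays last. The original file carried a second,
	# identical 404 rule with a trigger of 50 that could never be reached
	# because this one matched first; it has been dropped.
	if ($globlogs{CUSTOM1_LOG}{$lgfile}
	    and $line =~ /$nginx_hdr.*? \(2: No such file or directory\), $client_ip/) {
		return ("NGINX Security rule triggered from",$1,"nginx_404s","8","80,443","86400");
	}

	##WORDPRESS DISABLED RULES (kept for reference; they read SYSLOG_LOG, not CUSTOM1_LOG)
	# # Wordpress fail2ban plugin (Default: 5 errors bans for 24 hours)
	# if (($globlogs{SYSLOG_LOG}{$lgfile}) and ($line =~ /.*Authentication attempt for unknown user .* from (.*)\n/)) {
	#     return ("Wordpress unknown user from",$1,"fail2ban_unknownuser","2","80,443","86400");
	# }
	# # Wordpress fail2ban plugin (Default: 2 errors bans for 24 hours)
	# if (($globlogs{SYSLOG_LOG}{$lgfile}) and ($line =~ /.*Blocked user enumeration attempt from (.*)\n/)) {
	#     return ("WordPress user enumeration attempt from",$1,"fail2ban_userenum","2","80,443","86400");
	# }
	# # Wordpress fail2ban plugin (Default: 2 errors bans for 24 hours)
	# if (($globlogs{SYSLOG_LOG}{$lgfile}) and ($line =~ /.*Pingback error .* generated from (.*)\n/)) {
	#     return ("WordPress pingback error",$1,"fail2ban_pingback","2","80,443","86400");
	# }
	# # Wordpress fail2ban plugin (Default: 2 errors bans for 24 hours)
	# if (($globlogs{SYSLOG_LOG}{$lgfile}) and ($line =~ /.*Spammed comment from (.*)\n/)) {
	#     return ("WordPress spam comments from",$1,"fail2ban_spam","2","80,443","86400");
	# }
	# # Wordpress fail2ban plugin (Default: 2 errors bans for 24 hours)
	# if (($globlogs{SYSLOG_LOG}{$lgfile}) and ($line =~ /.*XML-RPC multicall authentication failure (.*)\n/)) {
	#     return ("WordPress XML-RPC multicall fail from",$1,"fail2ban_xmlrpc","5","80,443","86400");
	# }

	# If the matches in this file are not syntactically correct for perl then lfd
	# will fail with an error. You are responsible for the security of any regex
	# expressions you use. Remember that log file spoofing can exploit poorly
	# constructed regex's
	###############################################################################
	# Do not edit beyond this point
	return 0;
}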
1; # a required module must evaluate to a true value when lfd loads it