Configure custom regex matching patterns for use by the login failure daemon.
juggernaut --task=lfd:loginfailurecustomtriggers --oper=<trigger_add|trigger_edit|trigger_del> --name=<string>
Option | Value | Description |
---|---|---|
--oper | <string> | The operation you want to perform. Operations: trigger_add, trigger_edit, trigger_del |
--name | <string> | A unique identifier for this custom rule. It must be alphanumeric and have no spaces. |
--log_file | <string> | The log file that needs to be scanned for log line matches. Log files: HTACCESS_LOG, MODSEC_LOG, SSHD_LOG, SU_LOG, FTPD_LOG, SMTPAUTH_LOG, POP3D_LOG, IMAPD_LOG, IPTABLES_LOG, SUHOSIN_LOG, BIND_LOG, SYSLOG_LOG, CUSTOM1_LOG-CUSTOM9_LOG |
--message | <yes> | Text for custom failure message. |
--patterns | <yes> | The regex pattern to match. Single quotes must be properly escaped by replacing each single quote with '\'' |
--ip_address | <digit> | The capture group position of the IP address. |
--trigger | <digit> | The trigger level for blocking. |
--ports | <digit1,digit2> | The ports to block the IP from, as a comma-separated list. Only used if LF_SELECT is enabled. |
--block_time | <0-604800> | The block time in seconds. n/temporary (n = number of seconds to temporarily block) or 1/permanent IP block. Only used if LF_TRIGGER is disabled. |
--cloudflare | <1\|0> | Whether to trigger a Cloudflare block if CF_ENABLE is set. |
--enabled | <1\|0> | Enable or disable the trigger. |
--restart | <yes> | Restart the service after saving settings. |
// add a custom trigger for mysql
juggernaut --task=lfd:loginfailurecustomtriggers --oper=trigger_add --name='mysqld' --log_file='CUSTOM_LOG' --message='Failed mysqld login with username [$1] from' --ip_address=2 --trigger=5 --ports=3306 --block_time=86400 --cloudflare=1 --enabled=1 --patterns='^(?:\d+ |\d{6} \s?\d{1,2}:\d{2}:\d{2} )?\[Warning\] Access denied for user \'\''(\w+)\'\''\@\'\''(\S+)\'\'' (?:to database \'\''[^\'\'']*\'\''|\(using password: (?:YES|NO)\))*\s*$'
// remove the custom mysql trigger
juggernaut --task=lfd:loginfailurecustomtriggers --oper=trigger_del --name='mysqld'
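
Before adding a trigger, it helps to confirm that the group named in --ip_address really captures an address and that the '\'' escaping hands the shell back the intended regex. The following is an added example, not part of the original documentation or the tool itself: it checks the mysqld pattern above against constructed log lines. Python's `re` standing in for the daemon's own regex engine and the sample lines (with the documentation address 203.0.113.7) are assumptions.

```python
import ipaddress
import re
import shlex

# Raw regex from the mysqld example, before shell escaping (copied from the page).
RAW_PATTERN = (
    r"^(?:\d+ |\d{6} \s?\d{1,2}:\d{2}:\d{2} )?\[Warning\] Access denied for user "
    r"\'(\w+)\'\@\'(\S+)\' "
    r"(?:to database \'[^\']*\'|\(using password: (?:YES|NO)\))*\s*$"
)

# Constructed sample log lines (not taken from a real server).
SAMPLE_LINES = [
    "170101 12:34:56 [Warning] Access denied for user 'root'@'203.0.113.7' (using password: YES)",
    "12345 [Warning] Access denied for user 'app'@'localhost' (using password: NO)",
    "170101 12:34:56 [Note] Access denied for user 'root'@'203.0.113.7' (using password: YES)",
]

def is_ip(value):
    """True only if value parses as an IPv4 or IPv6 address."""
    if value is None:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def check_group(pattern, ip_group, lines):
    """For each line return (captured text or None, whether it is an IP)."""
    rx = re.compile(pattern)
    if not 1 <= ip_group <= rx.groups:
        raise ValueError(f"pattern has {rx.groups} groups, no group {ip_group}")
    out = []
    for line in lines:
        m = rx.search(line)
        captured = m.group(ip_group) if m else None
        out.append((captured, is_ip(captured)))
    return out

def shell_escape(pattern):
    """Documented rule: replace each ' with '\\'' and single-quote the result."""
    return "'" + pattern.replace("'", "'\\''") + "'"

if __name__ == "__main__":
    for line, (captured, ok) in zip(SAMPLE_LINES, check_group(RAW_PATTERN, 2, SAMPLE_LINES)):
        print(f"{'IP' if ok else 'no IP':5} {captured!r:16} <- {line}")
    # The shell must hand the tool back exactly the raw pattern.
    assert shlex.split(shell_escape(RAW_PATTERN)) == [RAW_PATTERN]
    print("--patterns=" + shell_escape(RAW_PATTERN))
```

The second sample line matches the pattern but captures a hostname rather than an address, which is the case worth checking for whenever the IP group is written as `(\S+)`.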