Login Failure Custom Triggers

Login failure custom triggers allow you to define your own regex patterns for the login failure daemon (lfd) to apply to log files, in addition to the patterns that ship with CSF.

• Custom regex matching patterns are added to the file /usr/local/csf/bin/regex.custom.pm, which is not overwritten by CSF upgrades.
• The regex matches in this file supersede the matches in /usr/local/csf/bin/regex.pm.
• If the contents of this file are not valid Perl, the login failure daemon will fail with an error.
• You are responsible for the security of any regex. Log file spoofing (attacker-controlled text that ends up in a log line, such as a username or request string) can abuse a poorly constructed regex, so anchor the pattern to the fixed parts of the log line and capture the IP only from the field the server itself writes.

Custom Triggers

Name | Log setting | Log location | Description
apache-overflows | HTACCESS_LOG | /var/www/vhosts/system/*/logs/error_log | Apache overflow attempts
apache-referrers | CUSTOM4_LOG | /var/www/vhosts/system/*/logs/*access*log | Requests coming from a bad referrer
apache-scanners | CUSTOM4_LOG | /var/www/vhosts/system/*/logs/*access*log | Bad requests scanning for vulnerabilities (phpmyadmin)
apache-useragents | CUSTOM4_LOG | /var/www/vhosts/system/*/logs/*access*log | Bad user agents of bots and search engines that have little to no value
horde | CUSTOM2_LOG | /var/log/psa-horde/psa-horde.log | Failed logins to Horde webmail
joomla | HTACCESS_LOG | /var/www/vhosts/system/*/logs/error_log | Failed logins to Joomla - Must install: https://extensions.joomla.org/extension/fail2ban/
mysqld | CUSTOM_LOG | /var/log/mysqld.log | Failed logins to MySQL - Enable auth logging in /etc/my.cnf using log-warnings = 2
php-url-fopen | CUSTOM4_LOG | /var/www/vhosts/system/*/logs/access_*log | Requests to URLs using PHP fopen
plesk-panel | CUSTOM1_LOG | /var/log/plesk/panel.log | Failed logins to Plesk panel
roundcube | CUSTOM3_LOG | /var/log/plesk-roundcube/errors | Failed logins to Roundcube webmail
whmcs | CUSTOM4_LOG | /var/www/vhosts/system/*/logs/*access*log | Failed logins to WHMCS
wordpress | CUSTOM4_LOG | /var/www/vhosts/system/*/logs/*access*log | Failed logins to WordPress
wordpress-user-enum | CUSTOM4_LOG | /var/www/vhosts/system/*/logs/*access*log | Malicious script scans a WordPress site for user data by requesting numerical user IDs

Example

# Match Pure-FTPd authentication failures in the log configured as CUSTOM1_LOG
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ pure-ftpd: \(\?\@(\d+\.\d+\.\d+\.\d+)\) \[WARNING\] Authentication failed for user/)) {
    return ("Failed myftpmatch login from",$1,"myftpmatch","5","20,21","1","0");
}

Return value | Description
Failed myftpmatch login from | Text for the custom failure message.
$1 | The capture group holding the IP address.
myftpmatch | A unique identifier for this custom rule; must be alphanumeric with no spaces.
5 | The trigger level for blocking.
20,21 | The ports to block the IP from, as a comma-separated list; only used if LF_SELECT is enabled.
1 | n/temporary (n = number of seconds to temporarily block) or 1/permanent IP block; only used if LF_TRIGGER is disabled.
0 | Whether to trigger a Cloudflare block if CF_ENABLE is set. "0" = disable, "1" = enable.

Creating Your Own Custom Triggers

Use this site to test your own regex: https://regex101.com/. Paste a sample log line into the "TEST STRING" field and confirm that the pattern matches it and that the capture group extracts the IP address the login failure daemon needs.
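As an added example (not CSF's own code), the Pure-FTPd trigger from the example above is wrapped in a small stand-alone Perl harness so it can be run against constructed log lines before it is placed in regex.custom.pm. In the real file CSF supplies %globlogs, $lgfile and $line itself and the if-block is written at file scope, not inside a sub; the sub, the emulated hash, the log path and the sample lines here are assumptions for testing only. The third sample line shows why the anchoring matters: the attacker has put a fake "(?@...)" string into the username, but the capture group still takes the address that the server wrote.

```perl
#!/usr/bin/perl
# Added example, not part of CSF: test a regex.custom.pm trigger offline.
use strict;
use warnings;

# Emulation of what CSF provides inside regex.custom.pm (assumed values):
# CUSTOM1_LOG is assumed to be set to the FTP log in /etc/csf/csf.conf.
my %globlogs = ( CUSTOM1_LOG => { '/var/log/messages' => 1 } );
my $lgfile   = '/var/log/messages';

# The trigger. It is anchored to the syslog prefix and the literal
# "pure-ftpd:" token, and only captures the dotted quad inside "(?@...)",
# the field written by the server rather than by the remote user.
sub custom_line {
    my ($line) = @_;
    if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ pure-ftpd: \(\?\@(\d+\.\d+\.\d+\.\d+)\) \[WARNING\] Authentication failed for user/)) {
        return ("Failed myftpmatch login from", $1, "myftpmatch", "5", "20,21", "1", "0");
    }
    return;    # empty list: no match
}

# Constructed sample lines (not real logs): a genuine failure, a successful
# login that must not trigger, and a spoof attempt in the username field.
my @samples = (
    'Mar  3 10:15:22 host pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [admin]',
    'Mar  3 10:15:30 host pure-ftpd: (?@203.0.113.7) [INFO] admin is now logged in',
    'Mar  3 10:16:01 host pure-ftpd: (?@198.51.100.9) [WARNING] Authentication failed for user [(?@192.0.2.1) [WARNING] Authentication failed for user x]',
);

for my $l (@samples) {
    my @r = custom_line($l);
    if (@r) {
        print "$r[0] $r[1] (rule $r[2], level $r[3], ports $r[4])\n";
    } else {
        print "no match\n";
    }
}
```

Run it with perl and check that the first and third lines report 203.0.113.7 and 198.51.100.9 respectively, and that the second line produces "no match". If a candidate regex instead reports 192.0.2.1 for the third line, it is capturing from attacker-controlled text and needs tightening before it goes into regex.custom.pm.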

Related Files

File | Description
/etc/csf/csf.conf | CUSTOM1_LOG - CUSTOM9_LOG configuration options.
/usr/local/csf/bin/regex.custom.pm | Custom login failure triggers.
/usr/local/csf/tpl/alert.txt | Port blocking email template.