Login failure custom triggers allow you to define custom regex patterns used by the login failure daemon.
• Custom regex matching patterns are added to the file /usr/local/csf/bin/regex.custom.pm, which is not overwritten by CSF upgrades.
• The regex matches in this file supersede the matches in /usr/local/csf/bin/regex.pm.
• If the matches in this file are not syntactically correct Perl, the login failure daemon will fail with an error.
• You are responsible for the security of any regex you add. Log file spoofing can exploit poorly constructed regexes.

| Name | Log | Log Location | Description | 
|---|---|---|---|
| apache-overflows | HTACCESS_LOG | /var/www/vhosts/system/*/logs/error_log | Apache overflow attempts | 
| apache-referrers | CUSTOM4_LOG | /var/www/vhosts/system/*/logs/*access*log | Requests coming from a bad referrer | 
| apache-scanners | CUSTOM4_LOG | /var/www/vhosts/system/*/logs/*access*log | Bad requests scanning for vulnerabilities (phpmyadmin) | 
| apache-useragents | CUSTOM4_LOG | /var/www/vhosts/system/*/logs/*access*log | Bad user agents of bots and search engines that have little to no value | 
| horde | CUSTOM2_LOG | /var/log/psa-horde/psa-horde.log | Failed logins to Horde webmail | 
| joomla | HTACCESS_LOG | /var/www/vhosts/system/*/logs/error_log | Failed logins to Joomla - Must install: https://extensions.joomla.org/extension/fail2ban/ | 
| mysqld | CUSTOM_LOG | /var/log/mysqld.log | Failed logins to MySQL - Enable auth logging in /etc/my.cnf using log-warnings = 2 | 
| php-url-fopen | CUSTOM4_LOG | /var/www/vhosts/system/*/logs/access_*log | Requests to URLs using PHP fopen | 
| plesk-panel | CUSTOM1_LOG | /var/log/plesk/panel.log | Failed logins to Plesk panel | 
| roundecube | CUSTOM3_LOG | /var/log/plesk-roundcube/errors | Failed logins to Roundcube webmail | 
| whmcs | CUSTOM4_LOG | /var/www/vhosts/system/*/logs/*access*log | Failed logins to WHMCS | 
| wordpress | CUSTOM4_LOG | /var/www/vhosts/system/*/logs/*access*log | Failed logins to WordPress | 
| wordpress-user-enum | CUSTOM4_LOG | /var/www/vhosts/system/*/logs/*access*log | Malicious script scans a WordPress site for user data by requesting numerical user IDs | 

```perl
# Match pure-ftpd authentication failures in the log assigned to CUSTOM1_LOG; $1 captures the client IP.
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ pure-ftpd: \(\?\@(\d+\.\d+\.\d+\.\d+)\) \[WARNING\] Authentication failed for user/)) {
        return ("Failed myftpmatch login from",$1,"myftpmatch","5","20,21","1","0");
}
```

| Return value | Description | 
|---|---|
| Failed myftpmatch login from | Text for custom failure message. | 
| $1 | The IP address capture group position. | 
| myftpmatch | A unique identifier for this custom rule, must be alphanumeric and have no spaces. | 
| 5 | The trigger level for blocking. | 
| 20,21 | The ports to block the IP from, as a comma-separated list; only used if LF_SELECT is enabled. | 
| 1 | n/temporary (n = number of seconds to temporarily block) or 1/permanent IP block; only used if LF_TRIGGER is disabled. | 
| 0 | Whether to trigger a Cloudflare block if CF_ENABLE is set. "0" = disable, "1" = enable. | 

Use this site to test your own regex: https://regex101.com/. Paste a sample log line into the "TEST STRING" field and extract the required fields for use by the login failure daemon.

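An offline check for a custom pattern before it goes into regex.custom.pm, added here as an example and not part of CSF or the original page: it runs the page's pure-ftpd regex, and a hypothetical variant with the leading `^` and syslog prefix removed, over sample log lines. The log lines, the `otherd` service, the host name and the addresses are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The page's pure-ftpd pattern: anchored at line start and tied to the syslog prefix.
my $anchored = qr/^\S+\s+\d+\s+\S+ \S+ pure-ftpd: \(\?\@(\d+\.\d+\.\d+\.\d+)\) \[WARNING\] Authentication failed for user/;
# Hypothetical poorly constructed variant: same message text, no anchor, no prefix.
my $loose = qr/pure-ftpd: \(\?\@(\d+\.\d+\.\d+\.\d+)\) \[WARNING\] Authentication failed for user/;

# Constructed sample lines: [label, log line, IP that should be captured or undef].
my @samples = (
    ['genuine', 'Jan 12 10:01:02 host1 pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [bob]', '203.0.113.7'],
    # Another daemon ("otherd", made up) echoing a client-supplied string into the log.
    ['echoed', 'Jan 12 10:01:05 host1 otherd[211]: bad name "pure-ftpd: (?@198.51.100.9) [WARNING] Authentication failed for user"', undef],
    ['unrelated', 'Jan 12 10:01:09 host1 pure-ftpd: (?@203.0.113.7) [INFO] Logout.', undef],
);

# Run one pattern over every sample; return the number of lines it handled wrongly.
sub check {
    my ($name, $re) = @_;
    my $wrong = 0;
    for my $sample (@samples) {
        my ($label, $line, $want) = @$sample;
        my $got = ($line =~ $re) ? $1 : undef;
        my $ok = (defined $got ? $got : '') eq (defined $want ? $want : '');
        $wrong++ unless $ok;
        printf "%-9s %-10s %-5s captured=%s\n", $name, $label, $ok ? 'ok' : 'WRONG', defined $got ? $got : '-';
    }
    return $wrong;
}

my $anchored_wrong = check('anchored', $anchored);
my $loose_wrong    = check('loose', $loose);
print "anchored: $anchored_wrong wrong, loose: $loose_wrong wrong\n";
# Non-zero exit if the pattern intended for regex.custom.pm mishandles any sample.
exit($anchored_wrong ? 1 : 0);
```

The anchored pattern ignores the `otherd` line, while the unanchored variant captures an address from it, which is the kind of match log file spoofing relies on.
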
| File | Description | 
|---|---|
| /etc/csf/csf.conf | CUSTOM1_LOG through CUSTOM9_LOG configuration options. | 
| /usr/local/csf/bin/regex.custom.pm | Custom login failure triggers. | 
| /usr/local/csf/tpl/alert.txt | Port blocking email template. |