These are the regexes from CSF Firewall v14.02's main lfd.pl.
These are the log lines written by the applications installed from CustomBuild.
Let's compare the default LFD regexes with the logs from the applications.
The default Roundcube log path configured by CSF Firewall is wrong:
DIRECTADMIN_LOG_R = "/var/www/html/roundcube/logs/errors" // #this is wrong path
Should this be fixed on the CSF Firewall side or on the application side?
This is a solution for anyone who wants to fix it:
edit /etc/csf/regex.custom.pm
add
before the line: return 0;
###UPDATE 2021-08-18: breaking change in the latest version of dovecot
Add new regex rules
#DirectAdmin
# DirectAdmin's own login log (csf default). Two wordings are accepted:
#   <ts> 'IP' N failed login attempts. Account 'USER'
#   <ts> 'IP' N failed login attempt on account 'USER'
if (    $config{LF_DIRECTADMIN}
    and $globlogs{DIRECTADMIN_LOG}{$lgfile}
    and $line =~ /^\S+ \'(\S+)\' \d+ (?:failed login attempts\. Account|failed login attempt on account) \'(\S+)\'/ )
{
    my ($ip, $acc) = ($1, $2);
    $ip =~ s/^::ffff://;    # normalise IPv4-mapped IPv6 to plain IPv4
    return ("Failed DirectAdmin login from", "$ip|$acc", "directadmin") if checkip(\$ip);
    return;
}
# Roundcube (csf default). Expects the classic errors-log line:
#   [<date> <time> <tz>]: IMAP Error: Login failed for USER from IP. AUTHENTICATE PLAIN: Authentication failed. in /var/www/html/roundcubemail...
# A line that carries a session id after "]:", an "against HOST" clause, or an
# "(X-Forwarded-For: ...)" suffix directly behind the IP does not match this pattern.
if (    $config{LF_DIRECTADMIN}
    and $globlogs{DIRECTADMIN_LOG_R}{$lgfile}
    and $line =~ m{^\[\S+\s+\S+\s+\S+\]: IMAP Error: Login failed for (\S+) from (\S+)\. AUTHENTICATE PLAIN: Authentication failed\. in /var/www/html/roundcubemail} )
{
    my ($acc, $ip) = ($1, $2);
    $ip =~ s/^::ffff://;    # normalise IPv4-mapped IPv6 to plain IPv4
    return ("Failed DirectAdmin Roundcube login from", "$ip|$acc", "directadmin") if checkip(\$ip);
    return;
}
# SquirrelMail (csf default):
#   <date> <time> [LOGIN_ERROR] USER (optional detail) from IP: Unknown user or password incorrect.
if (    $config{LF_DIRECTADMIN}
    and $globlogs{DIRECTADMIN_LOG_S}{$lgfile}
    and $line =~ /^\S+\s+\S+ \[LOGIN_ERROR\] (\S+)(?: \(\S+\))? from (\S+): Unknown user or password incorrect\.\s*$/ )
{
    my ($acc, $ip) = ($1, $2);
    $ip =~ s/^::ffff://;    # normalise IPv4-mapped IPv6 to plain IPv4
    return ("Failed DirectAdmin SquirrelMail login from", "$ip|$acc", "directadmin") if checkip(\$ip);
    return;
}
# phpMyAdmin (csf default):
#   <date> <time> <host>: pma auth user='USER' status='mysql-denied' ip='IP'
# The CustomBuild auth.log wording ("phpmyadmin: user denied: USER (mysql-denied) from IP")
# is a different format and is not matched here.
if (    $config{LF_DIRECTADMIN}
    and $globlogs{DIRECTADMIN_LOG_P}{$lgfile}
    and $line =~ /^\S+\s+\S+\s+\S+: pma auth user='(\S+)' status='mysql-denied' ip='(\S+)'\s*$/ )
{
    my ($acc, $ip) = ($1, $2);
    $ip =~ s/^::ffff://;    # normalise IPv4-mapped IPv6 to plain IPv4
    return ("Failed DirectAdmin phpMyAdmin login from", "$ip|$acc", "directadmin") if checkip(\$ip);
    return;
}
These are the log lines written by the applications installed from CustomBuild.
#Roundcube "/var/www/html/roundcube/logs/errors.log"
[07-Jun-2020 14:22:43 +0700]: <sbjjdlvr> IMAP Error: Login failed for adawd against localhost from 1.2.3.4(X-Forwarded-For: 1.2.3.4). AUTHENTICATE PLAIN: Authentication failed. in /var/www/html/roundcubemail-1.4.5/program/lib/Roundcube/rcube_imap.php on line 200 (POST /webmail/?_task=login&_action=login)
#phpmyadmin "/var/www/html/phpMyAdmin/log/auth.log"
Jun 07 15:57:01 phpmyadmin: user denied: awdwa (mysql-denied) from 1.2.3.4
Let's compare the default LFD regexes with the logs from the applications.
The default Roundcube log path configured by CSF Firewall is wrong:
DIRECTADMIN_LOG_R = "/var/www/html/roundcube/logs/errors" // #this is wrong path
Should this be fixed on the CSF Firewall side or on the application side?
This is a solution for anyone who wants to fix it:
edit /etc/csf/regex.custom.pm
add
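# Roundcube (CustomBuild layout, read through the CUSTOM1_LOG slot).
# Matches both the classic line the stock rule expects
#   [...]: IMAP Error: Login failed for USER from IP. AUTHENTICATE PLAIN: ...
# and the newer one with a session id, an "against HOST" clause and an
# X-Forwarded-For suffix glued to the address
#   [...]: <sid> IMAP Error: Login failed for USER against HOST from IP(X-Forwarded-For: ...). AUTHENTICATE PLAIN: ...
# The address captured is the one Roundcube saw the request come from; the value
# inside the X-Forwarded-For parentheses is a request header and is deliberately
# not used. The session-id and "against HOST" parts are optional, and the IP is read
# lazily up to either "(" or ". AUTHENTICATE", so a log without a proxy header
# (no "(") still matches.
# NOTE(review): USER is presumably the login name as submitted and may contain
# arbitrary text; keep this pattern as tight as the log format allows.
if (    $config{LF_DIRECTADMIN}
    and $globlogs{CUSTOM1_LOG}{$lgfile}
    and $line =~ /^\[\S+\s+\S+\s+\S+\]: (?:\S+ )?IMAP Error: Login failed for (\S+)(?: \S+ \S+)? from (\S+?)(?:\(|\. AUTHENTICATE)/ )
{
    my ($acc, $ip) = ($1, $2);
    $ip =~ s/^::ffff://;    # normalise IPv4-mapped IPv6 to plain IPv4
    # on a rejected address return nothing, as the stock lfd.pl rules do, instead of
    # letting the already-identified line fall through to the remaining rules
    if (checkip(\$ip)) {return ("Failed DirectAdmin Roundcube login from","$ip|$acc","directadmin")} else {return}
}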
# phpMyAdmin (CustomBuild layout) via its auth log:
#   <Mon> <dd> <hh:mm:ss> phpmyadmin: user denied: USER (mysql-denied) from IP
# On a rejected address the line falls through to the rules below (no else branch).
if (    $config{LF_DIRECTADMIN}
    and $globlogs{DIRECTADMIN_LOG_P}{$lgfile}
    and $line =~ /^\S+\s+\S+\s+\S+ phpmyadmin: user denied: (\S+) \(mysql-denied\) from (\S+)/ )
{
    my ($acc, $ip) = ($1, $2);
    $ip =~ s/^::ffff://;    # normalise IPv4-mapped IPv6 to plain IPv4
    return ("Failed DirectAdmin phpMyAdmin login from", "$ip|$acc", "directadmin") if checkip(\$ip);
}
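# Dovecot pop3-login, syslog ("Mon dd hh:mm:ss") or single-token timestamp.
# Accepts both the "Aborted login" and the "Disconnected..." wordings, the
# optional "(auth failed, N attempts[ in N secs])" note and the optional
# "user=<...>, " field; the address is taken from "rip=".
if (    $config{LF_POP3D}
    and $globlogs{POP3D_LOG}{$lgfile}
    and $line =~ /^(?:\S+|\S+\s+\d+\s+\S+) \S+ dovecot(?:\[\d+\])?: pop3-login: (?:Aborted login|Disconnected|Disconnected: Inactivity|Disconnected: Connection closed|Disconnected: Aborted.*out)(?: \(auth failed, \d+ attempts(?: in \d+ secs)?\))?: (?:user=(<\S*>)?, )?method=\S+, rip=(\S+), lip=/ )
{
    my $ip = $2;
    # the user field is optional in the line, so $1 is undef when it is missing;
    # default to '' so the s/// and the "$ip|$acc" below do not run on undef
    my $acc = defined $1 ? $1 : '';
    $ip  =~ s/^::ffff://;    # normalise IPv4-mapped IPv6 to plain IPv4
    $acc =~ s/^<|>$//g;      # strip the angle brackets dovecot puts around the user
    if (checkip(\$ip)) {return ("Failed POP3 login from","$ip|$acc","pop3d")} else {return}
}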
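# Dovecot imap-login, syslog ("Mon dd hh:mm:ss") or single-token timestamp.
# Accepts both the "Aborted login" and the "Disconnected..." wordings, the
# optional "(auth failed, N attempts[ in N secs])" note and the optional
# "user=<...>, " field; the address is taken from "rip=".
if (    $config{LF_IMAPD}
    and $globlogs{IMAPD_LOG}{$lgfile}
    and $line =~ /^(?:\S+|\S+\s+\d+\s+\S+) \S+ dovecot(?:\[\d+\])?: imap-login: (?:Aborted login|Disconnected|Disconnected: Inactivity|Disconnected: Connection closed|Disconnected: Aborted.*out)(?: \(auth failed, \d+ attempts(?: in \d+ secs)?\))?: (?:user=(<\S*>)?, )?method=\S+, rip=(\S+), lip=/ )
{
    my $ip = $2;
    # the user field is optional in the line, so $1 is undef when it is missing;
    # default to '' so the s/// and the "$ip|$acc" below do not run on undef
    my $acc = defined $1 ? $1 : '';
    $ip  =~ s/^::ffff://;    # normalise IPv4-mapped IPv6 to plain IPv4
    $acc =~ s/^<|>$//g;      # strip the angle brackets dovecot puts around the user
    if (checkip(\$ip)) {return ("Failed IMAP login from","$ip|$acc","imapd")} else {return}
}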
before the line: return 0;
###UPDATE 2021-08-18: breaking change in the latest version of dovecot
Add new regex rules