CSF / LFD wont work LF_APACHE_404

M

Migdiradmin

Verified User
Joined
Jan 5, 2020
Messages
158
Hi i cant put this working in directadmin in cpanel works ok by default.

I want to try to ban IPs in CSF that returns 404 in
/var/log/httpd/access_log
/var/log/httpd/domain.com.log

Example:
Code: 
122.22.22.22 - - [19/Aug/2022:09:32:54 +0100] "GET /sadasadasd HTTP/1.1" 404 518 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
122.22.22.22 - - [19/Aug/2022:09:32:55 +0100] "GET /sadasdasdadsasdasdasdasd HTTP/1.1" 404 518 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
122.22.22.22 - - [19/Aug/2022:09:32:56 +0100] "GET /saasdasddsasdasd HTTP/1.1" 404 518 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
122.22.22.22 - - [19/Aug/2022:09:32:57 +0100] "GET /sadaasddadsasdasd HTTP/1.1" 404 518 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
122.22.22.22 - - [19/Aug/2022:09:32:58 +0100] "GET /sadasasddsasdasd HTTP/1.1" 404 518 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
122.22.22.22 - - [19/Aug/2022:09:32:59 +0100] "GET /sadasdaasdasasdasd HTTP/1.1" 404 518 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
122.22.22.22 - - [19/Aug/2022:09:32:59 +0100] "GET /sadasasdasdsasdasd HTTP/1.1" 404 518 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"

Anyone can do this with CSF/LFD and directadmin?
 
Migdiradmin said:
in cpanel works ok by default.
Click to expand...
Directadmin uses the same default as cPanel does (click). If you want a stricter check, you have to change that.

This is not a cPanel<->DA thing. It's a CSF setting.

Like the link says, look in the csf.conf for the LF_APACHE_404 setting and adjust it to your needs.
Be aware that setting this too low can also block false positives.
 
Richard G said:
LF_APACHE_404 setting
Click to expand...
.. just wondering about the description for this value: " This option will keep track of the number of "File does not exist" errors in
HTACCESS_LOG." So if it look only in htaccess-log, will it catch also acess- and domain-logs?
 
johannes said:
will it catch also acess- and domain-logs?
Click to expand...
Good one.

The logs are on the bottom of the csf.conf file. You can add things there.
By default it points to the apache error log. But you can add things like there. I use this line to also check the domain errorlogs:
HTACCESS_LOG = "/var/log/httpd/error_log /var/log/httpd/domains/*.error.log"
You can use the same method to also add the access log.
Don't forget to restart csf/lfd afterwards.
 
Richard G said:
Directadmin uses the same default as cPanel does (click). If you want a stricter check, you have to change that.

This is not a cPanel<->DA thing. It's a CSF setting.

Like the link says, look in the csf.conf for the LF_APACHE_404 setting and adjust it to your needs.
Be aware that setting this too low can also block false positives.
Click to expand...
Thanks but its not working, i already tried LF_APACHE_404 = 3 or 2 or 60 is just the same wont work, and in the cpanel works.

Your access_log return like this?, and you can ban/block?
122.22.22.22 - - [19/Aug/2022:09:32:59 +0100] "GET /sadasasdasdsasdasd HTTP/1.1" 404 518 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
Click to expand...
 
Migdiradmin said:
Thanks but its not working, i already tried LF_APACHE_404 = 3 or 2 or 60 is just the same wont work, and in the cpanel works.
Click to expand...
In cPanel it does not work by default. I found various posts stating their having the same issue when using Apache 2.4, maybe you used 2.2 on cPanel before?
So I checked a cPanel server myself and there CSF is pointing to the error log too and in my error log there is not a single 404 518 to be found. Which explains while at this moment cP users also have issues with default installs.

Now again it's not a CP<->DA thing, it's a CSF regexp issue which might be fixed by setting and maybe Apache adjustment.

Did you change the logfile setting in the csf.conf as stated? So you have to use this one:
HTACCESS_LOG = "/var/log/httpd/error_log /var/log/httpd/access_log /var/log/httpd/domains/*.error.log"
and restart csf and lfd.

Best was to add just the domain log, but then it would be /var/log/httpd/domains/*.log at the end, which would include all logfiles, which might not be working.

If that doesn't work for you, I would suggest to ask over at the configserver forum, because it's a CSF regexp issue, not a DA issue.
 
In the CSF UI, at the bottom, you have also 9 custom log fields, for own logs.
 
You must log in or register to reply here.
Back
Top