
Commit 0a3de59

committed
Update regex.custom.pm
1 parent 42d9c11 commit 0a3de59


1 file changed

+33
-20
lines changed


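--- a/regex.custom.pm
+++ b/regex.custom.pm
@@ -38,52 +38,56 @@ sub custom_line {
 # rule sets inspired by ethanpill's work at https://community.centminmod.com/posts/49893/
 
 # /var/log/virtualmin/*_access_log
+# /var/log/nginx/access.log
 # Nginx 444 (Default: 5 errors bans for 24 hours)
-if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+) -.*[GET|POST|HEAD].*(\s444\s)/)) {
+if (($globlogs{CUSTOM1_LOG}{$lgfile}) or ($globlogs{CUSTOM3_LOG}{$lgfile}) and ($line =~ /(\S+) -.*[GET|POST|HEAD].*(\s444\s)/)) {
 return ("Nginx 444",$1,"nginx_444","5","80,443","86400","0");
 }
 
 # /var/log/nginx/access.log
 # Nginx 444 (Default: 5 errors bans for 24 hours)
-if (($globlogs{CUSTOM3_LOG}{$lgfile}) and ($line =~ /(\S+) -.*[GET|POST|HEAD].*(\s444\s)/)) {
-return ("Nginx 444",$1,"nginx_444","5","80,443","86400","0");
-}
+# if (($globlogs{CUSTOM3_LOG}{$lgfile}) and ($line =~ /(\S+) -.*[GET|POST|HEAD].*(\s444\s)/)) {
+# return ("Nginx 444",$1,"nginx_444","5","80,443","86400","0");
+# }
 
 # /var/log/virtualmin/*_error_log
+# /var/log/nginx/error.log
 # NginX security rules trigger (Default: 40 errors bans for 24 hours)
-if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /.*access forbidden by rule, client: (\S+).*/)) {
+if (($globlogs{CUSTOM2_LOG}{$lgfile}) or ($globlogs{CUSTOM4_LOG}{$lgfile}) and ($line =~ /.*access forbidden by rule, client: (\S+).*/)) {
 return ("Nginx Security rule triggered from",$1,"nginx_security","40","80,443","86400","0");
 }
 
 # /var/log/nginx/error.log
 # NginX security rules trigger (Default: 40 errors bans for 24 hours)
-if (($globlogs{CUSTOM4_LOG}{$lgfile}) and ($line =~ /.*access forbidden by rule, client: (\S+).*/)) {
-return ("Nginx Security rule triggered from",$1,"nginx_security","40","80,443","86400","0");
-}
+# if (($globlogs{CUSTOM4_LOG}{$lgfile}) and ($line =~ /.*access forbidden by rule, client: (\S+).*/)) {
+# return ("Nginx Security rule triggered from",$1,"nginx_security","40","80,443","86400","0");
+# }
 
 # /var/log/virtualmin/*_error_log
+# /var/log/nginx/error.log
 # NginX 404 errors (Default: 50 errors bans for 24 hours)
-if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /.*No such file or directory\), client: (\S+),.*/)) {
+if (($globlogs{CUSTOM2_LOG}{$lgfile}) or ($globlogs{CUSTOM4_LOG}{$lgfile}) and ($line =~ /.*No such file or directory\), client: (\S+),.*/)) {
 return ("Nginx Security rule triggered from",$1,"nginx_404s","50","80,443","86400","0");
 }
 
 # /var/log/nginx/error.log
 # NginX 404 errors (Default: 50 errors bans for 24 hours)
-if (($globlogs{CUSTOM4_LOG}{$lgfile}) and ($line =~ /.*No such file or directory\), client: (\S+),.*/)) {
-return ("Nginx Security rule triggered from",$1,"nginx_404s","50","80,443","86400","0");
-}
+# if (($globlogs{CUSTOM4_LOG}{$lgfile}) and ($line =~ /.*No such file or directory\), client: (\S+),.*/)) {
+# return ("Nginx Security rule triggered from",$1,"nginx_404s","50","80,443","86400","0");
+# }
 
 # /var/log/virtualmin/*_access_log
+# /var/log/nginx/access.log
 #Trying to download htaccess or htpasswd (Default: 2 error bans for 24 hours)
-if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /.*\.(htpasswd|htaccess).*client: (\S+),.*GET/)) {
+if (($globlogs{CUSTOM1_LOG}{$lgfile}) or ($globlogs{CUSTOM3_LOG}{$lgfile}) and ($line =~ /.*\.(htpasswd|htaccess).*client: (\S+),.*GET/)) {
 return ("Trying to download .ht files",$1,"nginx_htfiles","2","80,443","86400","0");
 }
 
 # /var/log/nginx/access.log
 #Trying to download htaccess or htpasswd (Default: 2 error bans for 24 hours)
-if (($globlogs{CUSTOM3_LOG}{$lgfile}) and ($line =~ /.*\.(htpasswd|htaccess).*client: (\S+),.*GET/)) {
-return ("Trying to download .ht files",$1,"nginx_htfiles","2","80,443","86400","0");
-}
+# if (($globlogs{CUSTOM3_LOG}{$lgfile}) and ($line =~ /.*\.(htpasswd|htaccess).*client: (\S+),.*GET/)) {
+# return ("Trying to download .ht files",$1,"nginx_htfiles","2","80,443","86400","0");
+# }
 
 # Wordpress fail2ban plugin https://wordpress.org/plugins/wp-fail2ban-redux/
 # (Default: 2 errors bans for 24 hours)
@@ -116,24 +120,33 @@ sub custom_line {
 }
 
 # /var/log/virtualmin/*_error_log
+# /var/log/nginx/error.log
 # https://community.centminmod.com/posts/74546/
 # Nginx connection limit rule trigger (Default: 5 errors bans for 60mins)
-if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /.*limiting connections by zone .*, client: (\S+),(.*)/)) {
+if (($globlogs{CUSTOM2_LOG}{$lgfile}) or ($globlogs{CUSTOM4_LOG}{$lgfile}) and ($line =~ /.*limiting connections by zone .*, client: (\S+),(.*)/)) {
 return ("Nginx Security rule triggered from",$1,"nginx_conn_limit","5","80,443","3600","0");
 }
 
 # /var/log/nginx/error.log
 # https://community.centminmod.com/posts/74546/
 # Nginx connection limit rule trigger (Default: 5 errors bans for 60mins)
-if (($globlogs{CUSTOM4_LOG}{$lgfile}) and ($line =~ /.*limiting connections by zone .*, client: (\S+),(.*)/)) {
-return ("Nginx Security rule triggered from",$1,"nginx_conn_limit_localhost","5","80,443","3600","0");
-}
+# if (($globlogs{CUSTOM4_LOG}{$lgfile}) and ($line =~ /.*limiting connections by zone .*, client: (\S+),(.*)/)) {
+# return ("Nginx Security rule triggered from",$1,"nginx_conn_limit_localhost","5","80,443","3600","0");
+# }
 
 # WordPress Catch all
 # if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+) -.*[GET|POST].*(\/wp-admin|wp-admins.php|administrator\/|login.php|backend|admin|\/xmlrpc.php|\/wp-(app|cron|login|register|mail).php|wp-.*.php|wp-comments-popup.php|wp-links-opml.php|wp-locations.php|sitemap(_index)?.xml|wlwmanifest.xml|wp-cl-plugin.php|[a-z0-9_-]+-sitemap([0-9]+)?.xml)/)) {
 # return ("WordPress Catch all Attack",$1,"wordpress","7","80,443","1");
 # }
 
+# /var/log/virtualmin/*_access_log
+# /var/log/nginx/access.log
+# WordPress Non Existent plugin locations
+# (Default: 2 errors bans for 24 hours)
+if (($globlogs{CUSTOM1_LOG}{$lgfile}) or ($globlogs{CUSTOM3_LOG}{$lgfile}) and ($line =~ /(\S+) -.*[GET|POST|HEAD] (\/wp-content\/plugins\/).*(\s404\s)/)) {
+return ("WordPress Plugins Honeypot Trap",$1,"wordpress_404","2","80,443","86400","0");
+}
+
 # Source: https://www.digitalflare.co.uk/blog/view/blocking-wp-login-and-xmlrpc-brute-force-attacks-with-csf-cpanel/
 # WordPress XMLRPC
 if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+) -.*[GET|POST].*(xmlrpc.php)/)) {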
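Review bot: Every merged condition in both hunks, from the new-side "Nginx 444" `if` through the new "WordPress Plugins Honeypot Trap" rule, has a precedence bug: Perl's `and` binds tighter than `or`, so `A or B and C` parses as `A or (B and C)`, and for any line from the first log (CUSTOM1_LOG / CUSTOM2_LOG) the regex is never evaluated and the rule fires unconditionally. The consequence is that every CUSTOM1/CUSTOM2 line returns from the first such rule with `$1` holding whatever an earlier match left there (or undef), so csf is handed a bogus or empty address to block while the later rules for those logs, including the XMLRPC rule on the last line of the hunk, become unreachable. Wrap the log test in its own parentheses, e.g. `if ((($globlogs{CUSTOM1_LOG}{$lgfile}) or ($globlogs{CUSTOM3_LOG}{$lgfile})) and ($line =~ /(\S+) -.*[GET|POST|HEAD].*(\s444\s)/)) {`, and apply the same change to the other five rewritten `if` lines. Separately, the ".ht files" rule still returns `$1`, which in that regex is the `(htpasswd|htaccess)` capture rather than the `client: (\S+)` address in `$2`; that predates this commit but the rewritten line carries it forward. The enclosing `sub custom_line` starts before the first hunk and ends after the last.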
