
Commit 149d1ad

committed
Update regex.custom.pm
Remove Default from RegexMain.pm
1 parent e9a5330 commit 149d1ad


1 file changed

+6
-116
lines changed

1 file changed

+6
-116
lines changed

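--- a/regex.custom.pm
+++ b/regex.custom.pm
@@ -147,7 +147,7 @@ sub custom_line {
 if (($globlogs{CUSTOM3_LOG}{$lgfile}) and ($line =~ /(\S+) -.*[GET|POST|HEAD] (\/wp-content\/plugins\/).*(\s404\s)/)) {
 return ("WordPress Plugins Honeypot Trap",$1,"wordpress_404","2","80,443","86400","0");
 }
-
+
 # /var/log/virtualmin/*_access_log
 # Non Existent Dot directory locations
 # (Default: 2 errors bans for 24 hours)
@@ -216,47 +216,39 @@ sub custom_line {
 # Default: 5 errors bans permanant (Uses settings from LF_SMTPAUTH)
 # postfix/smtpd UNKNOWN from unknown
 if (($config{LF_SMTPAUTH}) and ($globlogs{SMTPAUTH_LOG}{$lgfile}) and ($line =~ /postfix\/smtpd[^U]*UNKNOWN from unknown\[(\d+\.\d+\.\d+\.\d+)\]/)) {
-$ip = $1; $acc = "";
+$ip = $1; $acc = "";
 $ip =~ s/^::ffff://;
 if (&checkip($ip)) {return ("UNKNOWN from unknown from","$ip|$acc","postfix_unknown")} else {return}
 }
 
 # postfix/smtpd lost connection after AUTH
 # Default: 5 errors bans permanant (Uses settings from LF_SMTPAUTH)
 if (($config{LF_SMTPAUTH}) and ($globlogs{SMTPAUTH_LOG}{$lgfile}) and ($line =~ /postfix\/smtpd\[\d+\]: lost connection after AUTH from [^\[]+\[(\d+\.\d+\.\d+\.\d+)\]/)) {
-$ip = $1; $acc = "";
+$ip = $1; $acc = "";
 $ip =~ s/^::ffff://;
 if (&checkip($ip)) {return ("lost connection after AUTH from","$ip|$acc","postfix_lost")} else {return}
 }
 
 # postfix/smtpd disconnect from unknown
 # Default: 5 errors bans permanant (Uses settings from LF_SMTPAUTH)
 if (($config{LF_SMTPAUTH}) and ($globlogs{SMTPAUTH_LOG}{$lgfile}) and ($line =~ /postfix\/smtpd[^U]*disconnect from unknown\[(\d+\.\d+\.\d+\.\d+)\]/)) {
-$ip = $1; $acc = "";
+$ip = $1; $acc = "";
 $ip =~ s/^::ffff://;
 if (&checkip($ip)) {return ("lost connection after AUTH from","$ip|$acc","postfix_disconnect")} else {return}
 }
 
 # postfix/smtpd disconnect from domain[ip-address]
 # Default: 5 errors bans permanant (Uses settings from LF_SMTPAUTH)
 if (($config{LF_SMTPAUTH}) and ($globlogs{SMTPAUTH_LOG}{$lgfile}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/submission\/smtpd\[\d+\]: disconnect from \S+\[(\S+)\]/)) {
-$ip = $1; $acc = "";
+$ip = $1; $acc = "";
 $ip =~ s/^::ffff://;
 if (&checkip($ip)) {return ("lost connection after AUTH from","$ip|$acc","postfix_disconnect")} else {return}
 }
-#Postfix SMTP AUTH (Plesk) <-- Default from RegexMain.pm
-# Default: 5 errors bans permanant (Uses settings from LF_SMTPAUTH)
-if (($config{LF_SMTPAUTH}) and ($globlogs{SMTPAUTH_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ postfix\/(submission\/)?smtpd(?:\[\d+\])?: warning: \S+\[(\S+)\]: SASL (?:(?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed/)) {
-my $ip = $3;
-$ip =~ s/^::ffff://;
-if (checkip(\$ip)) {return ("Failed SASL login from","$ip","postfix_saslauth")} else {return}
-}
 # # postfix discard php header check
 # if (($lgfile eq $config{SMTPAUTH_LOG}) and ($line =~ /postfix\/cleanup[^d]*discard: header X-PHP-Script: [^f]+for (\d+\.\d+\.\d+\.\d+)/)) {
 # return ("discard via php header check from ",$1,"postfix_discard","2","25,587,80","3600");
 # }
-#
+#
 # # postfix warn php header check
 # if (($lgfile eq $config{SMTPAUTH_LOG}) and ($line =~ /postfix\/cleanup[^w]+warning: header X-PHP-Script: ([^f]+)for (\d+\.\d+\.\d+\.\d+)/)) {
 # return ("warn via php header check from ",$2,"postfix_warn_php","2","25,587,80","3600");
@@ -268,108 +260,6 @@ sub custom_line {
 # return ("Client host rejected: hostname not found",$1,"smtphostname","4","","86400","0");
 # }
 
-#proftpd <-- Default from RegexMain.pm
-if (($config{LF_FTPD}) and ($globlogs{FTPD_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ proftpd\[\d+\]:? \S+ \([^\[]+\[(\S+)\]\)( -)?:? - no such user \'(\S*)\'/)) {
-my $ip = $2;
-my $acc = $4;
-$ip =~ s/^::ffff://;
-$acc =~ s/:$//g;
-if (checkip(\$ip)) {return ("Failed FTP login from","$ip|$acc","ftpd")} else {return}
-}
-if (($config{LF_FTPD}) and ($globlogs{FTPD_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ proftpd\[\d+\]:? \S+ \([^\[]+\[(\S+)\]\)( -)?:? USER (\S*) no such user found from/)) {
-my $ip = $2;
-my $acc = $4;
-$ip =~ s/^::ffff://;
-$acc =~ s/:$//g;
-if (checkip(\$ip)) {return ("Failed FTP login from","$ip|$acc","ftpd")} else {return}
-}
-if (($config{LF_FTPD}) and ($globlogs{FTPD_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ proftpd\[\d+\]:? \S+ \([^\[]+\[(\S+)\]\)( -)?:? - SECURITY VIOLATION/)) {
-my $ip = $2;
-my $acc = "";
-$ip =~ s/^::ffff://;
-$acc =~ s/:$//g;
-if (checkip(\$ip)) {return ("Failed FTP login from","$ip|$acc","ftpd")} else {return}
-}
-if (($config{LF_FTPD}) and ($globlogs{FTPD_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ proftpd\[\d+\]:? \S+ \([^\[]+\[(\S+)\]\)( -)?:? - USER (\S*) \(Login failed\): Incorrect password/)) {
-my $ip = $2;
-my $acc = $4;
-$ip =~ s/^::ffff://;
-$acc =~ s/:$//g;
-if (checkip(\$ip)) {return ("Failed FTP login from","$ip|$acc","ftpd")} else {return}
-}
-#nginx <-- Default from RegexMain.pm
-if (($config{LF_HTACCESS}) and ($globlogs{HTACCESS_LOG}{$lgfile}) and ($line =~ /^\S+ \S+ \[error\] \S+ \*\S+ no user\/password was provided for basic authentication, client: (\S+),/)) {
-my $ip = $1;
-my $acc = "";
-$ip =~ s/^::ffff://;
-if (checkip(\$ip)) {return ("Failed web page login from","$ip|$acc","htpasswd")} else {return}
-}
-if (($config{LF_HTACCESS}) and ($globlogs{HTACCESS_LOG}{$lgfile}) and ($line =~ /^\S+ \S+ \[error\] \S+ \*\S+ user \"(\S*)\": password mismatch, client: (\S+),/)) {
-my $ip = $2;
-my $acc = $1;
-$ip =~ s/^::ffff://;
-if (checkip(\$ip)) {return ("Failed web page login from","$ip|$acc","htpasswd")} else {return}
-}
-if (($config{LF_HTACCESS}) and ($globlogs{HTACCESS_LOG}{$lgfile}) and ($line =~ /^\S+ \S+ \[error\] \S+ \*\S+ user \"(\S*)\" was not found in \".*?\", client: (\S+),/)) {
-my $ip = $2;
-my $acc = $1;
-$ip =~ s/^::ffff://;
-if (checkip(\$ip)) {return ("Failed web page login from","$ip|$acc","htpasswd")} else {return}
-}
-#mod_security v2 (nginx) <-- Default from RegexMain.pm
-if (($config{LF_MODSEC}) and ($globlogs{MODSEC_LOG}{$lgfile}) and ($line =~ /^\S+ \S+ \[\S+\] \S+ \[client (\S+)\] ModSecurity:(( \[[^]]+\])*)? Access denied/)) {
-my $ip = $1;
-my $acc = "";
-my $domain = "";
-if ($line =~ /\] \[hostname "([^\"]+)"\] \[/) {$domain = $1}
-$ip =~ s/^::ffff://;
-my $ruleid = "unknown";
-if ($line =~ /\[id "(\d+)"\]/) {$ruleid = $1}
-if (checkip(\$ip)) {return ("mod_security (id:$ruleid) triggered by","$ip|$acc|$domain","mod_security")} else {return}
-}
-#BIND <-- Default from RegexMain.pm
-if (($config{LF_BIND}) and ($globlogs{BIND_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ named\[\d+\]: client (\S+)\#\d+(\s\(\S+\))?\:( view external\:)? (update|zone transfer|query \(cache\)) \'[^\']*\' denied$/)) {
-my $ip = $2;
-my $acc = "";
-$ip =~ s/^::ffff://;
-if (checkip(\$ip)) {return ("bind triggered by","$ip|$acc","bind")} else {return}
-}
-#webmin <-- Default from RegexMain.pm
-if (($config{LF_WEBMIN}) and ($globlogs{WEBMIN_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ webmin\[\d+\]: Invalid login as (\S+) from (\S+)/)) {
-my $ip = $3;
-my $acc = $2;
-$ip =~ s/^::ffff://;
-if (checkip(\$ip)) {return ("Failed Webmin login from","$ip|$acc","webmin")} else {return}
-}
-#dovecot <-- Default from RegexMain.pm
-if (($config{LF_POP3D}) and ($globlogs{POP3D_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ dovecot(\[\d+\])?: pop3-login: (Aborted login|Disconnected|Disconnected: Inactivity)( \(auth failed, \d+ attempts( in \d+ secs)?\))?: (user=(<\S*>)?, )?method=\S+, rip=(\S+), lip=/)) {
-my $ip = $8;
-my $acc = $7;
-$ip =~ s/^::ffff://;
-$acc =~ s/^<|>$//g;
-if (checkip(\$ip)) {return ("Failed POP3 login from","$ip|$acc","pop3d")} else {return}
-}
-if (($config{LF_IMAPD}) and ($globlogs{IMAPD_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ dovecot(\[\d+\])?: imap-login: (Aborted login|Disconnected|Disconnected: Inactivity)( \(auth failed, \d+ attempts( in \d+ secs)?\))?: (user=(<\S*>)?, )?method=\S+, rip=(\S+), lip=/)) {
-my $ip = $8;
-my $acc = $7;
-$ip =~ s/^::ffff://;
-$acc =~ s/^<|>$//g;
-if (checkip(\$ip)) {return ("Failed IMAP login from","$ip|$acc","imapd")} else {return}
-}
-if (($config{LF_POP3D}) and ($globlogs{POP3D_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) pop3-login: Info: (Aborted login|Disconnected|Disconnected: Inactivity)( \(auth failed, \d+ attempts( in \d+ secs)?\))?: (user=(<\S*>)?, )?method=\S+, rip=(\S+), lip=/)) {
-my $ip = $7;
-my $acc = $6;
-$ip =~ s/^::ffff://;
-$acc =~ s/^<|>$//g;
-if (checkip(\$ip)) {return ("Failed POP3 login from","$ip|$acc","pop3d")} else {return}
-}
-if (($config{LF_IMAPD}) and ($globlogs{IMAPD_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) imap-login: Info: (Aborted login|Disconnected|Disconnected: Inactivity)( \(auth failed, \d+ attempts( in \d+ secs)?\))?: (user=(<\S*>)?, )?method=\S+, rip=(\S+), lip=/)) {
-my $ip = $7;
-my $acc = $6;
-$ip =~ s/^::ffff://;
-$acc =~ s/^<|>$//g;
-if (checkip(\$ip)) {return ("Failed IMAP login from","$ip|$acc","imapd")} else {return}
-}
 # If the matches in this file are not syntactically correct for perl then lfd
 # will fail with an error. You are responsible for the security of any regex
 # expressions you use. Remember that log file spoofing can exploit poorly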