# Default: 5 errors bans permanant (Uses settings from LF_SMTPAUTH)
217
217
# postfix/smtpd UNKNOWN from unknown
218
218
if (($config{LF_SMTPAUTH}) and ($globlogs{SMTPAUTH_LOG}{$lgfile}) and ($line =~ /postfix\/smtpd[^U]*UNKNOWN from unknown\[(\d+\.\d+\.\d+\.\d+)\]/)) {
219
-
$ip = $1; $acc = "";
219
+
$ip = $1; $acc = "";
220
220
$ip =~ s/^::ffff://;
221
221
if (&checkip($ip)) {return ("UNKNOWN from unknown from","$ip|$acc","postfix_unknown")} else {return}
222
222
}
223
223
224
224
# postfix/smtpd lost connection after AUTH
225
225
# Default: 5 errors bans permanant (Uses settings from LF_SMTPAUTH)
226
226
if (($config{LF_SMTPAUTH}) and ($globlogs{SMTPAUTH_LOG}{$lgfile}) and ($line =~ /postfix\/smtpd\[\d+\]: lost connection after AUTH from [^\[]+\[(\d+\.\d+\.\d+\.\d+)\]/)) {
227
-
$ip = $1; $acc = "";
227
+
$ip = $1; $acc = "";
228
228
$ip =~ s/^::ffff://;
229
229
if (&checkip($ip)) {return ("lost connection after AUTH from","$ip|$acc","postfix_lost")} else {return}
230
230
}
231
231
232
232
# postfix/smtpd disconnect from unknown
233
233
# Default: 5 errors bans permanant (Uses settings from LF_SMTPAUTH)
234
234
if (($config{LF_SMTPAUTH}) and ($globlogs{SMTPAUTH_LOG}{$lgfile}) and ($line =~ /postfix\/smtpd[^U]*disconnect from unknown\[(\d+\.\d+\.\d+\.\d+)\]/)) {
235
-
$ip = $1; $acc = "";
235
+
$ip = $1; $acc = "";
236
236
$ip =~ s/^::ffff://;
237
237
if (&checkip($ip)) {return ("lost connection after AUTH from","$ip|$acc","postfix_disconnect")} else {return}
238
238
}
239
239
240
240
# postfix/smtpd disconnect from domain[ip-address]
241
241
# Default: 5 errors bans permanant (Uses settings from LF_SMTPAUTH)
242
242
if (($config{LF_SMTPAUTH}) and ($globlogs{SMTPAUTH_LOG}{$lgfile}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/submission\/smtpd\[\d+\]: disconnect from \S+\[(\S+)\]/)) {
243
-
$ip = $1; $acc = "";
243
+
$ip = $1; $acc = "";
244
244
$ip =~ s/^::ffff://;
245
245
if (&checkip($ip)) {return ("lost connection after AUTH from","$ip|$acc","postfix_disconnect")} else {return}
246
246
}
247
-
248
-
#Postfix SMTP AUTH (Plesk) <-- Default from RegexMain.pm
249
-
# Default: 5 errors bans permanant (Uses settings from LF_SMTPAUTH)
250
-
if (($config{LF_SMTPAUTH}) and ($globlogs{SMTPAUTH_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ postfix\/(submission\/)?smtpd(?:\[\d+\])?: warning: \S+\[(\S+)\]: SASL (?:(?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed/)) {
251
-
my$ip = $3;
252
-
$ip =~ s/^::ffff://;
253
-
if (checkip(\$ip)) {return ("Failed SASL login from","$ip","postfix_saslauth")} else {return}
254
-
}
255
247
# # postfix discard php header check
256
248
# if (($lgfile eq $config{SMTPAUTH_LOG}) and ($line =~ /postfix\/cleanup[^d]*discard: header X-PHP-Script: [^f]+for (\d+\.\d+\.\d+\.\d+)/)) {
257
249
# return ("discard via php header check from ",$1,"postfix_discard","2","25,587,80","3600");
258
250
# }
259
-
#
251
+
#
260
252
# # postfix warn php header check
261
253
# if (($lgfile eq $config{SMTPAUTH_LOG}) and ($line =~ /postfix\/cleanup[^w]+warning: header X-PHP-Script: ([^f]+)for (\d+\.\d+\.\d+\.\d+)/)) {
262
254
# return ("warn via php header check from ",$2,"postfix_warn_php","2","25,587,80","3600");
@@ -268,108 +260,6 @@ sub custom_line {
268
260
# return ("Client host rejected: hostname not found",$1,"smtphostname","4","","86400","0");
269
261
# }
270
262
271
-
#proftpd <-- Default from RegexMain.pm
272
-
if (($config{LF_FTPD}) and ($globlogs{FTPD_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ proftpd\[\d+\]:? \S+ \([^\[]+\[(\S+)\]\)( -)?:? - no such user \'(\S*)\'/)) {
273
-
my$ip = $2;
274
-
my$acc = $4;
275
-
$ip =~ s/^::ffff://;
276
-
$acc =~ s/:$//g;
277
-
if (checkip(\$ip)) {return ("Failed FTP login from","$ip|$acc","ftpd")} else {return}
278
-
}
279
-
if (($config{LF_FTPD}) and ($globlogs{FTPD_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ proftpd\[\d+\]:? \S+ \([^\[]+\[(\S+)\]\)( -)?:? USER (\S*) no such user found from/)) {
280
-
my$ip = $2;
281
-
my$acc = $4;
282
-
$ip =~ s/^::ffff://;
283
-
$acc =~ s/:$//g;
284
-
if (checkip(\$ip)) {return ("Failed FTP login from","$ip|$acc","ftpd")} else {return}
285
-
}
286
-
if (($config{LF_FTPD}) and ($globlogs{FTPD_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ proftpd\[\d+\]:? \S+ \([^\[]+\[(\S+)\]\)( -)?:? - SECURITY VIOLATION/)) {
287
-
my$ip = $2;
288
-
my$acc = "";
289
-
$ip =~ s/^::ffff://;
290
-
$acc =~ s/:$//g;
291
-
if (checkip(\$ip)) {return ("Failed FTP login from","$ip|$acc","ftpd")} else {return}
292
-
}
293
-
if (($config{LF_FTPD}) and ($globlogs{FTPD_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ proftpd\[\d+\]:? \S+ \([^\[]+\[(\S+)\]\)( -)?:? - USER (\S*) \(Login failed\): Incorrect password/)) {
294
-
my$ip = $2;
295
-
my$acc = $4;
296
-
$ip =~ s/^::ffff://;
297
-
$acc =~ s/:$//g;
298
-
if (checkip(\$ip)) {return ("Failed FTP login from","$ip|$acc","ftpd")} else {return}
299
-
}
300
-
#nginx <-- Default from RegexMain.pm
301
-
if (($config{LF_HTACCESS}) and ($globlogs{HTACCESS_LOG}{$lgfile}) and ($line =~ /^\S+ \S+ \[error\]\S+ \*\S+ no user\/password was provided for basic authentication, client: (\S+),/)) {
302
-
my$ip = $1;
303
-
my$acc = "";
304
-
$ip =~ s/^::ffff://;
305
-
if (checkip(\$ip)) {return ("Failed web page login from","$ip|$acc","htpasswd")} else {return}
306
-
}
307
-
if (($config{LF_HTACCESS}) and ($globlogs{HTACCESS_LOG}{$lgfile}) and ($line =~ /^\S+ \S+ \[error\]\S+ \*\S+ user \"(\S*)\": password mismatch, client: (\S+),/)) {
308
-
my$ip = $2;
309
-
my$acc = $1;
310
-
$ip =~ s/^::ffff://;
311
-
if (checkip(\$ip)) {return ("Failed web page login from","$ip|$acc","htpasswd")} else {return}
312
-
}
313
-
if (($config{LF_HTACCESS}) and ($globlogs{HTACCESS_LOG}{$lgfile}) and ($line =~ /^\S+ \S+ \[error\]\S+ \*\S+ user \"(\S*)\" was not found in \".*?\", client: (\S+),/)) {
314
-
my$ip = $2;
315
-
my$acc = $1;
316
-
$ip =~ s/^::ffff://;
317
-
if (checkip(\$ip)) {return ("Failed web page login from","$ip|$acc","htpasswd")} else {return}
318
-
}
319
-
#mod_security v2 (nginx) <-- Default from RegexMain.pm
320
-
if (($config{LF_MODSEC}) and ($globlogs{MODSEC_LOG}{$lgfile}) and ($line =~ /^\S+ \S+ \[\S+\]\S+ \[client (\S+)\] ModSecurity:(( \[[^]]+\])*)? Access denied/)) {
321
-
my$ip = $1;
322
-
my$acc = "";
323
-
my$domain = "";
324
-
if ($line =~ /\]\[hostname "([^\"]+)"\]\[/) {$domain = $1}
325
-
$ip =~ s/^::ffff://;
326
-
my$ruleid = "unknown";
327
-
if ($line =~ /\[id "(\d+)"\]/) {$ruleid = $1}
328
-
if (checkip(\$ip)) {return ("mod_security (id:$ruleid) triggered by","$ip|$acc|$domain","mod_security")} else {return}
329
-
}
330
-
#BIND <-- Default from RegexMain.pm
331
-
if (($config{LF_BIND}) and ($globlogs{BIND_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ named\[\d+\]: client (\S+)\#\d+(\s\(\S+\))?\:( view external\:)? (update|zone transfer|query \(cache\)) \'[^\']*\' denied$/)) {
332
-
my$ip = $2;
333
-
my$acc = "";
334
-
$ip =~ s/^::ffff://;
335
-
if (checkip(\$ip)) {return ("bind triggered by","$ip|$acc","bind")} else {return}
336
-
}
337
-
#webmin <-- Default from RegexMain.pm
338
-
if (($config{LF_WEBMIN}) and ($globlogs{WEBMIN_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ webmin\[\d+\]: Invalid login as (\S+) from (\S+)/)) {
339
-
my$ip = $3;
340
-
my$acc = $2;
341
-
$ip =~ s/^::ffff://;
342
-
if (checkip(\$ip)) {return ("Failed Webmin login from","$ip|$acc","webmin")} else {return}
343
-
}
344
-
#dovecot <-- Default from RegexMain.pm
345
-
if (($config{LF_POP3D}) and ($globlogs{POP3D_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ dovecot(\[\d+\])?: pop3-login: (Aborted login|Disconnected|Disconnected: Inactivity)( \(auth failed, \d+ attempts( in \d+ secs)?\))?: (user=(<\S*>)?, )?method=\S+, rip=(\S+), lip=/)) {
346
-
my$ip = $8;
347
-
my$acc = $7;
348
-
$ip =~ s/^::ffff://;
349
-
$acc =~ s/^<|>$//g;
350
-
if (checkip(\$ip)) {return ("Failed POP3 login from","$ip|$acc","pop3d")} else {return}
351
-
}
352
-
if (($config{LF_IMAPD}) and ($globlogs{IMAPD_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ dovecot(\[\d+\])?: imap-login: (Aborted login|Disconnected|Disconnected: Inactivity)( \(auth failed, \d+ attempts( in \d+ secs)?\))?: (user=(<\S*>)?, )?method=\S+, rip=(\S+), lip=/)) {
353
-
my$ip = $8;
354
-
my$acc = $7;
355
-
$ip =~ s/^::ffff://;
356
-
$acc =~ s/^<|>$//g;
357
-
if (checkip(\$ip)) {return ("Failed IMAP login from","$ip|$acc","imapd")} else {return}
358
-
}
359
-
if (($config{LF_POP3D}) and ($globlogs{POP3D_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) pop3-login: Info: (Aborted login|Disconnected|Disconnected: Inactivity)( \(auth failed, \d+ attempts( in \d+ secs)?\))?: (user=(<\S*>)?, )?method=\S+, rip=(\S+), lip=/)) {
360
-
my$ip = $7;
361
-
my$acc = $6;
362
-
$ip =~ s/^::ffff://;
363
-
$acc =~ s/^<|>$//g;
364
-
if (checkip(\$ip)) {return ("Failed POP3 login from","$ip|$acc","pop3d")} else {return}
365
-
}
366
-
if (($config{LF_IMAPD}) and ($globlogs{IMAPD_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) imap-login: Info: (Aborted login|Disconnected|Disconnected: Inactivity)( \(auth failed, \d+ attempts( in \d+ secs)?\))?: (user=(<\S*>)?, )?method=\S+, rip=(\S+), lip=/)) {
367
-
my$ip = $7;
368
-
my$acc = $6;
369
-
$ip =~ s/^::ffff://;
370
-
$acc =~ s/^<|>$//g;
371
-
if (checkip(\$ip)) {return ("Failed IMAP login from","$ip|$acc","imapd")} else {return}
372
-
}
373
263
# If the matches in this file are not syntactically correct for perl then lfd
374
264
# will fail with an error. You are responsible for the security of any regex
375
265
# expressions you use. Remember that log file spoofing can exploit poorly