
Commit c49ece1

committed
Update regex.custom.pm
1 parent 0a3de59 commit c49ece1


1 file changed

+26
-27
lines changed


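--- a/regex.custom.pm
+++ b/regex.custom.pm
@@ -38,56 +38,52 @@ sub custom_line {
 # rule sets inspired by ethanpill's work at https://community.centminmod.com/posts/49893/
 
 # /var/log/virtualmin/*_access_log
-# /var/log/nginx/access.log
 # Nginx 444 (Default: 5 errors bans for 24 hours)
-if (($globlogs{CUSTOM1_LOG}{$lgfile}) or ($globlogs{CUSTOM3_LOG}{$lgfile}) and ($line =~ /(\S+) -.*[GET|POST|HEAD].*(\s444\s)/)) {
+if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+) -.*[GET|POST|HEAD].*(\s444\s)/)) {
 return ("Nginx 444",$1,"nginx_444","5","80,443","86400","0");
 }
 
 # /var/log/nginx/access.log
 # Nginx 444 (Default: 5 errors bans for 24 hours)
-# if (($globlogs{CUSTOM3_LOG}{$lgfile}) and ($line =~ /(\S+) -.*[GET|POST|HEAD].*(\s444\s)/)) {
-# return ("Nginx 444",$1,"nginx_444","5","80,443","86400","0");
-# }
+if (($globlogs{CUSTOM3_LOG}{$lgfile}) and ($line =~ /(\S+) -.*[GET|POST|HEAD].*(\s444\s)/)) {
+return ("Nginx 444",$1,"nginx_444","5","80,443","86400","0");
+}
 
 # /var/log/virtualmin/*_error_log
-# /var/log/nginx/error.log
 # NginX security rules trigger (Default: 40 errors bans for 24 hours)
-if (($globlogs{CUSTOM2_LOG}{$lgfile}) or ($globlogs{CUSTOM4_LOG}{$lgfile}) and ($line =~ /.*access forbidden by rule, client: (\S+).*/)) {
+if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /.*access forbidden by rule, client: (\S+).*/)) {
 return ("Nginx Security rule triggered from",$1,"nginx_security","40","80,443","86400","0");
 }
 
 # /var/log/nginx/error.log
 # NginX security rules trigger (Default: 40 errors bans for 24 hours)
-# if (($globlogs{CUSTOM4_LOG}{$lgfile}) and ($line =~ /.*access forbidden by rule, client: (\S+).*/)) {
-# return ("Nginx Security rule triggered from",$1,"nginx_security","40","80,443","86400","0");
-# }
+if (($globlogs{CUSTOM4_LOG}{$lgfile}) and ($line =~ /.*access forbidden by rule, client: (\S+).*/)) {
+return ("Nginx Security rule triggered from",$1,"nginx_security","40","80,443","86400","0");
+}
 
 # /var/log/virtualmin/*_error_log
-# /var/log/nginx/error.log
 # NginX 404 errors (Default: 50 errors bans for 24 hours)
-if (($globlogs{CUSTOM2_LOG}{$lgfile}) or ($globlogs{CUSTOM4_LOG}{$lgfile}) and ($line =~ /.*No such file or directory\), client: (\S+),.*/)) {
+if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /.*No such file or directory\), client: (\S+),.*/)) {
 return ("Nginx Security rule triggered from",$1,"nginx_404s","50","80,443","86400","0");
 }
 
 # /var/log/nginx/error.log
 # NginX 404 errors (Default: 50 errors bans for 24 hours)
-# if (($globlogs{CUSTOM4_LOG}{$lgfile}) and ($line =~ /.*No such file or directory\), client: (\S+),.*/)) {
-# return ("Nginx Security rule triggered from",$1,"nginx_404s","50","80,443","86400","0");
-# }
+if (($globlogs{CUSTOM4_LOG}{$lgfile}) and ($line =~ /.*No such file or directory\), client: (\S+),.*/)) {
+return ("Nginx Security rule triggered from",$1,"nginx_404s","50","80,443","86400","0");
+}
 
 # /var/log/virtualmin/*_access_log
-# /var/log/nginx/access.log
 #Trying to download htaccess or htpasswd (Default: 2 error bans for 24 hours)
-if (($globlogs{CUSTOM1_LOG}{$lgfile}) or ($globlogs{CUSTOM3_LOG}{$lgfile}) and ($line =~ /.*\.(htpasswd|htaccess).*client: (\S+),.*GET/)) {
+if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /.*\.(htpasswd|htaccess).*client: (\S+),.*GET/)) {
 return ("Trying to download .ht files",$1,"nginx_htfiles","2","80,443","86400","0");
 }
 
 # /var/log/nginx/access.log
 #Trying to download htaccess or htpasswd (Default: 2 error bans for 24 hours)
-# if (($globlogs{CUSTOM3_LOG}{$lgfile}) and ($line =~ /.*\.(htpasswd|htaccess).*client: (\S+),.*GET/)) {
-# return ("Trying to download .ht files",$1,"nginx_htfiles","2","80,443","86400","0");
-# }
+if (($globlogs{CUSTOM3_LOG}{$lgfile}) and ($line =~ /.*\.(htpasswd|htaccess).*client: (\S+),.*GET/)) {
+return ("Trying to download .ht files",$1,"nginx_htfiles","2","80,443","86400","0");
+}
 
 # Wordpress fail2ban plugin https://wordpress.org/plugins/wp-fail2ban-redux/
 # (Default: 2 errors bans for 24 hours)
@@ -120,30 +116,33 @@ sub custom_line {
 }
 
 # /var/log/virtualmin/*_error_log
-# /var/log/nginx/error.log
 # https://community.centminmod.com/posts/74546/
 # Nginx connection limit rule trigger (Default: 5 errors bans for 60mins)
-if (($globlogs{CUSTOM2_LOG}{$lgfile}) or ($globlogs{CUSTOM4_LOG}{$lgfile}) and ($line =~ /.*limiting connections by zone .*, client: (\S+),(.*)/)) {
+if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /.*limiting connections by zone .*, client: (\S+),(.*)/)) {
 return ("Nginx Security rule triggered from",$1,"nginx_conn_limit","5","80,443","3600","0");
 }
 
 # /var/log/nginx/error.log
 # https://community.centminmod.com/posts/74546/
 # Nginx connection limit rule trigger (Default: 5 errors bans for 60mins)
-# if (($globlogs{CUSTOM4_LOG}{$lgfile}) and ($line =~ /.*limiting connections by zone .*, client: (\S+),(.*)/)) {
-# return ("Nginx Security rule triggered from",$1,"nginx_conn_limit_localhost","5","80,443","3600","0");
-# }
+if (($globlogs{CUSTOM4_LOG}{$lgfile}) and ($line =~ /.*limiting connections by zone .*, client: (\S+),(.*)/)) {
+return ("Nginx Security rule triggered from",$1,"nginx_conn_limit_localhost","5","80,443","3600","0");
+}
 
 # WordPress Catch all
 # if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+) -.*[GET|POST].*(\/wp-admin|wp-admins.php|administrator\/|login.php|backend|admin|\/xmlrpc.php|\/wp-(app|cron|login|register|mail).php|wp-.*.php|wp-comments-popup.php|wp-links-opml.php|wp-locations.php|sitemap(_index)?.xml|wlwmanifest.xml|wp-cl-plugin.php|[a-z0-9_-]+-sitemap([0-9]+)?.xml)/)) {
 # return ("WordPress Catch all Attack",$1,"wordpress","7","80,443","1");
 # }
-
 # /var/log/virtualmin/*_access_log
+# WordPress Non Existent plugin locations
+# (Default: 2 errors bans for 24 hours)
+if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+) -.*[GET|POST|HEAD] (\/wp-content\/plugins\/).*(\s404\s)/)) {
+return ("WordPress Plugins Honeypot Trap",$1,"wordpress_404","2","80,443","86400","0");
+}
 # /var/log/nginx/access.log
 # WordPress Non Existent plugin locations
 # (Default: 2 errors bans for 24 hours)
-if (($globlogs{CUSTOM1_LOG}{$lgfile}) or ($globlogs{CUSTOM3_LOG}{$lgfile}) and ($line =~ /(\S+) -.*[GET|POST|HEAD] (\/wp-content\/plugins\/).*(\s404\s)/)) {
+if (($globlogs{CUSTOM3_LOG}{$lgfile}) and ($line =~ /(\S+) -.*[GET|POST|HEAD] (\/wp-content\/plugins\/).*(\s404\s)/)) {
 return ("WordPress Plugins Honeypot Trap",$1,"wordpress_404","2","80,443","86400","0");
 }
 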
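Review bot: In the two `.ht` rules re-enabled on the new side (new lines 78–80 and 84–86), `$1` is the extension captured by `(htpasswd|htaccess)`, not the client address captured by the later `(\S+)`, so the second return element — which every other rule in these hunks fills with the address — would carry the string `htpasswd` or `htaccess`; either make the first group non-capturing, `/.*\.(?:htpasswd|htaccess).*client: (\S+),.*GET/`, or return `$2` in place of `$1` on both return lines. Separately, `[GET|POST|HEAD]` in the 444 rules (new lines 42, 48) and the wp-content 404 rules (new lines 139, 145) is a character class matching one character from `G E T | P O S H A D`, not a method alternation, so the request method is not actually checked; it should read `(?:GET|POST|HEAD)`. The enclosing `sub custom_line` begins before the first hunk and ends after the second.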