#!/usr/local/cpanel/3rdparty/bin/perl
###############################################################################
# Copyright 2006-2013, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
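# custom_line($line, $lgfile)
#
# Matches one log line against the site-specific rules in this file.
#   $line   - the log line to test
#   $lgfile - the log file the line was read from
# Returns a list describing the match (format documented below), an empty
# list when the captured client address fails checkip(), or 0 when no rule
# in this file matches.
sub custom_line {
    my $line   = shift;
    my $lgfile = shift;

# Do not edit before this point
###############################################################################
#
# Custom regex matching can be added to this file without it being overwritten
# by csf upgrades. The format is slightly different to regex.pm to cater for
# additional parameters. You need to specify the log file that needs to be
# scanned for log line matches in csf.conf under CUSTOMx_LOG. You can scan up
# to 9 custom logs (CUSTOM1_LOG .. CUSTOM9_LOG)
#
# The regex matches in this file will supersede the matches in regex.pm
#
# Example:
# if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ pure-ftpd: \(\?\@(\d+\.\d+\.\d+\.\d+)\) \[WARNING\] Authentication failed for user/)) {
#     return ("Failed myftpmatch login from",$1,"myftpmatch","5","20,21","1");
# }
#
# The return values from this example are as follows:
#
# "Failed myftpmatch login from" = text for custom failure message
# $1 = the offending IP address
# "myftpmatch" = a unique identifier for this custom rule, must be alphanumeric and have no spaces
# "5" = the trigger level for blocking
# "20,21" = the ports to block the IP from in a comma separated list, only used if LF_SELECT enabled
# "1" = n/temporary (n = number of seconds to temporarily block) or 1/permanent IP block, only used if LF_TRIGGER is disabled

    # ModSecurity rule: considered only when LF_MODSEC is set and $lgfile is
    # a key of $globlogs{MODSEC_LOG}. The pattern is anchored at the start of
    # the line and requires the bracketed five-field timestamp, "[error]" and
    # "[client ...]" in that order, so text appearing later in the line cannot
    # be matched as the client field.
    #
    # NOTE(review): the pattern expects a literal "[error]" tag and a bare
    # address inside "[client ...]". Confirm this matches the error-log format
    # actually in use, otherwise the rule never fires and gives no indication.
    #
    # NOTE(review): this returns three elements with "$ip|$acc" in the address
    # slot, while the custom format documented above has six elements with a
    # bare IP. Confirm against the caller in lfd that trigger level, ports and
    # block type are handled when they are absent.
    if (($config{LF_MODSEC}) and ($globlogs{MODSEC_LOG}{$lgfile}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[error\] \[client (\S+)\] ModSecurity: Access denied with code 403/)) {
        # Lexicals, so the rule does not overwrite package-level $ip / $acc.
        my $ip  = $1;
        my $acc = "";

        # Reduce an IPv4-mapped IPv6 address to its IPv4 form.
        $ip =~ s/^::ffff://;

        # The capture is only \S+, so it is validated before it is returned.
        return unless &checkip($ip);
        return ("mod_security triggered by", "$ip|$acc", "mod_security");
    }

# If the matches in this file are not syntactically correct for perl then lfd
# will fail with an error. You are responsible for the security of any regex
# expressions you use. Remember that log file spoofing can exploit poorly
# constructed regexes: anchor each pattern at the start of the line and
# validate any captured address before returning it.
###############################################################################
# Do not edit beyond this point

    return 0;
}

1;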