Learn about Centmin Mod LEMP Stack today
Become a Member

Featured Security CSF Firewall native fail2ban functionality

Discussion in 'System Administration' started by eva2000, Apr 12, 2018.

  1. eva2000

    eva2000 Administrator Staff Member

    40,183
    8,876
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +13,685
    Local Time:
    5:44 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    With inspiration from @ethanpil work and my fail2ban work, I am now doing some testing for CSF Firewall native layer 7 application level protections similar to what fail2ban would do but without needing fail2ban to be installed. The thresholds for banning IPs in CSF Firewall for these native rules will need fine tuning and testing so best you test on test Centmin Mod server. Testing and feedback will help improve the rule sets and eventually an addon would be created so folks can optionally install and/or uninstall this CSF Firewall extended functionality ;)

    CSF Firewall Layer 7 Application Level Banning



    CSF Firewall allows custom server log level regex match banning of visitor IP addresses via customising the file at /usr/local/csf/bin/regex.custom.pm and defining up to 9 custom logs in /etc/csf/csf.conf for CSF Firewall's lfd daemon to monitor and scan. There is no Cloudflare Firewall API support added yet, will do that later.

    To setup and test this, please try on test server first with Centmin Mod 123.09beta01. The SSH commands to run to setup are below:
    This will
    1. backup csf firewall /etc/csf/csf.conf config to profile suffix labelled as backup-b4-customregex
    2. backup /usr/local/csf/bin/regex.custom.pm to /usr/local/csf/bin/regex.custom.pm.bak
    3. setup 4 custom log definitions in /etc/csf/csf.conf config file
    4. wget download the regex.custom.pm from hosted gist file
    5. restart csf firewall and lfd daemon
    6. grep for new custom log definitions in lfd log
    Code (Text):
    csf --profile backup backup-b4-customregex
    cp -a /usr/local/csf/bin/regex.custom.pm /usr/local/csf/bin/regex.custom.pm.bak
    egrep 'CUSTOM1_LOG|CUSTOM2_LOG|CUSTOM3_LOG|CUSTOM4_LOG' /etc/csf/csf.conf
    sed -i "s|CUSTOM1_LOG = .*|CUSTOM1_LOG = \"/home/nginx/domains/\*/log/access.log\"|" /etc/csf/csf.conf
    sed -i "s|CUSTOM2_LOG = .*|CUSTOM2_LOG = \"/home/nginx/domains/\*/log/error.log\"|" /etc/csf/csf.conf
    sed -i "s|CUSTOM3_LOG = .*|CUSTOM3_LOG = \"/var/log/nginx/localhost.access.log\"|" /etc/csf/csf.conf
    sed -i "s|CUSTOM4_LOG = .*|CUSTOM4_LOG = \"/var/log/nginx/localhost.error.log\"|" /etc/csf/csf.conf
    egrep 'CUSTOM1_LOG|CUSTOM2_LOG|CUSTOM3_LOG|CUSTOM4_LOG' /etc/csf/csf.conf
    wget -O /usr/local/csf/bin/regex.custom.pm https://gist.github.com/centminmod/f5551b92b8aba768c3b4db84c57e756d/raw/regex.custom.pm
    csf -ra
    fgrep 'nginx' /var/log/lfd.log | tail -100
    

    So 4 custom logs setup
    Code (Text):
    egrep 'CUSTOM1_LOG|CUSTOM2_LOG|CUSTOM3_LOG|CUSTOM4_LOG' /etc/csf/csf.conf
    CUSTOM1_LOG = "/home/nginx/domains/*/log/access.log"
    CUSTOM2_LOG = "/home/nginx/domains/*/log/error.log"
    CUSTOM3_LOG = "/var/log/nginx/localhost.access.log"
    CUSTOM4_LOG = "/var/log/nginx/localhost.error.log"
    

    check for lfd.log log to see if it picked up and is watching the 4 defined custom logs
    Code (Text):
    fgrep 'nginx' /var/log/lfd.log | tail -100
    Apr 12 07:48:26 host lfd[12904]: Watching /home/nginx/domains/demodomain.com/log/access.log...
    Apr 12 07:52:50 host lfd[13141]: Watching /home/nginx/domains/demodomain.com/log/error.log...
    Apr 12 07:52:50 host lfd[13141]: Watching /var/log/nginx/localhost.access.log...
    Apr 12 07:52:50 host lfd[13141]: Watching /var/log/nginx/localhost.error.log...
    


    Custom CSF Firewall Regexs



    Always check for most up to date regex rule sets for the custom /usr/local/csf/bin/regex.custom.pm that is used here.

    You can always download and use latest regex.custom.pm using below 2 commands
    Code (Text):
    wget -O /usr/local/csf/bin/regex.custom.pm https://gist.github.com/centminmod/f5551b92b8aba768c3b4db84c57e756d/raw/regex.custom.pm
    csf -ra
    


    Below is current example regex rule sets for
    1. nginx HTTP 444 status errors ban if more than 5 entries in logs - ban is for 24hrs (86400 seconds)
    2. access forbidden by rule matches ban if more than 40 entries entries in logs - ban is for 24hrs (86400 seconds). High threshold used to account for new web apps/new nginx users configuring their web apps/scripts so they don't run into issues.
    3. 404 not found matches ban if more than 50 entries in logs - ban is for 24hrs (86400 seconds). High threshold used to account for new web apps/new nginx users configuring their web apps/scripts so they don't run into issues.
    4. attempts to access .htaccess or .htpasswd ban if more than 1 entries in logs - ban is for 24hrs (86400 seconds)
    5. wordpress plugin wp-fail2ban-redux logged entries ban if more than 2 entries in logs - ban is for 24hrs (86400 seconds)
    6. connection rate limit rules if more than 30 entries in nginx error logs - ban is for 60 mins (3600 seconds)
    Code (Text):
    # /home/nginx/domains/*/log/access.log
    # Nginx 444  (Default: 5 errors bans for 24 hours)
    if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+) -.*[GET|POST|HEAD].*(444)/)) {
        return ("Nginx 444",$1,"nginx_444","5","80,443","86400","0");
    }
    
    # /var/log/nginx/localhost.access.log
    # Nginx 444  (Default: 5 errors bans for 24 hours)
    if (($globlogs{CUSTOM3_LOG}{$lgfile}) and ($line =~ /(\S+) -.*[GET|POST|HEAD].*(444)/)) {
        return ("Nginx 444",$1,"nginx_444","5","80,443","86400","0");
    }
    
    # /home/nginx/domains/*/log/error.log
    # NginX security rules trigger (Default: 40 errors bans for 24 hours)
    if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /.*access forbidden by rule, client: (\S+).*/)) {
        return ("NGINX Security rule triggered from",$1,"nginx_security","40","80,443","86400","0");
    }
    
    # /var/log/nginx/localhost.error.log
    # NginX security rules trigger (Default: 40 errors bans for 24 hours)
    if (($globlogs{CUSTOM4_LOG}{$lgfile}) and ($line =~ /.*access forbidden by rule, client: (\S+).*/)) {
        return ("NGINX Security rule triggered from",$1,"nginx_security","40","80,443","86400","0");
    }
    
    # /home/nginx/domains/*/log/error.log
    # NginX 404 errors (Default: 50 errors bans for 24 hours)
    if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /.*No such file or directory\), client: (\S+),.*/)) {
        return ("NGINX Security rule triggered from",$1,"nginx_404s","50","80,443","86400","0");
    }
    
    # /var/log/nginx/localhost.error.log
    # NginX 404 errors (Default: 50 errors bans for 24 hours)
    if (($globlogs{CUSTOM4_LOG}{$lgfile}) and ($line =~ /.*No such file or directory\), client: (\S+),.*/)) {
        return ("NGINX Security rule triggered from",$1,"nginx_404s","50","80,443","86400","0");
    }
    
    # /home/nginx/domains/*/log/access.log
    #Trying to download htaccess or htpasswd  (Default: 1 error bans for 24 hours)
    if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /.*\.(htpasswd|htaccess).*client: (\S+),.*GET/)) {
        return ("Trying to download .ht files",$1,"nginx_htfiles","1","80,443","86400","0");
    }
    
    # /var/log/nginx/localhost.access.log
    #Trying to download htaccess or htpasswd  (Default: 1 error bans for 24 hours)
    if (($globlogs{CUSTOM3_LOG}{$lgfile}) and ($line =~ /.*\.(htpasswd|htaccess).*client: (\S+),.*GET/)) {
        return ("Trying to download .ht files",$1,"nginx_htfiles","1","80,443","86400","0");
    }
    
    # Wordpress fail2ban plugin https://wordpress.org/plugins/wp-fail2ban-redux/
    # (Default: 2 errors bans for 24 hours)
    if (($globlogs{SYSLOG_LOG}{$lgfile}) and ($line =~ /.*Authentication attempt for unknown user .* from (.*)\n/)) {
      return ("Wordpress unknown user from",$1,"fail2ban_unknownuser","2","80,443","86400","0");
    }
    
    # Wordpress fail2ban plugin https://wordpress.org/plugins/wp-fail2ban-redux/
    # (Default: 2 errors bans for 24 hours)
    if (($globlogs{SYSLOG_LOG}{$lgfile}) and ($line =~ /.*Blocked user enumeration attempt from (.*)\n/)) {
      return ("WordPress user enumeration attempt from",$1,"fail2ban_userenum","2","80,443","86400","0");
    }
    
    # Wordpress fail2ban plugin https://wordpress.org/plugins/wp-fail2ban-redux/
    # (Default: 2 errors bans for 24 hours)
    if (($globlogs{SYSLOG_LOG}{$lgfile}) and ($line =~ /.*Pingback error .* generated from (.*)\n/)) {
      return ("WordPress pingback error",$1,"fail2ban_pingback","2","80,443","86400","0");
    }
    
    # Wordpress fail2ban plugin https://wordpress.org/plugins/wp-fail2ban-redux/
    # (Default: 2 errors bans for 24 hours)
    if (($globlogs{SYSLOG_LOG}{$lgfile}) and ($line =~ /.*Spammed comment from (.*)\n/)) {
      return ("WordPress spam comments from",$1,"fail2ban_spam","2","80,443","86400","0");
    }
    
    # Wordpress fail2ban plugin https://wordpress.org/plugins/wp-fail2ban-redux/
    # (Default: 2 errors bans for 24 hours)
    if (($globlogs{SYSLOG_LOG}{$lgfile}) and ($line =~ /.*XML-RPC multicall authentication failure (.*)\n/)) {
      return ("WordPress XML-RPC multicall fail from",$1,"fail2ban_xmlrpc","5","80,443","86400","0");
    }
    
    # /home/nginx/domains/*/log/error.log
    # https://community.centminmod.com/posts/74546/
    # Nginx connection limit rule trigger (Default: 30 errors bans for 60mins)
    if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /.*limiting connections by zone .*, client: (\S+),(.*)/)) {
        return ("NGINX Security rule triggered from",$1,"nginx_conn_limit","30","80,443","3600","0");
    }
    
    # /var/log/nginx/localhost.error.log
    # https://community.centminmod.com/posts/74546/
    # Nginx connection limit rule trigger (Default: 30 errors bans for 60mins)
    if (($globlogs{CUSTOM4_LOG}{$lgfile}) and ($line =~ /.*limiting connections by zone .*, client: (\S+),(.*)/)) {
        return ("NGINX Security rule triggered from",$1,"nginx_conn_limit_localhost","30","80,443","3600","0");
    }
    


    Uninstallation



    Now if you want to remove this custom testing configuration from CSF Firewall follow these SSH command steps where:
    1. profile list will list csf profile backups look for listing name containing _backup_b4_customregex i.e. 1523525787_backup_b4_customregex
    2. then restore /etc/csf/csf.conf config backup
    3. restore default /usr/local/csf/bin/regex.custom.pm.bak to /usr/local/csf/bin/regex.custom.pm
    4. restart csf firewall and lfd daemon
    Code (Text):
    csf --profile list
    csf --profile restore 1523525787_backup_b4_customregex
    \cp -af /usr/local/csf/bin/regex.custom.pm.bak /usr/local/csf/bin/regex.custom.pm
    csf -ra
    


    CSF Firewall Layer 7 Application Level Ban Notes


    • Centmin Mod by default buffers access log writes so they are not written to access logs in real time which would skew CSF Firewall as well as fail2ban usage unless you disable access log buffering (which will increase nginx usage loads).

    Unban IP From CSF Firewall



    CSF Firewall does a temp IP ban first and if temp IP ban records more than 4 occurrences, CSF Firewall does a permanent ban. To unblock an IP you need to remove it from CSF Firewall's permanent and temporarily ban lists using below commands:

    To very if IP is banned for a grep i.e. ip = xxx.xxx.xxx.xxx
    Code (Text):
    csf -g xxx.xxx.xxx.xxx
    

    To unban from temp ban list
    Code (Text):
    csf -tr xxx.xxx.xxx.xxx
    

    To unban form permanent ban list
    Code (Text):
    csf -dr xxx.xxx.xxx.xxx
    

    To verify grep unbanned ip again
    Code (Text):
    csf -g xxx.xxx.xxx.xxx
    
     
    Last edited: Jun 4, 2019
    • Winner Winner x 3
    • Informative Informative x 2
    • Like Like x 1
  2. eva2000

    eva2000 Administrator Staff Member

    40,183
    8,876
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +13,685
    Local Time:
    5:44 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Example of blocking at CSF Firewall lfd daemon level in /var/log/lfd.log. All custom regex blocks are tagged with label LF_CUSTOMTRIGGER so easy to use fgrep or grep to filter for
    Code (Text):
    fgrep 'LF_CUSTOMTRIGGER' /var/log/lfd.log                         
    Apr 12 08:44:21 hostname lfd[14003]: (nginx_404s) NGINX Security rule triggered from xxx.xxx.xxx.xxx (US/United States/-): 50 in the last 3600 secs - *Blocked in csf* for 86400 secs [LF_CUSTOMTRIGGER]
    Apr 12 09:04:42 hostname lfd[15422]: (nginx_444) Nginx 444 xxx.xxx.xxx.xxx (US/United States/-): 5 in the last 3600 secs - *Blocked in csf* for 86400 secs [LF_CUSTOMTRIGGER]
    Apr 12 09:08:23 hostname lfd[15525]: (PERMBLOCK) xxx.xxx.xxx.xxx (US/United States/-) has had more than 4 temp blocks in the last 86400 secs - *Blocked in csf* [LF_CUSTOMTRIGGER]
    Apr 12 09:09:22 hostname lfd[15605]: (nginx_444) Nginx 444 xxx.xxx.xxx.xxx (US/United States/-): 5 in the last 3600 secs - *Blocked in csf* for 86400 secs [LF_CUSTOMTRIGGER]
    Apr 12 09:32:34 hostname lfd[16537]: (nginx_404s) NGINX Security rule triggered from xxx.xxx.xxx.xxx (US/United States/-): 50 in the last 3600 secs - *Blocked in csf* for 86400 secs [LF_CUSTOMTRIGGER]
    
     
    • Like Like x 1
  3. pamamolf

    pamamolf Premium Member Premium Member

    3,288
    308
    83
    May 31, 2014
    Ratings:
    +576
    Local Time:
    10:44 AM
    Nginx-1.13.x
    MariaDB 10.1.x
    That will be great :)
     
  4. eva2000

    eva2000 Administrator Staff Member

    40,183
    8,876
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +13,685
    Local Time:
    5:44 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Well lets perfect the CSF Firewall regex rules first before looking at Cloudflare Firewall API support :)
     
    • Agree Agree x 1
  5. eva2000

    eva2000 Administrator Staff Member

    40,183
    8,876
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +13,685
    Local Time:
    5:44 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
  6. negative

    negative Active Member

    286
    28
    28
    Apr 11, 2015
    Ratings:
    +62
    Local Time:
    10:44 AM
    1.9.10
    10.1.11
    I prefer and hope that configure it when Cloudflare Firewall API ready.
     
    • Like Like x 1
  7. Meirami

    Meirami Member

    128
    15
    18
    Dec 21, 2017
    Ratings:
    +41
    Local Time:
    10:44 AM
    I added one more rule to the list.
    Code:
    # /var/log/nginx/localhost.access.log                                                                                                                 
    # Nginx 404 (Default:25 errors bans for 24 hours)                                                                                                     
    if (($globlogs{CUSTOM3_LOG}{$lgfile}) and ($line =~ /(\S+) -.*[GET|POST|HEAD].*(404)/)) {                                                             
        return ("Nginx 404",$1,"nginx_404","25","80,443","86400","0");                                                                                     
    }
    Edited code, missed important part because nano cut the line.
     
  8. eva2000

    eva2000 Administrator Staff Member

    40,183
    8,876
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +13,685
    Local Time:
    5:44 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    be careful banning on 404 not found can be tricky especially if you misconfigure your initial nginx vhost for your web app i.e. incorrect nginx rewrite rules may lead to all visitors receiving 404 not found which means all visitors would be banned for 24hrs.
     
    • Like Like x 1
    • Optimistic Optimistic x 1
  9. Meirami

    Meirami Member

    128
    15
    18
    Dec 21, 2017
    Ratings:
    +41
    Local Time:
    10:44 AM
    I don't do such a misconfigurations. :whistle:

    Just kidding... :D
    I'm running Nextcloud for family use and there are whitelisted IPs. So I think there will be no harm or just a little.

    I'm trying to reduce this kind of scans.
    Code:
    104.248.227.12 - - [05/Nov/2018:04:33:51 +0000] "GET                         
    +/BC6108C03803AEA073FBD3E2D637256D.php HTTP/1.1" 404 548 "-" "Mozilla/5.0   
    +(Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)         
    +Chrome/70.0.3538.77 Safari/537.36"                                         
    104.248.227.12 - - [05/Nov/2018:04:33:51 +0000] "GET                         
    +/mysql/admin/index.php?lang=en HTTP/1.1" 404 548 "-" "Mozilla/5.0 (Windows 
    +NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)                 
    +Chrome/70.0.3538.77 Safari/537.36"                                         
    104.248.227.12 - - [05/Nov/2018:04:33:51 +0000] "GET                         
    +/mysql/dbadmin/index.php?lang=en HTTP/1.1" 404 548 "-" "Mozilla/5.0 (Windows
    +NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)                 
    +Chrome/70.0.3538.77 Safari/537.36"                                         
    104.248.227.12 - - [05/Nov/2018:04:33:52 +0000] "GET                         
    +/phpmyadmin/index.php?lang=en HTTP/1.1" 404 548 "-" "Mozilla/5.0 (Windows NT
    +6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77
    +Safari/537.36"
     
    • Informative Informative x 1
  10. eva2000

    eva2000 Administrator Staff Member

    40,183
    8,876
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +13,685
    Local Time:
    5:44 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    makes good sense then :)
     
    • Like Like x 1
  11. negative

    negative Active Member

    286
    28
    28
    Apr 11, 2015
    Ratings:
    +62
    Local Time:
    10:44 AM
    1.9.10
    10.1.11
    It looks good solution for scanners..

    With that way, i will block for 24 hours who get 25 times 404 error, right?

    Code (Text):
    # /var/log/nginx/localhost.access.log                                                                                                                
    # Nginx 404 (Default:25 errors bans for 24 hours)                                                                                                    
    if (($globlogs{CUSTOM3_LOG}{$lgfile}) and ($line =~ /(\S+) -.*[GET|POST|HEAD].*(404)/)) {                                                            
        return ("Nginx 404",$1,"nginx_404","25","80,443","86400","0");                                                                                    
    }
     
  12. rdan

    rdan Well-Known Member

    4,545
    1,088
    113
    May 25, 2014
    Ratings:
    +1,588
    Local Time:
    3:44 PM
    Mainline
    10.2
    Can you please make a regex for this kind of error log (dos attack)?
    Code:
    2019/06/02 11:04:19 [error] 6669#0: *84517 limiting connections by zone "conperiplimit", client: 1.1.1.1, server: domain.com, request: "GET /?xxxx=xxxxx HTTP/1.1", host: "domain.com", referrer: "http://engadget.search.aol.com/search?q=xxxxx"
    
    Thanks a lot!
     
  13. rdan

    rdan Well-Known Member

    4,545
    1,088
    113
    May 25, 2014
    Ratings:
    +1,588
    Local Time:
    3:44 PM
    Mainline
    10.2
    This is what I got now, but not so sure on the last regex part.
    (\S+),.*/))
    Code:
    # /home/nginx/domains/*/error.log
    # Nginx Connection Limit per IP errors (Default: 50 errors bans for 12 hours)
    if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /.*conperiplimit\), client: (\S+),.*/)) {
        return ("Nginx Connection Limit per IP triggered from",$1,"nginx_limit_conn","50","80,443","43200","0");
    }
     
  14. eva2000

    eva2000 Administrator Staff Member

    40,183
    8,876
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +13,685
    Local Time:
    5:44 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    not tested but something like below
    Code (Text):
    # /home/nginx/domains/*/log/error.log
    # https://community.centminmod.com/posts/74546/
    # https://regexr.com/4f47b
    # Nginx connection limit rule trigger (Default: 40 errors bans for 24 hours)
    if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /.*limiting connections by zone (.*)/)) {
        return ("NGINX Security rule triggered from",$1,"nginx_conn_limit","40","80,443","86400","0");
    }
    

    regex isn't my strength know how wise so used RegExr: Learn, Build, & Test RegEx
     
    • Winner Winner x 1
  15. rdan

    rdan Well-Known Member

    4,545
    1,088
    113
    May 25, 2014
    Ratings:
    +1,588
    Local Time:
    3:44 PM
    Mainline
    10.2
    Okay I'll test this now.
    Thanks Eva!
    Code (Text):
    # /home/nginx/domains/*/error.log
    # Nginx Connection Limit per IP errors (Default: 50 errors bans for 12 hours)
    if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /.*limiting connections by zone (.*)/)) {
    return ("Nginx Connection Limit per IP triggered from",$1,"nginx_limit_conn","50","80,443","43200","0");
    }
     
  16. rdan

    rdan Well-Known Member

    4,545
    1,088
    113
    May 25, 2014
    Ratings:
    +1,588
    Local Time:
    3:44 PM
    Mainline
    10.2
    Tried attacking my site behind CF, but not working though.
    Not blocking the server/attackers IP.

    My regex:
    Code:
    # /home/nginx/domains/*/error.log
    # Nginx Connection Limit per IP errors (Default: 100 errors bans for 12 hours)
    if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /.*limiting connections by zone (.*)/)) {
        return ("Nginx Connection Limit per IP triggered from",$1,"nginx_limit_conn","100","80,443","43200","0");
    }
    I also installed Nginx realip module to reflect the correct IP on the error.log.

    Anywhere else to debug?
    Thanks!
     
  17. eva2000

    eva2000 Administrator Staff Member

    40,183
    8,876
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +13,685
    Local Time:
    5:44 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    maybe threshold too high at 100 errors ?

    also note
     
    • Like Like x 1
  18. rdan

    rdan Well-Known Member

    4,545
    1,088
    113
    May 25, 2014
    Ratings:
    +1,588
    Local Time:
    3:44 PM
    Mainline
    10.2
    But I already have 10k+ error.log of this:
    10,600+ for the single attacker IP I tested.
     
  19. rdan

    rdan Well-Known Member

    4,545
    1,088
    113
    May 25, 2014
    Ratings:
    +1,588
    Local Time:
    3:44 PM
    Mainline
    10.2
    My CUSTOM1_LOG only target my error.log files.
    "/home/nginx/domains/*/error.log"
     
  20. eva2000

    eva2000 Administrator Staff Member

    40,183
    8,876
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +13,685
    Local Time:
    5:44 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    ah yes !

    check CSF LFD logs ?
    Code (Text):
    fgrep 'LF_CUSTOMTRIGGER' /var/log/lfd.log | sed -e "s|$(hostname -s)|hostname|g"
    
     
    • Like Like x 1
..