Nginx regex rules

williamsth
Junior Member
Posts: 5
Joined: 08 Mar 2020, 16:56

Nginx regex rules

Post by williamsth »

Hi

I'm in the process of moving from Apache to Nginx, but I can't seem to get the new regex rules working for Nginx.

My rule for 404 flood detection is here:

if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /.*No such file or directory\), client: (\S+),.*/)) {
    return ("NGINX Security rule triggered from",$1,"nginx_404s","4","80,443","86400");
}

An example log is here:

2020/03/08 16:56:00 [error] 5064#0: *48847 open() "/home/*/public_html/server/install/error404" failed (2: No such file or directory), client: 127.0.0.1, server: *, request: "GET /install/error404 HTTP/2.0", host: "*"

I've replaced some stuff with *'s, and the IP address for privacy, but for some reason, this log entry does not validate against the rule. It validates on https://regex101.com/

CUSTOM1_LOG is also pointing to /var/log/nginx/error.log which is the correct log file location.
The LFD log shows no errors either and shows it is watching the file: Mar 8 16:42:48 web-2 lfd[10494]: Watching /var/log/nginx/error.log...

Any suggestions?
Thanks in advance.
williamsth

Re: Nginx regex rules

Post by williamsth »

(Just to note as well, my IP address that I'm testing with isn't in /etc/csf/csf.ignore)
williamsth

Re: Nginx regex rules

Post by williamsth »

Hi all,

For anyone else having the same issue: I managed to resolve it.
As mentioned previously, my regex rule was validating fine on regex101.com, and validated on grep fine too.
The LFD log also showed it was watching the log file.

I basically uninstalled CSF/LFD, reinstalled, and set everything back up in csf.conf and now it works fine. No idea why it never worked but worth a try if anyone else is getting an issue that's similar.

Thanks
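
An added example, not part of the original posts and not CSF/LFD code: a stand-alone Perl harness that runs the rule from the first post outside LFD, so the regex and the $lgfile lookup can be checked separately from the daemon. The %globlogs stub, the custom_line wrapper name, the reading of the return fields and the sample log lines are assumptions made for this sketch; it counts matches only and does not model LFD's time window.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: stand-in for LFD's %globlogs, keyed by setting name, then log path.
my %globlogs = (CUSTOM1_LOG => { '/var/log/nginx/error.log' => 1 });

# Same condition and return list as the rule in the first post.
sub custom_line {
    my ($line, $lgfile) = @_;
    if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /.*No such file or directory\), client: (\S+),.*/)) {
        return ("NGINX Security rule triggered from", $1, "nginx_404s", "4", "80,443", "86400");
    }
    return;    # empty list: no match
}

# Constructed sample lines (documentation IP ranges), modelled on the entry in the post.
my $fmt = q{2020/03/08 16:56:0%d [error] 5064#0: *4884%d open() "/home/u/public_html/p%d" }
        . q{failed (2: No such file or directory), client: %s, server: _, }
        . q{request: "GET /p%d HTTP/2.0", host: "example.test"};
my @sample = map { sprintf $fmt, $_, $_, $_, '192.0.2.10', $_ } 1 .. 4;
push @sample, sprintf $fmt, 5, 5, 5, '198.51.100.7', 5;
push @sample, q{2020/03/08 16:56:06 [error] 5064#0: *48850 upstream timed out }
            . q{(110: Connection timed out), client: 192.0.2.10, server: _};

# Assumed field meaning: message, IP, rule id, trigger count, ports, block seconds.
my %hits;
for my $line (@sample) {
    my ($text, $ip, $app, $trigger, $ports, $ttl)
        = custom_line($line, '/var/log/nginx/error.log');
    unless (defined $ip) {
        print "no match: ", substr($line, 0, 60), "...\n";
        next;
    }
    $hits{$ip}++;
    print "match: $ip ($hits{$ip}/$trigger)\n";
    print "  -> $app reaches its trigger for $ip (ports $ports, ${ttl}s)\n"
        if $hits{$ip} == $trigger;
}

# The first clause of the rule: the path must equal the CUSTOM1_LOG entry exactly.
my @miss = custom_line($sample[0], '/var/log/nginx/access.log');
print "other log path: ", (@miss ? "match" : "no match"), "\n";
```

If the regex matches here but LFD still does nothing, the pattern is not the cause, which is consistent with the reinstall described above fixing the issue.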