CSF/LFD to Block WordPress Brute-Force Attacks Using a Custom Regex Doesn't Work

emo321
Junior Member
Posts: 2
Joined: 29 Apr 2020, 10:45

Post by emo321 »

Hello

Currently csf/lfd doesn't detect attacks on wp-login.php.

My Settings:

regex.custom.pm

if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/\S+\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]*? authentication failed/)) {
    return ("Failed SASL login from",$1,"mysaslmatch","3","25","86400");
}

if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "POST \/wp-login\.php.*" 200/)) {
    return ("Failed WordPress login from",$1,"wordpress","3","80,443","3600");
}

csf.conf

CUSTOM1_LOG = "/home/example.com/logs/example.com.access_log"
CUSTOM2_LOG = "/var/log/maillog"

Example log from the second rule (custom1):

"123.123.123.123 - - [29/Apr/2020:11:42:04 +0200] "POST /wp-login.php HTTP/1.1" 200 2006 "https://example.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0""

The first rule works and blocks (custom2), while the second is not detected at all (custom1).
What's the problem?

Post by emo321 »

It's working now ... I found an error in my custom1 rule :)
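
A custom rule like the one in the first post can be checked offline by running its pattern over sample log lines before lfd is reloaded. The Perl script below is an added example, not part of the thread or of CSF: it copies the CUSTOM1_LOG pattern from the post, while the helper classify() and every sample line except the first are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not part of CSF: run a regex.custom.pm pattern over sample
# log lines offline and report what $1 would be. classify() is a made-up helper.
use strict;
use warnings;

# Pattern copied verbatim from the CUSTOM1_LOG rule posted above.
my $wp_login = qr/(\S+).*] "POST \/wp-login\.php.*" 200/;

# Returns ('no match') or ('match', $capture, $is_ipv4).
sub classify {
    my ($line) = @_;
    return ('no match') unless $line =~ $wp_login;
    my $cap = $1;
    # The rule returns $1 as the address to block, so check it is a dotted quad.
    my @oct     = $cap =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
    my $too_big = grep { $_ > 255 } @oct;    # count of octets above 255
    return ('match', $cap, (@oct == 4 && !$too_big) ? 1 : 0);
}

# The first sample is the log line from the post; the rest are constructed
# variants (203.0.113.7 is a documentation address).
my @samples = (
    [ 'line from the post' =>
      '123.123.123.123 - - [29/Apr/2020:11:42:04 +0200] "POST /wp-login.php HTTP/1.1" 200 2006 "https://example.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0"' ],
    [ 'same, wrapped in quotes' =>
      '"123.123.123.123 - - [29/Apr/2020:11:42:04 +0200] "POST /wp-login.php HTTP/1.1" 200 2006 "-" "-""' ],
    [ 'vhost-prefixed format' =>
      'example.com:443 203.0.113.7 - - [29/Apr/2020:11:42:05 +0200] "POST /wp-login.php HTTP/1.1" 200 2006 "-" "-"' ],
    [ 'redirect after login (302)' =>
      '203.0.113.7 - - [29/Apr/2020:11:42:06 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"' ],
    [ 'GET of the login page' =>
      '203.0.113.7 - - [29/Apr/2020:11:42:07 +0200] "GET /wp-login.php HTTP/1.1" 200 2006 "-" "-"' ],
);

for my $s (@samples) {
    my ($label, $line) = @$s;
    my ($status, $cap, $ok) = classify($line);
    if ($status eq 'match') {
        printf "%-28s match, \$1=%s (%s)\n", $label, $cap,
            $ok ? 'valid IPv4' : 'NOT an IPv4 address';
    } else {
        printf "%-28s no match\n", $label;
    }
}
```

The script exercises only the regex; the `$globlogs{CUSTOM1_LOG}{$lgfile}` log-file condition and the paths in csf.conf are not tested by it.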