ConfigServer Community Forum

Sergio

As the email is pure informative it means that you don't do have to do anything more than check why dovecot is reporting this. So, you don't need to add any rule into pignore as it is been ignored by the OS. Checking on the anvil process: is responsible for tracking authentication penalties for diff...

Sergio

If you provide a complete log line where that info appears, a regex can be done.

Sergio

Sergio

Or you can add that IP into cPHulk Black List.

Sergio

Sergio

Have you tried to add the following line into CSF.PIGNORE?
exe: /opt/cpanel/ea-php81/root/usr/sbin/php-fpm

Sergio

Sergio

What are you looking for the REGEX to do with that info?

Sergio

Sergio

Please post a blocked note to see what is wrong.

Sergio

Sergio

Does a "pignore" will help you on this?

Sergio

Sergio

Here is the new rule: # BLOCKING ModSec Rules attacks if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\.\d+\s+\S+\] \[\S+:error\] \[pid \d+.*\] \[client \S+\] \[client (\S+)\] ModSecurity.*\[id "(210280|210350|210380|210481|210492|210710|210730|210831|210921)"\...

Sergio

Post a log line of your ModSecurity error_log for me to check it, thanks.

Sergio

Sergio

Testing your sample log at regex101 the rule is working as should be and shows:

GROUP1 144-165 someaddress@gmail.com
GROUP2 170-181 12.34.56.78

Could it be that the IP is in a white list?

Sergio

ConfigServer Community Forum

Search found 1106 matches

Re: Fully disbled alert email from LFD

Re: How to filter on From:

Re: Blocked IP address can still deliver spam to server

Re: Fully disbled alert email from LFD

Re: Need some help with a log regex

Re: LF_SPI requires disabling on restored Server

Re: csf.pignore rules aren't working?

Re: Blocking Wordpress Login and xmlprc attacks with LFD

Re: Blocking Wordpress Login and xmlprc attacks with LFD

Re: Regex problem using one of the pre-defined lsws ones