regex for badbots not triggering after updating to v9.10

Posted: 12 Jul 2016, 08:59
by csmaniac
Dear Support,
After updating to csf v9.10, custom regex rules stop triggering regex.custom.pm.
I use CentOS 7 with Plesk and mod_security.

regex.custom.pm rule:

Code:

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /(\S+) - - \[\S+\s+\S+\] "(GET|POST) \/ HTTP\/\S+" \d+ \d+ \S+\s+"\S+ \(compatible\; (MJ12bot|Baiduspider|AhrefsBot)\/\S+ \S?http\S+\)"/)) {
    return ("GET POST HEAD Attempt From: $1","MJ12bot-Baiduspider-AhrefsBot","1","1");
}

CUSTOM1_LOG: /var/www/vhosts/system/*/logs/access_*log

Lines to trigger:

Code:

149.202.48.192 - - [12/Jul/2016:08:43:51 +0300] "GET / HTTP/1.0" 200 96340 "-" "Mozilla/5.0 (compatible; MJ12bot/v1.4.5; http://www.majestic12.co.uk/bot.php?+)"
180.76.15.30 - - [12/Jul/2016:08:24:38 +0300] "GET / HTTP/1.0" 200 21132 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"

and

Code:

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /(\S+) - - \[\S+\s+\S+\] "(GET|POST) \/\S+ HTTP\/\S+" \d+ \d+ \S+\s+"\S+ \(compatible\; (MJ12bot|Baiduspider|AhrefsBot)\/\S+ \S?http\S+\)"/)) {
    return ("GET POST HEAD Attempt From: $1","MJ12bot-Baiduspider-AhrefsBot2","1","1");
}

CUSTOM1_LOG: /var/www/vhosts/system/*/logs/access_*log

Lines to trigger:

Code:

180.76.15.134 - - [12/Jul/2016:08:35:17 +0300] "GET /language/en/kallirroe-hotel/ HTTP/1.0" 200 7285 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
51.255.65.8 - - [12/Jul/2016:08:54:14 +0300] "GET /tag/%CF%80%CE%BB%CE%B7%CF%81%CF%8E%CE%BC%CE%B1%CF%84%CE%B1/ HTTP/1.0" 200 96452 "-" "Mozilla/5.0 (compatible; AhrefsBot/5.1; +http://ahrefs.com/robot/)"
173.208.157.186 - - [12/Jul/2016:08:38:10 +0300] "GET /shop/ HTTP/1.0" 200 18182 "-" "Mozilla/5.0 (compatible; MJ12bot/v1.4.5; http://www.majestic12.co.uk/bot.php?+)"

Best Regards

Re: regex for badbots not triggering after updating to v9.10

Posted: 13 Jul 2016, 21:57
by ForumAdmin
Instead of using

Code:

($lgfile eq $config{CUSTOM1_LOG})

try using this instead:

Code:

($globlogs{CUSTOM1_LOG}{$lgfile})
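
The difference between the two file tests, as an added example (not csf's own code and not written by either poster): a stand-alone Perl script that runs the thread's regex over log lines quoted above using each test in turn. It assumes lfd passes the expanded file name in $lgfile and that %globlogs holds the expanded names as keys, as the suggested expression implies; the vhost paths and the third log line are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-ins for lfd's data. Assumption: %globlogs is keyed by the
# setting name, then by every file the wildcard expanded to.
my %config   = (CUSTOM1_LOG => '/var/www/vhosts/system/*/logs/access_*log');
my @expanded = ('/var/www/vhosts/system/example.com/logs/access_log',   # hypothetical
                '/var/www/vhosts/system/example.org/logs/access_log');  # hypothetical
my %globlogs = (CUSTOM1_LOG => { map { $_ => 1 } @expanded });

# Both rules from the first post folded into one: "/" or "/path" requests.
my $re = qr{(\S+) - - \[\S+\s+\S+\] "(GET|POST) /\S* HTTP/\S+" \d+ \d+ \S+\s+"\S+ \(compatible; (MJ12bot|Baiduspider|AhrefsBot)/\S+ \S?http\S+\)"};

# Same shape as a regex.custom.pm rule; $use_glob selects which file test runs.
sub custom_line {
    my ($line, $lgfile, $use_glob) = @_;
    my $is_custom1 = $use_glob
        ? $globlogs{CUSTOM1_LOG}{$lgfile}          # membership in the expanded set
        : ($lgfile eq $config{CUSTOM1_LOG});       # literal compare with the pattern
    if ($is_custom1 and $line =~ $re) {
        return ("GET POST HEAD Attempt From: $1", "MJ12bot-Baiduspider-AhrefsBot", "1", "1");
    }
    return 0;
}

my @lines = (
    # Two lines quoted in the thread, then a constructed browser line as a control.
    '149.202.48.192 - - [12/Jul/2016:08:43:51 +0300] "GET / HTTP/1.0" 200 96340 "-" "Mozilla/5.0 (compatible; MJ12bot/v1.4.5; http://www.majestic12.co.uk/bot.php?+)"',
    '173.208.157.186 - - [12/Jul/2016:08:38:10 +0300] "GET /shop/ HTTP/1.0" 200 18182 "-" "Mozilla/5.0 (compatible; MJ12bot/v1.4.5; http://www.majestic12.co.uk/bot.php?+)"',
    '192.0.2.10 - - [12/Jul/2016:08:40:00 +0300] "GET /shop/ HTTP/1.1" 200 18182 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
);

for my $use_glob (0, 1) {
    my $test = $use_glob ? '$globlogs{CUSTOM1_LOG}{$lgfile}' : '$lgfile eq $config{CUSTOM1_LOG}';
    for my $line (@lines) {
        my @hit = custom_line($line, $expanded[0], $use_glob);
        my ($ip) = $line =~ /^(\S+)/;
        printf "%-32s %-16s %s\n", $test, $ip, $hit[0] ? "BLOCK: $hit[0]" : "no match";
    }
}
```

Under these assumptions the regex itself matches both bot lines; only the file test decides whether the rule fires, because a concrete file name is never string-equal to a value that still contains wildcards.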

Re: regex for badbots not triggering after updating to v9.10

Posted: 17 Jul 2016, 12:11
by csmaniac
Hi, I have already tried it and unfortunately it didn't work.
I have also re-installed csf v9.10 from scratch and rebooted the server.
When I enter a multiple-directories path in custom_logs it doesn't watch those logs. In fact it watches some of those logs randomly! Sometimes it blocks and sometimes it doesn't block. I can see it reading and searching those logs.
CUSTOM1_LOG: /var/www/vhosts/system/*/logs/access_*log

On another server I don't use a multiple-directories path in custom_logs; I use a single directory path and it works fine!
I think something happens when I enter a path with multiple directories to watch.
This specific path has about 80 directories inside vhosts/*/logs for csf to watch!

Any ideas?
Regards