Custom Logs not triggering CloudFlare block

Post Reply
yoshi_fp
Junior Member
Posts: 1
Joined: 17 Jan 2018, 04:22

Custom Logs not triggering CloudFlare block

Post by yoshi_fp »

Hello,

I noticed that CSF now supports blocking at the CloudFlare level which is great, however I'm trying to use a custom log with a custom regex to trigger a block in CloudFlare and this doesn't seem to be working.

I've tried with it set as a permanent block and a temporary block but neither of these are triggering the API call to CloudFlare. I'm not using cPanel, just plain CentOS.

I have my custom rules triggering correctly and showing in my logs and getting emails stating they've been activated but then I check CloudFlare and nothing is appearing in there. I've tested the API connection to CloudFlare on the command line with csf --cloudflare function and these are all working.

Below is a sample from the config changes I've made, to get this all working.
  • Installed LWP (requirement for CloudFlare)
  • In /etc/csf/csf.conf

    modify:
    • URLGET
      1
      to
      2
    • CF_ENABLE
      0
      to
      1
    • CF_TEMP
      3600
      to
      86400
    • LF_TRIGGER
      "0"
      to
      "10"
      Trigger custom rule after this many login failure/custom log attempts/entries
    • LF_TRIGGER_PERM = "86400"
      CUSTOM1_LOG
      "/var/log/customlog"
      to
      "/var/log/httpd/sites_access_log"
    • Set CloudFlare settings in /etc/csf/csf.cloudflare
      • DOMAIN:any:USER:--linux_username---:CFACCOUNT:--Cloudflare_username--:CFAPIKEY:--Cloudflare_API_KEY--{/list]
    I am seeing these entries in my logs, and have checked CloudFlare and the local csf for the IPs being blocked, not appearing in CloudFlare but are appearing the local csf.

    Jan 17 15:01:21 sstd lfd[13728]: (CustLoginFailMyApp) MyApp Login Failure 49.195.194.247 (AU/Australia/pa49-195-194-247.pa.nsw.optusnet.com.au): 10 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
    Jan 17 15:09:58 sstd lfd[14685]: (CustLoginFailMyApp) MyApp Login Failure 49.195.194.247 (AU/Australia/pa49-195-194-247.pa.nsw.optusnet.com.au): 10 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
    Jan 17 15:12:31 sstd lfd[15039]: (CustLoginFailMyApp) MyApp Login Failure 49.195.194.247 (AU/Australia/pa49-195-194-247.pa.nsw.optusnet.com.au): 10 in the last 3600 secs - *Blocked in csf* [LF_TRIGGER]
    Jan 17 15:15:25 sstd lfd[15465]: (CustLoginFailMyApp) MyApp Login Failure 49.195.194.247 (AU/Australia/pa49-195-194-247.pa.nsw.optusnet.com.au): 10 in the last 3600 secs - *Blocked in csf* for 86400 secs [LF_TRIGGER]

    I have since removed from the local csf with csf -dr and csf -tr after I checked they were not present in CloudFlare.

    My custom regex similar to this:

    if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*"GET \/index\.php\/(site\/login).*" (401|403)/))
    {
    return ("MyApp Login Failure",$1,"CustLoginFailMyApp","80,443",86400)
    }

    Is there a simple configuration problem I have here or do Custom Logs not trigger CloudFlare blocks, or do I need to include something else inside the regex match before returning, or do I need to return different parameters to the function in return on the custom regex?

    Thanks in advance
    Regards
    Todd
Top
ForumAdmin
Moderator
Posts: 1523
Joined: 01 Oct 2008, 09:24

Re: Custom Logs not triggering CloudFlare block

Post by ForumAdmin »

The cloudflare blocking will only trigger on LF_MODSEC and LF_CXS, not the custom triggers.
Top
Post Reply

Return to “General Discussion (csf)”