
SOLVED: It seems like CSF+LFD ignores Custom Log file

Posted: 06 Jan 2021, 21:03
by Sarge
Hello ALL,
I have used CSF for many years and have created many custom rules based on https://forum.configserver.com/viewtopic.php?t=7517 - but this is the very first time I've met a problem that I can't understand - because everything looks correct - but does not work.

1) I have created a custom log file that is produced by a Bash script adding lines like
printf "BadIP 212.3.197.165\n" >> /var/log/blacklist.log
So BLACKLIST.LOG is very simple and looks like
BadIP 212.3.197.165
BadIP 213.3.197.165
BadIP 214.3.197.165
BadIP 212.3.197.165
BadIP 212.3.197.165

2) I've added this log to CSF.CONF
CUSTOM8_LOG = "/var/log/blacklist.log"

3) I've added the rule to regex.custom.pm to catch exactly IP addresses (tested on various online regex testers - all OK - see example https://regex101.com/r/qFE95M/23)

if (($lgfile eq $config{CUSTOM8_LOG}) and ($line =~ /[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/)) {
return ("Own Blacklist",$1,"Blacklisted","2","80","600");
}
But it seems the CSF+LFD firewall just ignores this rule (OR MAYBE this custom log file?) - and does not set the temporary blocks; for example, IP 212.3.197.165, which has appeared in the list 3 times, should be blocked after 2 appearances.
I made a few restarts and set DEBUG = "1" - but nothing.
No notices, no warnings and no effect.
Much more complex regex rules with the Apache log file still work excellently.
But here it is a very simple log file and a simple rule.
Thanks in advance for any idea WHY it does not work and what to try,
Take care,
Regards
Serge

Re: It seems like CSF+LFD ignores Custom Log file

Posted: 08 Jan 2021, 15:14
by Sergio
Hi, Serge.
Happy New Year 2021!

It seems that the error that you have is that you are not passing the variable $1 in the rule. You have:
if (($lgfile eq $config{CUSTOM8_LOG}) and ($line =~ /[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/)) {
return ("Own Blacklist",$1,"Blacklisted","2","80","600");
}
But you have to add parentheses to get the variable and pass it to $1, so make the change from:
[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}
to:
([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})
The complete rule should be:
if (($lgfile eq $config{CUSTOM8_LOG}) and ($line =~ /([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})/)) {
return ("Own Blacklist",$1,"Blacklisted","2","80","600");
}
Best Regards,
Sergio
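
An added example, not part of the original posts and not CSF's own code: a stand-alone Perl harness that runs the two rule bodies from this thread over constructed log lines and reports whether each one hands back a usable IP. The `check_rule` helper and the reading of the fourth return value as the trigger count are assumptions for illustration; lfd's real counting is not reproduced.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample lines in the /var/log/blacklist.log format from the first post.
my @log = map { "BadIP $_" } qw(212.3.197.165 213.3.197.165 214.3.197.165
                                212.3.197.165 212.3.197.165);

# The two rule bodies from the thread, wrapped in subs. The $lgfile test is
# left out because this harness feeds the lines in directly.
my @rules = (
    [ 'without capture group', sub {
        my ($line) = @_;
        if ($line =~ /[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/) {
            return ("Own Blacklist", $1, "Blacklisted", "2", "80", "600");
        }
        return;
    } ],
    [ 'with capture group', sub {
        my ($line) = @_;
        if ($line =~ /([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})/) {
            return ("Own Blacklist", $1, "Blacklisted", "2", "80", "600");
        }
        return;
    } ],
);

# Hypothetical helper (not part of CSF): run one rule over every line and
# tally the second return value. Assumes the fourth value is the trigger count.
sub check_rule {
    my ($rule, @lines) = @_;
    my (%hits, $trigger);
    my $no_ip = 0;
    for my $line (@lines) {
        my @ret = $rule->($line);
        next unless @ret;                 # pattern did not match this line
        $trigger = $ret[3];
        if (defined $ret[1]) { $hits{ $ret[1] }++ }   # rule handed back an IP
        else                 { $no_ip++ }             # matched, but $1 was undef
    }
    my @at_trigger = grep { $hits{$_} >= $trigger } sort keys %hits;
    return ($no_ip, \@at_trigger);
}

for my $r (@rules) {
    my ($name, $rule) = @$r;
    my ($no_ip, $at_trigger) = check_rule($rule, @log);
    printf "%-22s matched without IP: %d, IPs at trigger: %s\n", $name, $no_ip,
        @$at_trigger ? join(",", @$at_trigger) : "none";
}
```

A rule that matches lines but counts them all under "matched without IP" is returning undef in the IP position, which is the symptom described in this thread.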

Re: SOLVED: It seems like CSF+LFD ignores Custom Log file

Posted: 08 Jan 2021, 15:37
by Sarge
Dear Sergio, my great thanks!
Yes, I've missed the parentheses! Now everything works like a breeze :)
Best regards,
Serge