Custom Regex for CSF to block bad logins

Post by haus »

In case anyone is using CSF/LFD for firewall/bruteforce prevention, I created these rules for 1.34.23 on Ubuntu 20.04 (Apache2) to block IPs that fail to log into ZM. These would go in /etc/csf/regex.custom.pm.

Code:

# Block Bad Zoneminder logins from apache2 error log. These are case insensitive (note the i after the regex).
if (($globlogs{HTACCESS_LOG}{$lgfile}) and ($line =~ /^.*\[client\s(\d+\.\d+\.\d+\.\d+):.*?].*ERR.*\[could not retrieve user.*?]/i)) {
    return ("Failed ZoneMinder Login (user not found)",$1,"zmnouser","1","80","1","0");
}

if (($globlogs{HTACCESS_LOG}{$lgfile}) and ($line =~ /^.*\[client\s(\d+\.\d+\.\d+\.\d+):.*?].*ERR.*\[login denied for user.*?]/i)) {
    return ("Failed ZoneMinder Login (BAD PASSWORD)",$1,"zmbadpass","1","80","1","0");
}
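A quick offline check of the two patterns above, added here as an example and not part of haus's post. The log lines are constructed, and their exact Apache/ZoneMinder wording is an assumption based on the text the patterns look for; the `classify` helper is hypothetical. It also shows that a client logged with an IPv6 address is not matched by either rule.

```perl
#!/usr/bin/perl
# Added example: run the two regex.custom.pm patterns from the post over
# sample log lines before deploying them, since the rules block on one hit.
use strict;
use warnings;

# Patterns copied unchanged from the post; the key is the app name LFD reports.
my @rules = (
    [ zmnouser  => qr/^.*\[client\s(\d+\.\d+\.\d+\.\d+):.*?].*ERR.*\[could not retrieve user.*?]/i ],
    [ zmbadpass => qr/^.*\[client\s(\d+\.\d+\.\d+\.\d+):.*?].*ERR.*\[login denied for user.*?]/i ],
);

# Hypothetical helper: returns (app name, captured IP) for the first rule
# that matches, or an empty list when no rule matches.
sub classify {
    my ($line) = @_;
    for my $rule (@rules) {
        my ($app, $re) = @$rule;
        return ($app, $1) if $line =~ $re;
    }
    return;
}

# Constructed sample lines (documentation address ranges); the message
# wording is assumed, not copied from a real ZoneMinder install.
my @samples = (
    '[Sat Feb 06 10:15:01.123456 2021] [php7:notice] [pid 1234] [client 203.0.113.7:51234] ERR [Could not retrieve user admin details]',
    '[Sat Feb 06 10:15:09.654321 2021] [php7:notice] [pid 1234] [client 198.51.100.23:40022] ERR [Login denied for user "operator"]',
    # IPv6 client: the capture group only accepts dotted IPv4, so no match.
    '[Sat Feb 06 10:16:30.000111 2021] [php7:notice] [pid 1234] [client 2001:db8::5:40100] ERR [Login denied for user "operator"]',
    # Unrelated error from the same client: must not trigger a block.
    '[Sat Feb 06 10:17:02.222333 2021] [core:info] [pid 1234] [client 203.0.113.7:51300] File does not exist: /var/www/html/favicon.ico',
);

for my $line (@samples) {
    my ($app, $ip) = classify($line);
    if (defined $app) {
        printf "%-10s %-15s <= %s\n", $app, $ip, substr($line, 0, 60);
    } else {
        printf "%-10s %-15s <= %s\n", 'no match', '-', substr($line, 0, 60);
    }
}
```

Replacing the constructed lines with a few real entries from the Apache error log confirms the patterns against the actual message format on the server.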