Custom Regex for CSF to block bad logins
Posted: Tue Apr 13, 2021 1:28 pm
In case anyone is using CSF/LFD for firewall/bruteforce prevention, I created these rules for 1.34.23 on Ubuntu 20.04 (Apache2) to block IPs that fail to log into ZM. These would go in /etc/csf/regex.custom.pm.
Code:
# Block Bad Zoneminder logins from apache2 error log. These are case insensitive (note the i after the regex).
# Return fields: log message, offending IP, rule ID, trigger count, ports, block (1 = permanent, n = seconds), Cloudflare flag.
if (($globlogs{HTACCESS_LOG}{$lgfile}) and ($line =~ /^.*\[client\s(\d+\.\d+\.\d+\.\d+):.*?].*ERR.*\[could not retrieve user.*?]/i)) {
    return ("Failed ZoneMinder Login (user not found)",$1,"zmnouser","1","80","1","0");
}
if (($globlogs{HTACCESS_LOG}{$lgfile}) and ($line =~ /^.*\[client\s(\d+\.\d+\.\d+\.\d+):.*?].*ERR.*\[login denied for user.*?]/i)) {
    return ("Failed ZoneMinder Login (BAD PASSWORD)",$1,"zmbadpass","1","80","1","0");
}
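
Because both rules use a trigger count of 1, it is worth checking what the patterns do and do not match before installing them. The stand-alone script below is an added example, not part of the original post or of CSF: it runs the two regexes from the post over constructed log lines (documentation addresses, default Apache 2.4 error-log layout assumed; `classify` is a hypothetical helper name).

```perl
#!/usr/bin/perl
# Added example (not from the original post): run the two ZoneMinder patterns
# against sample Apache error-log lines before installing them in CSF.
use strict;
use warnings;

# The two regexes from the post, keyed by the rule identifier each one returns.
my @rules = (
    [ zmnouser  => qr/^.*\[client\s(\d+\.\d+\.\d+\.\d+):.*?].*ERR.*\[could not retrieve user.*?]/i ],
    [ zmbadpass => qr/^.*\[client\s(\d+\.\d+\.\d+\.\d+):.*?].*ERR.*\[login denied for user.*?]/i ],
);

# Hypothetical helper: return (rule id, captured IP) for the first match, else ().
sub classify {
    my ($line) = @_;
    for my $rule (@rules) {
        my ($id, $re) = @$rule;
        return ($id, "$1") if $line =~ $re;
    }
    return;
}

# Constructed sample lines, not real log data. Each entry: [line, expected id, expected IP].
my $pre = '[Tue Apr 13 13:20:01.000000 2021] [php7:notice] [pid 1234]';
my @samples = (
    [ $pre . ' [client 203.0.113.7:51514] ERR [Could not retrieve user nosuchuser details]', 'zmnouser', '203.0.113.7' ],
    [ $pre . ' [client 198.51.100.23:40022] ERR [Login denied for user "admin"]', 'zmbadpass', '198.51.100.23' ],
    # IPv6 clients are not covered by the IPv4-only capture group.
    [ $pre . ' [client 2001:db8::5:51000] ERR [Login denied for user "admin"]', undef, undef ],
    # An unrelated error line (constructed text) must not trigger a block.
    [ $pre . ' [client 203.0.113.7:51515] ERR [Unable to connect to ZM db]', undef, undef ],
);

my $failures = 0;
for my $s (@samples) {
    my ($line, $want_id, $want_ip) = @$s;
    my ($id, $ip) = classify($line);
    my $got  = defined $id      ? "$id $ip"           : 'no match';
    my $want = defined $want_id ? "$want_id $want_ip" : 'no match';
    my $ok   = $got eq $want;
    $failures++ unless $ok;
    printf "%-4s got=%-26s want=%s\n", ($ok ? 'ok' : 'FAIL'), $got, $want;
}
exit($failures ? 1 : 0);
```

Replacing the constructed lines with a few lines copied from your own Apache error log shows whether your log format still matches; the script exits non-zero if any expectation fails.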