CSF and Log entries for an Apache version 4

toplisek

Well-Known Member
Jan 7, 2010
255
20
68
I try to fix entries CSF and Log entries for an Apache version 2.4:
CUSTOM1_LOG = "/etc/apache2/logs/domlogs/*/*"
Is it the correct CUSTOM1_LOG = "/etc/apache2/logs/domlogs/*/*"
Need help.
 
Last edited:

ejsolutions

Well-Known Member
Jan 6, 2013
62
26
68
cPanel Access Level
Root Administrator
This would be better asked on a CSF forum. (?)
(I assume that you actually mean Apache 2.4 HTTP Server.)
The standard CSF settings are fine, if you use the recommended combined logs.
  • Home /
  • Service Configuration /
  • Apache Configuration /
  • Piped Log Configuration
 
Last edited by a moderator:

toplisek

Well-Known Member
Jan 7, 2010
255
20
68
I try to secure login inside OpenCart.
I do not know if folder is the correct path. An example: should we use / or without,
\/admin/index\.php.

<!-- CSF/LFD to Block OpenCart Bruteforce Attacks ---->
<!-- 1. Edit the file -->
nano /usr/local/csf/bin/regex.custom.pm
<!-- Add the following code: -->
# XMLRPC
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/xmlrpc\.php.*" /)) {
return ("WP XMLPRC Attack",$1,"XMLRPC","5","80,443","1");
}

# OC-LOGINS Users
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/admin/index\.php.*" /)) {
return ("OC Login Attack",$1,"OCLOGIN","5","80,443","1");
}

# OC-LOGINS Administrator
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/admin/index\.php.*" /)) {
return ("OC Login Attack",$1,"OCLOGIN","5","80,443","1");
}
<!-- 2. Add the custom log that CSF/LFD will monitor -->
nano /etc/csf/csf.conf
 

ejsolutions

Well-Known Member
Jan 6, 2013
62
26
68
cPanel Access Level
Root Administrator
Why not just use {HTACCESS_LOG} in the regex.custom.pm? The only reason I can think of offhand, for using a custom log, is to monitor a particular cPanel account/domain, in which case use a specific domlog.
I note that your copy/paste of the custom regex appears to be incorrect - the test for user and admin are identical. :-\
Also note that the CSF forum is likely a better venue for these questions.