Is anyone good with CSF custom regex ?

I reguarly see the follwing error in my logs.

Dropping connection from xxx.xxx.xxx.xxx because of tcp_wrappers at cpsrvd.pl line 3622

I believe caused by unauthorised cpanel login attempts.

Whilst I have HAC configured to only allow a small number of IP's cpanel access, i'd still like CSF to add the offending IP to the blocklist, but i've absolutely no idea how to write a custom regex.
I've asked a few times on the CSF forum, but never had a reply.

Are there any regex guru's on here who could help ?

 

I too have seen that thread, however, it might as well be written in a foriegn langauge as it means absolutely nothing to me.
It's just a series of numbers and commas.

 

I recreated this using my mobile phone, which is not included in HAC.

The message appears in usr/local/cpanel/logs/error_log

No server names or time stamps just the following message.

Dropping connection from xxx.xxx.xxx.xxx because of tcp_wrappers at cpsrvd.pl line 3622.

 

I followed the instructions, but it CSF doesn't seem to block the IP.
Initially, I used the echo method, and after a few attempts discovered a slight syntax error. (missing from)
After it still didn't add the IP, i tried from my phone.
I can see my IP is generating the string, but still doesn't seem to add my IP to CSF block list.

LF_TRIGGER = 0
LF_TRIGGER_PERM = 1

Code:

CUSTOM1_LOG = "usr/local/cpanel/logs/error_log"
CUSTOM2_LOG = "/var/log/customlog"
CUSTOM3_LOG = "/var/log/customlog"
CUSTOM4_LOG = "/var/log/customlog"
CUSTOM5_LOG = "/var/log/customlog"
CUSTOM6_LOG = "/var/log/customlog"
CUSTOM7_LOG = "/var/log/customlog"
CUSTOM8_LOG = "/var/log/customlog"
CUSTOM9_LOG = "/var/log/customlog"

Code:

#!/usr/local/cpanel/3rdparty/bin/perl
###############################################################################
# Copyright 2006-2015, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
sub custom_line {
   my $line = shift;
   my $lgfile = shift;

# Do not edit before this point
###############################################################################
#
# Custom regex matching can be added to this file without it being overwritten
# by csf upgrades. The format is slightly different to regex.pm to cater for
# additional parameters. You need to specify the log file that needs to be
# scanned for log line matches in csf.conf under CUSTOMx_LOG. You can scan up
# to 9 custom logs (CUSTOM1_LOG .. CUSTOM9_LOG)
#
# The regex matches in this file will supercede the matches in regex.pm
#
# Example:
#   if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ pure-ftpd: \(\?\@(\d+\.\d+\.\d+\.\d+)\) \[WARNING\] Authentication failed for user/)) {
#       return ("Failed myftpmatch login from",$1,"myftpmatch","5","20,21","1");
#   }
#
# The return values from this example are as follows:
#
# "Failed myftpmatch login from" = text for custom failure message
# $1 = the offending IP address
# "myftpmatch" = a unique identifier for this custom rule, must be alphanumeric and have no spaces
# "5" = the trigger level for blocking
# "20,21" = the ports to block the IP from in a comma separated list, only used if LF_SELECT enabled. To specify the protocol use 53;udp,53;tcp
# "1" = n/temporary (n = number of seconds to temporarily block) or 1/permanant IP block, only used if LF_TRIGGER is disabled
# If the matches in this file are not syntactically correct for perl then lfd
# will fail with an error. You are responsible for the security of any regex
# expressions you use. Remember that log file spoofing can exploit poorly
# constructed regex's


if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^Dropping connection from (\S+) because of tcp_wrappers/)) {
    return ("5 cPanel login attempts from IP not in Host Access Control list",$1,"keats_hammer_4","5","2077,2078,2082,2083,2086,2087,2095,2096","1");
}

###############################################################################
# Do not edit beyond this point

   return 0;
}

1;

I can see the string in the email though.
Maybe I put the regex in the wrong place ??

 

Code:

You have...
CUSTOM1_LOG = "usr/local/cpanel/logs/error_log"
in /etc/csf/csf.conf
I posted...
CUSTOM1_LOG = "/usr/local/cpanel/logs/error_log"

I looked at that for about 2 minutes, thinking, I don't see where the problem is.
Then I spotted the preceeding /

Guess what, it now works.

Code:

123.123.123.123 # lfd: (keats_hammer_4) 5 cPanel login attempts from IP not in Host Access Control list 123.123.123.123 (CN/China/Beijing/Beijing/-): 5 in the last 3600 secs - Tue Apr 10 13:10:33 2018

This issue has taken me at least 2 years to finally get a resolution.
I owe you a beer.

Would you mind me sharing this on the CSF forum. ?