regex in NCSA extended/combined log for BAN
Hello guys
Posting this question here because 99% of you are very technical and well prepared, according to what I've seen over the years.
Using the NCSA extended/combined log format = "%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
My goal is a firewall rule (at /usr/local/csf/bin/regex.custom.pm) that bans wp-login.php failures with CSF.
Example log file:
151.11.222.111 - - [31/Jan/2021:08:35:51 +0000] "POST /wp-login.php HTTP/1.1" 200 2783 "https://myshinysite.com/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36 Edg/88.0.705.56"
But this IP is not banned, probably because my regex sucks; yes, this regex probably sucks, a lot:
# Anchor the capture at the start of the line so $1 is %h (the client address), skip %l %u [%t],
# then match the quoted request line. The original had a stray \w before the method (so "POST
# could never match), a bare .] that let (\S+) land on the timezone, and an unescaped dot in .php.
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) \/wp-login\.php[^"]*"/)) {return ("wp-login.php WP ban",$1,"WPLOGINorWHATEVER","3","80,443,21,25,22,23","1");}
Would you be kind enough to point me in the right direction and to suggest a good book about regex? Thanks
Comments
I haven't used CSF but if it accepts standard RegEx patterns and assuming the first capturing group goes into $1, then the simplest pattern for this would be:
^(\S+).+wp-login\.php
Here's the unbotched version of your original pattern:
(\S+).+] "(?:GET|POST) \/wp-login.php.*"
I don't understand why there was a \w before the (?:GET|POST) and a lone . after the IP capturing group.
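The following is an added example written for this page; it is not code from the original post or from the commenter, and it is not part of CSF. It runs the pattern that the question asks for over constructed NCSA combined-format lines so the match can be checked before it goes into regex.custom.pm. Two details matter that a pattern anchored only on "wp-login.php" anywhere in the line does not capture: the string also appears in the Referer field, so a match must be pinned to the quoted request line; and a POST to wp-login.php with the wrong password is answered by WordPress with status 200 (the form is re-rendered), while a successful login is answered with a 302 redirect, so the status field is what separates a failure from a real login. The pattern uses only syntax shared by Python's re and Perl, so the same string can be used in regex.custom.pm, where the first group becomes $1 (inside /.../ delimiters the slash must be written \/, as in the post, or the m{...} form can be used). The sample log lines, the documentation-range addresses and the function names are assumptions made for this example. If the site sits behind a CDN or reverse proxy, %h is the proxy's address and this approach needs the real client address logged instead.

```python
import re
from collections import Counter

# Pattern for one NCSA combined-format line: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i".
# It captures %h and requires %r to be a POST to /wp-login.php (optionally with a query
# string) that was answered with status 200, i.e. WordPress re-rendered the login form
# because the credentials were wrong. A successful login is a 302 and is not matched.
CSF_PATTERN = (
    r'^(\S+) \S+ \S+ \[[^\]]+\] '                       # %h %l %u [%t]
    r'"POST /wp-login\.php(?:\?[^" ]*)? HTTP/[\d.]+" '  # "%r": POST, path, optional query
    r'200 '                                             # %>s: 200 = login failed
)
WP_LOGIN_FAIL = re.compile(CSF_PATTERN)

# Constructed sample log (assumption for this example, not real traffic). Lines 1-3 are
# three failed logins from one address, line 4 only loads the form, line 5 is a
# successful login (302), lines 6-7 are two failures from another address, line 8 is
# a POST elsewhere and line 9 is junk that the parser must ignore.
SAMPLE_LOG = """\
151.11.222.111 - - [31/Jan/2021:08:35:51 +0000] "POST /wp-login.php HTTP/1.1" 200 2783 "https://myshinysite.com/wp-login.php" "Mozilla/5.0"
151.11.222.111 - - [31/Jan/2021:08:35:53 +0000] "POST /wp-login.php HTTP/1.1" 200 2783 "https://myshinysite.com/wp-login.php" "Mozilla/5.0"
151.11.222.111 - - [31/Jan/2021:08:35:55 +0000] "POST /wp-login.php HTTP/1.1" 200 2783 "https://myshinysite.com/wp-login.php" "Mozilla/5.0"
203.0.113.7 - - [31/Jan/2021:08:36:10 +0000] "GET /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Jan/2021:08:36:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://myshinysite.com/wp-login.php" "Mozilla/5.0"
198.51.100.9 - - [31/Jan/2021:08:37:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2783 "-" "curl/7.68.0"
198.51.100.9 - - [31/Jan/2021:08:37:02 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 2783 "-" "curl/7.68.0"
198.51.100.9 - - [31/Jan/2021:08:37:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "curl/7.68.0"
this line is not an access log entry
"""


def failed_login_ip(line):
    """Return the client address if the line records a failed wp-login.php POST, else None."""
    m = WP_LOGIN_FAIL.match(line)
    return m.group(1) if m else None


def count_failures(log_text):
    """Count failed wp-login.php POSTs per client address over a whole log."""
    counts = Counter()
    for line in log_text.splitlines():
        ip = failed_login_ip(line)
        if ip:
            counts[ip] += 1
    return counts


def ips_to_block(log_text, trigger=3):
    """Addresses that reached the trigger count (3 in the post's CSF rule)."""
    return sorted(ip for ip, n in count_failures(log_text).items() if n >= trigger)


if __name__ == "__main__":
    for ip, n in count_failures(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed login(s)")
    print("block:", ips_to_block(SAMPLE_LOG))
```

With the sample above, 151.11.222.111 reaches the trigger of 3 and is the only address listed for blocking; 198.51.100.9 has two failures (the second one with a query string) and stays below it, and 203.0.113.7 is never counted because loading the form is a GET and its login succeeded with a 302. The GET|POST alternative in the post's own rule would count every page load of the form, so keeping the method to POST and the status to 200 is what makes the rule a failed-login rule rather than a wp-login.php-visitor rule.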