###############################################################################
# Copyright 2006-2023, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
## no critic (RequireUseWarnings, ProhibitExplicitReturnUndef, ProhibitMixedBooleanOperators, RequireBriefOpen)
# start main
package ConfigServer::RegexMain;

use strict;
use lib '/usr/local/csf/lib';
use IPC::Open3;
use ConfigServer::Config;
use ConfigServer::CheckIP qw(checkip);
use ConfigServer::Slurp qw(slurp);
use ConfigServer::Logger qw(logfile);
use ConfigServer::GetEthDev;

use Exporter qw(import);
our $VERSION     = 1.03;
our @ISA         = qw(Exporter);
our @EXPORT_OK   = qw();

our (%config, %cpconfig, $slurpreg, $cleanreg, %globlogs, %brd, %ips);

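my $config = ConfigServer::Config->loadconfig();
%config = $config->config;

$slurpreg = ConfigServer::Slurp->slurpreg;
$cleanreg = ConfigServer::Slurp->cleanreg;

# cPanel account defaults: "name value" pairs, one per line; blank lines and
# "#" comments are skipped and the value keeps any embedded spaces.
if (-e "/etc/wwwacct.conf") {
	foreach my $line (slurp("/etc/wwwacct.conf")) {
		$line =~ s/$cleanreg//g;
		next if $line =~ /^(\s|\#|$)/;
		my ($name, $value) = split(/ /, $line, 2);
		$cpconfig{$name} = $value;
	}
}
# The last line of the cPanel version file that contains a digit wins.
if (-e "/usr/local/cpanel/version") {
	foreach my $line (slurp("/usr/local/cpanel/version")) {
		$line =~ s/$cleanreg//g;
		if ($line =~ /\d/) {$cpconfig{version} = $line}
	}
}

# LF_APACHE_ERRPORT: 1 = the Apache error log carries a bare client address,
# 2 = it carries "address:port" (Apache 2.4+), so processline() must strip the
# port before validating the IP. 0 means auto-detect from the local binary.
if ($config{LF_APACHE_ERRPORT} == 0) {
	my ($apachebin) = grep { -e $_ } qw(/usr/local/apache/bin/httpd /usr/sbin/httpd /usr/sbin/apache2 /usr/sbin/httpd2);
	if (defined $apachebin) {
		my ($childin, $childout);
		# stderr is merged into $childout; "-v" prints "Server version: Apache/x.y.z"
		my $mypid = open3($childin, $childout, $childout, $apachebin, "-v");
		my @version = <$childout>;
		waitpid($mypid, 0);
		chomp @version;
		# Only act on a banner that actually parsed. Previously the captures
		# were used unconditionally, so an unexpected banner compared "." < 2.4
		# and silently selected 1; now it falls through to the default of 2.
		if (defined $version[0] and $version[0] =~ /Apache\/(\d+)\.(\d+)\.(\d+)/) {
			my ($mas, $maj) = ($1, $2);
			# compare major/minor numerically rather than as the float "$mas.$maj"
			# (which would rank 2.10 below 2.4)
			if ($mas < 2 or ($mas == 2 and $maj < 4)) {$config{LF_APACHE_ERRPORT} = 1}
		}
	}
}
unless ($config{LF_APACHE_ERRPORT} == 1) {$config{LF_APACHE_ERRPORT} = 2}
ConfigServer::Logger::logfile("LF_APACHE_ERRPORT: Set to [$config{LF_APACHE_ERRPORT}]");

my $ethdev = ConfigServer::GetEthDev->new();
%brd = $ethdev->brd;
%ips = $ethdev->ipv4;

# Site-local patterns; processline() consults custom_line() from this file
# before any of the built-in regexes.
if (-e "/usr/local/csf/bin/regex.custom.pm") {require "/usr/local/csf/bin/regex.custom.pm"} ##no critic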

# end main
###############################################################################
# start processline
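# Classify one log line as a login failure / attack trigger.
#
# Arguments:
#   $line          raw log line (CR/LF are stripped here)
#   $lgfile        path of the log file the line was read from
#   $globlogs_ref  ref to a hash of log group => { path => 1 }; it is copied
#                  into the package global %globlogs so the gates below (and
#                  anything else reading the global) see the caller's view
#
# The site-local /usr/local/csf/bin/regex.custom.pm is tried first and wins
# whenever its custom_line() returns a non-empty $text. Otherwise the built-in
# patterns are tried in order and the FIRST one that matches decides:
#   ($text, "$ip|$account", $app)            most services
#   ($text, "$ip|$account|$domain", $app)    cxs / mod_security
#   ($text, "$ip", $app)                     Postfix SASL
# An empty list is returned when nothing matches, and also when a pattern
# matched but its address failed checkip() -- later patterns are deliberately
# not tried in that case, which is the original first-match behaviour.
sub processline {
	my $line = shift;
	my $lgfile = shift;
	my $globlogs_ref = shift;
	%globlogs = %{$globlogs_ref};
	$line =~ s/\n//g;
	$line =~ s/\r//g;

	if (-e "/usr/local/csf/bin/regex.custom.pm") {
		my ($text,$ip,$app,$trigger,$ports,$temp,$cf) = custom_line($line,$lgfile);
		if ($text) {
			return ($text,$ip,$app,$trigger,$ports,$temp,$cf);
		}
	}

	# Every sshd pattern shares the same gate: LF_SSHD enabled and the line
	# read from one of the recognised sshd logs.
	my $sshd_log = $config{LF_SSHD} && ($lgfile eq "/var/log/messages" || $lgfile eq "/var/log/secure" || $globlogs{SSHD_LOG}{$lgfile});

	#openSSH
	#RH
	if ($sshd_log and $line =~ /^(\S+|\S+\s+\d+\s+\S+) (\S+ )?sshd\[\d+\]: pam_unix\(sshd:auth\): authentication failure; logname=\S* uid=\S* euid=\S* tty=\S* ruser=\S* rhost=(\S+)\s+(user=(\S+))?/) {
		my ($ip, $acc) = ($3, $5);
		$ip = _valid_ip($ip) or return;
		return ("Failed SSH login from","$ip|$acc","sshd");
	}
	if ($sshd_log and $line =~ /^(\S+|\S+\s+\d+\s+\S+) (\S+ )?sshd\[\d+\]: Failed none for (\S*) from (\S+) port \S+/) {
		my ($ip, $acc) = ($4, $3);
		$ip = _valid_ip($ip) or return;
		return ("Failed SSH login from","$ip|$acc","sshd");
	}
	if ($sshd_log and $line =~ /^(\S+|\S+\s+\d+\s+\S+) (\S+ )?sshd\[\d+\]: Failed password for (invalid user |illegal user )?(\S*) from (\S+)( port \S+ \S+\s*)?/) {
		my ($ip, $acc) = ($5, $4);
		$ip = _valid_ip($ip) or return;
		return ("Failed SSH login from","$ip|$acc","sshd");
	}
	# The optional "(/pam)" group shifts the captures by one: the account is
	# $5 here ($4 is the "invalid user " prefix, which was reported before).
	if ($sshd_log and $line =~ /^(\S+|\S+\s+\d+\s+\S+) (\S+ )?sshd\[\d+\]: Failed keyboard-interactive(\/pam)? for (invalid user )?(\S*) from (\S+) port \S+/) {
		my ($ip, $acc) = ($6, $5);
		$ip = _valid_ip($ip) or return;
		return ("Failed SSH login from","$ip|$acc","sshd");
	}
	if ($sshd_log and $line =~ /^(\S+|\S+\s+\d+\s+\S+) (\S+ )?sshd\[\d+\]: Invalid user (\S*) from (\S+)/) {
		my ($ip, $acc) = ($4, $3);
		$ip = _valid_ip($ip) or return;
		return ("Failed SSH login from","$ip|$acc","sshd");
	}
	if ($sshd_log and $line =~ /^(\S+|\S+\s+\d+\s+\S+) (\S+ )?sshd\[\d+\]: User (\S*) from (\S+)\s* not allowed because not listed in AllowUsers/) {
		my ($ip, $acc) = ($4, $3);
		$ip = _valid_ip($ip) or return;
		return ("Failed SSH login from","$ip|$acc","sshd");
	}
	if ($sshd_log and $line =~ /^(\S+|\S+\s+\d+\s+\S+) (\S+ )?sshd\[\d+\]: Did not receive identification string from (\S+)/) {
		my $ip = _valid_ip($3) or return;
		return ("Failed SSH login from","$ip|","sshd");
	}
	if ($sshd_log and $line =~ /^(\S+|\S+\s+\d+\s+\S+) (\S+ )?sshd\[\d+\]: refused connect from (\S+)/) {
		my $ip = _valid_ip($3) or return;
		return ("Failed SSH login from","$ip|","sshd");
	}
	# the account ($3) is deliberately not reported for this message
	if ($sshd_log and $line =~ /^(\S+|\S+\s+\d+\s+\S+) (\S+ )?sshd\[\d+\]: error: maximum authentication attempts exceeded for (\S*) from (\S+)/) {
		my $ip = _valid_ip($4) or return;
		return ("Failed SSH login from","$ip|","sshd");
	}

	#Debian/Ubuntu
	if ($sshd_log and $line =~ /^(\S+|\S+\s+\d+\s+\S+) (\S+ )?sshd\[\d+\]: Illegal user (\S*) from (\S+)/) {
		my ($ip, $acc) = ($4, $3);
		$ip = _valid_ip($ip) or return;
		return ("Failed SSH login from","$ip|$acc","sshd");
	}

	#Gentoo
	if ($sshd_log and $line =~ /^(\S+|\S+\s+\d+\s+\S+) (\S+ )?sshd\[\d+\]: error: PAM: Authentication failure for (\S*) from (\S+)/) {
		my ($ip, $acc) = ($4, $3);
		$ip = _valid_ip($ip) or return;
		return ("Failed SSH login from","$ip|$acc","sshd");
	}

	#courier-imap
	if (($config{LF_POP3D}) and ($globlogs{POP3D_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ pop3d(-ssl)?: LOGIN FAILED, user=(\S*), ip=\[(\S+)\]\s*$/)) {
		my ($ip, $acc) = ($4, $3);
		$ip = _valid_ip($ip) or return;
		return ("Failed POP3 login from","$ip|$acc","pop3d");
	}
	if (($config{LF_IMAPD}) and ($globlogs{IMAPD_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ imapd(-ssl)?: LOGIN FAILED, user=(\S*), ip=\[(\S+)\]\s*$/)) {
		my ($ip, $acc) = ($4, $3);
		$ip = _valid_ip($ip) or return;
		return ("Failed IMAP login from","$ip|$acc","imapd");
	}

	#uw-imap
	if (($config{LF_POP3D}) and ($globlogs{POP3D_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ ipop3d\[\d+\]: Login failed user=(\S*) auth=\S+ host=\S+ \[(\S+)\]\s*$/)) {
		my ($ip, $acc) = ($3, $2);
		$ip = _valid_ip($ip) or return;
		return ("Failed POP3 login from","$ip|$acc","pop3d");
	}
	if (($config{LF_IMAPD}) and ($globlogs{IMAPD_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ imapd\[\d+\]: Login failed user=(\S*) auth=\S+ host=\S+ \[(\S+)\]\s*$/)) {
		my ($ip, $acc) = ($3, $2);
		$ip = _valid_ip($ip) or return;
		return ("Failed IMAP login from","$ip|$acc","imapd");
	}

	#dovecot
	# The "user=<...>" field is optional, so the account capture may be undef;
	# the angle brackets are stripped from it when present.
	if (($config{LF_POP3D}) and ($globlogs{POP3D_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ dovecot(\[\d+\])?: pop3-login: (Disconnected: )?(Aborted login( by logging out)?|Connection closed|Disconnected|Disconnected: Inactivity)(:\s*\S+\sfailed: Connection reset by peer)?(\s*\(auth failed, \d+ attempts( in \d+ secs)?\))?: (user=(<\S*>)?, )?(method=\S+, )?rip=(\S+), lip=/)) {
		my ($ip, $acc) = ($12, $10);
		$acc = "" unless defined $acc;
		$acc =~ s/^<|>$//g;
		$ip = _valid_ip($ip) or return;
		return ("Failed POP3 login from","$ip|$acc","pop3d");
	}
	if (($config{LF_IMAPD}) and ($globlogs{IMAPD_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ dovecot(\[\d+\])?: imap-login: (Disconnected: )?(Aborted login( by logging out)?|Connection closed|Disconnected|Disconnected: Inactivity)(:\s*\S+\sfailed: Connection reset by peer)?(\s*\(auth failed, \d+ attempts( in \d+ secs)?\))?: (user=(<\S*>)?, )?(method=\S+, )?rip=(\S+), lip=/)) {
		my ($ip, $acc) = ($12, $10);
		$acc = "" unless defined $acc;
		$acc =~ s/^<|>$//g;
		$ip = _valid_ip($ip) or return;
		return ("Failed IMAP login from","$ip|$acc","imapd");
	}
	if (($config{LF_POP3D}) and ($globlogs{POP3D_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) pop3-login(\[\d+\])?: Info: (Aborted login( by logging out)?|Connection closed|Disconnected|Disconnected: Inactivity)(\s*\(auth failed, \d+ attempts( in \d+ secs)?\))?: (user=(<\S*>)?, )?(method=\S+, )?rip=(\S+), lip=/)) {
		my ($ip, $acc) = ($10, $8);
		$acc = "" unless defined $acc;
		$acc =~ s/^<|>$//g;
		$ip = _valid_ip($ip) or return;
		return ("Failed POP3 login from","$ip|$acc","pop3d");
	}
	if (($config{LF_IMAPD}) and ($globlogs{IMAPD_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) imap-login(\[\d+\])?: Info: (Aborted login( by logging out)?|Connection closed|Disconnected|Disconnected: Inactivity)(\s*\(auth failed, \d+ attempts( in \d+ secs)?\))?: (user=(<\S*>)?, )?(method=\S+, )?rip=(\S+), lip=/)) {
		my ($ip, $acc) = ($10, $8);
		$acc = "" unless defined $acc;
		$acc =~ s/^<|>$//g;
		$ip = _valid_ip($ip) or return;
		return ("Failed IMAP login from","$ip|$acc","imapd");
	}

	#Kerio Mailserver
	if (($config{LF_POP3D}) and ($globlogs{POP3D_LOG}{$lgfile}) and ($line =~ /^\S+ \S+ POP3(\[\d+\])?: User (\S*) doesn\'t exist\. Attempt from IP address (\S+)\s*$/)) {
		my ($ip, $acc) = ($3, $2);
		$ip = _valid_ip($ip) or return;
		return ("Failed POP3 login from","$ip|$acc","pop3d");
	}
	if (($config{LF_POP3D}) and ($globlogs{POP3D_LOG}{$lgfile}) and ($line =~ /^\S+ \S+ POP3(\[\d+\])?: Invalid password for user (\S*)\. Attempt from IP address (\S+)\s*$/)) {
		my ($ip, $acc) = ($3, $2);
		$ip = _valid_ip($ip) or return;
		return ("Failed POP3 login from","$ip|$acc","pop3d");
	}
	if (($config{LF_IMAPD}) and ($globlogs{IMAPD_LOG}{$lgfile}) and ($line =~ /^\S+ \S+ IMAP(\[\d+\])?: User (\S*) doesn\'t exist\. Attempt from IP address (\S+)\s*$/)) {
		my ($ip, $acc) = ($3, $2);
		$ip = _valid_ip($ip) or return;
		return ("Failed IMAP login from","$ip|$acc","imapd");
	}
	if (($config{LF_IMAPD}) and ($globlogs{IMAPD_LOG}{$lgfile}) and ($line =~ /^\S+ \S+ IMAP(\[\d+\])?: Invalid password for user (\S*)\. Attempt from IP address (\S+)\s*$/)) {
		my ($ip, $acc) = ($3, $2);
		$ip = _valid_ip($ip) or return;
		return ("Failed IMAP login from","$ip|$acc","imapd");
	}
	# Kerio SMTP: gated by LF_SMTPAUTH/SMTPAUTH_LOG, so the result is reported
	# as an SMTP AUTH failure (this branch used to return "imapd", which
	# presumably counted these failures against the IMAP trigger instead).
	if (($config{LF_SMTPAUTH}) and ($globlogs{SMTPAUTH_LOG}{$lgfile}) and ($line =~ /^\S+ \S+ smtp(\[\d+\])?: User (\S*) doesn\'t exist\. Attempt from IP address (\S+)\s*$/)) {
		my ($ip, $acc) = ($3, $2);
		$ip = _valid_ip($ip) or return;
		return ("Failed SMTP AUTH login from","$ip|$acc","smtpauth");
	}

	#pure-ftpd
	#Nov 10 04:28:04 w212 pure-ftpd[3269638]: (?@152.57.198.52) [WARNING] Authentication failed for user [www]
	if (($config{LF_FTPD}) and ($globlogs{FTPD_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ pure-ftpd(\[\d+\])?: \(\?\@(\S+)\) \[WARNING\] Authentication failed for user \[(\S*)\]/)) {
		my ($ip, $acc) = ($3, $4);
		# pure-ftpd writes IPv6 addresses with "_" in place of ":"
		$ip =~ s/\_/\:/g;
		$ip = _valid_ip($ip) or return;
		return ("Failed FTP login from","$ip|$acc","ftpd");
	}

	#proftpd
	if (($config{LF_FTPD}) and ($globlogs{FTPD_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ proftpd\[\d+\]:? \S+ \([^\[]+\[(\S+)\]\)( -)?:? - no such user \'(\S*)\'/)) {
		my ($ip, $acc) = ($2, $4);
		$acc =~ s/:$//g;
		$ip = _valid_ip($ip) or return;
		return ("Failed FTP login from","$ip|$acc","ftpd");
	}
	if (($config{LF_FTPD}) and ($globlogs{FTPD_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ proftpd\[\d+\]:? \S+ \([^\[]+\[(\S+)\]\)( -)?:? USER (\S*) no such user found from/)) {
		my ($ip, $acc) = ($2, $4);
		$acc =~ s/:$//g;
		$ip = _valid_ip($ip) or return;
		return ("Failed FTP login from","$ip|$acc","ftpd");
	}
	if (($config{LF_FTPD}) and ($globlogs{FTPD_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ proftpd\[\d+\]:? \S+ \([^\[]+\[(\S+)\]\)( -)?:? - SECURITY VIOLATION/)) {
		my $ip = _valid_ip($2) or return;
		return ("Failed FTP login from","$ip|","ftpd");
	}
	if (($config{LF_FTPD}) and ($globlogs{FTPD_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ proftpd\[\d+\]:? \S+ \([^\[]+\[(\S+)\]\)( -)?:? - USER (\S*) \(Login failed\): Incorrect password/)) {
		my ($ip, $acc) = ($2, $4);
		$acc =~ s/:$//g;
		$ip = _valid_ip($ip) or return;
		return ("Failed FTP login from","$ip|$acc","ftpd");
	}

	#vsftpd
	if (($config{LF_FTPD}) and ($globlogs{FTPD_LOG}{$lgfile}) and ($line =~ /^\S+\s+\S+\s+\d+\s+\S+\s+\d+ \[pid \d+] \[(\S+)\] FAIL LOGIN: Client "(\S+)"/)) {
		my ($ip, $acc) = ($2, $1);
		$ip = _valid_ip($ip) or return;
		return ("Failed FTP login from","$ip|$acc","ftpd");
	}
	if (($config{LF_FTPD}) and ($globlogs{FTPD_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ vsftpd\[\d+\]: pam_unix\(\S+\): authentication failure; logname=\S*\s+\S+\s+\S+\s+\S+\s+ruser=\S*\s+rhost=(\S+)(\s+user=(\S*))?/)) {
		my ($ip, $acc) = ($2, $4);
		$ip = _valid_ip($ip) or return;
		return ("Failed FTP login from","$ip|$acc","ftpd");
	}
	if (($config{LF_FTPD}) and ($globlogs{FTPD_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ vsftpd\(pam_unix\)\[\d+\]: authentication failure; logname=\S*\s+\S+\s+\S+\s+\S+\s+ruser=\S*\s+rhost=(\S+)(\s+user=(\S*))?/)) {
		my ($ip, $acc) = ($2, $4);
		$ip = _valid_ip($ip) or return;
		return ("Failed FTP login from","$ip|$acc","ftpd");
	}

	#apache htaccess
	# Apache error-log lines carry "client:port" on 2.4+, hence the port strip.
	if (($config{LF_HTACCESS}) and ($globlogs{HTACCESS_LOG}{$lgfile}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[(\S*:)?error\] (\[pid \d+(:tid \d+)?\] )?\[(client|remote) (\S+)\] (\w+: )?user (\S*)(( not found:)|(: authentication failure for))/)) {
		my ($ip, $acc) = ($5, $7);
		$ip = _valid_ip($ip, 1) or return;
		return ("Failed web page login from","$ip|$acc","htpasswd");
	}
	#nginx
	if (($config{LF_HTACCESS}) and ($globlogs{HTACCESS_LOG}{$lgfile}) and ($line =~ /^\S+ \S+ \[error\] \S+ \*\S+ no user\/password was provided for basic authentication, client: (\S+),/)) {
		my $ip = _valid_ip($1) or return;
		return ("Failed web page login from","$ip|","htpasswd");
	}
	if (($config{LF_HTACCESS}) and ($globlogs{HTACCESS_LOG}{$lgfile}) and ($line =~ /^\S+ \S+ \[error\] \S+ \*\S+ user \"(\S*)\": password mismatch, client: (\S+),/)) {
		my ($ip, $acc) = ($2, $1);
		$ip = _valid_ip($ip) or return;
		return ("Failed web page login from","$ip|$acc","htpasswd");
	}
	if (($config{LF_HTACCESS}) and ($globlogs{HTACCESS_LOG}{$lgfile}) and ($line =~ /^\S+ \S+ \[error\] \S+ \*\S+ user \"(\S*)\" was not found in \".*?\", client: (\S+),/)) {
		my ($ip, $acc) = ($2, $1);
		$ip = _valid_ip($ip) or return;
		return ("Failed web page login from","$ip|$acc","htpasswd");
	}

	#cxs Apache
	# The address must be captured before the [hostname "..."] lookup, which
	# resets $1..$N.
	if (($config{LF_CXS}) and ($globlogs{MODSEC_LOG}{$lgfile}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[(\S*:)?error\] (\[pid \d+(:tid \d+)?\] )?\[client (\S+)\]( \[client \S+\])? (\w+: )?ModSecurity:(( \[[^]]+\])*)? Access denied with code \d\d\d \(phase 2\)\. File \"[^\"]*\" rejected by the approver script \"\/etc\/cxs\/cxscgi\.sh\"/)) {
		my $ip = $4;
		my $domain = "";
		if ($line =~ /\] \[hostname "([^\"]+)"\] \[/) {$domain = $1}
		$ip = _valid_ip($ip, 1) or return;
		return ("cxs mod_security triggered by","$ip||$domain","cxs");
	}
	#cxs Litespeed
	if (($config{LF_CXS}) and ($globlogs{MODSEC_LOG}{$lgfile}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[(\S*:)?error\] (\[pid \d+(:tid \d+)?\] )?\[client (\S+)\]( \[client \S+\])? (\w+: )?ModSecurity:(( \[[^]]+\])*)? Access denied with code \d\d\d, \[Rule: 'FILES_TMPNAMES' '\@inspectFile \/etc\/cxs\/cxscgi\.sh'\] \[id "1010101"\]/)) {
		my $ip = $4;
		my $domain = "";
		if ($line =~ /\] \[hostname "([^\"]+)"\] \[/) {$domain = $1}
		$ip = _valid_ip($ip, 1) or return;
		return ("cxs mod_security triggered by","$ip||$domain","cxs");
	}

	#mod_security v1
	if (($config{LF_MODSEC}) and ($globlogs{MODSEC_LOG}{$lgfile}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[error\] \[client (\S+)\] mod_security: Access denied/)) {
		my $ip = $1;
		my $domain = "";
		if ($line =~ /\] \[hostname "([^\"]+)"\] \[/) {$domain = $1}
		$ip = _valid_ip($ip) or return;
		return ("mod_security triggered by","$ip||$domain","mod_security");
	}

	#mod_security v2 (apache)
	if (($config{LF_MODSEC}) and ($globlogs{MODSEC_LOG}{$lgfile}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[(\S*:)?error\] (\[pid \d+(:tid \d+)?\] )?\[client (\S+)\]( \[client \S+\])? (\w+: )?ModSecurity:(( \[[^]]+\])*)? Access denied/)) {
		my $ip = $4;
		my $domain = "";
		if ($line =~ /\] \[hostname "([^\"]+)"\] \[/) {$domain = $1}
		my $ruleid = "unknown";
		if ($line =~ /\[id "(\d+)"\]/) {$ruleid = $1}
		$ip = _valid_ip($ip, 1) or return;
		return ("mod_security (id:$ruleid) triggered by","$ip||$domain","mod_security");
	}
	#mod_security v2 (nginx)
	if (($config{LF_MODSEC}) and ($globlogs{MODSEC_LOG}{$lgfile}) and ($line =~ /^\S+ \S+ \[\S+\] \S+ \[client (\S+)\] ModSecurity:(( \[[^]]+\])*)? Access denied/)) {
		my $ip = $1;
		my $domain = "";
		if ($line =~ /\] \[hostname "([^\"]+)"\] \[/) {$domain = $1}
		my $ruleid = "unknown";
		if ($line =~ /\[id "(\d+)"\]/) {$ruleid = $1}
		$ip = _valid_ip($ip) or return;
		return ("mod_security (id:$ruleid) triggered by","$ip||$domain","mod_security");
	}

	#BIND
	if (($config{LF_BIND}) and ($globlogs{BIND_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ named\[\d+\]: client( \S+)? (\S+)\#\d+(\s\(\S+\))?\:( view external\:)? (update|zone transfer|query \(cache\)) \'[^\']*\' denied$/)) {
		my $ip = _valid_ip($3) or return;
		return ("bind triggered by","$ip|","bind");
	}

	#suhosin
	# memory_limit alerts are ignored: the line falls through to the remaining
	# patterns instead of being reported.
	if (($config{LF_SUHOSIN}) and ($globlogs{SUHOSIN_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ suhosin\[\d+\]: ALERT - .* \(attacker \'(\S+)\'/)) {
		my $ip = $2;
		if ($line !~ /script tried to increase memory_limit/) {
			$ip = _valid_ip($ip) or return;
			return ("Suhosin triggered by","$ip|","suhosin");
		}
	}

	#cPanel/WHM
	if (($config{LF_CPANEL}) and ($globlogs{CPANEL_LOG}{$lgfile}) and ($line =~ /^\[\S+\s+\S+\s+\S+\] \w+ \[\w+] (\S+) - (\S+) \"[^\"]+\" FAILED LOGIN/)) {
		my ($ip, $acc) = ($1, $2);
		$ip = _valid_ip($ip) or return;
		return ("Failed cPanel login from","$ip|$acc","cpanel");
	}
	if (($config{LF_CPANEL}) and ($globlogs{CPANEL_LOG}{$lgfile}) and ($line =~ /^(\S+) - (\S+)? \[\S+ \S+\] \"[^\"]*\" FAILED LOGIN/)) {
		my ($ip, $acc) = ($1, $2);
		$ip = _valid_ip($ip) or return;
		return ("Failed cPanel login from","$ip|$acc","cpanel");
	}

	#webmin
	if (($config{LF_WEBMIN}) and ($globlogs{WEBMIN_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ webmin\[\d+\]: Invalid login as (\S+) from (\S+)/)) {
		my ($ip, $acc) = ($3, $2);
		$ip = _valid_ip($ip) or return;
		return ("Failed Webmin login from","$ip|$acc","webmin");
	}

	#DirectAdmin
	if (($config{LF_DIRECTADMIN}) and ($globlogs{DIRECTADMIN_LOG}{$lgfile}) and ($line =~ /^\S+ \'(\S+)\' \d+ (failed login attempts\. Account|failed login attempt on account) \'(\S+)\'/)) {
		my ($ip, $acc) = ($1, $3);
		$ip = _valid_ip($ip) or return;
		return ("Failed DirectAdmin login from","$ip|$acc","directadmin");
	}
	if (($config{LF_DIRECTADMIN}) and ($globlogs{DIRECTADMIN_LOG_R}{$lgfile}) and ($line =~ /^\[\S+\s+\S+\s+\S+\]: (<\S+> )?IMAP Error: Login failed for (\S+) (against \S+ )?from (\S+)\. AUTHENTICATE PLAIN: Authentication failed\. in \/var\/www\/html\/roundcubemail/)) {
		my ($ip, $acc) = ($4, $2);
		$ip = _valid_ip($ip) or return;
		return ("Failed DirectAdmin Roundcube login from","$ip|$acc","directadmin");
	}
	if (($config{LF_DIRECTADMIN}) and ($globlogs{DIRECTADMIN_LOG_S}{$lgfile}) and ($line =~ /^\S+\s+\S+ \[LOGIN_ERROR\] (\S+)( \(\S+\))? from (\S+): Unknown user or password incorrect\.\s*$/)) {
		my ($ip, $acc) = ($3, $1);
		$ip = _valid_ip($ip) or return;
		return ("Failed DirectAdmin SquirrelMail login from","$ip|$acc","directadmin");
	}
	#Jun 12 10:58:00 phpmyadmin: user denied: bill (mysql-denied) from 192.168.254.10
	if (($config{LF_DIRECTADMIN}) and ($globlogs{DIRECTADMIN_LOG_P}{$lgfile}) and ($line =~ /^\S+\s+\S+\s+\S+: pma auth user='(\S+)' status='mysql-denied' ip='(\S+)'\s*$/)) {
		my ($ip, $acc) = ($2, $1);
		$ip = _valid_ip($ip) or return;
		return ("Failed DirectAdmin phpMyAdmin login from","$ip|$acc","directadmin");
	}
	if (($config{LF_DIRECTADMIN}) and ($globlogs{DIRECTADMIN_LOG_P}{$lgfile}) and ($line =~ /^\S+\s+\S+\s+\S+ phpmyadmin: user denied: (\S+) \(mysql-denied\) from (\S+)\s*$/)) {
		my ($ip, $acc) = ($2, $1);
		$ip = _valid_ip($ip) or return;
		return ("Failed DirectAdmin phpMyAdmin login from","$ip|$acc","directadmin");
	}

	#Exim SMTP AUTH
	if (($config{LF_SMTPAUTH}) and ($globlogs{SMTPAUTH_LOG}{$lgfile}) and ($line =~ /^\S+\s+\S+\s+(\[\d+\] )?(\S+) authenticator failed for \S+ (\S+ )?\[(\S+)\](:\S*:?)?( I=\S+| \d+\:)? 535 Incorrect authentication data( \(set_id=(\S+)\))?/)) {
		my ($ip, $acc) = ($4, $8);
		$ip = _valid_ip($ip) or return;
		return ("Failed SMTP AUTH login from","$ip|$acc","smtpauth");
	}

	#Exim Syntax Errors
	if (($config{LF_EXIMSYNTAX}) and ($globlogs{SMTPAUTH_LOG}{$lgfile}) and ($line =~ /^\S+\s+\S+\s+(\[\d+\] )?SMTP call from (\S+ )?\[(\S+)\](:\S*:?)?( I=\S+)? dropped: too many syntax or protocol errors/)) {
		my $ip = _valid_ip($3) or return;
		return ("Exim syntax errors from","$ip|","eximsyntax");
	}
	if (($config{LF_EXIMSYNTAX}) and ($globlogs{SMTPAUTH_LOG}{$lgfile}) and ($line =~ /^\S+\s+\S+\s+(\[\d+\] )?SMTP protocol error in \"[^\"]+\" H=\S+ (\S+ )?\[(\S+)\](:\S*:?)?( I=\S+)? AUTH command used when not advertised/)) {
		my $ip = _valid_ip($3) or return;
		return ("Exim syntax errors from","$ip|","eximsyntax");
	}

	#mod_qos
	if (($config{LF_QOS}) and ($globlogs{HTACCESS_LOG}{$lgfile}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[(\S*:)?error\] (\[pid \d+(:tid \d+)?\] )?\[client (\S+)\] (\w+: )?mod_qos\(\d+\): access denied,/)) {
		my $ip = _valid_ip($4, 1) or return;
		return ("mod_qos triggered by","$ip|","mod_qos");
	}

	#Apache symlink race condition
	# Hits on the cPanel suspended-page CGI are ignored and fall through.
	if (($config{LF_SYMLINK}) and ($globlogs{MODSEC_LOG}{$lgfile}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[(\S*:)?error\] (\[pid \d+(:tid \d+)?\] )?\[client (\S+)\] (\w+: )?Caught race condition abuser/)) {
		my $ip = $4;
		if ($line !~ /\/cgi-sys\/suspendedpage\.cgi$/) {
			$ip = _valid_ip($ip, 1) or return;
			return ("symlink race condition triggered by","$ip|","symlink");
		}
	}

	#courier-imap (Plesk)
	if (($config{LF_POP3D}) and ($globlogs{POP3D_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ (courier-)?pop3(?:d|s)(-ssl)?(\[\d+\])?: LOGIN FAILED, user=(\S*), ip=\[(\S+)\]\s*$/)) {
		my ($ip, $acc) = ($6, $5);
		$ip = _valid_ip($ip) or return;
		return ("Failed POP3 login from","$ip|$acc","pop3d");
	}
	if (($config{LF_IMAPD}) and ($globlogs{IMAPD_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ (courier-)?imap(?:d|s)(-ssl)?(\[\d+\])?: LOGIN FAILED, user=(\S*), ip=\[(\S+)\]\s*$/)) {
		my ($ip, $acc) = ($6, $5);
		$ip = _valid_ip($ip) or return;
		return ("Failed IMAP login from","$ip|$acc","imapd");
	}

	#Qmail SMTP AUTH (Plesk)
	if (($config{LF_SMTPAUTH}) and ($globlogs{SMTPAUTH_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ smtp_auth(?:\[\d+\])?: FAILED: (\S*) - password incorrect from \S+ \[(\S+)\]\s*$/)) {
		my ($ip, $acc) = ($3, $2);
		$ip = _valid_ip($ip) or return;
		return ("Failed SMTP AUTH login from","$ip|$acc","smtpauth");
	}

	#Postfix SMTP AUTH (Plesk)
	# No account is logged for SASL failures, so the detail field is the bare IP.
	if (($config{LF_SMTPAUTH}) and ($globlogs{SMTPAUTH_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ postfix\/(submission\/)?smtpd(?:\[\d+\])?: warning: \S+\[(\S+)\]: SASL (?:(?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed/)) {
		my $ip = _valid_ip($3) or return;
		return ("Failed SMTP AUTH login from","$ip","smtpauth");
	}

	#InterWorx (dovecot, proftpd, qmail)
	if (($config{LF_POP3D}) and ($globlogs{POP3D_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) pop3-login(\[\d+\])?: Info: (Aborted login|Disconnected|Disconnected: Inactivity)( \(auth failed, \d+ attempts( in \d+ secs)?\))?: (user=(<\S*>)?, )?(method=\S+, )?rip=(\S+), lip=/)) {
		my ($ip, $acc) = ($9, $7);
		$acc = "" unless defined $acc;
		$acc =~ s/^<|>$//g;
		$ip = _valid_ip($ip) or return;
		return ("Failed POP3 login from","$ip|$acc","pop3d");
	}
	if (($config{LF_IMAPD}) and ($globlogs{IMAPD_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) imap-login(\[\d+\])?: Info: (Aborted login|Disconnected|Disconnected: Inactivity)( \(auth failed, \d+ attempts( in \d+ secs)?\))?: (user=(<\S*>)?, )?(method=\S+, )?rip=(\S+), lip=/)) {
		my ($ip, $acc) = ($9, $7);
		$acc = "" unless defined $acc;
		$acc =~ s/^<|>$//g;
		$ip = _valid_ip($ip) or return;
		return ("Failed IMAP login from","$ip|$acc","imapd");
	}
	if (($config{LF_FTPD}) and ($globlogs{FTPD_LOG}{$lgfile}) and ($line =~ /^\S+ \S+ \S+ proftpd\[\d+\]:? \S+ \(\S+?[^\[]+\[(\S+)\]\)( -)?:? USER (\S*): no such user found from/)) {
		my ($ip, $acc) = ($1, $3);
		$acc =~ s/:$//g;
		$ip = _valid_ip($ip) or return;
		return ("Failed FTP login from","$ip|$acc","ftpd");
	}
	if (($config{LF_FTPD}) and ($globlogs{FTPD_LOG}{$lgfile}) and ($line =~ /^\S+ \S+ \S+ proftpd\[\d+\]:? \S+ \(\S+?[^\[]+\[(\S+)\]\)( -)?:? USER (\S*) \(Login failed\): Incorrect password/)) {
		my ($ip, $acc) = ($1, $3);
		$acc =~ s/:$//g;
		$ip = _valid_ip($ip) or return;
		return ("Failed FTP login from","$ip|$acc","ftpd");
	}
	if (($config{LF_SMTPAUTH}) and ($globlogs{SMTPAUTH_LOG}{$lgfile}) and ($line =~ /^\S+ qmail-smtpd\[\d+\]: AUTH failed \[(\S+)\] (\S+)/)) {
		my ($ip, $acc) = ($1, $2);
		$ip = _valid_ip($ip) or return;
		return ("Failed SMTP AUTH login from","$ip|$acc","smtpauth");
	}
	# NOTE(review): this pattern accepts any line with five whitespace-separated
	# fields, so it relies entirely on INTERWORX_LOG pointing at the dedicated
	# InterWorx failure log; "NW" in the third field marks NodeWorx.
	if (($config{LF_INTERWORX}) and ($globlogs{INTERWORX_LOG}{$lgfile}) and ($line =~ /^\S+ \S+ (\S+) (\S+) (\S+)/)) {
		my ($panel, $ip, $acc) = ($1, $2, $3);
		my $iw = $panel eq "NW" ? "NodeWorx" : "SiteWorx";
		$ip = _valid_ip($ip) or return;
		return ("Failed $iw login from","$ip|$acc","interworx");
	}

	# CWP
	if (($config{LF_CWP}) and ($globlogs{CWP_LOG}{$lgfile}) and ($line =~ /^\S+\s+\S+\s+(\S+)\s+Failed Login from:\s+(\S+) on:/)) {
		my ($ip, $acc) = ($2, $1);
		$ip = _valid_ip($ip) or return;
		return ("Failed CWP login from","$ip|$acc","cwp");
	}
	# VestaCP
	if (($config{LF_VESTA}) and ($globlogs{VESTA_LOG}{$lgfile}) and ($line =~ /^\S+\s+\S+\s+(\S+)\s+(\S+) failed to login/)) {
		my ($ip, $acc) = ($2, $1);
		$ip = _valid_ip($ip) or return;
		return ("Failed VestaCP login from","$ip|$acc","vesta");
	}

	# Nothing matched. Return an explicit empty list rather than the value of
	# the last failed condition.
	return;
}

# Normalise and validate an address captured from a log line.
#
# Strips the IPv4-mapped IPv6 prefix ("::ffff:1.2.3.4" -> "1.2.3.4") and, when
# $strip_port is true and LF_APACHE_ERRPORT is 2 (Apache 2.4+ writes
# "client:port" in its error log), a trailing ":port". checkip() is handed a
# reference and may rewrite the value, so the address it leaves behind is what
# is returned. Returns an empty list when the address is missing or fails
# checkip().
sub _valid_ip {
	my ($ip, $strip_port) = @_;
	return unless defined $ip;
	$ip =~ s/^::ffff://;
	if ($strip_port and $config{LF_APACHE_ERRPORT} == 2 and $ip =~ /(.*):\d+$/) {$ip = $1}
	return $ip if checkip(\$ip);
	return;
}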
# end processline
###############################################################################
# start processloginline
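# Recognise a SUCCESSFUL POP3/IMAP login (used for login tracking, LT_*).
#
# $line is the raw log line. The patterns are tried in order and the first
# match decides; each entry is gated by its own LT_POP3D / LT_IMAPD setting.
#
# Returns ($app, $account, $ip) for the first matching pattern, where $ip is
# the address as left by checkip(). Returns an empty list when nothing matched
# or when the matched address failed checkip() -- remaining patterns are not
# tried in that case (the original first-match behaviour). The end of the sub
# is now an explicit `return;` instead of falling off the last `if`, which
# previously returned the value of its failed condition.
sub processloginline {
	my $line = shift;

	# [ config key, app name, pattern, capture number of the account, capture
	#   number of the address ]
	my @patterns = (
		#courier-imap
		[ "LT_POP3D", "pop3d", qr/^(\S+|\S+\s+\d+\s+\S+) \S+ pop3d(-ssl)?: LOGIN, user=(\S*), ip=\[(\S+)\], port=\S+/, 3, 4 ],
		[ "LT_IMAPD", "imapd", qr/^(\S+|\S+\s+\d+\s+\S+) \S+ imapd(-ssl)?: LOGIN, user=(\S*), ip=\[(\S+)\], port=\S+/, 3, 4 ],
		#dovecot
		[ "LT_POP3D", "pop3d", qr/^(\S+|\S+\s+\d+\s+\S+) \S+ dovecot(\[\d+\])?: pop3-login: Login: user=<(\S*)>, method=\S+, rip=(\S+), lip=/, 3, 4 ],
		[ "LT_IMAPD", "imapd", qr/^(\S+|\S+\s+\d+\s+\S+) \S+ dovecot(\[\d+\])?: imap-login: Login: user=<(\S*)>, method=\S+, rip=(\S+), lip=/, 3, 4 ],
		#InterWorx (dovecot)
		[ "LT_POP3D", "pop3d", qr/^(\S+|\S+\s+\d+\s+\S+) pop3-login: Info: Login: user=<(\S*)>, method=\S+, rip=(\S+), lip=/, 2, 3 ],
		[ "LT_IMAPD", "imapd", qr/^(\S+|\S+\s+\d+\s+\S+) imap-login: Info: Login: user=<(\S*)>, method=\S+, rip=(\S+), lip=/, 2, 3 ],
	);

	foreach my $entry (@patterns) {
		my ($key, $app, $re, $acc_idx, $ip_idx) = @{$entry};
		next unless $config{$key};
		# list-context match: empty list on failure, the captures otherwise
		my @cap = ($line =~ $re);
		next unless @cap;
		my $acc = $cap[$acc_idx - 1];
		my $ip = $cap[$ip_idx - 1];
		$ip =~ s/^::ffff://;
		return unless checkip(\$ip);
		return ($app, $acc, $ip);
	}
	return;
}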
# end processloginline
###############################################################################
# start processsshline
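sub processsshline {
	my $line = shift;

	# Successful sshd login ("Accepted <method> for <user> from <ip> port N").
	# Returns (account, ip, method) when LF_SSH_EMAIL_ALERT is set and the
	# address passes checkip(); otherwise an empty list.
	return unless $config{LF_SSH_EMAIL_ALERT};

	if ($line =~ /^(\S+|\S+\s+\d+\s+\S+) (\S+ )?sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \S+/) {
		my ($how, $acc, $ip) = ($3, $4, $5);
		$ip =~ s/^::ffff://;    # drop the IPv4-mapped IPv6 prefix
		if (checkip(\$ip)) {return ($acc,$ip,$how)}
	}

	# Explicit empty return so a non-matching line never yields the
	# failed condition's value to a list-context caller.
	return;
}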
# end processsshline
###############################################################################
# start processsuline
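sub processsuline {
	my $line = shift;

	# Recognise su session-open and authentication-failure records and
	# return (target user, invoking user, "Successful login"|"Failed login").
	# Nothing is returned unless LF_SU_EMAIL_ALERT is enabled.
	#
	# Two syslog tag layouts are handled: "su[pid]: pam_unix(su:...)" and
	# the older "su(pam_unix)[pid]:".  The original code carried a second,
	# byte-identical copy of the first pair of patterns; it could never
	# match when the first pair did not and has been dropped.  The
	# "ruser=(\S+)+" capture has been simplified to "ruser=(\S+)": the
	# nested quantifier matched the same text with the same capture but
	# invited needless backtracking on long tokens.
	return unless $config{LF_SU_EMAIL_ALERT};

	#RH + Debian/Ubuntu
	if ($line =~ /^(\S+|\S+\s+\d+\s+\S+) (\S+ )?su(\[\d+\])?: pam_unix\(su(-l)?:session\): session opened for user\s+(\S+)\s+by\s+(\S+)\s*$/) {
		return ($5,$6,"Successful login");
	}
	if ($line =~ /^(\S+|\S+\s+\d+\s+\S+) (\S+ )?su(\[\d+\])?: pam_unix\(su(-l)?:auth\): authentication failure; logname=\S*\s+\S+\s+\S+\s+\S+\s+ruser=(\S+)\s+\S+\s+user=(\S+)\s*$/) {
		return ($6,$5,"Failed login");
	}

	#older "su(pam_unix)[pid]" tag
	if ($line =~ /^(\S+|\S+\s+\d+\s+\S+) (\S+ )?su\(pam_unix\)\[\d+\]: session opened for user\s+(\S+)\s+by\s+(\S+)\s*$/) {
		return ($3,$4,"Successful login");
	}
	if ($line =~ /^(\S+|\S+\s+\d+\s+\S+) (\S+ )?su\(pam_unix\)\[\d+\]: authentication failure; logname=\S*\s+\S+\s+\S+\s+\S+\s+ruser=(\S+)\s+\S+\s+user=(\S+)\s*$/) {
		return ($4,$3,"Failed login");
	}
	return;
}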
# end processsuline
###############################################################################
# start processsudoline
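sub processsudoline {
	my $line = shift;

	# Recognise sudo authentication failures and sudo's own command
	# records and return (target user, invoking user, status) where
	# status is "Successful login" or "Failed login".  Nothing is returned
	# unless LF_SUDO_EMAIL_ALERT is enabled.
	#
	# "ruser=(\S+)+" has been simplified to "ruser=(\S+)": identical match
	# and capture, without the redundant nested quantifier.
	return unless $config{LF_SUDO_EMAIL_ALERT};

	# pam_unix authentication failures, two syslog tag layouts
	if ($line =~ /^(\S+|\S+\s+\d+\s+\S+) (\S+ )?sudo(\[\d+\])?: pam_unix\(sudo(-l)?:auth\): authentication failure; logname=\S*\s+\S+\s+\S+\s+\S+\s+ruser=(\S+)\s+\S+\s+user=(\S+)\s*$/) {
		return ($6,$5,"Failed login");
	}
	if ($line =~ /^(\S+|\S+\s+\d+\s+\S+) (\S+ )?sudo\(pam_unix\)\[\d+\]: authentication failure; logname=\S*\s+\S+\s+\S+\s+\S+\s+ruser=(\S+)\s+\S+\s+user=(\S+)\s*$/) {
		return ($4,$3,"Failed login");
	}

	# sudo's "<invoker> : TTY=... ; PWD=... ; USER=... ; COMMAND=..." record,
	# or the "<invoker> : user NOT in sudoers ; TTY=... ; PWD=... ; USER=..." refusal
	if ($line =~ /^(\S+|\S+\s+\d+\s+\S+) (\S+ )?sudo(\[\d+\])?:\s+(\S+)\s+:\s+(.*)$/) {
		my $from  = $4;
		my @items = split(/\s+;\s+/, $5);
		# guard the index lookups: a truncated record must not raise
		# an undefined-value match rather than simply not matching
		if ($items[0] =~ /^TTY/) {
			if (defined $items[2] and $items[2] =~ /^USER=(\S+)$/) {
				return ($1,$from,"Successful login");
			}
		}
		elsif ($items[0] =~ /^user NOT in sudoers/) {
			if (defined $items[3] and $items[3] =~ /^USER=(\w+)$/) {
				return ($1,$from,"Failed login");
			}
		}
	}
	return;
}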
# end processsudoline
###############################################################################
# start processconsoleline
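sub processconsoleline {
	my $line = shift;

	# True (1) for a console "login[pid]: ROOT LOGIN ..." record when
	# LF_CONSOLE_EMAIL_ALERT is enabled; otherwise an explicit empty
	# return rather than the value of the failed condition.
	return unless $config{LF_CONSOLE_EMAIL_ALERT};
	return 1 if $line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ login(\[\d+\])?: ROOT LOGIN/;
	return;
}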
# end processconsoleline
###############################################################################
# start processcpanelline
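sub processcpanelline {
	my $line = shift;

	# cPanel access log entry of the form
	#   IP - user [date] "request" 200 ...
	# Only status-200 entries are reported.  Returns (ip, account) when
	# LF_CPANEL_ALERT is enabled and the address passes checkip();
	# otherwise an empty list.
	return unless $config{LF_CPANEL_ALERT};

	if ($line =~ /^(\S+)\s+\-\s+(\w+)\s+\[[^\]]+\]\s\"[^\"]+\"\s200\s/) {
		my ($ip, $acc) = ($1, $2);
		$ip =~ s/^::ffff://;    # drop the IPv4-mapped IPv6 prefix
		if (checkip(\$ip)) {return ($ip,$acc)}
	}
	return;
}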
# end processcpanelline
###############################################################################
# start processwebminline
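sub processwebminline {
	my $line = shift;

	# Webmin "Successful login as USER from IP" syslog record.
	# Returns (account, ip) when LF_WEBMIN_EMAIL_ALERT is enabled and the
	# address passes checkip(); otherwise an empty list.
	return unless $config{LF_WEBMIN_EMAIL_ALERT};

	if ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ webmin\[\d+\]: Successful login as (\S+) from (\S+)/) {
		my ($acc, $ip) = ($2, $3);
		$ip =~ s/^::ffff://;    # drop the IPv4-mapped IPv6 prefix
		if (checkip(\$ip)) {return ($acc,$ip)}
	}
	return;
}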
# end processwebminline
###############################################################################
# start scriptlinecheck
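sub scriptlinecheck {
	my $line = shift;

	# Extract the working directory of a locally submitted message from a
	# mail log line and return it when it looks like a user's home
	# directory; nothing is returned otherwise or when LF_SCRIPT_ALERT is
	# off.  Two line shapes are understood: "cwd=/path N args:" and
	# "... H=localhost ... PWD=/path  REMOTE_ADDR=...".
	return unless $config{LF_SCRIPT_ALERT};

	my $fulldir;
	if ($line =~ /^\S+\s+\S+\s+(\[\d+\]\s)?cwd=(.*) \d+ args:/) {$fulldir = $2}
	elsif ($line =~ /^\S+\s+\S+\s+(\[\d+\]\s)?\S+ H=localhost (.*)PWD=(.*)  REMOTE_ADDR=\S+$/) {$fulldir = $3}
	return unless defined $fulldir and $fulldir ne "";

	# Top-level path component: split on "/" gives ("", "home", ...) for "/home/..."
	my (undef,$dir,undef) = split(/\//,$fulldir);
	$dir = "" unless defined $dir;

	return $fulldir if $dir eq "home";
	# HOMEDIR (from /etc/wwwacct.conf) is a literal path, so quote it
	# before interpolating into the pattern - a "." or other metacharacter
	# in the path must not widen the prefix match
	return $fulldir if $cpconfig{HOMEDIR} and $fulldir =~ /^\Q$cpconfig{HOMEDIR}\E/;
	# HOMEMATCH is applied as a pattern to the top-level directory name
	# (kept as in the original; presumably intended as a substring match)
	return $fulldir if $cpconfig{HOMEMATCH} and $dir =~ /$cpconfig{HOMEMATCH}/;
	return;
}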
# end scriptlinecheck
###############################################################################
# start relaycheck
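sub relaycheck {
	my $line = shift;

	# Classify an exim message-arrival ("<=") log line and return
	# (who, kind) where kind is "LOCALRELAY" (who = local user),
	# "AUTHRELAY" (who = authenticated client ip) or "RELAY" (who = ip of
	# an unauthenticated SMTP client).  Empty list for anything else.

	# Blank out quoted text before looking for fields so that message
	# content cannot pose as an H= or P= token
	my $tline = $line;
	$tline =~ s/".*"/""/g;

	return unless $tline =~ /^\S+\s+\S+\s+(\[\d+\]\s)?\S+ <=/;

	#exim: locally submitted mail is attributed to the submitting user
	if ($tline =~ / U=(\S+) P=local /) {
		return ($1, "LOCALRELAY");
	}

	# Remote submission: the sending host's address.  Loopback is
	# accepted here even though checkip() may not pass it.
	return unless $tline =~ / H=[^=]*\[(\S+)\]/;
	my $ip = $1;
	return unless (checkip(\$ip) or $ip eq "127.0.0.1" or $ip eq "::1");

	# Authenticated submission over (E)SMTP(S)
	if (($tline =~ / A=(courier_plain|courier_login|dovecot_plain|dovecot_login|fixed_login|fixed_plain|login|plain):/) and ($tline =~ / P=(esmtpa|esmtpsa) /)) {
		return ($ip, "AUTHRELAY");
	}

	# Unauthenticated relay over SMTP/ESMTP(S)
	if ($tline =~ / P=(smtp|esmtp|esmtps) /) {
		return ($ip, "RELAY");
	}

	# Explicit empty return (the unused @bits split from the original has
	# also been removed)
	return;
}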
# end relaycheck
###############################################################################
# start pslinecheck
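sub pslinecheck {
	my $line = shift;

	# Port-scan tracking: turn a kernel "Firewall:" drop record into
	# (source ip, destination port).  For ICMP the protocol name is
	# returned in the port slot.  Returns an empty list for lines that
	# are not of interest, filtered out by PS_PORTS, or whose address
	# fails checkip().

	# Only kernel log entries written by the csf "Firewall:" logging rules
	if ($line !~ /^(\S+|\S+\s+\d+\s+\S+) \S+ kernel:\s(\[[^\]]+\]\s)?Firewall:/) {return}
	# *INVALID* state drops are only counted when PS_PORTS asks for them
	if ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ kernel:\s(\[[^\]]+\]\s)?Firewall: \*INVALID\*/ and $config{PS_PORTS} !~ /INVALID/) {return}

	if ($line =~ /IN=\S+.*SRC=(\S+).*DST=(\S+).*PROTO=(\w+).*DPT=(\d+)/) {
		my ($ip, $dst, $proto, $port) = ($1, $2, $3, $4);
		$ip =~ s/^::ffff://;    # drop the IPv4-mapped IPv6 prefix

		# UDP to a broadcast address that is not one of this host's own
		# addresses is ignored unless PS_PORTS contains BRD
		if ($config{PS_PORTS} !~ /BRD/ and $proto eq "UDP" and $brd{$dst} and !$ips{$dst}) {return}

		# Unless PS_PORTS contains OPEN, a blocked packet aimed at a port
		# that is deliberately open (TCP_IN / UDP_IN) is not a scan
		if ($config{PS_PORTS} !~ /OPEN/) {
			if ($proto eq "TCP" and $line =~ /kernel:\s(\[[^\]]+\]\s)?Firewall: \*TCP_IN Blocked\*/) {
				if (_port_in_list($port, $config{TCP_IN})) {
					if ($config{DEBUG} >= 1) {ConfigServer::Logger::logfile("debug: *Port Scan* ignored TCP_IN port: $ip:$port")}
					return;
				}
			}
			elsif ($proto eq "UDP" and $line =~ /kernel:\s(\[[^\]]+\]\s)?Firewall: \*UDP_IN Blocked\*/) {
				if (_port_in_list($port, $config{UDP_IN})) {
					if ($config{DEBUG} >= 1) {ConfigServer::Logger::logfile("debug: *Port Scan* ignored UDP_IN port: $ip:$port")}
					return;
				}
			}
		}
		if (checkip(\$ip)) {return ($ip,$port)} else {return}
	}

	# ICMP: no destination port, so the protocol name stands in for it.
	# NOTE(review): "PROTO=(ICMP)" is not anchored and also matches
	# "PROTO=ICMPv6", so the ICMPv6 branch below is effectively not
	# reached; kept as in the original so the returned value does not change.
	if ($line =~ /IN=\S+.*SRC=(\S+).*PROTO=(ICMP)/) {
		my ($ip, $port) = ($1, $2);
		$ip =~ s/^::ffff://;
		if (checkip(\$ip)) {return ($ip,$port)} else {return}
	}
	if ($line =~ /IN=\S+.*SRC=(\S+).*PROTO=(ICMPv6)/) {
		my ($ip, $port) = ($1, $2);
		$ip =~ s/^::ffff://;
		if (checkip(\$ip)) {return ($ip,$port)} else {return}
	}
	return;
}

# True (1) when $port equals an entry of, or lies within a "start:end"
# range in, the comma-separated port list $list (TCP_IN / UDP_IN
# syntax); 0 otherwise.  Shared by the TCP and UDP branches of
# pslinecheck, which previously carried two copies of this loop.
sub _port_in_list {
	my ($port, $list) = @_;
	foreach my $entry (split(/\,/, $list)) {
		if ($entry =~ /\:/) {
			my ($start, $end) = split(/\:/, $entry);
			return 1 if $port >= $start and $port <= $end;
		}
		elsif ($port == $entry) {
			return 1;
		}
	}
	return 0;
}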
# end pslinecheck
###############################################################################
# start uidlinecheck
sub uidlinecheck {
	my $line = shift;

	# Only kernel log entries carrying the csf "Firewall:" prefix
	my $is_firewall_entry = $line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ kernel(\[\d+\])?:\s(\[[^\]]+\]\s)?Firewall:/;
	return unless $is_firewall_entry;

	# Outbound (OUT=iface) packet: report the destination port and the
	# UID that owned the socket, so a blocked outgoing connection can be
	# tied back to a local account
	if ($line =~ /OUT=\S+.*DPT=(\S+).*UID=(\d+)/) {
		my ($dport, $uid) = ($1, $2);
		return ($dport, $uid);
	}
	return;
}
# end uidlinecheck
###############################################################################
# start portknockingcheck
sub portknockingcheck {
	my $line = shift;

	# Only kernel "Knock: *N_IN*" entries written by the csf
	# port-knocking rules
	my $knock_re = qr/^(\S+|\S+\s+\d+\s+\S+) \S+ kernel(\[\d+\])?:\s(\[[^\]]+\]\s)?Knock: \*\d+_IN\*/;
	return unless $line =~ $knock_re;

	# Source address and knocked port; the address must pass checkip()
	my ($ip, $port) = ($line =~ /SRC=(\S+).*DPT=(\d+)/);
	return unless defined $port;
	$ip =~ s/^::ffff://;    # drop the IPv4-mapped IPv6 prefix
	return unless checkip(\$ip);
	return ($ip, $port);
}
# end portknockingcheck
###############################################################################
# start processdistftpline
sub processdistftpline {
	my $line = shift;

	# Successful FTP login records from the supported daemons.  Each entry
	# is [ pattern, index of the ip capture, index of the account capture ]
	# (0-based positions in the capture list).
	my @formats = (
		#pure-ftpd
		[ qr/^(\S+|\S+\s+\d+\s+\S+) \S+ pure-ftpd(\[\d+\])?: \(\?\@(\S+)\) \[INFO\] (\S*) is now logged in$/, 2, 3 ],
		#proftpd
		[ qr/^(\S+|\S+\s+\d+\s+\S+) \S+ proftpd\[\d+\]: \S+ \([^\[]+\[(\S+)\]\) - USER (\S*): Login successful\.\s*$/, 1, 2 ],
		#InterWorx proftpd
		[ qr/^\S+ \S+ \S+ proftpd\[\d+\]:? \S+ \(\S+?[^\[]+\[(\S+)\]\)( -)?:? USER (\S*): Login successful/, 0, 2 ],
	);

	foreach my $format (@formats) {
		my ($re, $ip_idx, $acc_idx) = @$format;
		my @caps = ($line =~ $re);
		next unless @caps;

		my $ip  = $caps[$ip_idx];
		my $acc = $caps[$acc_idx];
		$ip =~ s/^::ffff://;    # drop the IPv4-mapped IPv6 prefix

		# (ip, account) only when the address passes checkip()
		if (checkip(\$ip)) {return ($ip, $acc)} else {return}
	}
	return;
}
# end processdistftpline
###############################################################################
# start processdistsmtpline
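sub processdistsmtpline {
	my $line = shift;
	my $ip;

	# Authenticated SMTP submission from a remote client: returns
	# (ip, account) for postfix, InterWorx qmail and exim records, or an
	# empty list.  The unused @bits split from the original is gone.

	#postfix - loopback clients are deliberately not reported
	if ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ postfix\/(submission\/)?smtpd(?:\[\d+\])?: \w+: client=\S+\[(\S+)\], sasl_method=(?:(?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5), sasl_username=(\S+)$/) {
		$ip = $3;
		my $account = $4;
		$ip =~ s/^::ffff://;    # drop the IPv4-mapped IPv6 prefix
		if (checkip(\$ip) and $ip ne "127.0.0.1" and $ip ne "::1") {return ($ip,$account)}
		return;
	}

	#InterWorx qmail - loopback clients are deliberately not reported
	if ($line =~ /^\S+ qmail-smtpd\[\d+\]: AUTH successful \[(\S+)\] (\S+)/) {
		$ip = $1;
		my $account = $2;
		$ip =~ s/^::ffff://;
		if (checkip(\$ip) and $ip ne "127.0.0.1" and $ip ne "::1") {return ($ip,$account)}
		return;
	}

	#exim
	# Blank out quoted text so message content cannot pose as a log
	# field, then only consider message-arrival ("<=") records
	my $tline = $line;
	$tline =~ s/".*"/""/g;
	return unless $tline =~ /^\S+\s+\S+\s+(\[\d+\]\s)?\S+ <=/;

	# Local submissions are not remote logins
	return if $tline =~ / U=(\S+) P=local /;

	# Sending host's address.  Unlike the postfix/qmail branches above,
	# loopback is accepted here (kept as in the original).
	return unless $tline =~ / H=[^=]*\[(\S+)\]/;
	$ip = $1;
	return unless (checkip(\$ip) or $ip eq "127.0.0.1" or $ip eq "::1");

	# Authenticated (A=...) submission over esmtpa/esmtpsa
	if (($tline =~ / A=(courier_plain|courier_login|dovecot_plain|dovecot_login|fixed_login|fixed_plain|login|plain):(\S+)/)) {
		my $account = $2;
		if (($tline =~ / P=(esmtpa|esmtpsa) /)) {return ($ip, $account)}
	}
	return;
}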
# end processdistsmtpline
###############################################################################
# start loginline404
sub loginline404 {
	my $line = shift;

	# Apache error_log "File does not exist" entry (2.2 and 2.4 layouts,
	# optional "[pid N[:tid M]]" field); the client address is capture 5
	my @caps = ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[(\S*:)?(error|info)\] (\[pid \d+(:tid \d+)?\] )?\[client (\S+)\] (\w+: )?File does not exist\:/);
	return unless @caps;

	my $ip = $caps[4];
	$ip =~ s/^::ffff://;    # drop the IPv4-mapped IPv6 prefix
	# With LF_APACHE_ERRPORT set to 2 the [client ...] field is "IP:PORT":
	# strip the trailing port.  NOTE(review): an unbracketed IPv6 address
	# without a port would also lose its last group here; presumably
	# checkip() then rejects it - confirm against checkip.
	if ($config{LF_APACHE_ERRPORT} == 2 and $ip =~ /(.*):\d+$/) {$ip = $1}

	return checkip(\$ip) ? ($ip) : ();
}
# end loginline404
###############################################################################
# start loginline403
sub loginline403 {
	my $line = shift;

	# Apache error_log "client denied by server configuration" entry;
	# returns (ip) when the client address passes checkip()
	return unless $line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[(\S*:)?error\] (\[pid \d+(:tid \d+)?\] )?\[client (\S+)\] (\w+: )?client denied by server configuration\:/;
	my $ip = $4;
	$ip =~ s/^::ffff://;    # drop the IPv4-mapped IPv6 prefix

	# LF_APACHE_ERRPORT == 2 means the log records "IP:PORT"; drop the port
	if ($config{LF_APACHE_ERRPORT} == 2 and $ip =~ /(.*):\d+$/) {$ip = $1}

	return unless checkip(\$ip);
	return ($ip);
}
# end loginline403
###############################################################################
# start loginline401
sub loginline401 {
	my $line = shift;

	# Apache error_log authentication-failure entries ("user X not found",
	# "authentication failure for ..."); the client address is capture 4
	my $client_re = qr/^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[(\S*:)?error\] (\[pid \d+(:tid \d+)?\] )?\[client (\S+)\] (\w+: )?(user  not found|user \w+ not found|user \w+: authentication failure for "\/\w+\/")\:/;
	my $ip = ($line =~ $client_re)[3];
	return unless defined $ip;

	$ip =~ s/^::ffff://;    # drop the IPv4-mapped IPv6 prefix
	# LF_APACHE_ERRPORT == 2 means the log records "IP:PORT"; drop the port
	if ($config{LF_APACHE_ERRPORT} == 2 and $ip =~ /(.*):\d+$/) {$ip = $1}

	if (checkip(\$ip)) {
		return ($ip);
	}
	return;
}
# end loginline401
###############################################################################
# start statscheck
sub statscheck {
	my $line = shift;

	# True (1) for kernel log entries produced by the csf "Firewall:" or
	# "Knock:" logging rules, which are the lines the statistics consume
	my $kernel_rule_re = qr/^(\S+|\S+\s+\d+\s+\S+) \S+ kernel:\s(\[[^\]]+\]\s)?(Firewall|Knock):/;
	return 1 if $line =~ $kernel_rule_re;
	return;
}
# end statscheck
###############################################################################
# start syslogcheckline
sub syslogcheckline {
	my ($line, $syslogcheckcode) = @_;

	# Match an "lfd[pid]: SYSLOG check [code]" record and return 1 only
	# when the bracketed token equals $syslogcheckcode (presumably the
	# token lfd itself wrote, so that a stale or foreign entry does not
	# pass); otherwise an empty return
	my (undef, $seen) = ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ lfd\[\d+\]: SYSLOG check \[(\S+)\]\s*$/) or return;
	return 1 if $seen eq $syslogcheckcode;
	return;
}
# end syslogcheckline
###############################################################################

1;
