Vesta Control Panel - Forum

asdcxz wrote:Hi,

the url is not working, could you recheck the original post.

Thanks

jonn wrote:Share customlog entry to block failed vestacp login attempts.

on debian 7

open. /etc/csf/regex.custom.pm
add after # "1" = n/temporary (n = number of seconds ...

Code: Select all

#vestacp
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+\s+\S+\s+\S+\s+\S+\s+failed to login/)) {
  return ("Failed vestacp control-panel login from",$1,"VESTAloginAttempt","5","8083","60");
}

"5" is count of failed logins
"8083" the port to block
"60" how long to deny (60 is 1 minute) so change to what you want, or 1 for permanent.

open /etc/csf/csf.conf
add where you find CUSTOM1_LOG

Code: Select all

CUSTOM1_LOG = "/var/log/vesta/auth.log"

dont block yourself, keep the deny time to low for testing
if you change regex a little, please share changes..
and any other csf customlog blocking that may be helpful to all of us related only to vestacp control panel...
dont forget to add your OS

#vestacp
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /.*/)) {
  return ("Failed vestacp control-panel login from",$1,"VESTAloginAttempt","5","8083","60");
}

moucho wrote:

jonn wrote:Share customlog entry to block failed vestacp login attempts.

on debian 7

open. /etc/csf/regex.custom.pm
add after # "1" = n/temporary (n = number of seconds ...

Code: Select all

#vestacp
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+\s+\S+\s+\S+\s+\S+\s+failed to login/)) {
  return ("Failed vestacp control-panel login from",$1,"VESTAloginAttempt","5","8083","60");
}

"5" is count of failed logins
"8083" the port to block
"60" how long to deny (60 is 1 minute) so change to what you want, or 1 for permanent.

open /etc/csf/csf.conf
add where you find CUSTOM1_LOG

Code: Select all

CUSTOM1_LOG = "/var/log/vesta/auth.log"

dont block yourself, keep the deny time to low for testing
if you change regex a little, please share changes..
and any other csf customlog blocking that may be helpful to all of us related only to vestacp control panel...
dont forget to add your OS

I've tried several times this rule, and every variation a could think of, with no success whatsoever.
I've enabled debug on csf, and I can see the file auth.log being parsed and and checked but it never logs any wrong try.
I've gone as far as this:

Code: Select all

#vestacp
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /.*/)) {
  return ("Failed vestacp control-panel login from",$1,"VESTAloginAttempt","5","8083","60");
}

So every line on the log file should be considered as a failed login attempt, but it doesn't matter.

Can anyone help with this? My OS is Centos 7 with VestaCP 0.9.8-16 and I'm out of ideas :/
I can share any configuration you may need to figure this out, and any help or tip that can steer me in the right direction would be greatly appreciated.

moucho wrote:This is an example (I've changed my IP):

Code: Select all

  asdfasdf 10.0.0.0 failed to login
  asdfasdf 10.0.0.0 failed to login
  asdfasdf 10.0.0.0 failed to login
  asdfasdf 10.0.0.0 failed to login
  asdfasdf 10.0.0.0 failed to login
  asdfasdf 10.0.0.0 failed to login

Firstly two white spaces, then the username, IP and error message

#vestacp
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+) failed to login/)) {
  return ("Failed vestacp control-panel login from",$1,"VESTAloginAttempt","5","8083","60");
}

moucho wrote:Thanks so much!!!

I'm speechless, I can't really thank you enough, I've tried for hours without success.

May I ask you to explain to me that why this works? Is this syntax different from any other regex syntax, because I check and the lines where being interpreted correctly by other tools but not csf?
Is there some way to check that the syntax is valid, or some guide I can use for csf?

Thanks again.

RamMae wrote:There's a weired problem on my csf.