Edit /etc/csf/csf.conf, find these lines, and modify them so that they look like this:
CUSTOM1_LOG = "/var/log/maillog"
CUSTOM2_LOG = "/var/log/cwp_client_login.log"
CUSTOM3_LOG = "/var/log/dovecot-info.log"
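You can then replace the whole content of your current /etc/csf/regex.custom.pm with the code below. Replacing the whole file discards any custom rules it already contains, so keep a copy of the old file first.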
#!/usr/bin/perl
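sub custom_line {
    my $line = shift;      # one log line to classify
    my $lgfile = shift;    # path of the log file the line was read from

# Do not edit before this point

    # Custom login-failure rules for csf/lfd. Each rule that matches returns
    # the list
    #   (message text, offending IP, rule id, trigger count, ports to block,
    #    temporary block time in seconds)
    # and the sub returns 0 when no rule matches.
    #
    # %config and %globlogs are not declared in this file; they are expected
    # to be supplied by the process that loads it.
    # NOTE(review): the captured address is passed back as matched; presumably
    # the caller validates it before blocking -- confirm for your csf version.

    # Postfix/smtpd SASL authentication failure.
    # The log is accepted either through the glob-expanded %globlogs map (as
    # the other two rules do) or by literal comparison with the configured
    # path, so a wildcard CUSTOM1_LOG setting is not silently ignored.
    my $is_custom1 = $globlogs{CUSTOM1_LOG}{$lgfile}
        || ($lgfile eq $config{CUSTOM1_LOG});
    # The mechanism class includes digits and "-" so that failures for
    # mechanisms such as CRAM-MD5 or DIGEST-MD5 are counted too; a plain
    # [A-Z] class only covers names like LOGIN and PLAIN.
    # Only dotted-quad IPv4 addresses are captured; failures from IPv6
    # clients do not match this rule.
    if ($is_custom1
        and $line =~ m{^\S+\s+\d+\s+\S+ \S+ postfix/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z0-9-]* authentication failed})
    {
        return ("Failed SASL login from", $1, "mysaslmatch", "5", "25,465,587", "3600");
    }

    # CWP login failure.
    # $1 (user) and $3 (URL) come straight from the log line and end up in
    # the message text; treat that text as untrusted wherever it is shown.
    if ($globlogs{CUSTOM2_LOG}{$lgfile}
        and $line =~ /^\S+\s+\S+\s+(\S+)\s+Failed Login from:\s+(\S+) on: (\S+)/)
    {
        return ("Failed CWP-Login login for User: $1 from IP: $2 URL: $3", $2, "cwplogin", "5", "2030,2031", "3600");
    }

    # POP3 brute force (Dovecot pop3-login).
    # NOTE(review): the optional group only matches "(auth failed, N attempts):"
    # exactly; if your Dovecot writes extra text inside the parentheses the
    # line will not match -- check the pattern against a real log entry.
    if ($globlogs{CUSTOM3_LOG}{$lgfile}
        and $line =~ /\S+\s+\d+\s+\S+ pop3-login: Info: (Aborted login|Disconnected)( \(auth failed, \d+ attempts\):)? user=<\S*>, method=\S+, rip=(\S+),/)
    {
        return ("POP3 bruteforce login from", $3, "pop3-login", "5", "110,995", "3600");
    }

# Do not edit beyond this point

    return 0;
}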
1;