# been passed.
foreach my $line (@message) {
# This will catch brute-force attacks against htaccess logins (username).
- if ($line =~ /.*\[error\] \[client (.*)\] user(.*) not found:.*/) {
+ if ($line =~ /.*\[client (.*)\] .* user(.*) not found:.*/) {
# Store the grabbed IP-address.
$address = $1;
}
# Detect htaccess password brute-forcing against a username.
- elsif ($line =~ /.*\[error\] \[client (.*)\] user(.*): authentication failure for.*/) {
+ elsif ($line =~ /.*\[client (.*)\] .* user(.*): authentication failure for.*/) {
# Store the extracted IP-address.
$address = $1;
# Check if at least the IP-address information has been extracted.
if (defined ($address)) {
+ # Check if the address also contains a port value.
+ if ($address =~ m/:/) {
+ my ($add_address, $port) = split(/:/, $address);
+
+ # Only process the address.
+ $address = $add_address;
+ }
+
# Add the extracted values and event message to the actions array.
push(@actions, "count $address $name $message");
}