I've Given up. Please help. Custom Regex

Posted: 24 Dec 2023, 15:52
by coled
I've pounded on this for quite some time now with the two following custom rules. Log locations set in the conf file, but nothing working. Please make recommendations if you run across this post.

The built in IMAP rules in CSF do not work on my server. Never have. Non standard Debian/Postfix/Dovecot setup to blame I suppose.

Trying to prevent the following. Below are errors, followed by regex attempt to identify/block them. I've tried both (/var/log/auth.log set up as custom1, and /var/log/dovecot.log set up as custom2) thinking something is not being read properly. Still no joy. I don't give up very easily, but....

I'm convinced that either my logs aren't being read at all, or I am completely incapable at regex. Sidenote....My SSH rules work. Bad guys blocked and emails submitted so I know CSF is working somewhat. Just cannot get the following two going.


###### Dec 19 08:31:59 server auth: pam_unix(dovecot:auth): authentication failure; logname= uid=5000 euid=5000 tty=dovecot ruser=someone@somewhere.com rhost=99.196.128.141

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+\s+server auth: pam_unix\(dovecot:auth\): authentication failure; logname= uid=5000 euid=5000 tty=dovecot ruser=\S+ rhost=\d+\.\d+\.\d+\.\d+/)) {
return ("BS IMAP Attempt",$1,"imapbf","5","","1","0");
}



###### Dec 24 10:14:12 auth-worker(18771): Info: pam(someone@somewhere.com,172.56.69.214,<GRG/5kINVqSsOEXW>): pam_authenticate() failed: Authentication failure (Password mismatch?)

if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+\s+auth-worker \(S+\): Info: pam\(S+\): pam_authentication\(\) failed; Authentication failure \(Password mismatch?/)) {
return ("BS DC Attempt",$1,"DCbf","5","","1","0");
}


Thanks.

Cole

Re: I've Given up. Please help. Custom Regex

Posted: 26 Dec 2023, 15:37
by coled
Never mind. I was actually able to resolve this myself. Needed to wrap my IP catch in parentheses. (\d+\.\d+\.\d+\.\d+)

Fix:

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+\s+server auth: pam_unix\(dovecot:auth\): authentication failure; logname= uid=5000 euid=5000 tty=dovecot ruser=\S+ rhost=(\d+\.\d+\.\d+\.\d+)/)) {
return ("BS IMAP Attempt",$1,"imapbf","5","","1","0");
}
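The root cause Cole found is worth seeing run: the first CUSTOM1 regex matched the log line, but with no capture group the second element CSF gets back ($1 in the Perl rule) is empty, so there is no IP to block and the rule looks "dead". The script below is an added example, not code from this thread or from CSF; it is Python rather than Perl so it can be run stand-alone against the two log lines quoted above. It shows the broken and fixed CUSTOM1 patterns side by side, and adds a corrected CUSTOM2 pattern (an assumption: the thread never shows a working one; the original had `S+` without a backslash, a stray space before `(`, `pam_authentication` instead of `pam_authenticate`, `;` instead of `:` after `failed`, an unescaped `?`, and again no capture group). The fixed CUSTOM1 is also loosened slightly: hostname, uid/euid and an empty ruser are no longer hard-coded. The benign sshd line is constructed.

```python
import re

# Log lines quoted in the thread (the two failures to block) plus one constructed
# benign line that must not trigger either rule.
AUTH_LOG_LINE = ("Dec 19 08:31:59 server auth: pam_unix(dovecot:auth): authentication failure; "
                 "logname= uid=5000 euid=5000 tty=dovecot ruser=someone@somewhere.com rhost=99.196.128.141")
DOVECOT_LOG_LINE = ("Dec 24 10:14:12 auth-worker(18771): Info: pam(someone@somewhere.com,172.56.69.214,"
                    "<GRG/5kINVqSsOEXW>): pam_authenticate() failed: Authentication failure (Password mismatch?)")
BENIGN_LINE = "Dec 24 10:15:00 server sshd[1234]: Accepted publickey for admin from 10.0.0.5 port 5555 ssh2"  # constructed

# Capture group for the attacker IP; this is the part the original CUSTOM1 rule lacked.
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

# CUSTOM1 as first posted: matches the line but captures nothing, so the IP field
# handed to CSF ($1 in Perl) is undefined and nothing is ever blocked.
CUSTOM1_BROKEN = re.compile(
    r"^\S+\s+\d+\s+\S+\s+server auth: pam_unix\(dovecot:auth\): authentication failure; "
    r"logname= uid=5000 euid=5000 tty=dovecot ruser=\S+ rhost=\d+\.\d+\.\d+\.\d+")

# CUSTOM1 as fixed in the second post, generalised: hostname and uid/euid are not
# hard-coded, ruser may be empty, and the IP is captured.
CUSTOM1_FIXED = re.compile(
    r"^\S+\s+\d+\s+\S+\s+\S+ auth: pam_unix\(dovecot:auth\): authentication failure; "
    r"logname=\S* uid=\d+ euid=\d+ tty=dovecot ruser=\S* rhost=" + IPV4)

# CUSTOM2, corrected (assumption; the thread shows no working version). The IP is the
# second comma-separated field inside pam(...), and the literal '?' is escaped.
CUSTOM2_FIXED = re.compile(
    r"^\S+\s+\d+\s+\S+\s+auth-worker\(\d+\): Info: pam\([^,]*," + IPV4 +
    r",<[^>]*>\): pam_authenticate\(\) failed: Authentication failure \(Password mismatch\?\)")


def csf_rule_result(pattern, line):
    """Return what a CSF-style rule would hand back as its IP element.

    None  -> regex did not match (rule not triggered)
    ''    -> regex matched but has no capture group (Perl's $1 undefined: silent failure)
    str   -> the captured IP
    """
    m = pattern.search(line)
    if not m:
        return None
    return m.group(1) if m.lastindex else ""


def match_custom1(line):
    return csf_rule_result(CUSTOM1_FIXED, line)


def match_custom2(line):
    return csf_rule_result(CUSTOM2_FIXED, line)


def count_failures(lines, threshold=5):
    """Tally failures per IP across both rules and return the IPs that reached the
    threshold (the '5' in the rules' fourth return element)."""
    counts = {}
    for line in lines:
        ip = match_custom1(line) or match_custom2(line)
        if ip:
            counts[ip] = counts.get(ip, 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("broken CUSTOM1 ->", repr(csf_rule_result(CUSTOM1_BROKEN, AUTH_LOG_LINE)))
    print("fixed CUSTOM1  ->", match_custom1(AUTH_LOG_LINE))
    print("fixed CUSTOM2  ->", match_custom2(DOVECOT_LOG_LINE))
    print("benign line    ->", match_custom1(BENIGN_LINE), match_custom2(BENIGN_LINE))
    print("over threshold ->", count_failures([AUTH_LOG_LINE] * 5 + [DOVECOT_LOG_LINE] * 2))
```

The two fixed patterns drop straight into a Perl `$line =~ /.../` test in regex.custom.pre with the same syntax; the only thing that matters for CSF is that the IP lands in the first capture group so `$1` is populated in the return list. Testing a rule this way against a copied log line before reloading lfd separates "the regex is wrong" from "the log is not being read", which was the ambiguity in the first post.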