Custom REGEX rules for CSF.

BallyBasic79
Junior Member
Posts: 80
Joined: 22 Aug 2019, 21:43

Re: Custom REGEX rules for CSF.

Post by BallyBasic79 »

Block junkmailers before they SPAM again.

The following custom REGEX rule is designed to block the IP of any mailer triggering a SpamAssassin filter, preventing the mailer from sending subsequent messages. Works with any spam filter; check the exact verbiage of your log entries. Adjust the trigger and temp/perm result to taste.

Code:

# Junk Mailer
# 1 try; 3 day ban
# CUSTOM1_LOG = "/var/log/exim_rejectlog"
# Works on CentOS6/7, exim MTA, cPanel, Spamassassin
# Return list: (lfd log text, IP, rule name, trigger count, ports ("" = all), block seconds; "1" = permanent)

	if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^.*\[(\S+)\]:\d+\s+.*mail server detected your message as spam.*/)) {
		return ("Junkmail sender",$1,"junkmailer","1","","259200");
	}

Blocks entries such as:
2019-08-01 04:02:04 1ht8qQ-0005Oy-HD H=(baron.tryimmoredfe.world) [67.198.188.215]:60033 F=<6752-26-981051-1766-user=example.com@mail.tryimmoredfe.world> rejected after DATA: "The mail server detected your message as spam and has prevented delivery (50)."
2019-08-01 06:54:26 1htBXA-00008g-Ky H=(clarke.resturtived.world) [67.198.188.216]:54497 F=<6761-26-981051-1768-user=example.com@mail.resturtived.world> rejected after DATA: "The mail server detected your message as spam and has prevented delivery (50)."
2019-08-01 09:27:16 1htDv9-0003By-Cr H=mta4.loomingbrexit.xyz (newark.windowpanning.xyz) [67.198.188.213]:53527 F=<6766-26-981051-1765-user=example.com@mail.windowpanning.xyz> rejected after DATA: "The mail server detected your message as spam and has prevented delivery (50)."
2019-08-01 10:29:09 1htEsq-0004F4-41 H=(clarke.resturtived.world) [67.198.188.216]:58155 F=<6773-26-981051-1768-user=example.com@mail.resturtived.world> rejected after DATA: "The mail server detected your message as spam and has prevented delivery (50)."
This approach won't block the first one, but it will catch subsequent ones.

Why filter spam when you can block it? ;)
BallyBasic79
Junior Member
Posts: 80
Joined: 22 Aug 2019, 21:43

Re: Custom REGEX rules for CSF.

Post by BallyBasic79 »

Block SMTP Probes.

The following custom REGEX rules are designed to block the IP of anything probing your SMTP service. Check the exact verbiage of your log entries. Adjust the trigger and temp/perm result to taste.

Code:

# dropped: too many unrecognized commands
# 1 try; 1 day ban
# CUSTOM1_LOG = "/var/log/exim_rejectlog"
# Works on CentOS6/7, exim MTA, cPanel

	if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^.*SMTP call from \S+\s+\[(\S+)\]:\d+\s+dropped: too many unrecognized commands .*/)) {
		return ("Dropped: too many unrecognized commands from",$1,"dropped_commands","1","","86400");
	}

# dropped: too many syntax or protocol errors

	if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^.*SMTP call from.*\s+\[(\S+)\]:\d+\s+dropped: too many syntax or protocol errors .*/)) {
		return ("Dropped: too many syntax or protocol errors from",$1,"dropped_commands","1","","86400");
	}

Blocks entries such as:
2019-08-27 08:14:10 SMTP call from scan-42.security.ipip.net [139.162.99.243]:54776 dropped: too many unrecognized commands (last was "Pragma: no-cache")
2019-08-28 12:00:42 SMTP call from [107.170.202.120]:52594 dropped: too many syntax or protocol errors (last command was "\001??S?\005?\005\001?????")
BallyBasic79
Junior Member
Posts: 80
Joined: 22 Aug 2019, 21:43

Re: Custom REGEX rules for CSF.

Post by BallyBasic79 »

Weed Out WP Whackers

This custom rule immediately blocks any machine probing for wp-login.php or xmlrpc.php.

Note: If you actually have a WP site, make sure that your IP is maintained in csf.ignore so you don't get blocked yourself.

Code:

# 1 try; 1 day ban
# CUSTOM3_LOG = "/etc/apache2/logs/error_log"
# Works on CentOS6/7, Apache, cPanel

	if (($globlogs{CUSTOM3_LOG}{$lgfile}) and ($line =~ /^.*\[client (\S+):\d+\].*(wp-login|xmlrpc).*/)) {
		return ("WP whacker",$1,"WP_whacker","1","","86400");
	}

Matches:
Oct 6 01:41:46 server lfd[14540]: (WP_whacker) WP whacker 162.214.20.79 (US/United States/Utah/Provo/server.iltc.edu.sa/[AS46606 Unified Layer]): 1 in the last 86400 secs - *Blocked in csf* for 86400 secs [LF_CUSTOMTRIGGER]
Oct 6 01:49:56 server lfd[14795]: (WP_whacker) WP whacker 184.73.167.121 (US/United States/Virginia/Ashburn/ec2-184-73-167-121.compute-1.amazonaws.com/[AS14618 Amazon.com, Inc.]): 1 in the last 86400 secs - *Blocked in csf* for 86400 secs [LF_CUSTOMTRIGGER]
Oct 6 07:38:29 server lfd[27150]: (WP_whacker) WP whacker 46.101.119.30 (DE/Germany/Hesse/Frankfurt am Main/-/[AS14061 DigitalOcean, LLC]): 1 in the last 86400 secs - *Blocked in csf* for 86400 secs [LF_CUSTOMTRIGGER]
BallyBasic79
Junior Member
Posts: 80
Joined: 22 Aug 2019, 21:43

Re: Custom REGEX rules for CSF.

Post by BallyBasic79 »

404 Forever? Nope.

These custom rules block IPs continually probing for sensitive pages that are missed by other methods. Be sure to check the syntax of your logs.

Code:

# Works on CentOS6/7, Apache, cPanel
# file crawler
# 2 try; 1 day ban
# CUSTOM3_LOG = "/etc/apache2/logs/error_log"

	if (($globlogs{CUSTOM3_LOG}{$lgfile}) and ($line =~ /^.*\[client (\S+):\d+\].*(File does not exist).*/)) {
		return ("Crawling: $2",$1,"file_crawler","2","","86400");
	}

# URI crawler
# 2 try; 1 day ban
# CUSTOM3_LOG = "/etc/apache2/logs/error_log"

	if (($globlogs{CUSTOM3_LOG}{$lgfile}) and ($line =~ /^.*\[client (\S+):\d+\].*(Invalid URI in request).*/)) {
		return ("Crawling: $2",$1,"uri_crawler","2","","86400");
	}

# script crawler
# 2 try; 1 day ban
# CUSTOM3_LOG = "/etc/apache2/logs/error_log"

	if (($globlogs{CUSTOM3_LOG}{$lgfile}) and ($line =~ /^.*\[client (\S+):\d+\].*(script not found).*/)) {
		return ("Crawling: $2",$1,"script_crawler","2","","86400");
	}
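To check rules like the four sets above before loading them into lfd, here is an added test harness (my code, not CSF's and not from the posts): it wraps copies of the rules in a custom_line() that mirrors the one in regex.custom.pm, replays sample log lines through it, and applies each rule's trigger count per IP. The exim lines are the ones quoted in the first two posts; the Apache error_log lines are constructed here (203.0.113.0/24 is a documentation range), and the per-IP counter ignores lfd's time window and the fact that an already blocked IP stops being counted.

```perl
#!/usr/bin/perl
# Added harness for dry-running CSF custom regex rules (not part of CSF).
use strict;
use warnings;

# Which CSF log slot each file belongs to, as in the rule comments above
my %globlogs = (
    CUSTOM1_LOG => { '/var/log/exim_rejectlog'     => 1 },
    CUSTOM3_LOG => { '/etc/apache2/logs/error_log' => 1 },
);

# Same shape as custom_line() in regex.custom.pm.  Return list:
# (lfd log text, IP, rule name, trigger count, ports ("" = all), block seconds; "1" = permanent)
sub custom_line {
    my ($line, $lgfile) = @_;

    # Junk mailer: 1 hit, 3 day ban
    if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^.*\[(\S+)\]:\d+\s+.*mail server detected your message as spam.*/)) {
        return ("Junkmail sender", $1, "junkmailer", "1", "", "259200");
    }
    # SMTP probes: 1 hit, 1 day ban
    if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^.*SMTP call from \S+\s+\[(\S+)\]:\d+\s+dropped: too many unrecognized commands .*/)) {
        return ("Dropped: too many unrecognized commands from", $1, "dropped_commands", "1", "", "86400");
    }
    if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^.*SMTP call from.*\s+\[(\S+)\]:\d+\s+dropped: too many syntax or protocol errors .*/)) {
        return ("Dropped: too many syntax or protocol errors from", $1, "dropped_commands", "1", "", "86400");
    }
    # WP whacker: 1 hit, 1 day ban (listed before the crawler rule, so it wins for a wp-login.php 404)
    if (($globlogs{CUSTOM3_LOG}{$lgfile}) and ($line =~ /^.*\[client (\S+):\d+\].*(wp-login|xmlrpc).*/)) {
        return ("WP whacker", $1, "WP_whacker", "1", "", "86400");
    }
    # File crawler: 2 hits, 1 day ban
    if (($globlogs{CUSTOM3_LOG}{$lgfile}) and ($line =~ /^.*\[client (\S+):\d+\].*(File does not exist).*/)) {
        return ("Crawling: $2", $1, "file_crawler", "2", "", "86400");
    }
    return;
}

# Sample input: [log file, line].  The exim lines are quoted from the posts above;
# the Apache lines are constructed in Apache 2.4 error_log format.
my @samples = (
    ['/var/log/exim_rejectlog', '2019-08-01 04:02:04 1ht8qQ-0005Oy-HD H=(baron.tryimmoredfe.world) [67.198.188.215]:60033 F=<6752-26-981051-1766-user=example.com@mail.tryimmoredfe.world> rejected after DATA: "The mail server detected your message as spam and has prevented delivery (50)."'],
    ['/var/log/exim_rejectlog', '2019-08-27 08:14:10 SMTP call from scan-42.security.ipip.net [139.162.99.243]:54776 dropped: too many unrecognized commands (last was "Pragma: no-cache")'],
    ['/var/log/exim_rejectlog', '2019-08-28 12:00:42 SMTP call from [107.170.202.120]:52594 dropped: too many syntax or protocol errors (last command was "\001??S?\005?\005\001?????")'],
    ['/etc/apache2/logs/error_log', '[Sun Oct 06 01:41:46.112233 2019] [core:info] [pid 14540] [client 203.0.113.10:51234] AH00128: File does not exist: /home/site/public_html/wp-login.php'],
    ['/etc/apache2/logs/error_log', '[Sun Oct 06 01:42:01.445566 2019] [core:info] [pid 14541] [client 203.0.113.20:40001] AH00128: File does not exist: /home/site/public_html/backup.zip'],
    ['/etc/apache2/logs/error_log', '[Sun Oct 06 01:42:09.778899 2019] [core:info] [pid 14541] [client 203.0.113.20:40002] AH00128: File does not exist: /home/site/public_html/.env'],
    ['/etc/apache2/logs/error_log', '[Sun Oct 06 01:43:30.000111 2019] [core:info] [pid 14542] [client 203.0.113.30:40003] AH00128: File does not exist: /home/site/public_html/favicon.ico'],
);

# Replay: count hits per (rule, IP) and report when the trigger count is reached.
# Simplification: lfd also applies a time window and stops counting a blocked IP.
my %hits;
for my $sample (@samples) {
    my ($lgfile, $line) = @$sample;
    my @rule = custom_line($line, $lgfile) or next;   # empty list = no rule matched
    my ($text, $ip, $app, $trigger, $ports, $secs) = @rule;
    my $n = ++$hits{"$app $ip"};
    if ($n == $trigger) {
        printf "BLOCK %-15s %-16s %s (%d/%d) %s\n", $ip, $app, $text, $n, $trigger,
            $secs eq "1" ? "permanently" : "for ${secs}s";
    } else {
        printf "count %-15s %-16s %d/%d\n", $ip, $app, $n, $trigger;
    }
}
```

Run it with `perl harness.pl`; to replay a real log, fill @samples from the file instead. Rule order matters: both Apache rules match a wp-login.php "File does not exist" line, and the first match returns, which is what keeps the WP rule on one hit rather than the crawler rule's two. In the sample run, 203.0.113.30 is counted once and never reaches the file_crawler trigger, which is the intended difference between a single 404 and a crawl.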
naeimeht
Junior Member
Posts: 1
Joined: 18 Jan 2020, 09:30

Re: Custom REGEX rules for CSF.

Post by naeimeht »

There are spammers that send emails to accounts that don't exist on the server to catch the ones that do exist and add them to their databases.
petersphilo
Junior Member
Posts: 2
Joined: 24 Jan 2020, 17:33

Re: Custom REGEX rules for CSF.

Post by petersphilo »

Hello,
I am looking for a way to whitelist IP addresses of users who successfully log into Dovecot.

I have too many cases of one user within an office who blocks the entire office's access to the server because their phone is configured with an erroneous login.
Ideally, these IP addresses would be whitelisted (sort of like in csf.ignore), but only for 24 hours or so.

I can do the regex to find the IP, the part after '$line', but I can't figure out what to do with the IP once I have it.
I suppose it's in the 'return' section.

Also, it seems like whatever you do in /usr/local/csf/bin/regex.custom.pm is only to block; there seems to be no option to allow.

I'd be immensely grateful for any help as to where to go next.
Thank you all!

PS:
Basically, looking at the log file '/var/log/maillog', the '$line' part would look something like this (super-simplified):

Code:

$line =~ /^.*dovecot: imap-login: Login: user=<.*>, method=.*, rip=(\d+\.\d+\.\d+\.\d+)/

where $1 is the IP to whitelist.
But I've no idea what to do in the 'return' section, nor how to avoid having the same IP listed a million times, nor how to clear the list occasionally.

Is it possible to 'include' a file in csf.allow or in csf.ignore?
petersphilo
Junior Member
Posts: 2
Joined: 24 Jan 2020, 17:33

Re: Custom REGEX rules for CSF.

Post by petersphilo »

Hi all,

Just a quick (or not so much) follow-up on my question.
I've got it working nearly exactly as I like (I can't figure out how to capture and print the timestamp in human-readable format, though).

Here it is for anyone curious:

First, the jail.local file:

Code:

[csf-my-allow]
enabled  = true
bantime  = 86400
findtime = 600
usedns   = raw
filter   = csf-my-allow-filter
action   = csf-my-allow[name=%(__name__)s]
maxretry = 1
logpath  = /var/log/maillog
backend  = polling
Next, the filter (note that the timestamp does not work as of yet) called csf-my-allow-filter:

Code:

[Definition]
failregex = ^<F-TIMESTAMP>.*</F-TIMESTAMP> host dovecot: imap-login: Login: user=<<F-USER>\S+@\S+</F-USER>>, method=\S+, rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}, mpid=\S+, \S+, session=<\S+>$
mode = normal
maxlines = 1
ignoreregex =
And, finally, the action, called csf-my-allow:

Code:

[Definition]
actionstart =
actionstop =
actioncheck =
actionban=csf --tempallow <ip> 86400 IMAP login <F-USER>
# eventually:
# actionban=csf --tempallow <ip> 86400 IMAP login <F-USER> - <F-TIMESTAMP>

PS: I am the only WHM admin on these servers, which is why I'm taking the liberty of reporting the email account along with the IP.
I suppose it might be better to do this, to just capture the domain name:
\S+@<F-USER>\S+</F-USER>
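For the whitelist half of the question (one entry per IP, and a list that clears itself), here is an added Perl alternative to the fail2ban set-up above. It is my example, not CSF's or fail2ban's code: it reads maillog lines, keeps the last successful Dovecot login per remote IP, and prints one csf --tempallow command per IP with the 24-hour TTL used in the post, recording only the domain part of the account as the PS suggests. The login pattern is the one from the earlier post, widened to pop3-login; the sample lines are constructed, with documentation-range addresses.

```perl
#!/usr/bin/perl
# Added example (not part of CSF, fail2ban or the posts): turn successful
# Dovecot logins into de-duplicated, self-expiring csf temp-allow entries.
use strict;
use warnings;

my $TTL = 86400;   # seconds; same 24 h as the fail2ban action above

# Same pattern as the earlier post, widened to pop3-login and capturing the user
sub parse_login {
    my ($line) = @_;
    return unless $line =~ /dovecot: (?:imap|pop3)-login: Login: user=<([^>]+)>, method=\S+, rip=(\d+\.\d+\.\d+\.\d+)/;
    return ($2, $1);   # (remote IP, account)
}

# Collapse many logins from the same IP into one entry (last account wins)
sub collect_logins {
    my @lines = @_;
    my %seen;
    for my $line (@lines) {
        my ($ip, $user) = parse_login($line) or next;   # skip non-login lines
        $seen{$ip} = $user;
    }
    return \%seen;
}

# Build the commands without running them; the caller decides whether to pipe to sh
sub tempallow_commands {
    my ($seen) = @_;
    my @cmds;
    for my $ip (sort keys %$seen) {
        (my $domain = $seen->{$ip}) =~ s/.*@//;   # keep the domain only, as the PS suggests
        push @cmds, "csf --tempallow $ip $TTL IMAP login $domain";
    }
    return @cmds;
}

# Constructed sample lines in Dovecot's maillog format: two logins from one IP,
# one POP3 login from another, and one failed login that must be ignored.
my @sample = (
    'Jan 25 10:01:02 host dovecot: imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.5, mpid=1234, TLS, session=<abc>',
    'Jan 25 10:01:40 host dovecot: imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=198.51.100.7, lip=203.0.113.5, mpid=1240, TLS, session=<abd>',
    'Jan 25 10:02:13 host dovecot: pop3-login: Login: user=<bob@example.net>, method=PLAIN, rip=198.51.100.9, lip=203.0.113.5, mpid=1251, TLS, session=<abe>',
    'Jan 25 10:02:50 host dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol@example.com>, method=PLAIN, rip=192.0.2.44, lip=203.0.113.5, TLS, session=<abf>',
);

my @lines = @ARGV ? <> : @sample;   # maillog file(s) on the command line, else the samples
chomp @lines;
print "$_\n" for tempallow_commands(collect_logins(@lines));
```

Dry-run it with `perl allow-logins.pl /var/log/maillog` and, once the output looks right, run it from cron with `| sh`. The sample produces two commands (198.51.100.7 appears once despite two logins; 192.0.2.44 never appears), and because temp allows expire after the TTL there is no list to clear. Bear in mind what this whitelists: any client that logs in with a valid password, so an IP used with a stolen account is allowed along with the office, and a shared office NAT address is allowed for everyone behind it, which is the intent here.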
nibb
Junior Member
Posts: 12
Joined: 20 Apr 2013, 03:15

Re: Custom REGEX rules for CSF.

Post by nibb »

iodisciple wrote: 16 Feb 2018, 09:58
Block brute force failed SASL attempts. Debian 9, dovecot / postfix server.

Error:

Code:

Feb 16 08:13:32 mail02 postfix/submission/smtpd[4312]: warning: unknown[85.219.80.99]: SASL PLAIN authentication failed:

Edit in /etc/csf/csf.conf:

Code:

CUSTOM1_LOG = "/var/log/mail.log"

Regular expression in /usr/local/csf/bin/regex.custom.pm:

Code:

# 10 failed SASL logins on the submission service -> permanent block on the mail ports
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/submission\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]*? authentication failed/)) {
	return ("Failed SASL login from",$1,"mysaslmatch","10","25,465,587","1");
}

Permanently blocks an IP with 10 failed SASL attempts.

Thank you, works perfectly.
nibb
Junior Member
Posts: 12
Joined: 20 Apr 2013, 03:15

Re: Custom REGEX rules for CSF.

Post by nibb »

Is there some bug with the latest release?

I noticed that the custom regex does not work on version 14. Same config on servers, except it works on installations running CSF 12 but not 14.
nullmem
Junior Member
Posts: 7
Joined: 13 Jun 2017, 23:12

Re: Custom REGEX rules for CSF.

Post by nullmem »

If you are running Mod Security 3 rule sets on Open Litespeed, LFD won't automatically ban IPs based on LF_MODSEC. You still need to make sure you specify your Open Litespeed error.log file using MODSEC_LOG.

Code:

# Fix lack of support for ModSecurity with Open Litespeed
# lfd expects six return values; the original post omitted the ports field,
# added here as "" (all ports): block on the first hit, "1" = permanent
if (($lgfile eq $config{MODSEC_LOG}) and ($line =~ /\[Module:Mod_Security\]Log\sMessage:\s\[client\s(\S+)\]\sModSecurity:\sAccess\sdenied\swith\scode\s403/)) {
	return ("ModSecurity: 403 triggered by",$1,"mod_security","1","","1");
}