Custom REGEX rules for CSF.

54 posts Page 4 of 6
Sergio
Junior Member
Posts: 1381
Joined: 12 Dec 2006, 14:56


nbeernink wrote:
@sergio:
I don't know, something like this? REGEX to block IPs that triggered via COMODO-WAF modsecurity in DirectAdmin Custombuild 2.0
I will use the name of your post "REGEX for DirectAdmin modsecurity denials not blocked by CSF/LFD"
ethical
Junior Member
Posts: 10
Joined: 12 Nov 2010, 01:59


Hi Sergio

Very helpful thread. Do you know how I could adjust the script to work with ASSP and Exim? I have a cPanel server with the ASSP spam filtering proxy sitting in front of Exim.

thanks!
John
vhortex
Junior Member
Posts: 3
Joined: 24 Apr 2017, 11:42


Hi,

Can we adjust the rules/regex to scan over a longer time window? I am not sure if there is any way to do it via regex.custom.pm.

The scenario is:
The attacker will randomly attack once or twice an hour to avoid being blacklisted.

If there is any way this can be achieved, please give me an idea. I don't want to tamper with the main CSF scripts.
ethanpil
Junior Member
Posts: 3
Joined: 16 May 2017, 21:00


Here are some rules I recently developed. I will try and keep them updated here: https://gist.github.com/ethanpil/97b62d ... 8b3837843d

NginX security rules to block badly behaving web visitors
These rules have helped me block vulnerability scanners, and bots/hackers scanning for various versions of PHP tools, etc.
Code:
# NginX security rules trigger (Default: 4 errors bans for 24 hours)
# Catch ip that attempts to access a URL that is forbidden by NginX rules
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /.*access forbidden by rule, client: (\S+).*/)) {
    return ("NGINX Security rule triggered from",$1,"nginx_security","4","80,443","86400");
}
Code:
# NginX 404 errors (Default: 4 errors bans for 24 hours)
# Catch ip that accesses non-existent files and directories
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /.*No such file or directory\), client: (\S+),.*/)) {
    return ("NGINX Security rule triggered from",$1,"nginx_404s","4","80,443","86400");
}
Code:
# Trying to download htaccess or htpasswd (Default: 1 error bans for 24 hours)
# Note: $1 is the file name, $2 is the client IP (the original had a stray ")" before the closing slash)
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /.*\.(htpasswd|htaccess).*client: (\S+),.*GET/)) {
    return ("Trying to download .ht files",$2,"nginx_htfiles","1","80,443","86400");
}
WordPress fail2Ban
The five rules below work well with the WordPress fail2ban plugin https://wordpress.org/plugins/wp-fail2ban-redux/. Instead of a custom log file, this plugin writes to syslog, which is already defined as SYSLOG_LOG.

These rules are the equivalent of the WordPress "Hard" ruleset in the fail2ban plugin. You still need to install and activate the fail2ban plugin, but with the custom regex below it will work with LFD (without fail2ban installed).
Code:
# Wordpress fail2ban plugin (Default: 2 errors bans for 24 hours)
if (($globlogs{SYSLOG_LOG}{$lgfile}) and ($line =~ /.*Authentication attempt for unknown user .* from (.*)\n/)) {
  return ("Wordpress unknown user from",$1,"fail2ban_unknownuser","2","80,443","86400");
}

# Wordpress fail2ban plugin (Default: 2 errors bans for 24 hours)
if (($globlogs{SYSLOG_LOG}{$lgfile}) and ($line =~ /.*Blocked user enumeration attempt from (.*)\n/)) {
  return ("WordPress user enumeration attempt from",$1,"fail2ban_userenum","2","80,443","86400");
}

# Wordpress fail2ban plugin (Default: 2 errors bans for 24 hours)
if (($globlogs{SYSLOG_LOG}{$lgfile}) and ($line =~ /.*Pingback error .* generated from (.*)\n/)) {
  return ("WordPress pingback error",$1,"fail2ban_pingback","2","80,443","86400");
}

# Wordpress fail2ban plugin (Default: 2 errors bans for 24 hours)
if (($globlogs{SYSLOG_LOG}{$lgfile}) and ($line =~ /.*Spammed comment from (.*)\n/)) {
  return ("WordPress spam comments from",$1,"fail2ban_spam","2","80,443","86400");
}
# Wordpress fail2ban plugin (Default: 5 errors bans for 24 hours)
if (($globlogs{SYSLOG_LOG}{$lgfile}) and ($line =~ /.*XML-RPC multicall authentication failure (.*)\n/)) {
  return ("WordPress XML-RPC multicall fail from",$1,"fail2ban_xmlrpc","5","80,443","86400");
}
Paarsch
Junior Member
Posts: 5
Joined: 05 Apr 2017, 11:00


Hello!

I am trying to implement a new custom regex rule to specifically target crawler bots. I formulated the following:
Code:
# MJ12-Bot / Baidu / Ahrefs
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST|HEAD).* (MJ12bot|Baiduspider|AhrefsBot|UptimeRobot).*" /)) {
         return ("LFD - MJ12-Baidu-Ahrefs-bot Overuse",$1,"BOTOVERUSE","15","80,443,21,25,22,23","48800");
}
When I run it through my tester it does pick up the correct lines out of the following example:
Code:
69.162.111.222 - - [07/Feb/2017:15:54:14 +0200] "HEAD / HTTP/1.1" 200 296 "http://dummydomain.nl/" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
185.119.111.222 - - [07/Feb/2017:15:55:37 +0200] "GET /wp-login.php HTTP/1.1" 200 2860 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
185.119.111.222 - - [07/Feb/2017:15:55:37 +0200] "POST /wp-login.php HTTP/1.1" 200 3610 "http://www.dummydomain.nl/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
149.210.111.222 - - [07/Feb/2017:15:59:13 +0200] "POST /wp-cron.php?doing_wp_cron=1496930353.4784278869628906250000 HTTP/1.1" 200 181 "http://www.dummydomain.nl/wp-cron.php?doing_wp_cron=1496930353.4784278869628906250000" "WordPress/4.7.5; http://www.dummydomain.nl"
69.162.111.222 - - [07/Feb/2017:15:59:12 +0200] "HEAD / HTTP/1.1" 301 229 "http://dummydomain.nl/" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
However, it simply won't add the targeted IP addresses to the blacklist. What am I missing? Any suggestions are very welcome!
ethanpil
Junior Member
Posts: 3
Joined: 16 May 2017, 21:00


I tweaked the regex a little, but you should be getting the IP in $1 even with your original code... not sure why you aren't. Are you sure you are reading the correct log file with CUSTOM2_LOG?
Code:
# MJ12-Bot / Baidu / Ahrefs
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*\"*(?:GET|POST|HEAD).* (MJ12bot|Baiduspider|AhrefsBot|UptimeRobot).*/)) {
         return ("LFD - MJ12-Baidu-Ahrefs-bot Overuse",$1,"BOTOVERUSE","15","80,443,21,25,22,23","48800");
}


Take a look here: https://regex101.com/r/JagOJb/1

You can also probably add the exact bot name in the log line
Code:
return ("LFD - $2 bot Overuse",$1,"BOTOVERUSE","15","80,443,21,25,22,23","48800");
Paarsch
Junior Member
Posts: 5
Joined: 05 Apr 2017, 11:00


Groovy, that did the trick! Thank you for your help, also good suggestion on the bot name parameter!
dswimr615
Junior Member
Posts: 3
Joined: 09 Aug 2017, 18:36


Hello,

Here is my current rule against WordPress attacks on the wp-login and xmlrpc pages:
Code:
if (($globlogs{CUSTOM4_LOG}{$lgfile}) and ($line =~ /^(\S+).*POST.*(wp-login\.php|xmlrpc\.php).* (200|401)/)) {
    return ("Failed wordpress login from",$1,"wordpress","2","80,443","3600");
}
This rule is very strict but it works well for when a server is getting hammered or when attackers are savvy. It is only meant for temporary use until the attacks subside.
Sergio
Junior Member
Posts: 1381
Joined: 12 Dec 2006, 14:56


Hi, all.

I have been using CSF to block massive spammers on my servers; the same REGEX rules are used simultaneously with SPAMASSASSIN and the results have been very satisfactory. Here is an example of a rule that blocks spam whose subject contains the names of TV- or movie-related people:

ANTI SPAM REGEX RULE:

OS: CloudLINUX
Use this rule on CSF: regex.custom.pm
Execution time: -1MS / Interaction: 104 steps
LOG: /var/log/exim_mainlog
Code:
	if (($lgfile eq $config{SMTPAUTH_LOG}) and ($line =~ /^\S+\s\S+\s\S+\s<=\s\S+\sH=(?>\S+\s)+?\[(\S+)\](?>\S+\s)+?T="(?>\S*\s*)*?(angelina jolie|beyonce|brad pitt|eva longoria|dr\.? seuss|jessica alba| kanye |mark cuban|megyn kelly|melissa mccarthy|shark tank|sharon stone|taylor swift|vanna white|warren buffett|zuckerb.rg)/i)) {
		return ("SPAM BLKList $2",$1,"SPAM_BLK_LISTMovies","1","1");
	}
Example that will trigger the rule:
2017-08-18 14:02:33 email-ID-obfuscated <= Sara-Shaffer@debris.azurespecials.bid H=debris.azurespecials.bid [37.28.158.14]:55744 P=esmtp S=7554 T="Cosmo: Sharon Stone's Gorgeous Skin Secret." for email@domain.com

SPAMASSASSIN RULE:
Code:
header   SECMAS_BLKMovies  Subject =~ /angelina jolie|beyonce|brad pitt|eva longoria|dr\.? seuss|jessica alba| kanye |mark cuban|megyn kelly|melissa mccarthy|shark tank|sharon stone|taylor swift|vanna white|warren buffett|zuckerb.rg/i
describe SECMAS_BLKMovies  SPAM_BLKMovies
score    SECMAS_BLKMovies  22
To use this rule in SPAMASSASSIN, you should create a file called "MyRules.cf" inside the directory /etc/mail/spamassassin and copy this and any other home-made rules in there.

DISCLAIMER:
Any use of my rules is at your own risk. Don't use them if you don't know what the rules are intended for.
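As an added example (my own harness, not CSF code and not from any post in this thread), the script below runs three of the rules posted above, Paarsch's original bot rule, ethanpil's corrected version and Sergio's Exim subject rule, against the sample log lines quoted in those posts. It imitates the contract lfd uses for regex.custom.pm: each rule sees the log file name in $lgfile and one log line in $line and returns the (message, ip, app, trigger, ports, ttl) list when it fires. The %globlogs and %config contents and the log paths are assumptions for the demo; in a real regex.custom.pm lfd fills them from csf.conf. Against combined-format lines like the ones in the post, the original bot rule cannot match, because its trailing `." /` requires a double quote followed by a space somewhere after the bot name and such a line ends at the closing quote of the user-agent string; the corrected rule drops that requirement.

```perl
#!/usr/bin/perl
# Stand-alone harness (added example, not CSF code and not any poster's script)
# that calls regex.custom.pm-style rules the way lfd does.
use strict;
use warnings;

# In the real regex.custom.pm these hashes come from lfd/csf.conf.
# The log paths are assumptions for this demo.
my %globlogs = ( CUSTOM2_LOG => { '/var/log/nginx/access.log' => 1 } );
my %config   = ( SMTPAUTH_LOG => '/var/log/exim_mainlog' );

# Paarsch's original rule. The trailing ." / needs a double quote followed by
# a space AFTER the bot name, which a combined-format line does not have.
sub bot_rule_original {
    my ($lgfile, $line) = @_;
    if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST|HEAD).* (MJ12bot|Baiduspider|AhrefsBot|UptimeRobot).*" /)) {
        return ("LFD - MJ12-Baidu-Ahrefs-bot Overuse",$1,"BOTOVERUSE","15","80,443,21,25,22,23","48800");
    }
    return;
}

# ethanpil's corrected rule, with his suggestion of putting the bot name ($2)
# into the block message.
sub bot_rule_fixed {
    my ($lgfile, $line) = @_;
    if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*\"*(?:GET|POST|HEAD).* (MJ12bot|Baiduspider|AhrefsBot|UptimeRobot).*/)) {
        return ("LFD - $2 bot Overuse",$1,"BOTOVERUSE","15","80,443,21,25,22,23","48800");
    }
    return;
}

# Sergio's Exim subject rule, unchanged: $1 is the IP inside [...] after H=,
# $2 is the name matched inside the T="..." subject.
sub spam_rule {
    my ($lgfile, $line) = @_;
    if (($lgfile eq $config{SMTPAUTH_LOG}) and ($line =~ /^\S+\s\S+\s\S+\s<=\s\S+\sH=(?>\S+\s)+?\[(\S+)\](?>\S+\s)+?T="(?>\S*\s*)*?(angelina jolie|beyonce|brad pitt|eva longoria|dr\.? seuss|jessica alba| kanye |mark cuban|megyn kelly|melissa mccarthy|shark tank|sharon stone|taylor swift|vanna white|warren buffett|zuckerb.rg)/i)) {
        return ("SPAM BLKList $2",$1,"SPAM_BLK_LISTMovies","1","1");
    }
    return;
}

# Constructed sample lines, copied from the posts above (dummy IPs/domains).
my @samples = (
    ['/var/log/nginx/access.log',
     '69.162.111.222 - - [07/Feb/2017:15:54:14 +0200] "HEAD / HTTP/1.1" 200 296 "http://dummydomain.nl/" "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"'],
    ['/var/log/nginx/access.log',
     '185.119.111.222 - - [07/Feb/2017:15:55:37 +0200] "GET /wp-login.php HTTP/1.1" 200 2860 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"'],
    ['/var/log/exim_mainlog',
     '2017-08-18 14:02:33 email-ID-obfuscated <= Sara-Shaffer@debris.azurespecials.bid H=debris.azurespecials.bid [37.28.158.14]:55744 P=esmtp S=7554 T="Cosmo: Sharon Stone\'s Gorgeous Skin Secret." for email@domain.com'],
);

my @rules = (
    ['bot_rule_original', \&bot_rule_original],
    ['bot_rule_fixed',    \&bot_rule_fixed],
    ['spam_rule',         \&spam_rule],
);

# Feed every sample line to every rule and report what lfd would receive.
for my $sample (@samples) {
    my ($lgfile, $line) = @$sample;
    print "$lgfile: ", substr($line, 0, 60), "...\n";
    for my $rule (@rules) {
        my ($name, $code) = @$rule;
        my @ret = $code->($lgfile, $line);
        if (@ret) {
            printf "  %-18s fired: \"%s\" ip=%s app=%s trigger=%s\n", $name, @ret[0..3];
        } else {
            printf "  %-18s no match\n", $name;
        }
    }
}
```

Run it with `perl harness.pl`. To test a rule of your own before it goes into regex.custom.pm, add a sub in the same shape and a few real lines from the log it should watch; a rule that returns nothing here will return nothing to lfd either, which is the quickest way to tell a regex problem from a CSF configuration problem (such as CUSTOM2_LOG pointing at the wrong file).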
awalilko
Junior Member
Posts: 1
Joined: 05 Jan 2018, 17:15


I made a bit of regex to monitor failed Plesk logins (which also seems to work for failed webmail logins on Plesk).

Working OS: RHEL7
Action: Block IP address after 5 failed Plesk login attempts over 3600s
CUSTOM1_LOG = "/var/log/plesk/panel.log"
Code:
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^.*Failed\slogin\sattempt\swith\slogin\s\S+\sfrom\sIP\s(\d+\.\d+\.\d+\.\d+)/)) {
    return ("Failed plesk login from",$1,"plesk","5","8443","1");
}
Sample blocked lines:
[2018-01-01 20:11:18] ERR [panel] [Action Log] Failed login attempt with login 'username' from IP 123.45.67.89