Custom REGEX rules for CSF.

BallyBasic79
Junior Member
Posts: 79
Joined: 22 Aug 2019, 21:43


Block junkmailers before they SPAM again.

The following custom REGEX rule is designed to block the IP of any mailer triggering a [Spamassassin] filter, preventing the mailer from sending subsequent messages. Works with any spam filter – check the exact verbiage of your log entries. Adjust trigger and temp/perm result to taste.
Code:
# Junk Mailer
# 1 try; 3 day ban
# CUSTOM1_LOG = "/var/log/exim_rejectlog"
# Works on CentOS6/7, exim MTA, cPanel, Spamassassin

	if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^.*\[(\S+)\]:\d+\s+.*mail server detected your message as spam.*/)) {
		return ("Junkmail sender",$1,"junkmailer","1","","259200");
	}

Blocks entries such as:
2019-08-01 04:02:04 1ht8qQ-0005Oy-HD H=(baron.tryimmoredfe.world) [67.198.188.215]:60033 F=<6752-26-981051-1766-user=example.com@mail.tryimmoredfe.world> rejected after DATA: "The mail server detected your message as spam and has prevented delivery (50)."
2019-08-01 06:54:26 1htBXA-00008g-Ky H=(clarke.resturtived.world) [67.198.188.216]:54497 F=<6761-26-981051-1768-user=example.com@mail.resturtived.world> rejected after DATA: "The mail server detected your message as spam and has prevented delivery (50)."
2019-08-01 09:27:16 1htDv9-0003By-Cr H=mta4.loomingbrexit.xyz (newark.windowpanning.xyz) [67.198.188.213]:53527 F=<6766-26-981051-1765-user=example.com@mail.windowpanning.xyz> rejected after DATA: "The mail server detected your message as spam and has prevented delivery (50)."
2019-08-01 10:29:09 1htEsq-0004F4-41 H=(clarke.resturtived.world) [67.198.188.216]:58155 F=<6773-26-981051-1768-user=example.com@mail.resturtived.world> rejected after DATA: "The mail server detected your message as spam and has prevented delivery (50)."
This approach won't block the first one, but it will catch subsequent ones.

Why filter spam when you can block it? ;)
BallyBasic79
Junior Member
Posts: 79
Joined: 22 Aug 2019, 21:43


Block SMTP Probes.

The following custom REGEX rules are designed to block the IP of probes on your SMTP. Check the exact verbiage of your log entries. Adjust trigger and temp/perm result to taste.
Code:
# dropped: too many unrecognized commands
# 1 try; 1 day ban
# CUSTOM1_LOG = "/var/log/exim_rejectlog"
# Works on CentOS6/7, exim MTA, cPanel

	if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^.*SMTP call from \S+\s+\[(\S+)\]:\d+\s+dropped: too many unrecognized commands .*/)) {
		return ("Dropped: too many unrecognized commands from",$1,"dropped_commands","1","","86400");
	}

# dropped: too many syntax or protocol errors

	if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^.*SMTP call from.*\s+\[(\S+)\]:\d+\s+dropped: too many syntax or protocol errors .*/)) {
		return ("Dropped: too many syntax or protocol errors from",$1,"dropped_commands","1","","86400");
	}

Blocks entries such as:
2019-08-27 08:14:10 SMTP call from scan-42.security.ipip.net [139.162.99.243]:54776 dropped: too many unrecognized commands (last was "Pragma: no-cache")
2019-08-28 12:00:42 SMTP call from [107.170.202.120]:52594 dropped: too many syntax or protocol errors (last command was "\001??S?\005?\005\001?????")
BallyBasic79
Junior Member
Posts: 79
Joined: 22 Aug 2019, 21:43


Weed Out WP Whackers

This custom rule immediately blocks any machine probing for wp-login.php or xmlrpc.php.

Note: If you actually have a WP site, make sure that your IP is maintained in csf.ignore so you don't get blocked yourself.
Code:
# 1 try; 1 day ban
# CUSTOM3_LOG = "/etc/apache2/logs/error_log"
# Works on CentOS6/7, Apache, cPanel

	if (($globlogs{CUSTOM3_LOG}{$lgfile}) and ($line =~ /^.*\[client (\S+):\d+\].*(wp-login|xmlrpc).*/)) {
		return ("WP whacker",$1,"WP_whacker","1","","86400");
	}

Matches:
Oct 6 01:41:46 server lfd[14540]: (WP_whacker) WP whacker 162.214.20.79 (US/United States/Utah/Provo/server.iltc.edu.sa/[AS46606 Unified Layer]): 1 in the last 86400 secs - *Blocked in csf* for 86400 secs [LF_CUSTOMTRIGGER]
Oct 6 01:49:56 server lfd[14795]: (WP_whacker) WP whacker 184.73.167.121 (US/United States/Virginia/Ashburn/ec2-184-73-167-121.compute-1.amazonaws.com/[AS14618 Amazon.com, Inc.]): 1 in the last 86400 secs - *Blocked in csf* for 86400 secs [LF_CUSTOMTRIGGER]
Oct 6 07:38:29 server lfd[27150]: (WP_whacker) WP whacker 46.101.119.30 (DE/Germany/Hesse/Frankfurt am Main/-/[AS14061 DigitalOcean, LLC]): 1 in the last 86400 secs - *Blocked in csf* for 86400 secs [LF_CUSTOMTRIGGER]
BallyBasic79
Junior Member
Posts: 79
Joined: 22 Aug 2019, 21:43


404 Forever? Nope.

These custom rules block IPs continually probing for sensitive pages that are missed by other methods. Be sure to check the syntax of your logs.
Code:
# Works on CentOS6/7, Apache, cPanel
# file crawler
# 2 try; 1 day ban
# CUSTOM3_LOG = "/etc/apache2/logs/error_log"

	if (($globlogs{CUSTOM3_LOG}{$lgfile}) and ($line =~ /^.*\[client (\S+):\d+\].*(File does not exist).*/)) {
		return ("Crawling: $2",$1,"file_crawler","2","","86400");
	}

# URI crawler
# 2 try; 1 day ban
# CUSTOM3_LOG = "/etc/apache2/logs/error_log"

	if (($globlogs{CUSTOM3_LOG}{$lgfile}) and ($line =~ /^.*\[client (\S+):\d+\].*(Invalid URI in request).*/)) {
		return ("Crawling: $2",$1,"uri_crawler","2","","86400");
	}

# script crawler
# 2 try; 1 day ban
# CUSTOM3_LOG = "/etc/apache2/logs/error_log"

	if (($globlogs{CUSTOM3_LOG}{$lgfile}) and ($line =~ /^.*\[client (\S+):\d+\].*(script not found).*/)) {
		return ("Crawling: $2",$1,"script_crawler","2","","86400");
	}
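A way to check all seven rules from the four posts above against log lines before dropping them into regex.custom.pr (an added example, not code from the thread or from csf): the Perl patterns are copied verbatim into Python's re, and lfd's handling of the returned tuple, the trigger count, the ban length and the csf.ignore list, is modelled in a few lines. The exim lines are the ones quoted in the posts; the Apache error_log lines, the site-owner address 198.51.100.7 and the csf.ignore stand-in are constructed for the example.

```python
import re
# All seven rules from this thread, ported verbatim (only regex syntax Python's re shares) and keyed
# by the log their $globlogs{CUSTOMx_LOG}{$lgfile} guard names; tuple = description, name, trigger, ban seconds.
RULES = {
    "CUSTOM1_LOG": [  # /var/log/exim_rejectlog
        (r"^.*\[(\S+)\]:\d+\s+.*mail server detected your message as spam.*", "Junkmail sender", "junkmailer", 1, 259200),
        (r"^.*SMTP call from \S+\s+\[(\S+)\]:\d+\s+dropped: too many unrecognized commands .*", "Dropped: too many unrecognized commands from", "dropped_commands", 1, 86400),
        (r"^.*SMTP call from.*\s+\[(\S+)\]:\d+\s+dropped: too many syntax or protocol errors .*", "Dropped: too many syntax or protocol errors from", "dropped_commands", 1, 86400),
    ],
    "CUSTOM3_LOG": [  # /etc/apache2/logs/error_log; first match wins, so order matters
        (r"^.*\[client (\S+):\d+\].*(wp-login|xmlrpc).*", "WP whacker", "WP_whacker", 1, 86400),
        (r"^.*\[client (\S+):\d+\].*(File does not exist).*", "Crawling: $2", "file_crawler", 2, 86400),
        (r"^.*\[client (\S+):\d+\].*(Invalid URI in request).*", "Crawling: $2", "uri_crawler", 2, 86400),
        (r"^.*\[client (\S+):\d+\].*(script not found).*", "Crawling: $2", "script_crawler", 2, 86400),
    ],
}

# Exim lines are quoted from the posts above; the Apache lines are constructed (198.51.100.7 is the site owner).
ENTRIES = [
    ("CUSTOM1_LOG", r'2019-08-01 04:02:04 1ht8qQ-0005Oy-HD H=(baron.tryimmoredfe.world) [67.198.188.215]:60033 F=<6752-26-981051-1766-user=example.com@mail.tryimmoredfe.world> rejected after DATA: "The mail server detected your message as spam and has prevented delivery (50)."'),
    ("CUSTOM1_LOG", r'2019-08-27 08:14:10 SMTP call from scan-42.security.ipip.net [139.162.99.243]:54776 dropped: too many unrecognized commands (last was "Pragma: no-cache")'),
    ("CUSTOM3_LOG", "[Sun Oct 06 01:41:46.000 2019] [core:info] [pid 1] [client 203.0.113.5:51234] File does not exist: /home/site/public_html/wp-login.php"),
    ("CUSTOM3_LOG", "[Sun Oct 06 01:41:47.000 2019] [core:info] [pid 1] [client 198.51.100.7:40001] File does not exist: /home/site/public_html/xmlrpc.php"),
    ("CUSTOM3_LOG", "[Sun Oct 06 01:42:00.000 2019] [core:info] [pid 1] [client 203.0.113.9:51300] File does not exist: /home/site/public_html/.env"),
    ("CUSTOM3_LOG", "[Sun Oct 06 01:42:01.000 2019] [core:info] [pid 1] [client 203.0.113.9:51301] File does not exist: /home/site/public_html/backup.zip"),
    ("CUSTOM3_LOG", "[Sun Oct 06 01:42:02.000 2019] [cgi:error] [pid 1] [client 2001:db8::42:51302] script not found or unable to stat: /home/site/cgi-bin/test.cgi"),
]
CSF_IGNORE = {"198.51.100.7"}  # stand-in for csf.ignore, as the WP post advises

def match_rule(log, line):
    """First matching rule for this log, as (description, ip, name, trigger, ban_seconds), else None."""
    for pattern, desc, name, trigger, ban in RULES.get(log, []):
        m = re.match(pattern, line)
        if m:  # Perl's $2 in the description becomes the second capture group
            return (m.expand(desc.replace("$2", r"\2")), m.group(1), name, trigger, ban)
    return None

def process(entries, ignore=CSF_IGNORE):
    """lfd model: skip csf.ignore addresses, count hits per (rule, ip), block at the trigger count (no time window)."""
    counts, blocks = {}, []
    for log, line in entries:
        hit = match_rule(log, line)
        if hit is None or hit[1] in ignore:
            continue
        desc, ip, name, trigger, ban = hit
        counts[(name, ip)] = counts.get((name, ip), 0) + 1
        if counts[(name, ip)] == trigger:
            blocks.append((ip, name, desc, ban))
    return blocks
```

Rule order matters: lfd returns on the first match, so with the WP rule listed first a 404 for wp-login.php is blocked after one try as a WP whacker rather than after two as a file crawler.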