Help with custom regex rules

firewallman
Junior Member
Posts: 27
Joined: 10 Apr 2007, 21:24

Help with custom regex rules

Post by firewallman »

I just can not get the custom regex rules to work for me. I look in the CSF ip deny section and no IP's are ever blocked due to the rules below. Any help is appreciated. I missed something, just don't know what.

OS: CENTOS 5.11 x86_64 xenhvm
WHM 11.48.4 (build 4)
CSF: v7.69

I have used the custom regex rules posted by Sergio in this thread:
viewtopic.php?f=6&t=7517

I copied and pasted them into /usr/local/csf/bin/regex.custom.pm, below is what I added to that file (between the do not edit before this point and do not edit beyond this point notations):

Code: Select all

# REGEX to block bots that looks for wrong SETID. Below to block all the IPs that comes to the server checking for setids that don't exist

   if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /\S+\s+\S+\s+dovecot_login authenticator failed for \(\[?\S+\]?\) \[(\S+)\]:\d+: \d+ Incorrect authentication data \(set_id=(a|aaaaaa|aamaro|aaron|abc1?2?3?|abel?|access|accounti?n?g?s?|acer?|b?e?s?admi?n?|administracion1|advent|advertising|agency|antigua|apple|asus|avahi|bank|ba?c?kupe?p?p?c?x?e?c?|bbuser|benq|biblioteca|bill|business|bux|carlos|charles|ciclobasico|clamav|clevo|clients?|comenta?|compaq|confirm|confixx|consult|contactu?s?|controller|copier|customer|cvsadmin|cvsroot|cyrus|daemon|data|david|dbadmin|demo|dell|dialer|director|dnscache|doctor|doel|download|drweb|edi|edition|edu|esalguero|estudioazurdia|everest|expe?o?rt|falcon|fax|finance|franciscos|ftp|ftpuser|fujitsu|games|gigabyte|gonzalo.mejia|guest|helpdesk|holding|home|hp|ibm|ice|iloveyou|imac|info|install|internet|iphone|jabber|jc|jefaturaventas|jeremy|jgarcia|job|john|jorge|jude|kattytoc|kim|laboratorio|ldap|lenovo|lsarmiento|lschoenstedt|manager|margarita|marketing|monkey|mpalma|municipal|multimedia|news|newsletter|nobody|office|pastores|pos|postmaster|princess|printer|PXF.info|reception|sales|samsung|scann?e?r?|security|shadow|shop|spam|student|sunshine|support|sys|tech|temp|test1?u?s?e?r?|toshiba|training|user1?s?|wzarate|xerox)\)/))  {
      return ("smtp_auth attack",$1,"SecmasSETID","1","1");
   }

# REGEX to block bounced spammers that search emails. Below will block IPs that generates 1 bounce when sending email to accounts that doesn't exist on the server and the From address is nill.

   if (($lgfile eq $config{SMTPAUTH_LOG}) and ($line =~ /\S+\s+\S+\s+H=\S+\s+\[(\S+)\]:\d+\s+F=\<\>\s+rejected RCPT \S+: No Such User Here/))  {
      return ("Bounced messages",$1,"SecmasBOUNCE","1","1");
   }

# REGEX to block IPs that searchs for admin emails.

   if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /\S+\s+\S+\s+dovecot_login authenticator failed for \S+ \[(\S+)\]:\d+: 535 Incorrect authentication data \(set_id=admin\@\S+\)/))  {
      return ("smpt admin attack",$1,"SecmasADMIN","1","1");
   }



# REGEX to block IPs that uses YLMF-PC. Below to block email logins for ylmf-pc

   if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^\S+\s+\S+\s+\S+_login authenticator failed for.*\(ylmf-pc\) \[(\S+)\]/)) {
      return ("smtp_auth attack",$1,"SecmasYLMF","1","1");
   }

Other settings:
LF_SELECT=0
LF_TRIGGER=0
CUSTOM2_LOG = /var/log/exim_rejectlog

Restarted CSF and LFD.
Sergio
Junior Member
Posts: 1685
Joined: 12 Dec 2006, 14:56

Re: Help with custom regex rules

Post by Sergio »

The only thing that this doesn't work, could be that your log files don't comply with the following:
\S+\s+\S+\s+dovecot_login authenticator failed for
nor
\S+\s+\S+\s+H=\S+\s+\[(\S+)\]:\d+\s+F=\<\>\s+rejected RCPT

If you have all the CSF suite installed in your server, use the option: SEARCH SYSTEM LOGS and select /var/log/exim_rejectlog, then search for: rejected RCPT
copy 2 or 3 lines and paste them here.
firewallman
Junior Member
Posts: 27
Joined: 10 Apr 2007, 21:24

Re: Help with custom regex rules

Post by firewallman »

Thanks! Here are the last 5 lines from the /var/log/exim_rejectlog:

2015-06-08 16:33:18 [19321] H=(mx4c25.agonfears.com) [71.19.250.123]:63277 I=[69.xxx.xxx.xxx]:25 F=<info@agonfears.com> rejected RCPT <david@appraisalman.com>: "JunkMail rejected - (mx4c25.agonfears.com) [71.19.250.123]:63277 is in an RBL, see http://www.spamhaus.org/sbl/query/SBLCSS"
2015-06-08 16:34:13 [19434] H=(mxmail.doxyflong.com) [172.246.156.116]:62853 I=[69.xxx.xxx.xxx]:25 F=<no-reply@doxyflong.com> rejected RCPT <david@appraisalman.com>: "JunkMail rejected - (mxmail.doxyflong.com) [172.246.156.116]:62853 is in an RBL, see http://www.spamhaus.org/sbl/query/SBLCSS"
2015-06-08 16:34:31 [19470] H=(home.etheratge.com) [74.201.31.83]:21182 I=[69.xxx.xxx.xxx]:25 F=<goog@etheratge.com> rejected RCPT <david@appraisalman.com>: "JunkMail rejected - (home.etheratge.com) [74.201.31.83]:21182 is in an RBL, see "
2015-06-08 16:35:37 [19613] H=governmentnotice.org (federalcontractnotice.net) [69.65.45.255]:56969 I=[69.xxx.xxx.xxx]:25 F=<bounce862712.1259161@federalcontractnotice.net> rejected RCPT <dra@appraisalexperts.com>: "JunkMail rejected - governmentnotice.org (federalcontractnotice.net) [69.65.45.255]:56969 is in an RBL, see "
2015-06-08 16:36:41 [19731] H=(mx01.janefuran.com) [209.54.34.113]:23794 I=[69.xxx.xxx.xxx]:25 F=<noreply@janefuran.com> rejected RCPT <rob@nyeappraisals.com>: "JunkMail rejected - (mx01.janefuran.com) [209.54.34.113]:23794 is in an RBL, see http://www.spamhaus.org/sbl/query/SBLCSS"
Sergio
Junior Member
Posts: 1685
Joined: 12 Dec 2006, 14:56

Re: Help with custom regex rules

Post by Sergio »

Well, that rules will not work with my regex rules as the log lines are not what the rules expect.
Also, as these emails are blocked by an RBL it is not a good idea to block them in CSF.

Try to search for other log lines that are not already blocked by any RBL and post them.
firewallman
Junior Member
Posts: 27
Joined: 10 Apr 2007, 21:24

Re: Help with custom regex rules

Post by firewallman »

Sergio, thank you for your help.

Since the exim_rejectlog is a log of mail that is ALREADY rejected, wouldn't it be better to have CUSTOM2_LOG set to /var/log/exim_mainlog?

Just seems to me that would find the instances that would match the custom regex.

Am I missing something?
Sergio
Junior Member
Posts: 1685
Joined: 12 Dec 2006, 14:56

Re: Help with custom regex rules

Post by Sergio »

Well, that rule that checks over /var/log/exim_rejectlog is to look for IPs like this one:

2015-06-09 07:51:04 dovecot_login authenticator failed for (USER) [182.48.66.118]:58105: 535 Incorrect authentication data (set_id=test)

The action of this rule is to block IPs like this one that usually connects hundred of times trying to get the password of an account making the server to waste a lot of time. So, one time is so many and the IP is blocked.
firewallman
Junior Member
Posts: 27
Joined: 10 Apr 2007, 21:24

Re: Help with custom regex rules

Post by firewallman »

Okay the below is an example of what is already blocked by CSF:

2015-06-09 09:03:53 [19545] courier_login authenticator failed for sbrands.arvixevps.com (ylmf-pc) [192.169.54.249]:61377 I=[69.xxx.xxx.xxx}:25: 535 Incorrect authentication data (set_id=dale@xxxxxxxxxxxxxx.com)

That got blocked after 3 failure to smtpauth, but it was already happening before I added the custom regex.
Sergio
Junior Member
Posts: 1685
Joined: 12 Dec 2006, 14:56

Re: Help with custom regex rules

Post by Sergio »

It could be that a rule like mine was already installed, mine does exactly the same for that log line, but the difference is that the IP on mine is blocked at the first attempt:

# REGEX to block IPs that uses YLMF-PC.
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^\S+\s+\S+\s+\S+_login authenticator failed for.*\(ylmf-pc\) \[(\S+)\]/)) {
return ("smtp_auth attack",$1,"SecmasYLMF","1","1");
}

One more thing, my rule will block this:
2014-03-22 01:57:40 dovecot_login authenticator failed for (ylmf-pc) [23.31.83.109]:39370: 535 Incorrect authentication data (set_id=info)

but not this:
2015-06-09 09:03:53 [19545] courier_login authenticator failed for sbrands.arvixevps.com (ylmf-pc) [192.169.54.249]:61377 I=[69.xxx.xxx.xxx}:25: 535 Incorrect authentication data (set_id=dale@xxxxxxxxxxxxxx.com)

The difference is how the log line is written, in my log lines there is no [#####] before "\S+_login", so, the rule has to be changed a little like this:

# REGEX to block IPs that uses YLMF-PC, modified:
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^\S+\s+\S+\s+\[\S+\]\s+\S+_login authenticator failed for.*\(ylmf-pc\) \[(\S+)\]/)) {
return ("smtp_auth attack",$1,"SecmasYLMF","1","1");
}
firewallman
Junior Member
Posts: 27
Joined: 10 Apr 2007, 21:24

Re: Help with custom regex rules

Post by firewallman »

There was no rule already installed that blocked because the user was YLMF-PC. The only custom regex rules I have installed are yours, and they are listed in the first post of this thread.

CSF blocked the attempt because someone made 3 attempts to log into smtp auth and failed the login each time. I had set LF_SMTPAUTH =3 and LF_SMTPAUTH_PERM=1 in CSF settings. Which is good, it blocks them after 3 login failures, but I would like to block then in one attempt just BECAUSE the user is YLMF-PC regardless of the failed logins.

I have no users that would have YLMF-PC as an operating system so it is people trying to hack the server.

Thanks again for helping me. I will try the last regex you listed above and see what happens.
firewallman
Junior Member
Posts: 27
Joined: 10 Apr 2007, 21:24

Re: Help with custom regex rules

Post by firewallman »

Here are 3 more log lines from today from exim_rejectlog that had ylmf-pc as user:

2015-06-09 07:19:44 [9321] courier_login authenticator failed for (ylmf-pc) [104.43.205.119]:14075 I=[69.xxx.xxx.xxx]:25: 535 Incorrect authentication data (set_id=dean)
2015-06-09 08:54:15 [18206] courier_login authenticator failed for (ylmf-pc) [142.54.162.215]:63149 I=[69.xxx.xxx.xxx]:25: 535 Incorrect authentication data (set_id=d.recht)
2015-06-09 09:03:53 [19545] courier_login authenticator failed for sbrands.arvixevps.com (ylmf-pc) [192.169.54.249]:61377 I=[69.xxx.xxx.xxx]:25: 535 Incorrect authentication data (set_id=dale@lapeerappraisal.com)

Note that the last one is a little different from the first two.
Post Reply