Custom REGEX rules for CSF.

46 posts Page 5 of 5
Bosen
Junior Member
Posts: 1
Joined: 05 Jan 2018, 18:45


CUSTOM2_LOG = "/usr/local/assp/maillog.txt"

if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^\S+\s+\S+\s+\S+\s+(\S+)\s+info: found invalid helo 'ylmf-pc'/)) {
        # The ports field is assumed here (the SMTP ports used elsewhere in this thread);
        # the rule as originally posted returned only five values, one short of the six lfd expects
        return ("smtp_auth attack",$1,"SecmasYLMF","1","25,465,587","1");
}
ethical wrote (06 Apr 2017, 18:51):
Hi Sergio

Very helpful thread. Do you know how I could adjust the script to work with ASSP and Exim? I have a cPanel server with the ASSP spam filtering proxy sitting in front of Exim.

Thanks!
John
iodisciple
Junior Member
Posts: 33
Joined: 09 Jan 2018, 12:52


Block brute-force failed SASL attempts. Debian 9, Dovecot/Postfix server.

Error:
Feb 16 08:13:32 mail02 postfix/submission/smtpd[4312]: warning: unknown[85.219.80.99]: SASL PLAIN authentication failed:

Edit in /etc/csf/csf.conf:
CUSTOM1_LOG = "/var/log/mail.log"

Regular expression in /usr/local/csf/bin/regex.custom.pm:
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/submission\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]*? authentication failed/)) {
    return ("Failed SASL login from",$1,"mysaslmatch","10","25,465,587","1");
}

Permanently blocks an IP after 10 failed SASL attempts.
JoeAndroidDeveloper
Junior Member
Posts: 1
Joined: 26 Feb 2018, 09:48


Thanks for your guidelines.
keat63
Junior Member
Posts: 66
Joined: 17 Dec 2014, 14:50


Using Host Access Control in WHM, it's possible to restrict cPanel login to a specific IP or range of IPs.
However, any unauthorised login attempt will generate the following warning: "Dropping connection from xxx.xxx.xxx.xxx because of tcp_wrappers at cpsrvd.pl line ####"
There are no restrictions on how many times the unauthorised person or bot can try.

The following regex will block these unauthorised attempts after 5 failed tries.

In /etc/csf/csf.conf at about line 2600 add:
CUSTOM1_LOG = "/usr/local/cpanel/logs/error_log"

In /usr/local/csf/bin/regex.custom.pm add:
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^Dropping connection from (\S+) because of tcp_wrappers/)) {
    return ("5 cPanel login attempts from IP not in Host Access Control list",$1,"hammer_4","5","2077,2078,2082,2083,2086,2087,2095,2096","1");
}

Restart csf and lfd.

I cannot take any credit for this; the regex was kindly created by fuzzylogic on the cPanel forum.
panel123
Junior Member
Posts: 4
Joined: 20 Dec 2017, 14:45


I am very happy with this post. Thank you for sharing this.
panel123
Junior Member
Posts: 4
Joined: 20 Dec 2017, 14:45


Custom regex rules for CSF/LFD and NginX plus Wordpress fail2ban plugin
#!/usr/bin/perl
###############################################################################
# Copyright 2006-2015, Way to the Web Limited
# URL:
# Email:
###############################################################################
sub custom_line {
my $line = shift;
my $lgfile = shift;
# Do not edit before this point
###############################################################################
#
# Custom regex matching can be added to this file without it being overwritten
# by csf upgrades. The format is slightly different to regex.pm to cater for
# additional parameters. You need to specify the log file that needs to be
# scanned for log line matches in csf.conf under CUSTOMx_LOG. You can scan up
# to 9 custom logs (CUSTOM1_LOG .. CUSTOM9_LOG)
#
# The regex matches in this file will supersede the matches in regex.pm
#
# Example:
# if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ pure-ftpd: \(\?\@(\d+\.\d+\.\d+\.\d+)\) \[WARNING\] Authentication failed for user/)) {
# return ("Failed myftpmatch login from",$1,"myftpmatch","5","20,21","1");
# }
#
# The return values from this example are as follows:
#
# "Failed myftpmatch login from" = text for custom failure message
# $1 = the offending IP address
# "myftpmatch" = a unique identifier for this custom rule, must be alphanumeric and have no spaces
# "5" = the trigger level for blocking
# "20,21" = the ports to block the IP from in a comma separated list, only used if LF_SELECT enabled. To specify the protocol use 53;udp,53;tcp
# "1" = n/temporary (n = number of seconds to temporarily block) or 1/permanent IP block, only used if LF_TRIGGER is disabled


# NginX security rules trigger (Default: 4 errors bans for 24 hours)
# Catch ip that attempts to access a URL that is forbidden by NginX rules
# In the nginx error log the client address is followed by a comma, so the
# capture must stop before it or the returned value is not a valid IP
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /access forbidden by rule, client: ([^,\s]+),/)) {
    return ("NGINX Security rule triggered from",$1,"nginx_security","4","80,443","86400");
}

# NginX 404 errors (Default: 4 errors bans for 24 hours)
# Catch ip that accesses non-existent files and directories
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /No such file or directory\), client: ([^,\s]+),/)) {
    return ("NGINX Security rule triggered from",$1,"nginx_404s","4","80,443","86400");
}

# Trying to download htaccess or htpasswd (Default: 1 error bans for 24 hours)
# The IP is the second capture group here, hence $2 below
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /\.(htpasswd|htaccess).*client: ([^,\s]+),.*GET/)) {
    return ("Trying to download .ht files",$2,"nginx_htfiles","1","80,443","86400");
}

# Wordpress fail2ban plugin (Default: 2 errors bans for 24 hours)
# The address is captured as a single token rather than "everything up to a
# newline", so the match does not depend on lfd leaving the line ending in place
if (($globlogs{SYSLOG_LOG}{$lgfile}) and ($line =~ /Authentication attempt for unknown user .* from (\S+)/)) {
    return ("Wordpress unknown user from",$1,"fail2ban_unknownuser","2","80,443","86400");
}

# Wordpress fail2ban plugin (Default: 2 errors bans for 24 hours)
if (($globlogs{SYSLOG_LOG}{$lgfile}) and ($line =~ /Blocked user enumeration attempt from (\S+)/)) {
    return ("WordPress user enumeration attempt from",$1,"fail2ban_userenum","2","80,443","86400");
}

# Wordpress fail2ban plugin (Default: 2 errors bans for 24 hours)
if (($globlogs{SYSLOG_LOG}{$lgfile}) and ($line =~ /Pingback error .* generated from (\S+)/)) {
    return ("WordPress pingback error",$1,"fail2ban_pingback","2","80,443","86400");
}

# Wordpress fail2ban plugin (Default: 2 errors bans for 24 hours)
if (($globlogs{SYSLOG_LOG}{$lgfile}) and ($line =~ /Spammed comment from (\S+)/)) {
    return ("WordPress spam comments from",$1,"fail2ban_spam","2","80,443","86400");
}

# Wordpress fail2ban plugin (Default: 5 errors bans for 24 hours)
if (($globlogs{SYSLOG_LOG}{$lgfile}) and ($line =~ /XML-RPC multicall authentication failure (\S+)/)) {
    return ("WordPress XML-RPC multicall fail from",$1,"fail2ban_xmlrpc","5","80,443","86400");
}


# If the matches in this file are not syntactically correct for perl then lfd
# will fail with an error. You are responsible for the security of any regex
# expressions you use. Remember that log file spoofing can exploit poorly
# constructed regex's
###############################################################################
# Do not edit beyond this point

return 0;
}

1;
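As an added example (not code from this thread or from csf), a stand-alone Perl harness that runs a custom_line() rule over constructed log lines before the rule goes into /usr/local/csf/bin/regex.custom.pm: it takes the postfix SASL rule and the failed-login line from iodisciple's post above, and the same harness checks the nginx and WordPress rules in the file above by swapping in the rule and a matching sample line. The %globlogs stand-in and the sample lines are constructed for the test; a rule that does not compile stops lfd, and a capture that keeps a trailing comma or bracket is not a valid address.

```perl
#!/usr/bin/perl
# Added example, not part of the thread or of csf: run a custom_line() rule
# against constructed log lines before installing it in regex.custom.pm.
use strict;
use warnings;

# Stand-in for the hash lfd fills from csf.conf (constructed for this test).
my %globlogs = (CUSTOM1_LOG => { "/var/log/mail.log" => 1 });

# Rule under test: the postfix SASL rule from iodisciple's post, unchanged.
sub custom_line {
    my ($line, $lgfile) = @_;
    if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/submission\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]*? authentication failed/)) {
        return ("Failed SASL login from",$1,"mysaslmatch","10","25,465,587","1");
    }
    return 0;
}

# Constructed cases: [log file, line, IP the rule should return (undef = no match)].
# 1: the failure line quoted in the post; 2: a successful login that must not
# match; 3: the same failure in a file the rule is not configured for.
my @cases = (
    ["/var/log/mail.log", "Feb 16 08:13:32 mail02 postfix/submission/smtpd[4312]: warning: unknown[85.219.80.99]: SASL PLAIN authentication failed:", "85.219.80.99"],
    ["/var/log/mail.log", "Feb 16 08:13:40 mail02 postfix/submission/smtpd[4312]: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=alice", undef],
    ["/var/log/syslog",   "Feb 16 08:13:32 mail02 postfix/submission/smtpd[4312]: warning: unknown[85.219.80.99]: SASL PLAIN authentication failed:", undef],
);

my $failures = 0;
for my $c (@cases) {
    my ($lgfile, $line, $want) = @$c;
    my @r = custom_line($line, $lgfile);
    # No match returns the scalar 0; a match returns the six fields, IP second.
    my $got = (@r == 6) ? $r[1] : undef;
    # A captured IP must be exactly the address, with no trailing comma or bracket.
    my $ok = defined $want ? (defined $got && $got eq $want) : !defined $got;
    $failures++ unless $ok;
    printf "%s %-40.40s => %s\n", ($ok ? "PASS" : "FAIL"), $line,
        defined $got ? "would block $got" : "no match";
}
print "$failures failing case(s)\n";
exit($failures ? 1 : 0);
```

Run it with perl; `perl -c /usr/local/csf/bin/regex.custom.pm` is a quick syntax check of the live file for the compile errors the file header warns about.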