Ubuntu 20.04 - Virtualmin - SASL Regex Not Working?

wira_soenaryo
Junior Member
Posts: 1
Joined: 15 Jul 2022, 02:44

Post by wira_soenaryo »

Hello,

I'm using Virtualmin and CSF on my Ubuntu 20.04 server.
Recently I've been getting a lot of "SASL LOGIN authentication failed: authentication failure" attacks on my server.
I want to set up a custom regex to stop this.

I added my mail.log as a custom log in /etc/csf/csf.conf

Code:

# Log file locations
#
# File globbing is allowed for the following logs. However, be aware that the
# more files lfd has to track, the greater the performance hit
#
# Note: File globs are only evaluated when lfd is started
#
HTACCESS_LOG = "/var/log/apache2/error.log"
MODSEC_LOG = "/var/log/apache2/error.log"
SSHD_LOG = "/var/log/auth.log"
SU_LOG = "/var/log/syslog"
SUDO_LOG = "/var/log/secure"
FTPD_LOG = "/var/log/syslog"
SMTPAUTH_LOG = "/var/log/secure"
POP3D_LOG = "/var/log/mail.log"
IMAPD_LOG = "/var/log/mail.log"
IPTABLES_LOG = "/var/log/syslog"
SUHOSIN_LOG = "/var/log/syslog"
BIND_LOG = "/var/log/syslog"
SYSLOG_LOG = "/var/log/syslog"
WEBMIN_LOG = "/var/log/auth.log"

CUSTOM1_LOG = "/var/log/mail.log"
CUSTOM2_LOG = "/var/log/customlog"
CUSTOM3_LOG = "/var/log/customlog"
CUSTOM4_LOG = "/var/log/customlog"
CUSTOM5_LOG = "/var/log/customlog"
CUSTOM6_LOG = "/var/log/customlog"
CUSTOM7_LOG = "/var/log/customlog"
CUSTOM8_LOG = "/var/log/customlog"
CUSTOM9_LOG = "/var/log/customlog"
Here is my custom regex in /usr/local/csf/bin/regex.custom.pm

Code:

if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =/^\S+\s+\d+\s+\S+ \S+ postfix\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]*? authentication failed/)) {
           return ("Failed SASL login from $1",$1,"mysaslmatch","1","","3600","0");
}
Sample of the mail.log file

Code:

Jul 15 03:49:01 mars postfix/smtpd[920563]: warning: unknown[5.34.207.222]: SASL LOGIN authentication failed: authentication failure
Jul 15 03:49:02 mars postfix/smtpd[920563]: disconnect from unknown[5.34.207.222] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 15 03:49:04 mars postfix/smtpd[920545]: warning: unknown[87.246.7.215]: SASL LOGIN authentication failed: authentication failure
Jul 15 03:49:05 mars postfix/smtpd[920563]: connect from unknown[5.34.207.222]
Jul 15 03:49:06 mars postfix/smtpd[920545]: disconnect from unknown[87.246.7.215] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 15 03:49:07 mars postfix/smtpd[920557]: warning: unknown[5.34.207.222]: SASL LOGIN authentication failed: authentication failure
Jul 15 03:49:07 mars postfix/smtpd[911228]: warning: unknown[87.246.7.247]: SASL LOGIN authentication failed: authentication failure
Jul 15 03:49:08 mars postfix/smtpd[920557]: disconnect from unknown[5.34.207.222] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 15 03:49:08 mars postfix/smtpd[911228]: disconnect from unknown[87.246.7.247] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 15 03:49:10 mars postfix/smtpd[920545]: connect from unknown[5.34.207.222]
Jul 15 03:49:11 mars postfix/smtpd[920557]: warning: hostname net6-ip215.linkbg.com does not resolve to address 87.246.7.215: Name or service not known
Jul 15 03:49:11 mars postfix/smtpd[920557]: connect from unknown[87.246.7.215]
Jul 15 03:49:11 mars postfix/smtpd[910870]: warning: hostname ip247.tervelnet.com does not resolve to address 87.246.7.247: Name or service not known
Jul 15 03:49:11 mars postfix/smtpd[910870]: connect from unknown[87.246.7.247]
Jul 15 03:49:12 mars postfix/smtpd[920563]: warning: unknown[5.34.207.222]: SASL LOGIN authentication failed: authentication failure
Jul 15 03:49:13 mars postfix/smtpd[920563]: disconnect from unknown[5.34.207.222] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 15 03:49:16 mars postfix/smtpd[920563]: connect from unknown[5.34.207.222]
Jul 15 03:49:17 mars postfix/smtpd[920545]: warning: unknown[5.34.207.222]: SASL LOGIN authentication failed: authentication failure
Jul 15 03:49:18 mars postfix/smtpd[920545]: disconnect from unknown[5.34.207.222] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 15 03:49:19 mars postfix/smtpd[910870]: warning: unknown[87.246.7.247]: SASL LOGIN authentication failed: authentication failure
Jul 15 03:49:20 mars postfix/smtpd[910870]: disconnect from unknown[87.246.7.247] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 15 03:49:21 mars postfix/smtpd[920545]: connect from unknown[5.34.207.222]
Jul 15 03:49:22 mars postfix/smtpd[910634]: warning: hostname ip247.tervelnet.com does not resolve to address 87.246.7.247: Name or service not known
Jul 15 03:49:22 mars postfix/smtpd[910634]: connect from unknown[87.246.7.247]
Jul 15 03:49:22 mars postfix/smtpd[920557]: warning: unknown[87.246.7.215]: SASL LOGIN authentication failed: authentication failure
Jul 15 03:49:22 mars postfix/smtpd[920563]: warning: unknown[5.34.207.222]: SASL LOGIN authentication failed: authentication failure
Jul 15 03:49:23 mars postfix/smtpd[920563]: disconnect from unknown[5.34.207.222] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 15 03:49:23 mars postfix/smtpd[920557]: disconnect from unknown[87.246.7.215] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 15 03:49:27 mars postfix/smtpd[920563]: connect from unknown[5.34.207.222]
Jul 15 03:49:28 mars postfix/smtpd[920545]: warning: unknown[5.34.207.222]: SASL LOGIN authentication failed: authentication failure
Jul 15 03:49:29 mars postfix/smtpd[920557]: warning: hostname net6-ip215.linkbg.com does not resolve to address 87.246.7.215: Name or service not known
Jul 15 03:49:29 mars postfix/smtpd[920557]: connect from unknown[87.246.7.215]
Jul 15 03:49:29 mars postfix/smtpd[920545]: disconnect from unknown[5.34.207.222] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 15 03:49:32 mars postfix/smtpd[910634]: warning: unknown[87.246.7.247]: SASL LOGIN authentication failed: authentication failure
Jul 15 03:49:32 mars postfix/smtpd[920545]: connect from unknown[5.34.207.222]
Jul 15 03:49:32 mars postfix/smtpd[910634]: disconnect from unknown[87.246.7.247] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 15 03:49:33 mars postfix/smtpd[920563]: warning: unknown[5.34.207.222]: SASL LOGIN authentication failed: authentication failure
Jul 15 03:49:33 mars postfix/smtpd[920563]: disconnect from unknown[5.34.207.222] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 15 03:49:34 mars postfix/smtpd[910398]: warning: hostname ip247.tervelnet.com does not resolve to address 87.246.7.247: Name or service not known
Jul 15 03:49:34 mars postfix/smtpd[910398]: connect from unknown[87.246.7.247]
Jul 15 03:49:38 mars postfix/smtpd[920563]: connect from unknown[5.34.207.222]
Jul 15 03:49:39 mars postfix/smtpd[920545]: warning: unknown[5.34.207.222]: SASL LOGIN authentication failed: authentication failure
Jul 15 03:49:40 mars postfix/smtpd[920545]: disconnect from unknown[5.34.207.222] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 15 03:49:41 mars postfix/smtpd[920557]: warning: unknown[87.246.7.215]: SASL LOGIN authentication failed: authentication failure
Jul 15 03:49:43 mars postfix/smtpd[920545]: connect from unknown[5.34.207.222]
Jul 15 03:49:43 mars postfix/smtpd[920557]: disconnect from unknown[87.246.7.215] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 15 03:49:44 mars postfix/smtpd[910398]: warning: unknown[87.246.7.247]: SASL LOGIN authentication failed: authentication failure
Jul 15 03:49:44 mars postfix/smtpd[910398]: disconnect from unknown[87.246.7.247] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 15 03:49:45 mars postfix/smtpd[920563]: warning: unknown[5.34.207.222]: SASL LOGIN authentication failed: authentication failure
Jul 15 03:49:46 mars postfix/smtpd[920563]: disconnect from unknown[5.34.207.222] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 15 03:49:46 mars postfix/smtpd[910923]: warning: hostname ip247.tervelnet.com does not resolve to address 87.246.7.247: Name or service not known
Jul 15 03:49:46 mars postfix/smtpd[910923]: connect from unknown[87.246.7.247]
Jul 15 03:49:48 mars postfix/smtpd[920557]: warning: hostname net6-ip215.linkbg.com does not resolve to address 87.246.7.215: Name or service not known
Jul 15 03:49:48 mars postfix/smtpd[920557]: connect from unknown[87.246.7.215]
Jul 15 03:49:48 mars postfix/anvil[910404]: statistics: max connection rate 12/60s for (smtp:5.34.207.222) at Jul 15 08:40:47
Jul 15 03:49:48 mars postfix/anvil[910404]: statistics: max connection count 2 for (smtp:5.34.207.222) at Jul 15 08:39:48
Jul 15 03:49:48 mars postfix/smtpd[920563]: connect from unknown[5.34.207.222]
Jul 15 03:49:50 mars postfix/smtpd[920545]: warning: unknown[5.34.207.222]: SASL LOGIN authentication failed: authentication failure
I have checked the regex on https://regex101.com/ and it all seems correct.
But it's not catching the SASL failures in mail.log. May I know what's wrong?

Do we need to change any specific setting in CSF to make custom logs work?
For example
* LF_TRIGGER has to be 0
* LF_SELECT has to be enabled

Is that right?
Thank You.
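A way to check the posted pattern against the log excerpt outside of lfd, added here as an example and not code from the thread or from CSF: Python's `re` accepts the pattern verbatim, so it can be run over the sample lines and the failures counted per client IP, which is the detection step the custom rule is meant to perform. One Perl detail this exercise makes visible: a regex is applied to a variable with the binding operator `=~`; written as `$line = /.../`, Perl matches `$_` and assigns the result to `$line`. The sample lines below are constructed from the excerpt in the post, with one RFC 3339-timestamped line of my own appended, and `RELAXED_PATTERN` is my own variant that drops the anchored traditional-timestamp prefix; neither is from the thread.

```python
import re
from collections import Counter

# The pattern from the post, verbatim; Perl and Python share this regex syntax.
POSTED_PATTERN = re.compile(
    r'^\S+\s+\d+\s+\S+ \S+ postfix/smtpd\[\d+\]: warning:.*'
    r'\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]*? authentication failed'
)

# Assumed variant (mine, not from the thread or CSF): it does not anchor on the
# traditional "Mon DD HH:MM:SS host" prefix, so it also matches RFC 3339 timestamps
# and the PLAIN/LOGIN mechanism name regardless of case.
RELAXED_PATTERN = re.compile(
    r'postfix/smtpd\[\d+\]: warning: \S+?\[(\d+\.\d+\.\d+\.\d+)\]: '
    r'SASL \S+ authentication failed'
)

# Constructed sample: lines modelled on the mail.log excerpt in the post, plus a
# final line with an RFC 3339 timestamp that is not in the post.
SAMPLE_LOG = """\
Jul 15 03:49:01 mars postfix/smtpd[920563]: warning: unknown[5.34.207.222]: SASL LOGIN authentication failed: authentication failure
Jul 15 03:49:02 mars postfix/smtpd[920563]: disconnect from unknown[5.34.207.222] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jul 15 03:49:04 mars postfix/smtpd[920545]: warning: unknown[87.246.7.215]: SASL LOGIN authentication failed: authentication failure
Jul 15 03:49:07 mars postfix/smtpd[911228]: warning: unknown[87.246.7.247]: SASL LOGIN authentication failed: authentication failure
Jul 15 03:49:11 mars postfix/smtpd[920557]: warning: hostname net6-ip215.linkbg.com does not resolve to address 87.246.7.215: Name or service not known
Jul 15 03:49:12 mars postfix/smtpd[920563]: warning: unknown[5.34.207.222]: SASL LOGIN authentication failed: authentication failure
Jul 15 03:49:22 mars postfix/smtpd[920563]: warning: unknown[5.34.207.222]: SASL LOGIN authentication failed: authentication failure
Jul 15 03:49:48 mars postfix/anvil[910404]: statistics: max connection rate 12/60s for (smtp:5.34.207.222) at Jul 15 08:40:47
2022-07-15T03:49:55.000000+00:00 mars postfix/smtpd[920545]: warning: unknown[5.34.207.222]: SASL LOGIN authentication failed: authentication failure
"""


def extract_ip(line, pattern=POSTED_PATTERN):
    """Return the client IP if the line is a SASL authentication failure, else None.

    This mirrors what the $1 capture in the custom rule would hold on a match.
    """
    match = pattern.search(line)
    return match.group(1) if match else None


def count_failures(log_text, pattern=POSTED_PATTERN):
    """Count SASL authentication failures per client IP over a block of log text."""
    counts = Counter()
    for line in log_text.splitlines():
        ip = extract_ip(line, pattern)
        if ip:
            counts[ip] += 1
    return counts


def over_threshold(counts, trigger):
    """IPs whose failure count reached the trigger, sorted for stable output.

    The trigger value is a threshold of our own choosing for this example.
    """
    return sorted(ip for ip, n in counts.items() if n >= trigger)


if __name__ == "__main__":
    for name, pattern in (("posted", POSTED_PATTERN), ("relaxed", RELAXED_PATTERN)):
        counts = count_failures(SAMPLE_LOG, pattern)
        print(f"{name}: {dict(counts)} -> over threshold: {over_threshold(counts, 3)}")
```

Run as a script, it reports the per-IP counts for both patterns: the posted pattern sees five failures and skips the RFC 3339 line because its `^\S+\s+\d+\s+\S+ \S+` prefix expects the traditional `Jul 15 03:49:01 mars` form, while the relaxed pattern sees six. Before relying on any rule in regex.custom.pm, it is worth confirming in this way that the timestamp format rsyslog actually writes matches the prefix the rule is anchored on.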
Sergio
Junior Member
Posts: 1687
Joined: 12 Dec 2006, 14:56

Re: Ubuntu 20.04 - Virtualmin - SASL Regex Not Working?

Post by Sergio »

Usually when I write a custom filter I start the rule using:
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line
As you can see, I use the operand "eq" between the variables.

In your case I don't see any operand:
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line
Regards,
Sergio