Custom REGEX rules for CSF.

Sergio
Junior Member
Posts: 1685
Joined: 12 Dec 2006, 14:56

Re: Custom REGEX rules for CSF.

Post by Sergio »

@dascos
In $1 you are saving the full IP xxx.yyy.zzz.www because of "(\S+)", and then you save that into $ipblock, so $ipblock = "$1\.0/24" will be like xxx.yyy.zzz.www.0/24.

I think you should try this instead:

Code:

($line =~ /^(\d+\.\d+\.\d+\.).*(?:GET|HEAD...
Sergio
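The capture problem Sergio describes can be reproduced offline. The following is an added example, not code from the thread: dascos' original rule is not on the page and Sergio's corrected regex is cut off above, so both regexes here are written for this example, and the access-log line is constructed (a documentation address, not real traffic).

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed access-log line in the same combined format as the rules in this thread.
my $line = '203.0.113.45 - - [14/Apr/2022:06:52:19 +0200] "GET /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"';

# "(\S+)" returns the whole first field, i.e. all four octets, so appending
# ".0/24" produces a five-octet string that is not a valid network.
sub block_from_full_capture {
    my ($l) = @_;
    return undef unless $l =~ /^(\S+).*(?:GET|HEAD|POST)/;
    return "$1.0/24";   # same result as the thread's "$1\.0/24": inside a
                        # double-quoted string "\." is just ".", and perl warns
                        # about the unrecognised escape
}

# Capture only the first three octets, then append the host octet and mask.
sub block_from_three_octets {
    my ($l) = @_;
    return undef unless $l =~ /^(\d+\.\d+\.\d+)\.\d+ .*(?:GET|HEAD|POST)/;
    return "$1.0/24";
}

print "full capture : ", block_from_full_capture($line), "\n";
print "three octets : ", block_from_three_octets($line), "\n";
```

Run it with perl: the first line prints 203.0.113.45.0/24, which lfd cannot use as a CIDR block, while the second prints 203.0.113.0/24. Whichever of the two capture styles you prefer (three octets without the trailing dot, as here, or with it as in Sergio's version), the string you build from $1 must end up with exactly four octets before the mask.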
sahostking
Junior Member
Posts: 44
Joined: 29 May 2013, 19:07
Location: Cape Town, South Africa

Re: Custom REGEX rules for CSF.

Post by sahostking »

Something strange is happening. This rule used to work but now it's not stopping attacks:

# WP-LOGINS
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /^(\S+).*POST.*(wp-login\.php|xmlrpc\.php).* (200|401)/)) {
return ("Get lost please",$1,"WPLOGINorWHATEVER","5","80,443","600");
}

---------------------

13.89.63.38 - - [14/Apr/2022:06:52:19 +0200] "POST //wp-login.php HTTP/2" 200 2211 "https://www.example.com//wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
20.118.172.88 - - [14/Apr/2022:06:52:26 +0200] "POST //wp-login.php HTTP/2" 200 2217 "https://example.com//wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"

I see it showing in csf -t:

DENY 13.89.63.38 80,443 in 6m 11s lfd - (WPLOGINorWHATEVER) Get lost please 13.89.63.38 (US/United States/-): 5 in the last 3600 secs
DENY 13.89.63.38 80,443 in 6m 11s lfd - (WPLOGINorWHATEVER) Get lost please 13.89.63.38 (US/United States/-): 5 in the last 3600 secs
DENY 20.118.172.88 80,443 in 8m 51s lfd - (WPLOGINorWHATEVER) Get lost please 20.118.172.88 (US/United States/-): 5 in the last 3600 secs
DENY 20.118.172.88 80,443 in 8m 51s lfd - (WPLOGINorWHATEVER) Get lost please 20.118.172.88 (US/United States/-): 5 in the last 3600 secs

However, it's still populating logs and causing some load for this client, almost like it's not stopping at all.
This is on our directadmin servers.
sahostking
Junior Member
Posts: 44
Joined: 29 May 2013, 19:07
Location: Cape Town, South Africa

Re: Custom REGEX rules for CSF.

Post by sahostking »

sahostking wrote: 14 Apr 2022, 05:57 Something strange is happening. This rule used to work but now it's not stopping attacks: [...]
Removed nftables and then reinstalled iptables and ipset. Let's see if this works better.
sahostking
Junior Member
Posts: 44
Joined: 29 May 2013, 19:07
Location: Cape Town, South Africa

Re: Custom REGEX rules for CSF.

Post by sahostking »

Will this block any attacks on Joomla and OpenCart admin and administrator folders? Or will it block legitimate customers too?

Code:

# ADMIN FOLDER
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /^(\S+).*POST.*(\/admin).* (200|401)/)) {
    return ("admin folder",$1,"ADMINFOLDER","5","80,443","600");
}

# ADMINISTRATOR FOLDER
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /^(\S+).*POST.*(\/administrator).* (200|401)/)) {
    return ("administrator folder",$1,"ADMINISTRATORFOLDER","5","80,443","600");
}

Sergio
Junior Member
Posts: 1685
Joined: 12 Dec 2006, 14:56

Re: Custom REGEX rules for CSF.

Post by Sergio »

It is not possible to know; we will need at least one log example of each, one of an attack and one of a legitimate access.
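Even without real logs from sahostking's servers, the question can be narrowed down by running the posted regexes against representative lines. This is an added example and not code from the thread: it takes the ADMIN FOLDER and ADMINISTRATOR FOLDER rules above, plus the WP-LOGINS rule from earlier in the thread, and applies them to constructed access-log lines (RFC 5737 documentation addresses and made-up paths) so you can see which requests would count as a hit.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The regexes from the thread, keyed by the trigger name each rule returns.
my %rules = (
    ADMINFOLDER         => qr/^(\S+).*POST.*(\/admin).* (200|401)/,
    ADMINISTRATORFOLDER => qr/^(\S+).*POST.*(\/administrator).* (200|401)/,
    WPLOGINorWHATEVER   => qr/^(\S+).*POST.*(wp-login\.php|xmlrpc\.php).* (200|401)/,
);

# Constructed access-log lines; none of these are real requests.
my @lines = (
    # a) credential stuffing against a Joomla back end
    '198.51.100.7 - - [19/Oct/2022:10:00:01 +0200] "POST /administrator/index.php HTTP/1.1" 200 5120 "-" "python-requests/2.28"',
    # b) a logged-in WordPress editor: every admin screen POSTs to admin-ajax.php
    '192.0.2.10 - - [19/Oct/2022:10:00:02 +0200] "POST /wp-admin/admin-ajax.php HTTP/2" 200 62 "https://www.example.com/wp-admin/" "Mozilla/5.0"',
    # c) an OpenCart shop owner saving a product in the admin folder
    '192.0.2.10 - - [19/Oct/2022:10:00:03 +0200] "POST /admin/index.php?route=catalog/product/edit HTTP/1.1" 200 840 "https://shop.example.com/admin/" "Mozilla/5.0"',
    # d) a successful WordPress login: 302 redirect, so the WP rule does not fire
    '192.0.2.10 - - [19/Oct/2022:10:00:04 +0200] "POST /wp-login.php HTTP/2" 302 - "https://www.example.com/wp-login.php" "Mozilla/5.0"',
);

# Apply every rule to one line; return (rule name, captured IP) for each rule that fires.
sub matches {
    my ($line) = @_;
    my @hits;
    for my $name (sort keys %rules) {
        if ($line =~ $rules{$name}) {
            push @hits, [$name, $1];   # $1 is what the rule would hand to lfd as the IP
        }
    }
    return @hits;
}

for my $line (@lines) {
    my ($request) = $line =~ /"([^"]+)"/;
    my @hits = matches($line);
    printf "%-55s -> %s\n", $request,
        @hits ? join(', ', map { "$_->[0] ($_->[1])" } @hits) : 'no rule fires';
}
```

Running it shows the point Sergio is making: the rules match on a substring of the request line and on a 200/401 status, not on whether the login failed. Line (a) fires both folder rules, because "/administrator" contains "/admin"; lines (b) and (c) fire ADMINFOLDER as well, because "/admin-ajax.php" and "/admin/index.php" both contain "/admin", so a legitimate WordPress or OpenCart administrator would reach the trigger count of 5 after a few saves and be blocked on 80,443 just like the attacker. Only a real attack line and a real legitimate line from the target site can tell you whether a tighter pattern (for example anchoring on the exact login URL, or on a status the application only returns for a failed login) separates the two.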
moriso12
Junior Member
Posts: 2
Joined: 19 Oct 2022, 15:40

Re: Custom REGEX rules for CSF.

Post by moriso12 »

For /phpmyadmin on Debian 11:

Code:

CUSTOM1_LOG = "/var/log/apache2/access.log"

Code:

# Any GET or POST under /phpmyadmin/ counts as a hit, whatever the status code.
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/phpmyadmin\/.*" /)) {
    return ("phpmyadmin Login Attack",$1,"phpmyadmin","5","80,443","1");
}
mazi
Junior Member
Posts: 7
Joined: 08 Jan 2013, 02:34

Re: Custom REGEX rules for CSF.

Post by mazi »

Hello,

On my cPanel/LiteSpeed server, when a visitor's WordPress login fails, it generates an error record with ModSecurity id 33332. I want to use csf to deny the IP.

2022-11-07 13:35:20.833580 [NOTICE] [1041882] [T7] [1.2.3.4:4902:HTTP2-33#APVH_sitedomain.com:443:MODSEC] mod_security rule [id "33332"] at [/etc/apache2/conf.d/modsec_vendor_configs/imunify360-full-litespeed/003_i360_2_bruteforce.conf:17] triggered!

I wrote the code below, but it seems to have no effect. Would you mind helping me check/correct it?

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /\S+\s+\S+\.\S+ \[NOTICE\] \[\S+\] \[\S+\] \[(\S+)\:.*\] mod_security rule \[id \"33332\"\].* /)) {
    return ("mod_security attack id",$1,"myftpmatch","5","80,443","1","1");
}
Thanks
Sergio
Junior Member
Posts: 1685
Joined: 12 Dec 2006, 14:56

Re: Custom REGEX rules for CSF.

Post by Sergio »

Hi.

There are two ModSecurity rule sets that are mostly used:
- Comodo
- OWASP

The rule that you were trying to use was created for COMODO, and the LOG structure is completely different from OWASP's.
So, I have created this rule that will work for OWASP:

Code:

# BLOCKING ModSec OWASP Rules attacks by Secmas

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\S+\.\S+ \[NOTICE\] \[\S+\] \[\S+\] \[(\d+\.\d+\.\d+\.\d+):.*\] mod_security rule \[id \"(33332)\"\]/i)) {
    return ("$2",$1,"Secmas_OWASP","1","1");
}

Test it before using it in production.

Sergio
mazi
Junior Member
Posts: 7
Joined: 08 Jan 2013, 02:34

Re: Custom REGEX rules for CSF.

Post by mazi »

Hello Sergio,

Really, thanks for your help.

May I ask you some questions?

1. If I want to learn to write "Custom REGEX rules for CSF", do you recommend any article or keyword to search for?
2. If I want to add more rule IDs, such as 33332 and 55555, can I change [id \"(33332)\"\] to [id \"(33332|55555)\"\]?

thanks
Sergio
Junior Member
Posts: 1685
Joined: 12 Dec 2006, 14:56

Re: Custom REGEX rules for CSF.

Post by Sergio »

@Mazi,
Search Google for RegexOne; I found that site and it looks interesting for learning regex.

About adding more ModSec IDs to block: yes, you can use "or" ("|") to add any rule ID you want the rule to block; just remember to keep all of them inside the parentheses.

If you have ConfigServer ModSecurity Control installed on your server, go to "ModSecurity Log" and there you will see the most attacked IDs, and you can take the IDs from there to add to your rule.

Sergio
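To see why mazi's first attempt and Sergio's version behave differently, and to check the "(33332|55555)" alternation mazi asked about, both regexes can be run against the log format offline. This is an added example and not code from the thread: the first log line is the sample mazi posted, the other two are constructed in the same shape (documentation addresses, made-up rule IDs and config paths), and the corrected regex is Sergio's with the alternation added.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# LiteSpeed error-log lines. Line 1 is the sample from the thread; lines 2 and 3
# are constructed for this test (ID 55555 is the one mazi mentioned, 99999 is a
# rule the block list should ignore).
my @lines = (
    '2022-11-07 13:35:20.833580 [NOTICE] [1041882] [T7] [1.2.3.4:4902:HTTP2-33#APVH_sitedomain.com:443:MODSEC] mod_security rule [id "33332"] at [/etc/apache2/conf.d/modsec_vendor_configs/imunify360-full-litespeed/003_i360_2_bruteforce.conf:17] triggered!',
    '2022-11-07 13:36:01.000012 [NOTICE] [1041882] [T3] [198.51.100.9:51234:HTTP2-7#APVH_sitedomain.com:443:MODSEC] mod_security rule [id "55555"] at [/etc/apache2/conf.d/modsec_vendor_configs/example.conf:1] triggered!',
    '2022-11-07 13:36:02.000013 [NOTICE] [1041882] [T3] [203.0.113.77:40000:HTTP2-1#APVH_sitedomain.com:443:MODSEC] mod_security rule [id "99999"] at [/etc/apache2/conf.d/modsec_vendor_configs/example.conf:2] triggered!',
);

# mazi's original capture: "(\S+)\:" is greedy, so $1 runs up to the LAST colon
# inside the bracket, not the first one after the address.
my $orig_re  = qr/\S+\s+\S+\.\S+ \[NOTICE\] \[\S+\] \[\S+\] \[(\S+)\:.*\] mod_security rule \[id \"33332\"\].* /;

# Sergio's capture, which only accepts a dotted quad, extended with the
# "(33332|55555)" alternation so several rule IDs share one lfd rule.
my $fixed_re = qr/^\S+\s+\S+\.\S+ \[NOTICE\] \[\S+\] \[\S+\] \[(\d+\.\d+\.\d+\.\d+):.*\] mod_security rule \[id \"(33332|55555)\"\]/i;

# What each version would hand to lfd as the IP (undef when the rule does not fire).
sub ip_from_orig   { my ($l) = @_; return $l =~ $orig_re  ? $1 : undef }
sub hit_from_fixed { my ($l) = @_; return $l =~ $fixed_re ? { ip => $1, id => $2 } : undef }

for my $line (@lines) {
    my $orig  = ip_from_orig($line);
    my $fixed = hit_from_fixed($line);
    printf "original : %s\n",   defined $orig ? "would block '$orig'" : 'no match';
    printf "corrected: %s\n\n", $fixed ? "id $fixed->{id} from $fixed->{ip}" : 'no match';
}
```

On the sample line, the original regex does match, but $1 is 1.2.3.4:4902:HTTP2-33#APVH_sitedomain.com:443 rather than a bare address, which is one reason a rule can appear to have "no effect": lfd receives something it cannot block. The corrected regex yields 1.2.3.4 with id 33332 for the first line, 198.51.100.9 with id 55555 for the second, and no match for the third, so the alternation works as mazi proposed as long as every ID stays inside the one set of parentheses (the id is then available as $2, which is what Sergio's rule uses as the report text). Note that "(\d+\.\d+\.\d+\.\d+)" only matches IPv4; a client logged with an IPv6 address in that bracket would not be caught by the corrected rule.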