Custom REGEX rules for CSF.

[Bosen]

CUSTOM2_LOG = /usr/local/assp/maillog.txt

Code: Select all

if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^\S+\s+\S+\s+\S+\s+(\S+)+\s+info: found invalid helo 'ylmf-pc'/g)) {
        return ("smtp_auth attack",$1,"SecmasYLMF","1","1");
}

Hi Sergio

very helpful thread. Do you know how I could adjust the script to work with ASSP and exim? I have a cpanel server with the ASSP spam filtering proxy sitting in front of exim.

thanks!
John

[iodisciple]

Block brute force failed SASL attempts. Debian 9, dovecot / postfix server.

Error:

Code: Select all

Feb 16 08:13:32 mail02 postfix/submission/smtpd[4312]: warning: unknown[85.219.80.99]: SASL PLAIN authentication failed:

Edit in /etc/csf/csf.conf:

Code: Select all

CUSTOM1_LOG = "/var/log/mail.log"

Regular expression in /usr/local/csf/bin/regex.custom.pm:

Code: Select all

if (($globlogs{CUSTOM1_LOG} {$lgfile}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/submission\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]*? authentication failed/)) {
	    return ("Failed SASL login from",$1,"mysaslmatch","10","25,465,587","1");
    }

Permanently blocks an IP with 10 failed SASL attempts.

[JoeAndroidDeveloper]

Thanks for your guidelines.

[keat63]

Using Host Access Control in WHM, its possible to restrict Cpanel login to specific IP or range of IP's.
However, any unauthorised log in attempts will generate the following warning: "Dropping connection from xxx.xxx.xxx.xxx because of tcp_wrappers at cpsrvd.pl line ####"
There are no restrictions as to how many times the unauthorised person or bot can try.

The following regex will block these unauthorised attempts after 5 failed tries.

In /etc/csf/csf.conf at about line 2600 add:
CUSTOM1_LOG = "/usr/local/cpanel/logs/error_log"

In /usr/local/csf/bin/regex.custom.pm add:
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^Dropping connection from (\S+) because of tcp_wrappers/)) {
return ("5 cPanel login attempts from IP not in Host Access Control list",$1,"hammer_4","5","2077,2078,2082,2083,2086,2087,2095,2096","1");
}

Restart csf and lfd.

I cannot take any credit for this, the regex was kindly created by fuzzylogic on the cpanel forum.

[panel123]

I am very happy with this post Thank you for sharing this

تابلو استيل

[panel123]

Custom regex rules for CSF/LFD and NginX plus Wordpress fail2ban plugin
#!/usr/bin/perl
###############################################################################
# Copyright 2006-2015, Way to the Web Limited
# URL:
# Email:
###############################################################################
sub custom_line {
my $line = shift;
my $lgfile = shift;
تابلو استيل
# Do not edit before this point
###############################################################################
#
# Custom regex matching can be added to this file without it being overwritten
# by csf upgrades. The format is slightly different to regex.pm to cater for
# additional parameters. You need to specify the log file that needs to be
# scanned for log line matches in csf.conf under CUSTOMx_LOG. You can scan up
# to 9 custom logs (CUSTOM1_LOG .. CUSTOM9_LOG)
#
# The regex matches in this file will supercede the matches in regex.pm
#
# Example:
# if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ pure-ftpd: \(\?\@(\d+\.\d+\.\d+\.\d+)\) \[WARNING\] Authentication failed for user/)) {
# return ("Failed myftpmatch login from",$1,"myftpmatch","5","20,21","1");
# }
#
# The return values from this example are as follows:
#
# "Failed myftpmatch login from" = text for custom failure message
# $1 = the offending IP address
# "myftpmatch" = a unique identifier for this custom rule, must be alphanumeric and have no spaces
# "5" = the trigger level for blocking
# "20,21" = the ports to block the IP from in a comma separated list, only used if LF_SELECT enabled. To specify the protocol use 53;udp,53;tcp
# "1" = n/temporary (n = number of seconds to temporarily block) or 1/permanant IP block, only used if LF_TRIGGER is disabled


# NginX security rules trigger (Default: 4 errors bans for 24 hours)
# Catch ip that attempts to access a URL that is forbidden by NginX rules
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /.*access forbidden by rule, client: (\S+).*/)) {
return ("NGINX Security rule triggered from",$1,"nginx_security","4","80,443","86400");
}

# NginX 404 errors (Default: 4 errors bans for 24 hours)
# Catch ip that accesses non-existant files and directories
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /.*No such file or directory\), client: (\S+),.*/)) {
return ("NGINX Security rule triggered from",$1,"nginx_404s","4","80,443","86400");
}

#Trying to download htaccess or htpasswd (Default: 1 error bans for 24 hours)
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /.*\.(htpasswd|htaccess).*client: (\S+),.*GET)/) {
return ("Trying to download .ht files",$2,"nginx_htfiles","1","80,443","86400");
}

# Wordpress fail2ban plugin (Default: 5 errors bans for 24 hours)
if (($globlogs{SYSLOG_LOG}{$lgfile}) and ($line =~ /.*Authentication attempt for unknown user .* from (.*)\n/)) {
return ("Wordpress unknown user from",$1,"fail2ban_unknownuser","2","80,443","86400");
}

# Wordpress fail2ban plugin (Default: 2 errors bans for 24 hours)
if (($globlogs{SYSLOG_LOG}{$lgfile}) and ($line =~ /.*Blocked user enumeration attempt from (.*)\n/)) {
return ("WordPress user enumeration attempt from",$1,"fail2ban_userenum","2","80,443","86400");
}

# Wordpress fail2ban plugin (Default: 2 errors bans for 24 hours)
if (($globlogs{SYSLOG_LOG}{$lgfile}) and ($line =~ /.*Pingback error .* generated from (.*)\n/)) {
return ("WordPress pingback error",$1,"fail2ban_pingback","2","80,443","86400");
}

# Wordpress fail2ban plugin (Default: 2 errors bans for 24 hours)
if (($globlogs{SYSLOG_LOG}{$lgfile}) and ($line =~ /.*Spammed comment from (.*)\n/)) {
return ("WordPress spam comments from",$1,"fail2ban_spam","2","80,443","86400");
}
# Wordpress fail2ban plugin (Default: 2 errors bans for 24 hours)
if (($globlogs{SYSLOG_LOG}{$lgfile}) and ($line =~ /.*XML-RPC multicall authentication failure (.*)\n/)) {
return ("WordPress XML-RPC multicall fail from",$1,"fail2ban_xmlrpc","5","80,443","86400");
}


# If the matches in this file are not syntactically correct for perl then lfd
# will fail with an error. You are responsible for the security of any regex
# expressions you use. Remember that log file spoofing can exploit poorly
# constructed regex's
###############################################################################
# Do not edit beyond this point

return 0;
}

1;

[autonine]

I use the excellent regex website rubular.com.

[LukeDouglas]

I was looking at this thread as I use UptimeRobot for all of my client websites that I host on my server.

Code: Select all

# MJ12-Bot / Baidu / Ahrefs
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*\"*(?:GET|POST|HEAD).* (MJ12bot|Baiduspider|AhrefsBot|UptimeRobot).*/)) {
         return ("LFD - MJ12-Baidu-Ahrefs-bot Overuse",$1,"BOTOVERUSE","15","80,443,21,25,22,23","48800");
}

I believe this is designed to 'block' bots. However, I would like to whitelist UptimeRobt. Regretfully, I don't know enough 'yet' to understand how to configure this to accomplish what I want it to do as well as would this go in the "modsec2.whitelist.conf" file?

Any assistance would be great!

[keat63]

For UptimeRobot add the list of it's IP's to your IP allow whitelist.
https://uptimerobot.com/locations

[BallyBasic79]

Import DNS-based RBLs in to CSF – one block at a time.

Most RBLs are available only via DNS and few have a download option needed for CSF import. The following custom REGEX rule is designed to block the IP of any mailer triggering an RBL block preventing the mailer from sending subsequent messages. Works with any RBL – check the exact verbiage of your log entries. Adjust trigger and temp/perm result to taste.

Code: Select all

# RBL Mailer
# 1 try; 3 day ban
# CUSTOM1_LOG = "/var/log/exim_rejectlog"
# Works on CentOS6/7, exim MTA, cPanel

	if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^.*\[(\S+)\]:\d+\s+.*is in an RBL.*/)) {
		return ("RBL sender",$1,"RBLmailer","1","","259200");
	}

Blocks entries such as:

2019-08-11 13:50:13 H=(papa.goldi.live) [67.198.188.218]:41133 F=<13333-59-58683-2647-user=example.com@mail.goldi.live> rejected RCPT <user@example.com>: "JunkMail rejected - (papa.goldi.live) [67.198.188.218]:41133 is in an RBL: listed, see https://spameatingmonkey.com/lookup/67.198.188.218"
2019-08-11 15:35:02 H=(moreno.eractiithatoun250505h.top) [67.198.188.219]:40207 F=<13335-59-58683-2830-user=example.com@mail.eractiithatoun250505h.top> rejected RCPT <user@example.com>: "JunkMail rejected - (moreno.eractiithatoun250505h.top) [67.198.188.219]:40207 is in an RBL: listed, see https://spameatingmonkey.com/lookup/67.198.188.219"
2019-08-13 05:10:47 H=(grid.rounhatsrovbanhs5f0.top) [67.198.188.168]:48147 F=<13397-8410-74129-2876-user=example.com@mail.rounhatsrovbanhs5f0.top> rejected RCPT <user@example.com>: "JunkMail rejected - (grid.rounhatsrovbanhs5f0.top) [67.198.188.168]:48147 is in an RBL: listed, see https://spameatingmonkey.com/lookup/67.198.188.168"
2019-08-13 14:47:05 H=(rouge.tingdrivi.trade) [67.198.130.45]:44267 F=<7139-26-981051-1853-user=example.com@mail.tingdrivi.trade> rejected RCPT <user@example.com>: "JunkMail rejected - (rouge.tingdrivi.trade) [67.198.130.45]:44267 is in an RBL: Listed in PSBL, see http://psbl.org/listing?ip=67.198.130.45"
2019-07-14 09:48:59 H=xdavp.multiplyallown.com (stream.betwwn210uhd.xyz) [67.198.130.58]:55949 F=<19014-97-14183219-4030-user=example.com@mail.betwwn210uhd.xyz> rejected RCPT <user@example.com>: "JunkMail rejected - xdavp.multiplyallown.com (stream.betwwn210uhd.xyz) [67.198.130.58]:55949 is in an RBL: Client host blocked using Barracuda Reputation, see http://www.barracudanetworks.com/reputa ... 198.130.58"

I't not quite the same thing as having access to the entire RBL, but it's close! This approach won't catch the first one, but it will catch subsequent ones. And it's fine if they want to roll their IPs; it just works toward a netblock.

Why filter spam when you can block it?