Custom REGEX rules for CSF.
Hi all,
This thread is for adding working REGEX that we can share with the community. To add them to this sticky, you should have the regex working on your server; this thread is not intended to solve any issues related to non-working regex. The intention is to give CSF users REGEXs that could give CSF more security options.
If you want to collaborate, please add your rule to this thread and I will add a link to it in the first post; a note about what the REGEX does would be great in your post.
All these REGEX are to be run in "regex.custom.pm"; please check the readme file to know what this is.
NOTE:
Use of the regex in this thread are at your own risk, we don't assume any responsibility.
RULES:
- ONLY working REGEX, please.
- Tell us what OS you installed the REGEX on or it works for.
- Tell us what hosting panel it was created for (cPanel, Webmin, DA, etc).
- A little explanation of what it does.
- Some examples of what it will be blocking.
Hope this thread will help to have a more secure server with the aid of this great product.
Sergio
LIST OF REGEX:
REGEX to block bots that look for wrong SETID by Sergio
REGEX to block bounced spammers that search emails by Sergio
REGEX to block IPs that search for admin emails by Sergio
BOTTRAP by Karel
Bruteforce protection login, register, contact, etc trigger by Karel
Scan for email addresses by Karel
REGEX to block IPs that use YLMF-PC by Sergio
REGEX to block PROXIMIC by Sergio
viewtopic.php?f=6&t=7517&p=22698#p22698
REGEX to block ASTERIX hack attempts by Sergio
viewtopic.php?f=6&t=7517&p=22708#p22708
REGEX to block info email harvesting by Sergio
viewtopic.php?f=6&t=7517&p=25938#p25938
REGEX for DirectAdmin modsecurity denials not blocked by CSF/LFD
https://forum.configserver.com/viewtopic.php?f=6&t=9951
Last edited by Sergio on 14 Dec 2016, 15:17, edited 20 times in total.
REGEX to block bots that look for wrong SETID.
This regex is to block all the IPs that come to the server checking for setids that don't exist.
I have defined CUSTOM2_LOG = /var/log/exim_rejectlog
Working OS: REDHAT Enterprise 64 bits / CPANEL 11.42.X
Action: Will permanently block the IP at the first attempt; you can add or delete words that work better for you.
LF_SELECT = 0 (this means that the rule doesn't need to add ports to block)
CUSTOM2_LOG = /var/log/exim_rejectlog
Code:
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /\S+\s+\S+\s+dovecot_login authenticator failed for \(\[?\S+\]?\) \[(\S+)\]:\d+: \d+ Incorrect authentication data \(set_id=(a|aaaaaa|aamaro|aaron|abc1?2?3?|abel?|access|accounti?n?g?s?|acer?|b?e?s?admi?n?|administracion1|advent|advertising|agency|antigua|apple|asus|avahi|bank|ba?c?kupe?p?p?c?x?e?c?|bbuser|benq|biblioteca|bill|business|bux|carlos|charles|ciclobasico|clamav|clevo|clients?|comenta?|compaq|confirm|confixx|consult|contactu?s?|controller|copier|customer|cvsadmin|cvsroot|cyrus|daemon|data|david|dbadmin|demo|dell|dialer|director|dnscache|doctor|doel|download|drweb|edi|edition|edu|esalguero|estudioazurdia|everest|expe?o?rt|falcon|fax|finance|franciscos|ftp|ftpuser|fujitsu|games|gigabyte|gonzalo.mejia|guest|helpdesk|holding|home|hp|ibm|ice|iloveyou|imac|info|install|internet|iphone|jabber|jc|jefaturaventas|jeremy|jgarcia|job|john|jorge|jude|kattytoc|kim|laboratorio|ldap|lenovo|lsarmiento|lschoenstedt|manager|margarita|marketing|monkey|mpalma|municipal|multimedia|news|newsletter|nobody|office|pastores|pos|postmaster|princess|printer|PXF.info|reception|sales|samsung|scann?e?r?|security|shadow|shop|spam|student|sunshine|support|sys|tech|temp|test1?u?s?e?r?|toshiba|training|user1?s?|wzarate|xerox)\)/)) {
return ("smtp_auth attack",$1,"SecmasSETID","1","1");
}
Example of IPs that this rule will block:
2014-02-18 14:53:52 dovecot_login authenticator failed for (127.0.0.1) [67.222.134.114]:51435: 535 Incorrect authentication data (set_id=admin)
2014-02-20 11:45:27 dovecot_login authenticator failed for (127.0.0.1) [67.222.134.215]:64421: 535 Incorrect authentication data (set_id=admin)
Last edited by Sergio on 10 Mar 2014, 18:56, edited 3 times in total.
REGEX to block bounced spammers that search emails.
There are spammers that send emails to accounts that don't exist on the server to catch the ones that do exist and add them to their databases. This regex will block IPs that generate 1 bounce when sending email to accounts that don't exist on the server and the From address is nil.
Working OS: REDHAT Enterprise 64 bits / CPANEL 11.42.X
Action: Will permanently block the IP after 1 bounce; you can modify that number.
LF_SELECT = 0 (this means that the rule doesn't need to add ports to block)
CUSTOM2_LOG = /var/log/exim_rejectlog
CAUTION:
This regex is so good that it will block hundreds of IPs that search for valid emails; be prepared.
Code:
if (($lgfile eq $config{SMTPAUTH_LOG}) and ($line =~ /\S+\s+\S+\s+H=\S+\s+\[(\S+)\]:\d+\s+F=\<\>\s+rejected RCPT \S+: No Such User Here/)) {
return ("Bounced messages",$1,"SecmasBOUNCE","1","1");
}
Example of spammers that this rule will block:
2014-02-16 03:21:21 H=(oneshow.showdowninteractive.com) [74.52.89.106]:47077 F=<> rejected RCPT <TCkXNbEHN@domain1.com>: No Such User Here"
2014-02-16 03:24:31 H=(out.smtpout.orange.fr) [193.252.22.213]:45526 F=<> rejected RCPT <bdc53a570@domain2.com>: No Such User Here"
2014-02-16 03:27:03 H=(mc1.xedhost.net) [31.207.19.21]:35830 F=<> rejected RCPT <bd1e98f9c@domain3.com>: No Such User Here"
2014-02-16 03:28:06 H=(remote.lrmrmarketing.com) [74.219.121.190]:29602 F=<> rejected RCPT <7e78da573@domain1.com>: No Such User Here"
2014-02-16 03:30:15 H=(coderesearch.com) [85.214.131.51]:40303 F=<> rejected RCPT <12d38204@domain4.com>: No Such User Here"
2014-02-16 03:30:58 H=(pcKlinix.com) [24.123.214.129]:20565 F=<> rejected RCPT <69197a000@domain5.com>: No Such User Here"
2014-02-16 03:31:03 H=(kapalua.jimy.org) [66.135.59.219]:47957 F=<> rejected RCPT <eec26f5@domain5.com>: No Such User Here"
Last edited by Sergio on 10 Mar 2014, 18:55, edited 2 times in total.
REGEX to block IPs that search for admin emails.
There are spammers that look for "admin@anydomain.com" email addresses; this rule permanently blocks the IP at the first error.
Working OS: REDHAT Enterprise 64 bits / CPANEL 11.42.X
Action: Will permanently block the IP at the first error; you can modify that number.
LF_SELECT = 0 (this means that the rule doesn't need to add ports to block)
CUSTOM2_LOG = /var/log/exim_rejectlog
Code:
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /\S+\s+\S+\s+dovecot_login authenticator failed for \S+ \[(\S+)\]:\d+: 535 Incorrect authentication data \(set_id=admin\@\S+\)/)) {
return ("smtp admin attack",$1,"SecmasADMIN","1","1");
}
Last edited by Sergio on 10 Mar 2014, 18:56, edited 2 times in total.
Re: Custom REGEX rules for CSF.
Thanks for sharing!
Re: Custom REGEX rules for CSF.
Excellent idea Sergio!
I got 2 working rules for custom regex and I'm working on some other rules, but they don't do what I want. When they are finished I will post them too.
My OS: CentOS 6.5 with Direct Admin
Working rule #1:
Code:
# Bottrap
# The end of this line was cut off in the post; the pattern is closed after the last intact
# token, "Bot protection", which still matches the log entry shown below.
if (($config{LF_HTACCESS}) and ($lgfile eq $config{HTACCESS_LOG}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[error\] \[client (\S+)\] Bot protection/)) {
return ("Bottrap triggered",$1,"bottrap",1,"80,443","3600");
}
For this to work you need to set up a trap. Exclude directory abc in robots.txt.
Put index.php in the abc dir and make an invisible link to it. This link will be read by bots, but not by normal users.
Content of index.php
Code:
<?php
// Note: HTTP_X_FORWARDED_FOR is supplied by the client, so a visitor that is not behind a
// proxy you control can put any address in it and have that address logged (and banned) instead.
if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) { $trueip = $_SERVER['HTTP_X_FORWARDED_FOR']; } else { $trueip = $_SERVER['REMOTE_ADDR']; }
error_log("Bot protection ".$_SERVER['SERVER_NAME']." banned IP: ".$trueip);
?>
The above reacts on a log entry like this:
[Sat Feb 08 18:16:00 2014] [error] [client 216.152.249.242] Bot protection http://www.domain.eu banned IP: 216.152.249.242
Working rule #2:
Code:
# Bruteforce protection login, register, contact, etc trigger
# The end of this line was also cut off in the post; the pattern is closed after
# "Bruteforce protection", which still matches the log entry shown below.
if (($config{LF_HTACCESS}) and ($lgfile eq $config{HTACCESS_LOG}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[error\] \[client (\S+)\] Bruteforce protection/)) {
return ("Logintrap triggered",$1,"logintrap",10,"80,443","3600");
}
You'll need to add:
Code:
error_log("Bruteforce protection failed login attempt on ".$_SERVER['SERVER_NAME']);
somewhere in your files where an error message is generated.
Example:
Code:
case 1:
echo $locale['global_196'];
error_log("Bruteforce protection failed login attempt on ".$_SERVER['SERVER_NAME']);
break;
The above reacts on a log entry like this:
[Mon Mar 10 08:17:20 2014] [error] [client 109.233.114.34] Bruteforce protection failed login attempt on http://www.domain.eu
Added rule
Working rule #3:
This is a modified regex that Sergio posted above, but now CentOS and DA specific.
CUSTOM2_LOG = /var/log/exim/rejectlog
Code:
# Scan for email addresses
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /\[(\S+)\] F=\<\>\s+rejected RCPT/)) {
return ("No Such User Here",$1,"ScanForEmail","1","1");
}
The above reacts on a log entry like this:
2014-03-10 19:23:09 H=thelowreygroup.com [72.47.195.30] F=<> rejected RCPT <9ff2d6d@domain.eu>:
Last edited by Karel on 10 Mar 2014, 18:33, edited 2 times in total.
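A dry run of the rule semantics shared in Sergio's three exim rejectlog posts and Karel's Apache rules above, as an added example that is not code from the original posts or from CSF itself: the admin, bounce and logintrap patterns are translated unchanged into Python's re syntax, and a small replay loop applies the per-rule trigger count to constructed log lines modelled on the thread's samples (the set_id=admin@ line is constructed, since the thread shows only set_id=admin), so a rule can be checked offline before it goes into regex.custom.pm.

```python
import re
from collections import Counter

# (logfile tag, pattern, block name, trigger count, ports, seconds); ports/seconds of None
# stand for the permanent all-port block that the exim rules above return.
RULES = [
    ("CUSTOM2_LOG",
     re.compile(r"\S+\s+\S+\s+dovecot_login authenticator failed for \S+ \[(\S+)\]:\d+: 535 "
                r"Incorrect authentication data \(set_id=admin@\S+\)"),
     "SecmasADMIN", 1, None, None),
    ("CUSTOM2_LOG", re.compile(r"\[(\S+)\] F=<>\s+rejected RCPT"), "ScanForEmail", 1, None, None),
    ("HTACCESS_LOG",
     re.compile(r"^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[error\] \[client (\S+)\] Bruteforce protection"),
     "logintrap", 10, "80,443", 3600),
]

# Constructed (logfile, line) pairs modelled on the samples quoted in the thread.
SAMPLE = [
    ("CUSTOM2_LOG", "2014-02-18 14:53:52 dovecot_login authenticator failed for (127.0.0.1) "
                    "[67.222.134.114]:51435: 535 Incorrect authentication data (set_id=admin@domain.eu)"),
    ("CUSTOM2_LOG", "2014-02-18 14:54:10 dovecot_login authenticator failed for (127.0.0.1) "
                    "[67.222.134.114]:51436: 535 Incorrect authentication data (set_id=support)"),
    ("CUSTOM2_LOG", "2014-03-10 19:23:09 H=thelowreygroup.com [72.47.195.30] F=<> rejected RCPT "
                    "<9ff2d6d@domain.eu>: No Such User Here"),
] + [("HTACCESS_LOG", "[Mon Mar 10 08:17:%02d 2014] [error] [client 109.233.114.34] "
                      "Bruteforce protection failed login attempt on http://www.domain.eu" % s)
     for s in range(20, 30)]

def evaluate(entries):
    """Replay log entries the way lfd applies regex.custom.pm: only rules bound to the
    file the line came from are tried, hits are counted per (rule, IP), and a block is
    reported the moment the rule's trigger count is reached."""
    hits, blocks = Counter(), []
    for lgfile, line in entries:
        for rule_log, pattern, name, count, ports, secs in RULES:
            if lgfile != rule_log:
                continue
            m = pattern.search(line)
            if not m:
                continue
            ip = m.group(1)
            hits[(name, ip)] += 1
            if hits[(name, ip)] == count:
                blocks.append((ip, name, ports, secs))
    return blocks

def sample_blocks():
    return evaluate(SAMPLE)

if __name__ == "__main__":
    for ip, name, ports, secs in sample_blocks():
        print(ip, name, ports or "all ports", "permanent" if secs is None else "%ds" % secs)
```

Swap in your own pattern and a few lines copied from the real log to see which IP the capture group yields and after how many hits the block fires.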
Re: Custom REGEX rules for CSF.
Thanks Karel for sharing your regexs.
Please write in your post what OS you have them working on, if you can add a few example lines that will trigger the regex will be great.
Sergio
Re: Custom REGEX rules for CSF.
Added OS info and hosting panel info. I think hosting panel info is also important because cpanel, webmin, DA all use different locations and names for files.
Added a #3 regex to my first post in this thread based upon your idea about blocking bots searching for mail addresses.
Tip! I use the excellent regex website rubular.com.
To modify your scan for email addresses regex I came up with this regex with the help of rubular.com
See my saved work: http://rubular.com/r/KyiUahGB6H
Re: Custom REGEX rules for CSF.
Karel wrote:
Added OS info and hosting panel info. I think hosting panel info is also important because cpanel, webmin, DA all use different locations and names for files....
Thanks for pointing that out, I will add this in the first post.
Re: Custom REGEX rules for CSF.
Just another idea. Rule #3 is new so I want to implement this on my other servers.
It's a bit tedious to SSH into every server and modify regex.custom.pm.
Hint for the developers of CSF to edit regex.custom.pm within the CSF UI. (but might have security issues)
Hint 2, Sergio's regex for blocking scans for email addresses (my rule #3) should be included in standard CSF log monitoring and act accordingly.
I hope this thread has the attention of the developers.