Block IP based on "ylmf-pc" text in logs
Any suggestions to block IP addresses based on the text "ylmf-pc" within log entries or packets?
I would say about 90 percent of our CSF alerts look like this and contain this text. They are getting blocked but by other means.
Not sure what to do with this but it seems that this text is common in the majority of the log entries where people are trying to guess SMTP passwords and such. All different IPs from all different countries but they all have this common text "ylmf-pc".
Thanks in advance for any thoughts, opinions, ideas etc.
Sample Log Entry from the CSF email alert for SMTPauth:
2014-03-21 10:14:53 login authenticator failed for (ylmf-pc) [106.242.30.26]: 535 Incorrect authentication data (set_id=tlcr)
- Junior Member
- Posts: 21
- Joined: 07 Aug 2007, 20:29
Re: Block IP based on "ylmf-pc" text in logs
Check out the second post in this thread, I think if you cut the list of IDs down to just ylmf-pc and any others you're having trouble with, it will do what you need. viewtopic.php?f=6&t=7517
Re: Block IP based on "ylmf-pc" text in logs
curriertech wrote: Check out the second post in this thread, I think if you cut the list of IDs down to just ylmf-pc and any others you're having trouble with, it will do what you need.
Do you mean this one?:
REGEX to block bots that looks for wrong SETID.
Postby Sergio » Fri Feb 21, 2014 9:03 am
This regex is to block all the IPs that come to the server checking for setids that don't exist,
- Junior Member
- Posts: 21
- Joined: 07 Aug 2007, 20:29
Re: Block IP based on "ylmf-pc" text in logs
Yes but you have to actually specify the IDs you consider bad, so if you just specify ylmf-pc it should block these for you.
Code: Select all
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /\S+\s+\S+\s+dovecot_login authenticator failed for \(\[?\S+\]?\) \[(\S+)\]:\d+: \d+ Incorrect authentication data \(set_id=(ylmf-pc)\)/)) {
return ("smtp_auth attack",$1,"SecmasSETID","1","1");
}
Re: Block IP based on "ylmf-pc" text in logs
Cool, thanks. I have no idea how to do REGEX stuff in CSF but I will read up. Thanks!!
- Junior Member
- Posts: 21
- Joined: 07 Aug 2007, 20:29
Re: Block IP based on "ylmf-pc" text in logs
I had some conversations with Sergio about this stuff because I was actually looking for a way to block IPs that were attempting to authenticate as IDs that don't actually exist. I didn't want to have to maintain a list. Unfortunately because CSF is just watching the log for the errors, it has no idea how to determine if the failure was due to a bad password or a nonexistent account. That was my takeaway from it, anyway.
To set this up, first go into /etc/csf/csf.conf and scroll almost all the way to the bottom, and set CUSTOM2_LOG to /var/log/exim_rejectlog. Then modify /etc/csf/regex.custom.pm and add the code I just posted somewhere between the "don't edit before..." and "don't edit after..." lines. I'm not sure if restarting CSF is required at this point but I did it just to be safe.
The custom log setting is a restricted UI item so it might be easier to edit with a shell editor.
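The thread's set_id rule and the sample log entry above do not describe the same log line, which is easiest to see by running both patterns over real-shaped input. The following script is an added, constructed example (not code from the thread, from CSF or from its authors): it applies the set_id regex exactly as posted, and a second, hypothetical pattern of my own that keys on the parenthesised HELO field where the sample entry actually carries the string "ylmf-pc". The first log line is the one quoted in the thread; the other three are made up, using RFC 5737 documentation addresses, to cover the cases a rule has to tell apart. The regex syntax used is shared with Perl, so the HELO pattern could be placed in a regex.custom.pm block of the shape shown above, but that it works unchanged inside CSF is an assumption I have not verified against CSF itself.

```python
import re
from collections import Counter

# Constructed sample of an Exim reject log. Line 1 is the entry quoted in the thread;
# lines 2-4 are made up (RFC 5737 addresses) to show: a second ylmf-pc HELO, a
# legitimate-looking HELO, and a dovecot_login line whose set_id (not HELO) is ylmf-pc.
SAMPLE_LOG = """\
2014-03-21 10:14:53 login authenticator failed for (ylmf-pc) [106.242.30.26]: 535 Incorrect authentication data (set_id=tlcr)
2014-03-21 10:15:02 login authenticator failed for (ylmf-pc) [198.51.100.7]: 535 Incorrect authentication data (set_id=admin)
2014-03-21 10:16:40 login authenticator failed for (mail.example.net) [203.0.113.9]: 535 Incorrect authentication data (set_id=bob)
2014-03-21 10:17:11 dovecot_login authenticator failed for ([192.0.2.55]) [192.0.2.55]:51234: 535 Incorrect authentication data (set_id=ylmf-pc)
"""

# The set_id rule exactly as posted in the thread: it requires the dovecot_login
# authenticator, a ":port" after the address, and ylmf-pc as the attempted username.
SETID_RULE = re.compile(
    r"\S+\s+\S+\s+dovecot_login authenticator failed for \(\[?\S+\]?\) "
    r"\[(\S+)\]:\d+: \d+ Incorrect authentication data \(set_id=(ylmf-pc)\)"
)

# Hypothetical HELO-name rule (mine, not from the thread): the sample entry carries
# ylmf-pc in the parenthesised HELO field, so that is the field to match on.
# The source address is captured as group 1, which is what CSF blocks.
YLMF_HELO_RULE = re.compile(
    r"^\S+\s+\S+\s+login authenticator failed for \(ylmf-pc\) "
    r"\[(\S+)\]: \d+ Incorrect authentication data"
)


def offending_ips(log_text, rule):
    """Return the address captured by `rule` for every log line it matches, in order."""
    hits = []
    for line in log_text.splitlines():
        m = rule.search(line)
        if m:
            hits.append(m.group(1))
    return hits


def csf_style_match(line, rule, app="ylmfpc"):
    """Mimic the tuple a regex.custom.pm block returns for a matching line.

    Field layout copies the thread's snippet: (description, ip, identifier,
    trigger count, permanent flag). Returns None when the line does not match.
    """
    m = rule.search(line)
    if not m:
        return None
    return ("smtp_auth attack", m.group(1), app, "1", "1")


def ips_over_threshold(log_text, rule, threshold=1):
    """Count matches per source address and return those at or above `threshold`.

    With threshold 1 this reproduces the thread's choice of blocking on the first hit.
    """
    counts = Counter(offending_ips(log_text, rule))
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("set_id rule matches:", offending_ips(SAMPLE_LOG, SETID_RULE))
    print("HELO rule matches:  ", offending_ips(SAMPLE_LOG, YLMF_HELO_RULE))
    print("would block:        ", ips_over_threshold(SAMPLE_LOG, YLMF_HELO_RULE))
```

Run as-is, the set_id rule matches only the constructed dovecot_login line, never the quoted ylmf-pc entry, while the HELO rule picks up both ylmf-pc entries and leaves the mail.example.net one alone. The HELO name is chosen by the connecting client, so a rule keyed on it is a fingerprint of one bot family rather than a general bad-login rule; CSF's own LF_SMTPAUTH counting still covers whatever changes its HELO.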
Re: Block IP based on "ylmf-pc" text in logs
Thanks again, I will give it a shot when I get back to working on that server.
Re: Block IP based on "ylmf-pc" text in logs
I had a direct rule just for YLMF-PC attacks and I have just added it to the REGEX sticky, please check it at:
viewtopic.php?f=6&t=7517&start=10#p22150
Re: Block IP based on "ylmf-pc" text in logs
curriertech wrote: Yes but you have to actually specify the IDs you consider bad, so if you just specify ylmf-pc it should block these for you.
Code: Select all
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /\S+\s+\S+\s+dovecot_login authenticator failed for \(\[?\S+\]?\) \[(\S+)\]:\d+: \d+ Incorrect authentication data \(set_id=(ylmf-pc)\)/)) {
return ("smtp_auth attack",$1,"SecmasSETID","1","1");
}
Unfortunately the YLMF-PC attack is not a SETID, and this rule will not block any YLMF-PC; it will be better to use the new REGEX that I have posted as they are not the same.
Regards,
Sergio
- Junior Member
- Posts: 21
- Joined: 07 Aug 2007, 20:29
Re: Block IP based on "ylmf-pc" text in logs
Yeah I shouldn't post when I've been drinking. Thanks for the new regex, this should help with a lot of attacks.