Block IP based on "ylmf-pc" text in logs

[bear]

I had a direct rule just for YLMF-PC attacks and I have just added to the REGEX sticky, please check it at:
http://forum.configserver.com/viewtopic.php?f=6&t=7517&start=10#p22150

Any chance you have a version for Courier? Seems that adds content before the ylmc section that's throwing it off. I'd changed your version to match the line, but can't seem to get the reverse IP bit ( host81-149-19-219.in-addr.btopenworld.com ) to be caught.
[edit]
Just an FYI, it's not always present. About half the time it exists, the rest it goes directly to the ylmf portion after "for".

Sample hit:

Code: Select all

2014-09-23 17:31:00 courier_login authenticator failed for host81-149-19-219.in-addr.btopenworld.com (ylmf-pc) [81.149.19.219]:61469: 535 Incorrect authentication data (set_id=jim)

Latest Cpanel.

[Sergio]

I have posted an addendum to my rule, please check:
viewtopic.php?f=6&t=7517&p=22150#p22150
for a modified rule that could be used in courier or dovecot, please let me know if it works for you.

Sergio

[bear]

please let me know if it works for you.

Thank you, Sergio. Had one come in after this change with the reverse IP in it and it blocked it perfectly. I have seen a few come in with the reverse missing before this change, but looking at your update that should also be caught now. Thank you for all your effort here, pretty great of you.

[Sergio]

No problem, glad it worked.

[bear]

Well, yes and no. The ones with the additional info are being caught, but ones without are being missed. This one was picked up by LFD after the number of attempts specified in the config, but not by this tweak.

Code: Select all

2014-09-24 19:06:53 courier_login authenticator failed for (ylmf-pc) [202.53.73.36]:54355: 535 Incorrect authentication data (set_id=admin)

Strange since the ".*" should see either the space or a longer line...

[Sergio]

try replacing

Code: Select all

.*

with

Code: Select all

\S+?

and let me know if that does the trick.

[bear]

That would match a space, but then we lose the string it has been currently catching.
Will this accept alternation? The following *should* see the space *or* space-string-space, no?

Code: Select all

authenticator failed for.*|\s+\(ylmf-pc\)

Maybe that needs to be enclosed?

Code: Select all

authenticator failed for(.*|\s+)\(ylmf-pc\)

[Sergio]

The code that I wrote has to be a capital S, that means any character the "+" sign means any quantity. So, it should work if you set it: "failed for \S+?", it was my mistake, please try it again.

[bear]

Ok, seems to be working with my experimental alternation.

Code: Select all

authenticator failed for.*|\s+\(ylmf-pc\)

The ".*" catches the reverse IP string, and the "\s+" manages the spaces if the first one fails to match; so it caught two, one after the other.
Example A:

Code: Select all

2014-09-25 09:29:11 courier_login authenticator failed for mailsvr.pce-ltd.co.uk (ylmf-pc) [79.170.75.4]:37410: 535 Incorrect authentication data (set_id=dloptkcu)

Example B:

Code: Select all

2014-09-25 09:22:39 courier_login authenticator failed for (ylmf-pc) [193.0.200.147]:58825: 535 Incorrect authentication data (set_id=jim)

Might wish to experiment to see if you find the same results, and if it works for you, feel free to amend your version with it. Once again, I appreciate the help and push in the right direction.

[Sergio]

unfortunately none of my servers uses courier and I don't have any way to test the rule.

If it is working for you, great!

Any way, with this last amendment "(\S+)?" (without the quotes) is more straight forward and the rule doesn't has to make an "or" that is not necessary.

Please try the following:

Code: Select all

authenticator failed for(\S+\s)?\(ylmf-pc\)
note: there should not be any white space between ?\

This will do the trick and you will not waste a cycle with the "|" and more elegant :-)