Custom REGEX rules for CSF.
Re: Custom REGEX rules for CSF.
I don't know where to start here, so maybe someone could point me in the right direction.
Some spam emails are being sent to users who do not exist, and there seems to be a pattern.
tony-at-mydomain.com, alesnn-at-mydomain.com, there are about 10 or 15 which occur quite frequently.
These get bounced of course, but the spam list they have contains some valid emails too.
I'd like a regex, to block the sending IP of any server who tries to send to any email recipient on my custom list.
Let's say the spammer sends emails to:
real-email1@mydomain.com
real-email2@mydomain.com
fake-email@mydomain.com ... his IP is now blocked. (fake email from a custom list)
or
fake-email1@mydomain.com ... IP blocked (fake email from a custom list)
real-email@mydomain.com .... too late buddy, your IP was blocked already (see above)
It doesn't matter how many emails they send, on the first sign of an email address in the custom list, his IP is banned.
Re: Custom REGEX rules for CSF.
Something which would block this:
2015-02-20 14:16:45 H=(spammer.co.uk) [68.153.70.230]:12837 F=<wendy@spammer.co.uk> rejected RCPT <c.tetlow@mydomain.com>: Sender verify failed
Re: Custom REGEX rules for CSF.
hello,
I have this log:
Mar 30 18:36:07 myserver pure-ftpd: (?@93.180.177.62) [WARNING] Authentication failed for user [admin]
How do I implement the custom regex? I think my custom regex is not complete:
\[WARNING\] Authentication failed for user
Thank you,
Dave
Re: Custom REGEX rules for CSF.
@rantmz,
this thread is not intended to resolve doubts, please use the regular forum to post your question, thanks.
REGEX to block info email harvesting.
I have seen on my servers that there are a lot of attacks from IPs trying to harvest "info@anydomain.com" email accounts. This rule will block those attacks.
I have defined CUSTOM2_LOG = /var/log/exim_rejectlog
Working OS: CLOUDLINUX 6.7 x86_64 standard / WHM 54.0.16
Action: Will permanently block the IP after 3 attempts.
Example of the LOG lines that the REGEX will use:
Feb 19 11:11:11 server dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info@domain1.com>, method=PLAIN, rip=73.209.48.93, lip=xxx.xxx.xxx.xxx, session=<sg7FkSIsBtNJ0TBd>
Feb 19 11:11:11 server dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info@domain2.com>, method=PLAIN, rip=73.209.48.93, lip=xxx.xxx.xxx.xxx, session=<I1jFkSIsC9NJ0TBd>
Feb 19 11:11:15 server dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<info@domain3.com>, method=PLAIN, rip=73.209.48.93, lip=xxx.xxx.xxx.xxx, session=<mDrGkSIsENNJ0TBd>
The rule:
# Matches dovecot pop3-login auth failures for info@ accounts. The hostname field is matched
# as \S+ so the rule fits any server name, and only the IP is captured from rip= (the trailing
# comma after the address is left out, otherwise lfd would get "73.209.48.93," as the IP).
if (($lgfile eq $config{POP3D_LOG}) and ($line =~ /^\S+\s+\S+\s+\S+\s+\S+ dovecot: pop3-login.*auth failed.*user=<info\@.*rip=(\d+\.\d+\.\d+\.\d+)/)) {
	return ("INFO Harvest",$1,"SecmasINFO","3","1");
}
Sergio
Re: Custom REGEX rules for CSF.
This rule is working on a CENTOS7 server running csf with ipset+iptables, and exim MTA. This server is managed primarily with Webmin, bash terminal using an SSH tunnel, and Filezilla SFTP.
The problem this rule addresses is remote hosts that attempt SMTP AUTH despite AUTH not being advertised in response to EHLO. This would include the case where AUTH is advertised to a limited list of hosts using csf configuration settings. This rule was developed in response to recent flooding of port 25 with thousands of unsolicited attempts within a few-minute stretch. Although exim automatically drops the connection with a 503 response, thousands of reconnections in a short period can amount to a DoS.
An example of a log line this rule detects and bans:
(local ip obfuscated with 192.168.1.203)
2016-04-29 09:51:44 [18093] SMTP protocol error in "AUTH LOGIN" H=(VIVACLIENT) [122.160.51.52]:62638 I=[192.168.1.203]:25 AUTH command used when not advertised
The custom rule:
# Custom REGEX for exim to block hosts that attempt AUTH when not advertised (possibly used in conjunction with SMTPAUTH_RESTRICT = "1")
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\d{4}(\-\d{2}){2} \d{2}(:\d{2}){2} \[\d+\] SMTP protocol error in \"AUTH LOGIN\" H=.*\[(\d+\.\d+\.\d+\.\d+)\]:\d+ I=\[\d+\.\d+\.\d+\.\d+\]:(\d+) AUTH command used when not advertised$/))
{
	if (checkip(\$3)) { return ("SMTP AUTH attempted when not advertised",$3,"mySMTPauthfail","2",$4,"3600");} else {return}
}
# IP is captured in $3
# The local port is captured in $4
# The scanned log is /var/log/exim/main.log (ymmv)
# Because of other CSF config settings, the IP block in my case is one hour on all ports,
# but the returned arguments block only on the SMTP port used.
Note that this regex depends on the time stamp format shown:
2016-04-29 09:51:44
Some exim installations use different format time stamps, which would require some editing of the regex.
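A dry-run harness for the two rules above (Sergio's "INFO Harvest" dovecot rule and ocahui's exim AUTH rule), added here as an example; it is not part of either post nor of CSF itself. It re-expresses both regexes in Python, returns the same tuples the Perl rules return, and tallies hits per IP the way lfd does so you can check that a rule fires on the right lines and reaches its threshold before deploying it. The dovecot pattern matches the hostname as \S+ and captures only the IP from rip=; the sample log lines are constructed from the ones posted in the thread.

```python
import re
from collections import defaultdict

# Rule from Sergio's "INFO Harvest" post (dovecot pop3-login failures for info@ accounts).
# The hostname is matched as \S+ and only the address is captured from rip= (no trailing comma).
INFO_HARVEST = re.compile(
    r"^\S+\s+\S+\s+\S+\s+\S+ dovecot: pop3-login.*auth failed.*user=<info@.*rip=(\d+\.\d+\.\d+\.\d+)"
)
# Rule from ocahui's post (exim "AUTH command used when not advertised"); IP in group 3, port in group 4.
SMTP_AUTH = re.compile(
    r'^\d{4}(-\d{2}){2} \d{2}(:\d{2}){2} \[\d+\] SMTP protocol error in "AUTH LOGIN" '
    r"H=.*\[(\d+\.\d+\.\d+\.\d+)\]:\d+ I=\[\d+\.\d+\.\d+\.\d+\]:(\d+) AUTH command used when not advertised$"
)

def match_rule(line):
    """Return the tuple the CSF rule would return for this line, or None if no rule fires."""
    m = INFO_HARVEST.search(line)
    if m:
        return ("INFO Harvest", m.group(1), "SecmasINFO", "3", "1")
    m = SMTP_AUTH.search(line)
    if m:
        return ("SMTP AUTH attempted when not advertised", m.group(3), "mySMTPauthfail", "2", m.group(4), "3600")
    return None

def simulate_lfd(lines):
    """Tally matches per (identifier, ip) and report each IP the moment it reaches its rule's threshold."""
    hits = defaultdict(int)
    blocks = []
    for line in lines:
        rule = match_rule(line)
        if rule is None:
            continue
        ip, ident, threshold = rule[1], rule[2], int(rule[3])
        hits[(ident, ip)] += 1
        if hits[(ident, ip)] == threshold:
            blocks.append((ip, ident))
    return blocks

# Constructed log lines modelled on the ones posted in the thread (lip= and session= values are made up).
SAMPLE_LOG = [
    "Feb 19 11:11:11 server dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info@domain1.com>, method=PLAIN, rip=73.209.48.93, lip=10.0.0.5, session=<s1>",
    "Feb 19 11:11:11 server dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<info@domain2.com>, method=PLAIN, rip=73.209.48.93, lip=10.0.0.5, session=<s2>",
    "Feb 19 11:11:12 server dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<john@domain2.com>, method=PLAIN, rip=73.209.48.93, lip=10.0.0.5, session=<s3>",
    "Feb 19 11:11:15 server dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 6 secs): user=<info@domain3.com>, method=PLAIN, rip=73.209.48.93, lip=10.0.0.5, session=<s4>",
    '2016-04-29 09:51:44 [18093] SMTP protocol error in "AUTH LOGIN" H=(VIVACLIENT) [122.160.51.52]:62638 I=[192.168.1.203]:25 AUTH command used when not advertised',
    '2016-04-29 09:51:45 [18094] SMTP protocol error in "AUTH LOGIN" H=(VIVACLIENT) [122.160.51.52]:62640 I=[192.168.1.203]:25 AUTH command used when not advertised',
]
```

Calling simulate_lfd(SAMPLE_LOG) lists the 73.209.48.93 block only after the third info@ failure (the john@ line in between is not counted, since the rule deliberately matches info@ only) and the 122.160.51.52 block after the second AUTH attempt.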
Re: Custom REGEX rules for CSF.
Thanks for your contribution, ocahui.
Please name your rule so I can put the name and link on the first post.
Sergio
Re: Custom REGEX rules for CSF.
Perhaps the regex we shared in DirectAdmin modsecurity denials not blocked by CSF/LFD can be added to this sticky? Hope it's useful to someone!
Re: Custom REGEX rules for CSF.
Thank you, nbeernink.
Please name your rule so I can put the name and link on the first post.
Sergio
Re: Custom REGEX rules for CSF.
@sergio:
I don't know, something like this? REGEX to block IPs that triggered via COMODO-WAF modsecurity in DirectAdmin Custombuild 2.0