Can you suggest a modification for the other 3 below to fit the logging style of my server?
# REGEX to block bots that look for wrong SETIDs. Blocks all IPs that come to the server checking for set_ids that don't exist
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /\S+\s+\S+\s+dovecot_login authenticator failed for \(\[?\S+\]?\) \[(\S+)\]:\d+: \d+ Incorrect authentication data \(set_id=(a|aaaaaa|aamaro|aaron|abc1?2?3?|abel?|access|accounti?n?g?s?|acer?|b?e?s?admi?n?|administracion1|advent|advertising|agency|antigua|apple|asus|avahi|bank|ba?c?kupe?p?p?c?x?e?c?|bbuser|benq|biblioteca|bill|business|bux|carlos|charles|ciclobasico|clamav|clevo|clients?|comenta?|compaq|confirm|confixx|consult|contactu?s?|controller|copier|customer|cvsadmin|cvsroot|cyrus|daemon|data|david|dbadmin|demo|dell|dialer|director|dnscache|doctor|doel|download|drweb|edi|edition|edu|esalguero|estudioazurdia|everest|expe?o?rt|falcon|fax|finance|franciscos|ftp|ftpuser|fujitsu|games|gigabyte|gonzalo.mejia|guest|helpdesk|holding|home|hp|ibm|ice|iloveyou|imac|info|install|internet|iphone|jabber|jc|jefaturaventas|jeremy|jgarcia|job|john|jorge|jude|kattytoc|kim|laboratorio|ldap|lenovo|lsarmiento|lschoenstedt|manager|margarita|marketing|monkey|mpalma|municipal|multimedia|news|newsletter|nobody|office|pastores|pos|postmaster|princess|printer|PXF.info|reception|sales|samsung|scann?e?r?|security|shadow|shop|spam|student|sunshine|support|sys|tech|temp|test1?u?s?e?r?|toshiba|training|user1?s?|wzarate|xerox)\)/)) {
return ("smtp_auth attack",$1,"SecmasSETID","1","1");
}
# REGEX to block bounced spammers that probe for valid email addresses. Blocks IPs that generate one bounce when sending mail to accounts that don't exist on the server while the From address is empty (F=<>).
if (($lgfile eq $config{SMTPAUTH_LOG}) and ($line =~ /\S+\s+\S+\s+H=\S+\s+\[(\S+)\]:\d+\s+F=\<\>\s+rejected RCPT \S+: No Such User Here/)) {
return ("Bounced messages",$1,"SecmasBOUNCE","1","1");
}
# REGEX to block IPs that search for admin emails.
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /\S+\s+\S+\s+dovecot_login authenticator failed for \S+ \[(\S+)\]:\d+: 535 Incorrect authentication data \(set_id=admin\@\S+\)/)) {
return ("smtp admin attack",$1,"SecmasADMIN","1","1");
}
firewallman wrote: Here is a log line from the exim rejectlog with set_id in it:
2015-06-10 04:24:23 [28631] courier_login authenticator failed for lt57-196.hrz.tu-darmstadt.de (LT57-196) [130.83.57.196]:59107 I=[69.xxx.xxx.xxx]:587: 535 Incorrect authentication data (set_id=apple)
As I said, you have to modify the regex for this to work. Replace this:
/\S+\s+\S+\s+dovecot_login authenticator failed for \(\[?\S+\]?\) \[(\S+)\]:\d+: \d+ Incorrect authentication data \(set_id=
with this:
/\S+\s+\S+\s+.*_login authenticator failed for.*\(\[?\S+\]?\) \[(\S+)\]:\d+.*Incorrect authentication data \(set_id=
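Before dropping a changed regex into regex.custom.pm it pays to run it against real log lines. The Perl harness below is an added example, not code from this thread or from CSF itself: it applies the original dovecot_login prefix and firewallman's replacement prefix to the line posted above plus two constructed lines in the same exim format, using a trimmed set_id alternation (a hypothetical subset of the full list) and prints the captured IP and set_id for each line.

```perl
#!/usr/bin/perl
# Added example (not from the thread or from CSF): exercise the set_id regex
# against sample exim rejectlog lines before installing it in regex.custom.pm.
use strict;
use warnings;

# Hypothetical trimmed subset of the poster's long set_id alternation.
my $setids = qr/(admin|apple|test1?u?s?e?r?)/;

# Prefix as posted in the first post: dovecot_login only, no I=[...] field.
my $orig = qr/\S+\s+\S+\s+dovecot_login authenticator failed for \(\[?\S+\]?\) \[(\S+)\]:\d+: \d+ Incorrect authentication data \(set_id=$setids\)/;

# firewallman's replacement: any *_login authenticator, an optional hostname
# before the "(HELO)", and anything (such as "I=[...]:587: 535") before the
# "Incorrect authentication data" text.
my $fixed = qr/\S+\s+\S+\s+.*_login authenticator failed for.*\(\[?\S+\]?\) \[(\S+)\]:\d+.*Incorrect authentication data \(set_id=$setids\)/;

my @lines = (
  # The line posted in the thread.
  '2015-06-10 04:24:23 [28631] courier_login authenticator failed for lt57-196.hrz.tu-darmstadt.de (LT57-196) [130.83.57.196]:59107 I=[69.xxx.xxx.xxx]:587: 535 Incorrect authentication data (set_id=apple)',
  # Constructed: dovecot_login, no reverse DNS name, set_id in the list.
  '2015-06-10 04:25:11 [28640] dovecot_login authenticator failed for (WIN-PC) [198.51.100.23]:51234 I=[69.xxx.xxx.xxx]:587: 535 Incorrect authentication data (set_id=admin)',
  # Constructed: set_id not in the list, must not match.
  '2015-06-10 04:26:02 [28655] dovecot_login authenticator failed for (WIN-PC) [198.51.100.23]:51240 I=[69.xxx.xxx.xxx]:587: 535 Incorrect authentication data (set_id=alice)',
);

# Returns (ip, set_id) on a hit, an empty list otherwise.
sub check {
  my ($re, $line) = @_;
  return $line =~ $re ? ($1, $2) : ();
}

for my $line (@lines) {
  my @o = check($orig,  $line);
  my @f = check($fixed, $line);
  printf "orig: %-26s fixed: %s\n",
    (@o ? "$o[0] ($o[1])" : 'no match'),
    (@f ? "$f[0] ($f[1])" : 'no match');
}
```

Run it with perl and the original prefix matches none of the three lines: the posted line says courier_login rather than dovecot_login, and on all of them the I=[...]:587: field sits between the client port and the 535 code where the original expects ": \d+ Incorrect". The replacement prefix captures 130.83.57.196 (apple) and 198.51.100.23 (admin) and correctly ignores set_id=alice, which is not in the list. The .* wildcards are greedy but cannot slide past the "(HELO) [ip]:port" pair, because the following "\(\[?\S+\]?\) \[" sequence has nothing else to match in these lines; the same harness is the place to add a line from your own log before trusting any of the other regexes.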