csf custom regex not working

redbaron
Junior Member
Posts: 2
Joined: 26 Jan 2016, 21:10

csf custom regex not working

Post by redbaron »

I'm trying to get this regex working properly and having no luck at doing so.

The logfile looks like this:

2016-01-26 15:33:19 Authentication failed for user "mrfakeuser" from 126.16.117.42
In /etc/csf/csf.conf I've set:

CUSTOM1_LOG = "/var/log/pmta/log"
In /etc/csf/regex.custom.pm my code looks like this:

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\S+\s+Authentication failed for user .* from (\S+)\./)) {
    return ("Failed pmta login from",$1,"pmtalogin","3","2525","5");
}
Here's the strange part. At one point this did work, now it is not working. I can try to connect hundreds of times from 126.16.117.42 as "mrfakeuser" and nothing is showing up in /var/log/lfd.log, nor is it showing up when I run:

csf -g 126.16.117.42
To be completely clear, pmta is an MTA that I have running on port 2525.

Can somebody help me out? Is my regex messed up or am I missing something in my /etc/csf/csf.conf?
redbaron
Junior Member
Posts: 2
Joined: 26 Jan 2016, 21:10

Re: csf custom regex not working

Post by redbaron »

Regex was incorrect. If anybody cares, the proper solution is:

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /\S+ \S+ Authentication failed for user "\S+" from (\S+)/)) {
    return ("Failed pmta login from",$1,"pmtalogin","3","2525","5");
}
If/when you write these things, I would highly suggest testing them out via regex101.com.
infinitech07
Junior Member
Posts: 3
Joined: 03 May 2016, 03:58

Re: csf custom regex not working

Post by infinitech07 »

Hello, I have a similar issue.

I would like to catch the pattern in the log file as below:
Apr 29 21:50:41 server postfix/smtpd[20416]: NOQUEUE: reject: RCPT from mona.bmstech.com.au[203.33.248.10]: 450 4.1.1 <Raymond_Elmo@domain.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<Raymond_Elmo@domain.com> proto=ESMTP helo=<mail.bmstech.com.au>
In /etc/csf/csf.conf I've set:
CUSTOM2_LOG = "/var/log/postfix_reject.log"
In /etc/csf/regex.custom.pm, I set it as below. I did test the rule at regex101.com (https://regex101.com/r/uQ6wY0/4):
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^.* reject: RCPT from (\S+)\[(\S+)\]: 450 4.1.1 <(\S+)>.*$/)) {
    # It will block anyone with more than 1 match for 1 day.
    return ("SMTP spam attack - $3",$1,"SMTP","1","25,587,465","1");
}
But nothing is being caught in lfd.log or postfix_reject.log. Can anyone advise me on what I have missed? Many thanks.
Sergio
Junior Member
Posts: 1689
Joined: 12 Dec 2006, 14:56

Re: csf custom regex not working

Post by Sergio »

infinitech07 wrote:
Apr 29 21:50:41 server postfix/smtpd[20416]: NOQUEUE: reject: RCPT from mona.bmstech.com.au[203.33.248.10]: 450 4.1.1 <Raymond_Elmo@domain.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<Raymond_Elmo@domain.com> proto=ESMTP helo=<mail.bmstech.com.au>
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^.* reject: RCPT from (\S+)\[(\S+)\]: 450 4.1.1 <(\S+)>.*$/)) {
    # It will block anyone with more than 1 match for 1 day.
    return ("SMTP spam attack - $3",$1,"SMTP","1","25,587,465","1");
}
Hi infinitech07.
Your issue is the $1 that you are trying to block. Remember that anything inside each pair of "( )" will be saved as $1, $2, $3, etc.
So, in your log:
$1="mona.bmstech.com.au"
$2="203.33.248.10"
$3="Raymond_Elmo@domain.com"
With that in mind, if you review your rule, you are setting:
"SMTP spam attack - Raymond_Elmo@domain.com",mona.bmstech.com.au,"SMTP","1","25,587,465","1"

So, just replace $1 by $2 at ...$3",$2,"SMTP"...
and your rule will look like this:
"SMTP spam attack - Raymond_Elmo@domain.com",203.33.248.10,"SMTP","1","25,587,465","1"
and this will block the offending IP.

Sergio
infinitech07
Junior Member
Posts: 3
Joined: 03 May 2016, 03:58

Re: csf custom regex not working

Post by infinitech07 »

Sergio wrote:
Hi infinitech07.
Your issue is the $1 that you are trying to block. Remember that anything inside each pair of "( )" will be saved as $1, $2, $3, etc.
So, in your log:
$1="mona.bmstech.com.au"
$2="203.33.248.10"
$3="Raymond_Elmo@domain.com"
With that in mind, if you review your rule, you are setting:
"SMTP spam attack - Raymond_Elmo@domain.com",mona.bmstech.com.au,"SMTP","1","25,587,465","1"

So, just replace $1 by $2 at ...$3",$2,"SMTP"...
and your rule will look like this:
"SMTP spam attack - Raymond_Elmo@domain.com",203.33.248.10,"SMTP","1","25,587,465","1"
and this will block the offending IP.
Hi Sergio, thanks for the reply.

I had done what you mentioned to replace $1 by $2, but still nothing captured in log file /var/log/postfix_reject.log.

And in /var/log/lfd.log, only the following is shown.
May 3 14:26:05 server lfd[6723]: TERM
May 3 14:26:05 server lfd[6723]: daemon stopped
May 3 14:26:05 server lfd[7264]: daemon started on server.domain.com - csf v8.23 (generic)
May 3 14:26:05 server lfd[7264]: CSF Tracking...
May 3 14:26:05 server lfd[7264]: IPv6 Enabled...
May 3 14:26:05 server lfd[7264]: LOAD Tracking...
May 3 14:26:05 server lfd[7264]: Country Code Lookups...
May 3 14:26:05 server lfd[7264]: System Integrity Tracking...
May 3 14:26:05 server lfd[7264]: Exploit Tracking...
May 3 14:26:05 server lfd[7264]: Directory Watching...
May 3 14:26:05 server lfd[7264]: Temp to Perm Block Tracking...
May 3 14:26:05 server lfd[7264]: Connection Tracking...
May 3 14:26:05 server lfd[7264]: Process Tracking...
May 3 14:26:05 server lfd[7264]: Account Tracking...
May 3 14:26:05 server lfd[7264]: SSH Tracking...
May 3 14:26:05 server lfd[7264]: Webmin Tracking...
May 3 14:26:05 server lfd[7264]: SU Tracking...
May 3 14:26:05 server lfd[7264]: Console Tracking...
May 3 14:26:05 server lfd[7264]: Watching /var/log/messages...
May 3 14:26:05 server lfd[7264]: Watching /var/log/secure...
May 3 14:26:05 server lfd[7264]: Watching /var/log/postfix_reject.log...
May 3 14:26:05 server lfd[7264]: Watching /var/log/customlog...
May 3 14:26:05 server lfd[7264]: Watching /var/log/cwp_client_login.log...
May 3 14:26:05 server lfd[7264]: Watching /var/log/httpd/error_log...
I noticed that there is no "Watching /var/log/maillog...", is this normal? I guess this could be the reason why nothing is being caught in the log file.

Any help will be much appreciated. Thanks.
infinitech07
Junior Member
Posts: 3
Joined: 03 May 2016, 03:58

Re: csf custom regex not working

Post by infinitech07 »

Okay I know the reason why now, my mistake.
I need to set the value of CUSTOM2_LOG to /var/log/maillog, it is working now.

Thanks again.
Sergio
Junior Member
Posts: 1689
Joined: 12 Dec 2006, 14:56

Re: csf custom regex not working

Post by Sergio »

infinitech07 wrote:Okay I know the reason why now, my mistake.
I need to set the value of CUSTOM2_LOG to /var/log/maillog, it is working now.

Thanks again.
Yes, that is important: you will always need to define which log you want to get the info from.

Nice to hear your issue is solved.

Sergio
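An added example, not code from the thread or from csf/lfd: a stand-alone Perl harness that replays the thread's three findings (redbaron's corrected pmta rule, Sergio's $1-versus-$2 capture point, and infinitech07's wrong CUSTOM2_LOG path) against the log lines posted above. The %config hash, the custom_line() wrapper and the IPv4 sanity check are assumptions of this harness; lfd's own internals are not reproduced.

```perl
#!/usr/bin/perl
# Added example, not code from the thread or from csf/lfd: a stand-alone
# harness for trying a regex.custom.pm rule on sample lines before lfd runs
# it. It replays the thread's two failure modes: the line coming from a file
# other than the configured CUSTOMn_LOG, and the wrong capture ($1, the
# hostname) being handed to lfd as the address to block instead of $2.
use strict;
use warnings;

# Constructed stand-in for the csf.conf values lfd passes as %config.
my %config = (
    CUSTOM1_LOG => "/var/log/pmta/log",
    CUSTOM2_LOG => "/var/log/maillog",    # the path that finally worked in the thread
);

# Same shape as regex.custom.pm: returns (msg, ip, name, count, ports, ttl)
# on a hit and an empty list otherwise.
sub custom_line {
    my ($line, $lgfile) = @_;
    if (($lgfile eq $config{CUSTOM1_LOG}) and
        ($line =~ /\S+ \S+ Authentication failed for user "\S+" from (\S+)/)) {
        return ("Failed pmta login from", $1, "pmtalogin", "3", "2525", "5");
    }
    if (($lgfile eq $config{CUSTOM2_LOG}) and
        ($line =~ /^.* reject: RCPT from (\S+)\[(\S+)\]: 450 4.1.1 <(\S+)>.*$/)) {
        # Sergio's fix: $2 is the bracketed IP, $1 is only the client hostname
        return ("SMTP spam attack - $3", $2, "SMTP", "1", "25,587,465", "1");
    }
    return ();
}

# Sample lines taken from the thread; constructed test input here.
my $pmta = '2016-01-26 15:33:19 Authentication failed for user "mrfakeuser" from 126.16.117.42';
my $smtp = 'Apr 29 21:50:41 server postfix/smtpd[20416]: NOQUEUE: reject: RCPT from '
         . 'mona.bmstech.com.au[203.33.248.10]: 450 4.1.1 <Raymond_Elmo@domain.com>: '
         . 'Recipient address rejected: User unknown in virtual mailbox table';

for my $case ([$pmta, "/var/log/pmta/log"],
              [$smtp, "/var/log/maillog"],
              [$smtp, "/var/log/postfix_reject.log"]) {   # file lfd is not configured for
    my ($line, $file) = @$case;
    my @hit = custom_line($line, $file);
    if (!@hit) { print "$file: no match, rule never fires\n"; next; }
    # lfd blocks whatever sits in slot 1; a hostname there is the $1/$2 mistake
    my $ok = $hit[1] =~ /^\d{1,3}(?:\.\d{1,3}){3}$/ ? "ok" : "NOT an IP";
    print "$file: block $hit[1] ($ok) after $hit[3] hits on ports $hit[4], msg \"$hit[0]\"\n";
}
```

Swap the `$2` back to `$1` in the postfix rule to see the "NOT an IP" flag that explains why the original rule could never block anything, and change CUSTOM2_LOG back to /var/log/postfix_reject.log to see the rule go silent for lines that live in /var/log/maillog.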