Custom REGEX rules for CSF.

[luisfalcon]

A little help here guys.

I created an extremely simple wordpress plugin that creates log of failed login attempts, this way I can target only a brute force attack and not a webmaster login into several sites in an hour for normal work (this is a server with more than a thousand wordpress sites)

I can make the log any way I want, but so far I am appending a timestamp and an the ip of the failed login attempt remote host, as an example:

failed-logins.log

Code: Select all

2022-11-12 18:14:32 192.34.9.3
2022-11-12 18:15:35 170.45.32.2
2022-11-12 18:18:25 238.170.22.1

I don't need to filter these, because ALL of them are already a failed login, so, How would a CSF rule look like?
Also, if you have any suggestion on the log format, please let me hear them.

[Sergio]

this forum is not for creating rules, the main purpose of this forum is to add new REGEX rules.

It will be great if you post this on the regular Config Server Firewall forum.

[luisfalcon]

I will, thank you

[tonerudez]

very helpful thread. Do you know how I could adjust the script to work with ASSP and exim? I have a cpanel server with the ASSP spam filtering proxy sitting in front of exim.

[tim]

Hi,

my litespeed has the log file /usr/local/lsws/admin/logs/error.log with following

Code: Select all

2023-04-09 12:01:15.648057 [NOTICE] [18726] [T0] [x.x.x.x:40398-153#_AdminVHost:lsapi] [STDERR] [WebAdmin Console] Failed Login Attempt - username: admin ip: x.x.x.x url: https://server:7080/login.php\n

how can i block the login fail ?

thanks

[Sergio]

Hi,

my litespeed has the log file /usr/local/lsws/admin/logs/error.log with following

Code: Select all

2023-04-09 12:01:15.648057 [NOTICE] [18726] [T0] [x.x.x.x:40398-153#_AdminVHost:lsapi] [STDERR] [WebAdmin Console] Failed Login Attempt - username: admin ip: x.x.x.x url: https://server:7080/login.php\n

how can i block the login fail ?

thanks

Check on the regular forum a rule that I have created.

Sergio

[alexf]

On our VPS host we have several clients that use their account to for DNS and to host a website but have their email hosted elsewhere. Thus their domains MX record points to a URL or IP elsewhere. We continually see email attempts directed to the domain A record on this VPS host. This use of email is not in keeping with RFC rules and from the logs is an obvious hacking attempt looking for an insecure email server.

I have created a Custom REGEX rule that blocks failed email authorizations for specific listed @domain.tld domains.
The rule immediately does a Permanent block of the sending IP on ports 25 & 465.
This rule works on a CentOS 7 server. Depending on your particular OS you may have to tweak the regex slightly.

Rule: INVALID_MX

Code: Select all

#Block sending IP for emails to @domains with no MX record here
if (($lgfile eq $config{SMTPAUTH_LOG}) and ($line =~ /^.* dovecot_login authenticator failed for .* \[(\S+)\].* \(set_id=(.*\@mydomain1\.com|.*\@mydomain2\.org)/))  {
                return ("Bogus email no MX for $2",$1,"SecmasINVALID_MX","1","25,465","1");
        }

Thank you to the community and Sergio for this message thread and sharing of good rules.
Alex
Lilypad Cloud

[Sergio]

Are you suffering phishing attacks with the email subject "I RECORDED YOU!" or "your account is hacked"?

If you have ConfigServer MailScanner FE in your server then create an spamassassin file at: /etc/mail/spamassassin/
With the file name: blacksubjects.cf

Write on that file the following Code and save it:

Code: Select all

header   SUBJ_PHISHING Subject =~ /i recorded you|your account is hacked/i
score      SUBJ_PHISHING 22
describe SUBJ_PHISHING SUBJ_PHISHING

After you create this rule, remember to restart MailScanner FE.

Then create a REGEX rule and add it in /usr/local/csf/bin/regex.custom.pm to block the offending IP:

Code: Select all

	if (($lgfile eq $config{SMTPAUTH_LOG}) and ($line =~ /^\S+\s\S+\s\S+\s\<\=\s\S+\sH\=\S+\s\[(\S+)\]\S+\s\S+\s\S+\s\S+\s(?>\S+\s\S+\s)?T=".*?(?>i recorded you|your account is hacked)/i)) {
		return (" ",$1,"SUBJ_PHISHING","1","1");
	}

After the rule is saved, restart LFD in order for this to work.

If you have any comments on this rule, please write it on the regular forum, thanks.

Sergio

[Sergio]

This rule blocks any connection from census.shodan.io.
(I really don't like attacks from these servers)

Code: Select all

# BLOCKING CENSUS SHODAN

	if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^\S+\s\S+\sSMTP\s\D+from\s\S+(?>\.census\.shodan\.io|\.censys\-scanner\.com)\s\[(\S+)\]/i)) {
		return ("",$1,"SECMAS_SHODAN","1","1");
	}

[Sergio]

HAPPY NEW YEAR EVERYBODY!!!

I want to share an SPAM ASSASSIN Rule that I am sure you will like it, I know here is not the place to add SPAMASSASSIN rules as this forum was for CSF REGEX rules, but I am sure you will like it.

Details:
A lot of spam have entered into my servers coming from OUTLOOK IP servers but thanks to the following rule, all of thes SPAM are getting blocked.

Create the following file:
/etc/mail/spamassassin/BlackHEADERs.cf

Add the following lines into that file:
<header SERGIO_ALLHDRSips ALL =~ /\(sender ip is.*(?>45\.33\.38\.115|49\.13\.16\.192|49\.13\.18\.183|49\.13\.71\.236|78\.46\.149\.17|88\.99\.13\.174|128\.140\.80\.202|159\.69\.248\.23)\)/i
score SERGIO_ALLHDRSips 22
describe SERGIO_ALLHDRSips BLKLIST IPs HEADERS>

All of those IPs are really spammers and you can adjust IPs to suit your needs.

Save the file and then restart ConfigServer MailScanner FE

HAPPY NEW YEAR 2024!!

Sergio