Custom REGEX rules for CSF.

luisfalcon
Junior Member
Posts: 9
Joined: 12 Nov 2022, 18:22

Re: Custom REGEX rules for CSF.

Post by luisfalcon »

A little help here guys.

I created an extremely simple wordpress plugin that creates log of failed login attempts, this way I can target only a brute force attack and not a webmaster login into several sites in an hour for normal work (this is a server with more than a thousand wordpress sites)

I can make the log any way I want, but so far I am appending a timestamp and an the ip of the failed login attempt remote host, as an example:

failed-logins.log

Code: Select all

2022-11-12 18:14:32 192.34.9.3
2022-11-12 18:15:35 170.45.32.2
2022-11-12 18:18:25 238.170.22.1
I don't need to filter these, because ALL of them are already a failed login, so, How would a CSF rule look like?
Also, if you have any suggestion on the log format, please let me hear them.
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: Custom REGEX rules for CSF.

Post by Sergio »

this forum is not for creating rules, the main purpose of this forum is to add new REGEX rules.

It will be great if you post this on the regular Config Server Firewall forum.
luisfalcon
Junior Member
Posts: 9
Joined: 12 Nov 2022, 18:22

Re: Custom REGEX rules for CSF.

Post by luisfalcon »

I will, thank you
tonerudez
Junior Member
Posts: 2
Joined: 24 Feb 2023, 11:12

Re: Custom REGEX rules for CSF.

Post by tonerudez »

very helpful thread. Do you know how I could adjust the script to work with ASSP and exim? I have a cpanel server with the ASSP spam filtering proxy sitting in front of exim.
tim
Junior Member
Posts: 4
Joined: 27 Jul 2022, 09:15

Re: Custom REGEX rules for CSF.

Post by tim »

Hi,

my litespeed has the log file /usr/local/lsws/admin/logs/error.log with following

Code: Select all

2023-04-09 12:01:15.648057 [NOTICE] [18726] [T0] [x.x.x.x:40398-153#_AdminVHost:lsapi] [STDERR] [WebAdmin Console] Failed Login Attempt - username: admin ip: x.x.x.x url: https://server:7080/login.php\n
how can i block the login fail ?

thanks
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: Custom REGEX rules for CSF.

Post by Sergio »

tim wrote: 13 Apr 2023, 11:01 Hi,

my litespeed has the log file /usr/local/lsws/admin/logs/error.log with following

Code: Select all

2023-04-09 12:01:15.648057 [NOTICE] [18726] [T0] [x.x.x.x:40398-153#_AdminVHost:lsapi] [STDERR] [WebAdmin Console] Failed Login Attempt - username: admin ip: x.x.x.x url: https://server:7080/login.php\n
how can i block the login fail ?

thanks
Check on the regular forum a rule that I have created.

Sergio
alexf
Junior Member
Posts: 22
Joined: 27 May 2023, 15:49

Re: Custom REGEX rules for CSF.

Post by alexf »

On our VPS host we have several clients that use their account to for DNS and to host a website but have their email hosted elsewhere. Thus their domains MX record points to a URL or IP elsewhere. We continually see email attempts directed to the domain A record on this VPS host. This use of email is not in keeping with RFC rules and from the logs is an obvious hacking attempt looking for an insecure email server.

I have created a Custom REGEX rule that blocks failed email authorizations for specific listed @domain.tld domains.
The rule immediately does a Permanent block of the sending IP on ports 25 & 465.
This rule works on a CentOS 7 server. Depending on your particular OS you may have to tweak the regex slightly.

Rule: INVALID_MX

Code: Select all

#Block sending IP for emails to @domains with no MX record here
if (($lgfile eq $config{SMTPAUTH_LOG}) and ($line =~ /^.* dovecot_login authenticator failed for .* \[(\S+)\].* \(set_id=(.*\@mydomain1\.com|.*\@mydomain2\.org)/))  {
                return ("Bogus email no MX for $2",$1,"SecmasINVALID_MX","1","25,465","1");
        }
Thank you to the community and Sergio for this message thread and sharing of good rules.
Alex
Lilypad Cloud
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: Custom REGEX rules for CSF.

Post by Sergio »

Are you suffering phishing attacks with the email subject "I RECORDED YOU!" or "your account is hacked"?

If you have ConfigServer MailScanner FE in your server then create an spamassassin file at: /etc/mail/spamassassin/
With the file name: blacksubjects.cf

Write on that file the following Code and save it:

Code: Select all

header   SUBJ_PHISHING Subject =~ /i recorded you|your account is hacked/i
score      SUBJ_PHISHING 22
describe SUBJ_PHISHING SUBJ_PHISHING
After you create this rule, remember to restart MailScanner FE.

Then create a REGEX rule and add it in /usr/local/csf/bin/regex.custom.pm to block the offending IP:

Code: Select all

	if (($lgfile eq $config{SMTPAUTH_LOG}) and ($line =~ /^\S+\s\S+\s\S+\s\<\=\s\S+\sH\=\S+\s\[(\S+)\]\S+\s\S+\s\S+\s\S+\s(?>\S+\s\S+\s)?T=".*?(?>i recorded you|your account is hacked)/i)) {
		return (" ",$1,"SUBJ_PHISHING","1","1");
	}
After the rule is saved, restart LFD in order for this to work.

If you have any comments on this rule, please write it on the regular forum, thanks.

Sergio
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

REGEX Rule to block census.shodan.io

Post by Sergio »

This rule blocks any connection from census.shodan.io.
(I really don't like attacks from these servers)

Code: Select all

# BLOCKING CENSUS SHODAN

	if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^\S+\s\S+\sSMTP\s\D+from\s\S+(?>\.census\.shodan\.io|\.censys\-scanner\.com)\s\[(\S+)\]/i)) {
		return ("",$1,"SECMAS_SHODAN","1","1");
	}

Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: Custom REGEX rules for CSF.

Post by Sergio »

HAPPY NEW YEAR EVERYBODY!!!

I want to share an SPAM ASSASSIN Rule that I am sure you will like it, I know here is not the place to add SPAMASSASSIN rules as this forum was for CSF REGEX rules, but I am sure you will like it.

Details:
A lot of spam have entered into my servers coming from OUTLOOK IP servers but thanks to the following rule, all of thes SPAM are getting blocked.

Create the following file:
/etc/mail/spamassassin/BlackHEADERs.cf

Add the following lines into that file:
<header SERGIO_ALLHDRSips ALL =~ /\(sender ip is.*(?>45\.33\.38\.115|49\.13\.16\.192|49\.13\.18\.183|49\.13\.71\.236|78\.46\.149\.17|88\.99\.13\.174|128\.140\.80\.202|159\.69\.248\.23)\)/i
score SERGIO_ALLHDRSips 22
describe SERGIO_ALLHDRSips BLKLIST IPs HEADERS>

All of those IPs are really spammers and you can adjust IPs to suit your needs.

Save the file and then restart ConfigServer MailScanner FE

HAPPY NEW YEAR 2024!!

Sergio
Post Reply