Karel wrote:
Just another idea. Rule #3 is new so I want to implement this on my other servers.
It's a bit tedious to SSH into every server and modify regex.custom.pm.
Hint for the developers of CSF to edit regex.custom.pm within the CSF UI. (but might have security issues)
Hint 2, Sergio's regex for blocking scans for email addresses (my rule #3) should be included in standard CSF log monitoring and act accordingly.
I hope this thread has the attention of the developers.

No, this thread is just a service to the community; it will be better to write this on the suggestions forum.
Custom REGEX rules for CSF.
Re: Custom REGEX rules for CSF.
REGEX to block IPs that use YLMF-PC
This is a common attack on a lot of servers: Chinese people trying to guess email passwords using YLMF OS.
Working OS: REDHAT Enterprise 64 bits / CPANEL 11.42.X
Action: Will permanently block the IP at the first error; you can modify that number.
LF_SELECT = 0 (this means that the rule doesn't need to add ports to block)
CUSTOM2_LOG = /var/log/exim_rejectlog
Code: Select all
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^\S+\s+\S+\s+dovecot_login authenticator failed for \(ylmf-pc\) \[(\S+)\]/)) {
    return ("smtp_auth attack",$1,"SecmasYLMF","1","1");
}
Example of the attacks this rule will block:
2014-03-22 01:57:40 dovecot_login authenticator failed for (ylmf-pc) [23.31.83.109]:39370: 535 Incorrect authentication data (set_id=info)
2014-03-22 02:19:42 dovecot_login authenticator failed for (ylmf-pc) [59.50.172.84]:54793: 535 Incorrect authentication data
2014-03-22 03:47:32 dovecot_login authenticator failed for (ylmf-pc) [209.141.56.139]:4144: 535 Incorrect authentication data (set_id=info)
2014-03-22 03:53:13 dovecot_login authenticator failed for (ylmf-pc) [59.50.167.6]:34708: 535 Incorrect authentication data (set_id=info)
ADDENDUM 09/24/2014:
If the rule is going to be used in a courier server, the above rule could be modified to:
Code: Select all
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^\S+\s+\S+\s+\S+_login authenticator failed for.*\(ylmf-pc\) \[(\S+)\]/)) {
return ("smtp_auth attack",$1,"SecmasYLMF","1","1");
}
Last edited by Sergio on 24 Sep 2014, 21:17, edited 1 time in total.
REGEX to block PROXIMIC
This regex will block a spider from AMAZONAWS that is trying to hack into ROUNDCUBE; all the IPs from that spider will be blocked at the first attempt.
The regex uses CPANEL_ACCESSLOG = /usr/local/cpanel/logs/access_log
Working OS: REDHAT Enterprise 64 bits / CPANEL 11.42.X
Action: Will permanently block the IP at the first attempt.
LF_SELECT = 0 (this means that the rule doesn't need to add ports to block)
Code: Select all
if (($lgfile eq $config{CPANEL_ACCESSLOG}) and ($line =~ /(\S+).*\(compatible\; proximic\;/)) {
    return ("BOT PROXIMIC",$1,"SecmasPROXIMIC","1","1");
}
Example of the IPs that this regex will block:
54.211.65.206 - - [05/13/2014:15:58:09 -0000] "GET /cpsess723154000/3rdparty/roundcube/?_task=mail HTTP/1.1" 401 0 "" "Mozilla/5.0 (compatible; proximic; +http://www.proximic.com/info/spider.php)" "-"
50.19.11.5 - - [05/13/2014:16:54:54 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/5.0 (compatible; proximic; +http://www.proximic.com/info/spider.php)" "-"
54.237.15.200 - - [05/13/2014:20:31:19 -0000] "GET /cpsess7478793799/3rdparty/roundcube/?_task=mail HTTP/1.1" 401 0 "" "Mozilla/5.0 (compatible; proximic; +http://www.proximic.com/info/spider.php)" "-"
54.81.237.124 - - [05/14/2014:14:56:54 -0000] "GET /cpsess1971800840/3rdparty/roundcube/?_task=mail HTTP/1.1" 401 0 "" "Mozilla/5.0 (compatible; proximic; +http://www.proximic.com/info/spider.php)" "-"
54.196.1.207 - - [05/14/2014:14:57:05 -0000] "GET /cpsess684230783/3rdparty/roundcube/?_task=mail HTTP/1.1" 401 0 "" "Mozilla/5.0 (compatible; proximic; +http://www.proximic.com/info/spider.php)" "-"
54.82.231.88 - - [05/14/2014:20:26:43 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/5.0 (compatible; proximic; +http://www.proximic.com/info/spider.php)" "-"
REGEX to block Asterisk hack attempts.
This regex will block any IP that tries to hack into an Asterisk system, at the first attempt.
The regex uses CUSTOM1_LOG = /var/log/asterisk/messages
Action: will permanently block any IP at the first wrong login.
Code: Select all
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /\[\S+\s+\S+\] NOTICE\[\S+\] chan_sip\.c\: Registration from '(\S+\s?\S+)' failed for '(\S+)\:\d+' \- Wrong password/)) {
    return ("Bad Logon: $1",$2,"SecmasASTERIX","1","1");
}
Example of the IPs that this rule will block:
[2014-05-16 11:58:28] NOTICE[30012] chan_sip.c: Registration from '"user"<sip:user@192.168.1.123>' failed for '192.168.1.165:45172' - Wrong password
[2014-05-16 11:21:41] NOTICE[30012] chan_sip.c: Registration from '"X-Lite"<sip:5000@93.219.99.135>' failed for '93.219.99.135:49216' - Wrong password
[2014-03-31 16:31:57] NOTICE[18393] chan_sip.c: Registration from '"turkey" <sip:turkey@24.133.133.51>' failed for '24.133.133.51:60229' - Wrong password
[2014-03-31 16:31:59] NOTICE[18393] chan_sip.c: Registration from '"bosnia" <sip:bosnia@31.176.214.167>' failed for '31.176.214.167:60229' - Wrong password
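The harness below is an added example; it is not code from this thread and not part of CSF. It wraps the three rules above (the ylmf-pc SMTP AUTH rule, the proximic spider rule and the Asterisk chan_sip rule) in the same custom_line($line,$lgfile) shape that regex.custom.pm uses, runs them over constructed log lines, and refuses any result whose second element is not an IP address, which is the easiest mistake to make once a regex has more than one capture group. The %config hash, the log paths, the sample addresses (documentation ranges) and the rule names are assumptions. The ylmf-pc rule is widened beyond the dovecot_login version posted above: it also accepts the courier `<x>_login` form and the plain `login` form with an optional hostname in front of "(ylmf-pc)" that other posters in this thread report.

```perl
#!/usr/bin/perl
# Offline harness for CSF custom rules (added example; not CSF's own code).
# It mimics custom_line($line,$lgfile) from regex.custom.pm, feeds it
# constructed log lines and checks that the value returned as the IP is one.
use strict;
use warnings;

# Stand-in for CSF's %config; these paths are assumptions, not read from csf.conf
my %config = (
    CUSTOM1_LOG      => '/var/log/asterisk/messages',
    CUSTOM2_LOG      => '/var/log/exim_rejectlog',
    CPANEL_ACCESSLOG => '/usr/local/cpanel/logs/access_log',
);

# Same signature as custom_line() in regex.custom.pm: a list on a match, else 0.
sub custom_line {
    my ($line, $lgfile) = @_;

    # ylmf-pc SMTP AUTH guessing: covers "dovecot_login", courier "<x>_login"
    # and plain "login", with or without a hostname before "(ylmf-pc)".
    if ($lgfile eq $config{CUSTOM2_LOG}
        and $line =~ /^\S+\s+\S+\s+(?:\S+_)?login authenticator failed for (?:\S+\s+)?\(ylmf-pc\) \[([0-9a-fA-F.:]+)\]/) {
        return ("smtp_auth attack", $1, "SecmasYLMF", "1", "1");
    }

    # proximic spider probing roundcube through the cPanel webmail URL
    if ($lgfile eq $config{CPANEL_ACCESSLOG}
        and $line =~ /^(\S+) .*\(compatible; proximic;/) {
        return ("BOT PROXIMIC", $1, "SecmasPROXIMIC", "1", "1");
    }

    # Asterisk chan_sip registration with a wrong password: $1 is the SIP
    # identity, $2 the IP; the port after the IP is deliberately not captured
    if ($lgfile eq $config{CUSTOM1_LOG}
        and $line =~ /^\[\S+ \S+\] NOTICE\[\d+\] chan_sip\.c: Registration from '(.+?)' failed for '([0-9a-fA-F.:]+):\d+' - Wrong password/) {
        return ("Bad Logon: $1", $2, "SecmasASTERIX", "1", "1");
    }

    return 0;
}

# Constructed sample lines (shape copied from the thread, addresses made up);
# the third element is the IP the rule must return, undef = must not match.
my @samples = (
    [ $config{CUSTOM2_LOG}, '2014-03-22 01:57:40 dovecot_login authenticator failed for (ylmf-pc) [203.0.113.10]:39370: 535 Incorrect authentication data (set_id=info)', '203.0.113.10' ],
    [ $config{CUSTOM2_LOG}, '2014-07-09 07:03:22 login authenticator failed for host.example.net (ylmf-pc) [203.0.113.11]: 535 Incorrect authentication data (set_id=webmaster)', '203.0.113.11' ],
    [ $config{CUSTOM2_LOG}, '2014-07-09 04:49:03 courier_login authenticator failed for (ylmf-pc) [203.0.113.12]: 535 Incorrect authentication data', '203.0.113.12' ],
    [ $config{CPANEL_ACCESSLOG}, '203.0.113.20 - - [05/13/2014:15:58:09 -0000] "GET /cpsess1/3rdparty/roundcube/?_task=mail HTTP/1.1" 401 0 "" "Mozilla/5.0 (compatible; proximic; +http://www.proximic.com/info/spider.php)" "-"', '203.0.113.20' ],
    [ $config{CUSTOM1_LOG}, q{[2014-05-16 11:21:41] NOTICE[30012] chan_sip.c: Registration from '"X-Lite"<sip:5000@203.0.113.30>' failed for '203.0.113.30:49216' - Wrong password}, '203.0.113.30' ],
    # an unrelated reject line in the same log must be left alone
    [ $config{CUSTOM2_LOG}, '2014-03-22 01:58:00 H=(mail) [203.0.113.40] F=<a@example.com> rejected RCPT <b@example.org>: relay not permitted', undef ],
);

my $failures = 0;
for my $s (@samples) {
    my ($lgfile, $line, $want) = @$s;
    my @r   = custom_line($line, $lgfile);
    my $got = (@r > 1) ? $r[1] : undef;
    # The second element is what lfd blocks; a hostname or an empty string here
    # means the rule returned the wrong capture group.
    if (defined $got and $got !~ /^(?:\d{1,3}\.){3}\d{1,3}$/ and $got !~ /^[0-9a-fA-F:]+$/) {
        print "BAD  rule '$r[2]' returned '$got', not an IP\n"; $failures++; next;
    }
    if ((defined $got ? $got : '') eq (defined $want ? $want : '')) {
        print "ok   ", (defined $got ? "$r[2] -> $got" : "no match"), "\n";
    } else {
        print "FAIL line: $line\n"; $failures++;
    }
}
exit($failures ? 1 : 0);
```

Run it with perl on the server before copying the if-blocks into /etc/csf/regex.custom.pm (only the rule bodies go there, not the harness), then restart lfd so it rereads the file. Keep in mind that a trigger count of "1" means a single mistyped password from a legitimate SIP phone or mail client is enough for a permanent block; for rules that watch your own users' authentication failures, a higher count is the safer choice.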
Re: Custom REGEX rules for CSF.
The attacks on our servers from the user ylmf-pc are directed to exim, so here is the modified rule for exim on CentOS 6.5 with DirectAdmin:
where CUSTOM2_LOG = /var/log/exim/rejectlog
Code: Select all
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^\S+\s+\S+\s+login authenticator failed for (\S*)\s?\(ylmf-pc\) \[(\S+)\]/)) {
    # $1 is the optional resolved hostname, $2 is the IP inside the brackets
    return ("smtp_auth attack",$2,"SecmasYLMF","1","1");
}
and matches both these log lines:
Code: Select all
2014-07-09 07:03:22 login authenticator failed for static-ip-209-126-99-199.inaddr.ip-pool. com (ylmf-pc) [209.126.99.199]: 535 Incorrect authentication data (set_id=webmaster)
2014-07-09 04:49:03 login authenticator failed for (ylmf-pc) [187.6.142.188]: 535 Incorrect authentication data (set_id=info)
(I added a space to allow posting the url of the first log)
Thanks for sharing your list
Re: REGEX to block IPs that uses YLMF-PC
Sergio wrote:
This is a common attack on a lot of servers: Chinese people trying to guess email passwords using YLMF OS.
Working OS: REDHAT Enterprise 64 bits / CPANEL 11.42.X
Action: Will permanently block the IP at the first error; you can modify that number.
LF_SELECT = 0 (this means that the rule doesn't need to add ports to block)
CUSTOM2_LOG = /var/log/exim_rejectlog
Code: Select all
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^\S+\s+\S+\s+dovecot_login authenticator failed for \(ylmf-pc\) \[(\S+)\]/)) {
    return ("smtp_auth attack",$1,"SecmasYLMF","1","1");
}
Example of the attacks this rule will block:
2014-03-22 01:57:40 dovecot_login authenticator failed for (ylmf-pc) [23.31.83.109]:39370: 535 Incorrect authentication data (set_id=info)
2014-03-22 02:19:42 dovecot_login authenticator failed for (ylmf-pc) [59.50.172.84]:54793: 535 Incorrect authentication data
2014-03-22 03:47:32 dovecot_login authenticator failed for (ylmf-pc) [209.141.56.139]:4144: 535 Incorrect authentication data (set_id=info)
2014-03-22 03:53:13 dovecot_login authenticator failed for (ylmf-pc) [59.50.167.6]:34708: 535 Incorrect authentication data (set_id=info)

Just FYI for others: on my setup (CentOS 5.10 64-bit + DirectAdmin), the logfile is located at /var/log/exim/rejectlog
Re: REGEX to block bounced spammers that search emails.
Sergio wrote:
There are spammers that send emails to accounts that don't exist on the server to catch the ones that do exist and add them to their databases. This regex will block IPs that generate 1 bounce when sending email to accounts that don't exist on the server and the From address is nil.
Working OS: REDHAT Enterprise 64 bits / CPANEL 11.42.X
Action: Will permanently block the IP after 1 bounce; you can modify that number.
LF_SELECT = 0 (this means that the rule doesn't need to add ports to block)
CUSTOM2_LOG = /var/log/exim_rejectlog
CAUTION:
This regex is so good that it will block hundreds of IPs that search for valid emails; be prepared.
Code: Select all
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /\S+\s+\S+\s+H=\S+\s+\[(\S+)\]:\d+\s+F=\<\>\s+rejected RCPT \S+: No Such User Here/)) {
    # null sender (F=<>) plus an unknown recipient: one hit is enough
    return ("Bounced messages",$1,"SecmasBOUNCE","1","1");
}
Hi,
I see slightly different entries for bouncing in my logs.
They appear in /var/log/exim/rejectlog
and do not have the string "no such user" or something like that
I've a few with "authentication required" (this is for domains where none of them are on our server):
Code: Select all
2014-07-12 20:52:38 H=(domainname) [46.158.29.159] F=<xxxxx> rejected RCPT <xxxxx>: authentication required
Code: Select all
2014-07-12 20:52:37 H=(xxxxx) [46.158.29.159] F=<xxxxx> rejected RCPT <xxxxx>:
2014-07-12 20:52:37 H=(xxxxx) [46.158.29.159] F=<xxxxx> rejected RCPT <xxxxx>:
2014-07-12 20:52:37 H=(xxxxx) [46.158.29.159] F=<xxxxx> rejected RCPT <xxxxx>:
2014-07-12 20:52:38 H=(xxxxx) [46.158.29.159] F=<xxxxx> rejected RCPT <xxxxx>:
2014-07-12 20:52:38 H=(xxxxx) [46.158.29.159] F=<xxxxx> rejected RCPT <xxxxx>:
- for the first one, I would add the authentication required string to a regex
- for the second one, I've a feeling, a regex for just "rejected RCPT" is too risky?
(I had to replace all domains and mail addresses because I'm not allowed to post URLs, it seems)
Re: Custom REGEX rules for CSF.
Sergio wrote:
This regex is to block all the IPs that come to the server checking for setids that don't exist,

What about a rule that rejects all attempts without an @? Example: john, james, admin, etc -- instead of john@domain. For most servers, anything without @ is just bogus traffic, not legit attempts.
And then a second rule to reject certain words before the @? Example, admin@, sales@, info@. Because the existing rule is not helping with those either. @FQDN attempts get through.
That would honestly be more helpful.
I'd do it myself, but I need to brush up on my regex first.
..
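One block serving both follow-up questions above (the variant "rejected RCPT" lines, and the set_id checks for logins without an @ or with a role local part such as admin@ or info@). It is an added example, not code from this thread or from CSF. The two rules sit in the custom_line() shape of regex.custom.pm and a small loop runs them over constructed rejectlog lines. The log path, the rule names, the trigger counts and the role-account list are assumptions; the "rejected RCPT" rule tolerates both H= forms ("host (helo)" and "(helo)"), an optional :port after the IP, and a missing reason, which is the case the poster was right to call too risky to act on. The set_id rule only sees lines where exim logged a set_id, which depends on the authenticator's server_set_id setting.

```perl
#!/usr/bin/perl
# Added example (not from the thread or from CSF): two exim rejectlog rules in
# the custom_line() shape of /etc/csf/regex.custom.pm, plus an offline check.
use strict;
use warnings;

my %config = (CUSTOM2_LOG => '/var/log/exim_rejectlog');   # assumed path

# Local parts no real user should be logging in as (assumed list; edit to taste)
my %role_local = map { $_ => 1 }
    qw(admin administrator info sales support postmaster webmaster root test);

sub custom_line {
    my ($line, $lgfile) = @_;
    return 0 unless $lgfile eq $config{CUSTOM2_LOG};

    # Rule 1: "rejected RCPT" lines. H= may carry "host (helo)" or just "(helo)",
    # the :port after the IP is optional, and the reason after the colon may be absent.
    if ($line =~ /^\S+ \S+ H=.*? \[([0-9a-fA-F.:]+)\](?::\d+)? F=<([^>]*)> rejected RCPT <[^>]*>:\s*(.*)$/) {
        my ($ip, $sender, $reason) = ($1, $2, $3);
        # Null sender plus unknown mailbox: address harvesting by bounce, block at once
        if ($sender eq '' and $reason =~ /^No Such User Here/) {
            return ("Bounced messages", $ip, "SecmasBOUNCE", "1", "1");
        }
        # Relay probing for domains we do not host: block after several tries
        if ($reason =~ /^authentication required/) {
            return ("Relay probe", $ip, "SecmasRELAY", "5", "1");
        }
        # No reason logged: too ambiguous to act on, so deliberately ignored
        return 0;
    }

    # Rule 2: SMTP AUTH failures judged by the login name exim logged as set_id
    if ($line =~ /authenticator failed for .*\[([0-9a-fA-F.:]+)\](?::\d+)?: 535 Incorrect authentication data \(set_id=([^)\s]+)\)/) {
        my ($ip, $id) = ($1, $2);
        # no @ at all: not a mailbox name on a server where logins are full addresses
        if (index($id, '@') < 0) {
            return ("SMTP AUTH without a domain ($id)", $ip, "SecmasNOAT", "3", "1");
        }
        # role account in front of the @, whatever the domain after it
        my ($local) = $id =~ /^([^\@]+)\@/;
        if (defined $local and $role_local{lc $local}) {
            return ("SMTP AUTH to role account ($id)", $ip, "SecmasROLE", "1", "1");
        }
    }
    return 0;
}

# Constructed lines and the rule each one should trigger (undef = leave alone)
my @samples = (
    ['2014-07-12 20:52:38 H=(scanner) [203.0.113.50]:4444 F=<> rejected RCPT <nobody@example.com>: No Such User Here', 'SecmasBOUNCE'],
    ['2014-07-12 20:52:38 H=mx.example.net (helo) [203.0.113.51] F=<spam@example.net> rejected RCPT <x@example.org>: authentication required', 'SecmasRELAY'],
    ['2014-07-12 20:52:37 H=(xxxxx) [203.0.113.52] F=<a@example.com> rejected RCPT <d@example.org>:', undef],
    ['2014-03-22 03:47:32 dovecot_login authenticator failed for (unknown) [203.0.113.53]:4144: 535 Incorrect authentication data (set_id=admin@example.com)', 'SecmasROLE'],
    ['2014-03-22 03:47:40 dovecot_login authenticator failed for (unknown) [203.0.113.54]:4145: 535 Incorrect authentication data (set_id=john)', 'SecmasNOAT'],
    ['2014-03-22 03:47:41 dovecot_login authenticator failed for (unknown) [203.0.113.55]:4146: 535 Incorrect authentication data (set_id=john@example.com)', undef],
);

my $bad = 0;
for my $s (@samples) {
    my ($line, $want) = @$s;
    my @r   = custom_line($line, $config{CUSTOM2_LOG});
    my $got = @r > 1 ? $r[2] : undef;
    my $ok  = (defined $got ? $got : 'none') eq (defined $want ? $want : 'none');
    printf "%-4s %s\n", ($ok ? 'ok' : 'FAIL'),
        (defined $got ? "$got blocks $r[1] after $r[3] hit(s)" : 'ignored');
    $bad++ unless $ok;
}
exit($bad ? 1 : 0);
```

The order of the two set_id checks matters: "admin" without a domain is caught by the no-@ rule with its higher trigger count, while "admin@example.com" reaches the role-account rule and is blocked on the first hit, which is the "@FQDN attempts get through" case from the post above. The rejected-RCPT rule uses a count of 5 for "authentication required" because a misconfigured legitimate client produces the same line.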
Re: Custom REGEX rules for CSF.
Deleted
Last edited by verdonv on 29 Nov 2014, 03:13, edited 1 time in total.
Re: Custom REGEX rules for CSF.
Deleted