Page 2 of 10
Re: Custom REGEX rules for CSF.
Posted: 10 Mar 2014, 19:54
by Sergio
Karel wrote:Just another idea. Rule #3 is new so I want to implement this on my other servers.
It's a bit tedious to SSH into every server and modify regex.custom.pm.
Hint for the developers of CSF to edit regex.custom.pm within the CSF UI. (but might have security issues)
Hint 2, Sergio's regex for blocking scans for email addresses (my rule #3) should be included in standard CSF log monitoring and act accordingly.
I hope this thread has the attention of the developers.
No, this thread is just a service to the community; it would be better to post this in the suggestions forum.
REGEX to block IPs that uses YLMF-PC
Posted: 23 Mar 2014, 06:31
by Sergio
This is a common attack on a lot of servers: Chinese people trying to guess email passwords using YLMF OS.
Working OS: REDHAT Enterprise 64 bits / CPANEL 11.42.X
Action: Will permanently block the IP at the first error, you can modify that number.
LF_SELECT = 0 (this means that the rule doesn't need to add ports to block)
CUSTOM2_LOG = /var/log/exim_rejectlog
# Fields returned to lfd: description, IP to block, app name, trigger count, ports
# (with LF_SELECT = 0 the ports field is not used and all ports are blocked)
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^\S+\s+\S+\s+dovecot_login authenticator failed for \(ylmf-pc\) \[(\S+)\]/)) {
    return ("smtp_auth attack",$1,"SecmasYLMF","1","1");
}
Example of the attacks this rule will block:
2014-03-22 01:57:40 dovecot_login authenticator failed for (ylmf-pc) [23.31.83.109]:39370: 535 Incorrect authentication data (set_id=info)
2014-03-22 02:19:42 dovecot_login authenticator failed for (ylmf-pc) [59.50.172.84]:54793: 535 Incorrect authentication data
2014-03-22 03:47:32 dovecot_login authenticator failed for (ylmf-pc) [209.141.56.139]:4144: 535 Incorrect authentication data (set_id=info)
2014-03-22 03:53:13 dovecot_login authenticator failed for (ylmf-pc) [59.50.167.6]:34708: 535 Incorrect authentication data (set_id=info)
ADDENDUM 09/24/2014:
If the rule is going to be used in a courier server, the above rule could be modified to:
# Same fields as above; "\S+_login" matches courier's "<name>_login authenticator" as well as dovecot_login
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^\S+\s+\S+\s+\S+_login authenticator failed for.*\(ylmf-pc\) \[(\S+)\]/)) {
    return ("smtp_auth attack",$1,"SecmasYLMF","1","1");
}
REGEX to block PROXIMIC
Posted: 14 May 2014, 22:00
by Sergio
This regex will block a spider from AMAZONAWS that is trying to hack into ROUNDCUBE; all the IPs from that spider will be blocked at the first attempt.
The regex uses CPANEL_ACCESSLOG = /usr/local/cpanel/logs/access_log
Working OS: REDHAT Enterprise 64 bits / CPANEL 11.42.X
Action: Will permanently block the IP at the first attempt.
LF_SELECT = 0 (this means that the rule doesn't need to add ports to block)
# (\S+) captures the first token of the access_log line (the client IP); the rule
# fires on the "compatible; proximic;" part of the User-Agent string
if (($lgfile eq $config{CPANEL_ACCESSLOG}) and ($line =~ /(\S+).*\(compatible\; proximic\;/)) {
    return ("BOT PROXIMIC",$1,"SecmasPROXIMIC","1","1");
}
Example of the IPs that this regex will block:
REGEX to block Asterisk hack attempts.
Posted: 16 May 2014, 21:16
by Sergio
This regex will block any IP that tries to hack into an Asterisk system at the first attempt.
The regex uses CUSTOM1_LOG = /var/log/asterix/messages
Action: will permanently block any IP at the first wrong login.
# $1 is the SIP identity that was tried (used only in the description), $2 is the source IP
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /\[\S+\s+\S+\] NOTICE\[\S+\] chan_sip\.c\: Registration from '(\S+\s?\S+)' failed for '(\S+)\:\d+' \- Wrong password/)) {
    return ("Bad Logon: $1",$2,"SecmasASTERIX","1","1");
}
Example of the IPs that this rule will block:
[2014-05-16 11:58:28] NOTICE[30012] chan_sip.c: Registration from '"user"<sip:user@192.168.1.123>' failed for '192.168.1.165:45172' - Wrong password
[2014-05-16 11:21:41] NOTICE[30012] chan_sip.c: Registration from '"X-Lite"<sip:5000@93.219.99.135>' failed for '93.219.99.135:49216' - Wrong password
[2014-03-31 16:31:57] NOTICE[18393] chan_sip.c: Registration from '"turkey" <sip:turkey@24.133.133.51>' failed for '24.133.133.51:60229' - Wrong password
[2014-03-31 16:31:59] NOTICE[18393] chan_sip.c: Registration from '"bosnia" <sip:bosnia@31.176.214.167>' failed for '31.176.214.167:60229' - Wrong password
Re: Custom REGEX rules for CSF.
Posted: 09 Jul 2014, 18:38
by ilansch
The attacks on our servers from the user ylmf-pc are directed to exim, so here is the modified rule for exim on CentOS 6.5 with DirectAdmin:
# The optional host name is $1 and the bracketed address is $2, so the IP field must be $2
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^\S+\s+\S+\s+login authenticator failed for (\S*)\s?\(ylmf-pc\) \[(\S+)\]/)) {
    return ("smtp_auth attack",$2,"SecmasYLMF","1","1");
}
where CUSTOM2_LOG = /var/log/exim/rejectlog
and matches both these log lines:
2014-07-09 07:03:22 login authenticator failed for static-ip-209-126-99-199.inaddr.ip-pool. com (ylmf-pc) [209.126.99.199]: 535 Incorrect authentication data (set_id=webmaster)
2014-07-09 04:49:03 login authenticator failed for (ylmf-pc) [187.6.142.188]: 535 Incorrect authentication data (set_id=info)
(I added a space to allow posting the url of the first log)
Thanks for sharing your list
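The rules in this thread are only ever exercised once they are live in /etc/csf/regex.custom.pm, which is where a capture-group mistake (returning the host name instead of the address, as the exim variant above does if $1 is used) shows up as a rule that fires but blocks nothing. The following is an added example, not code from the thread or from CSF: a stand-in for lfd's call into custom_line() that runs the YLMF-PC, PROXIMIC and Asterisk rules over sample lines. Lines 1, 2 and 5 of the samples are quoted from the thread; the host name, the cPanel access_log line, the non-ylmf failure and all documentation addresses in the other samples are constructed here, and the check that field 2 is an IPv4 address is this example's own.

```perl
#!/usr/bin/perl
# Added example, not code from the thread or from CSF: a stand-in for lfd's
# call into regex.custom.pm that runs the rules posted above over sample log
# lines, so a rule can be checked offline before it is put on a live server.
use strict;
use warnings;

# Stand-in for the %config hash lfd provides; the paths are the ones the
# posters quoted for their own servers.
my %config = (
    CUSTOM1_LOG      => '/var/log/asterix/messages',
    CUSTOM2_LOG      => '/var/log/exim_rejectlog',
    CPANEL_ACCESSLOG => '/usr/local/cpanel/logs/access_log',
);

# Same calling convention as custom_line() in regex.custom.pm: the log line
# and the file it came from. Returns the five fields lfd expects
# (description, IP to block, app name, trigger count, ports) or an empty list.
sub custom_line {
    my ($line, $lgfile) = @_;

    # Sergio's rule in its courier form, which also matches dovecot_login
    if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^\S+\s+\S+\s+\S+_login authenticator failed for.*\(ylmf-pc\) \[(\S+)\]/)) {
        return ("smtp_auth attack", $1, "SecmasYLMF", "1", "1");
    }
    # ilansch's exim form: plain "login authenticator" with an optional host
    # name, so the host name is $1 and the bracketed address is $2
    if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^\S+\s+\S+\s+login authenticator failed for (\S*)\s?\(ylmf-pc\) \[(\S+)\]/)) {
        return ("smtp_auth attack", $2, "SecmasYLMF", "1", "1");
    }
    # PROXIMIC rule: the first token of the cPanel access_log line is the client IP
    if (($lgfile eq $config{CPANEL_ACCESSLOG}) and ($line =~ /(\S+).*\(compatible\; proximic\;/)) {
        return ("BOT PROXIMIC", $1, "SecmasPROXIMIC", "1", "1");
    }
    # Asterisk rule: $1 is the SIP identity that was tried, $2 the source address
    if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /\[\S+\s+\S+\] NOTICE\[\S+\] chan_sip\.c\: Registration from '(\S+\s?\S+)' failed for '(\S+)\:\d+' \- Wrong password/)) {
        return ("Bad Logon: $1", $2, "SecmasASTERIX", "1", "1");
    }
    return;
}

# [file, line] pairs. Lines 1, 2 and 5 are quoted from the thread; 3, 4 and 6
# are constructed for this example (documentation addresses, made-up host
# names) to cover cases the thread gives no sample for.
my @samples = (
    [$config{CUSTOM2_LOG}, '2014-03-22 01:57:40 dovecot_login authenticator failed for (ylmf-pc) [23.31.83.109]:39370: 535 Incorrect authentication data (set_id=info)'],
    [$config{CUSTOM2_LOG}, '2014-07-09 04:49:03 login authenticator failed for (ylmf-pc) [187.6.142.188]: 535 Incorrect authentication data (set_id=info)'],
    [$config{CUSTOM2_LOG}, '2014-07-09 07:03:22 login authenticator failed for host.example.net (ylmf-pc) [192.0.2.10]: 535 Incorrect authentication data (set_id=webmaster)'],
    [$config{CPANEL_ACCESSLOG}, '198.51.100.7 - - [14/05/2014:21:55:02 -0000] "GET /roundcube/ HTTP/1.1" 401 0 "-" "Mozilla/5.0 (compatible; proximic; spider)"'],
    [$config{CUSTOM1_LOG}, q{[2014-03-31 16:31:57] NOTICE[18393] chan_sip.c: Registration from '"turkey" <sip:turkey@24.133.133.51>' failed for '24.133.133.51:60229' - Wrong password}],
    # a failed login that is not from ylmf-pc: no rule should fire on it
    [$config{CUSTOM2_LOG}, '2014-03-22 02:00:00 dovecot_login authenticator failed for (other-pc) [203.0.113.5]:4567: 535 Incorrect authentication data'],
);

for my $s (@samples) {
    my ($file, $line) = @$s;
    my @r = custom_line($line, $file);
    if (!@r) {
        print "no rule matched: $line\n";
        next;
    }
    my ($desc, $ip, $app, $trigger) = @r;
    # The second field must be the address lfd is to block. A rule whose
    # capture holds the host name, or nothing when the log line has none,
    # fires without blocking the attacker; catch that here, not in production.
    if ($ip !~ /^\d{1,3}(?:\.\d{1,3}){3}$/) {
        print "BAD RULE $app: field 2 is '$ip', not an IPv4 address\n";
        next;
    }
    print "$app would block $ip after $trigger hit(s): $desc\n";
}
```

Run it with `perl check_rules.pl` (any file name will do). The first five samples each report the app name and the address that would be blocked; the sixth reports that no rule matched, which is the behaviour wanted for a failed login that does not come from ylmf-pc. To try a new rule, add its `if` block to custom_line() and a few real lines from the log it reads to @samples; swapping $1 and $2 in the exim rule makes the BAD RULE line appear for the second sample, because that log line has no host name and the capture is empty.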
Re: REGEX to block IPs that uses YLMF-PC
Posted: 13 Jul 2014, 12:59
by lightningbit
Sergio wrote:This is a common attack on a lot of servers: Chinese people trying to guess email passwords using YLMF OS.
Working OS: REDHAT Enterprise 64 bits / CPANEL 11.42.X
Action: Will permanently block the IP at the first error, you can modify that number.
LF_SELECT = 0 (this means that the rule doesn't need to add ports to block)
CUSTOM2_LOG = /var/log/exim_rejectlog
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^\S+\s+\S+\s+dovecot_login authenticator failed for \(ylmf-pc\) \[(\S+)\]/)) {
    return ("smtp_auth attack",$1,"SecmasYLMF","1","1");
}
Example of the attacks this rule will block:
2014-03-22 01:57:40 dovecot_login authenticator failed for (ylmf-pc) [23.31.83.109]:39370: 535 Incorrect authentication data (set_id=info)
2014-03-22 02:19:42 dovecot_login authenticator failed for (ylmf-pc) [59.50.172.84]:54793: 535 Incorrect authentication data
2014-03-22 03:47:32 dovecot_login authenticator failed for (ylmf-pc) [209.141.56.139]:4144: 535 Incorrect authentication data (set_id=info)
2014-03-22 03:53:13 dovecot_login authenticator failed for (ylmf-pc) [59.50.167.6]:34708: 535 Incorrect authentication data (set_id=info)
just fyi for others:
on my setup (CentOS 5.10 64-bit + DirectAdmin),
the logfile is located at /var/log/exim/rejectlog
Re: REGEX to block bounced spammers that search emails.
Posted: 13 Jul 2014, 18:44
by olce
Sergio wrote:There are spammers that send emails to accounts that don't exist on the server to catch the ones that do exist and add them to their databases. This regex will block IPs that generate 1 bounce when sending email to accounts that don't exist on the server and the From address is nil.
Working OS: REDHAT Enterprise 64 bits / CPANEL 11.42.X
Action: Will permanently block the IP with 1 bounce, you can modify that number.
LF_SELECT = 0 (this means that the rule doesn't need to add ports to block)
CUSTOM2_LOG = /var/log/exim_rejectlog
CAUTION:
This regex is so good that it will block hundreds of IPs that search for valid emails, be prepared.
# Keyed on $config{SMTPAUTH_LOG}; F=<> is the empty envelope sender of a bounce
if (($lgfile eq $config{SMTPAUTH_LOG}) and ($line =~ /\S+\s+\S+\s+H=\S+\s+\[(\S+)\]:\d+\s+F=\<\>\s+rejected RCPT \S+: No Such User Here/)) {
    return ("Bounced messages",$1,"SecmasBOUNCE","1","1");
}
Hi,
I see slightly different entries for bouncing in my logs.
They appear in /var/log/exim/rejectlog
and do not have the string "no such user" or something like that
I've a few with "authentication required" (this is for domains where none of them are on our server):
2014-07-12 20:52:38 H=(domainname) [46.158.29.159] F=<xxxxx> rejected RCPT <xxxxx>: authentication required
and a few without further info (this is where one of the 2 domains is on our server):
2014-07-12 20:52:37 H=(xxxxx) [46.158.29.159] F=<xxxxx> rejected RCPT <xxxxx>:
2014-07-12 20:52:37 H=(xxxxx) [46.158.29.159] F=<xxxxx> rejected RCPT <xxxxx>:
2014-07-12 20:52:37 H=(xxxxx) [46.158.29.159] F=<xxxxx> rejected RCPT <xxxxx>:
2014-07-12 20:52:38 H=(xxxxx) [46.158.29.159] F=<xxxxx> rejected RCPT <xxxxx>:
2014-07-12 20:52:38 H=(xxxxx) [46.158.29.159] F=<xxxxx> rejected RCPT <xxxxx>:
Is there a safe regex solution for these?
- for the first one, I would add the authentication required string to a regex
- for the second one, I've a feeling, a regex for just "rejected RCPT" is too risky?
(I had to replace all domains and mail addresses because I'm not allowed to post URLs, it seems)
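The two log forms above differ only in what follows "rejected RCPT <...>:", so the question of a "safe" regex comes down to how much of the reason text the rule anchors on. The following is an added example, not from olce's or Sergio's posts and not a recommendation from the thread: a candidate rule that anchors on the full "authentication required" reason, run against olce's two lines next to the bare "rejected RCPT" pattern olce asks about. The app names and the trigger count of 5 are chosen here; the third log line (an exim "Sender verify failed" rejection from a documentation address) is constructed to show a rejection of a different kind that the bare pattern also counts.

```perl
#!/usr/bin/perl
# Added example, not from olce's or Sergio's posts: a candidate rule for the
# "authentication required" rejections olce quoted, run against those lines
# next to the bare "rejected RCPT" pattern olce asks about, plus one
# constructed rejection of another kind to show what the bare pattern also
# catches.
use strict;
use warnings;

# Candidate regex.custom.pm rule. The app name and the trigger count of 5 are
# chosen for this example, not taken from the thread. H= is matched lazily up
# to the bracketed address because exim can put the reverse DNS name, the
# HELO name and the address in that field.
sub auth_required_rule {
    my ($line) = @_;
    if ($line =~ /^\S+\s+\S+\s+H=.*?\[(\S+)\]\s+F=<[^>]*>\s+rejected RCPT <[^>]*>: authentication required$/) {
        return ("Relay attempt without SMTP auth", $1, "SecmasAUTHREQ", "5", "1");
    }
    return;
}

# The looser form: any "rejected RCPT" line, whatever the reason after it.
sub bare_rcpt_rule {
    my ($line) = @_;
    if ($line =~ /^\S+\s+\S+\s+H=.*?\[(\S+)\]\s+F=<[^>]*>\s+rejected RCPT/) {
        return ("Rejected RCPT", $1, "SecmasRCPT", "5", "1");
    }
    return;
}

my @lines = (
    # quoted from olce's post, with olce's redactions kept
    '2014-07-12 20:52:38 H=(domainname) [46.158.29.159] F=<xxxxx> rejected RCPT <xxxxx>: authentication required',
    '2014-07-12 20:52:37 H=(xxxxx) [46.158.29.159] F=<xxxxx> rejected RCPT <xxxxx>:',
    # constructed: exim's "Sender verify failed" rejection from a documentation
    # address, i.e. a rejection for a different reason
    '2014-07-12 21:10:03 H=mail.example.net (helo.example.net) [203.0.113.9] F=<sender@example.net> rejected RCPT <user@example.com>: Sender verify failed',
);

for my $line (@lines) {
    my @strict = auth_required_rule($line);
    my @loose  = bare_rcpt_rule($line);
    printf "%-32s strict: %-14s bare: %s\n",
        substr($line, 20, 32),
        (@strict ? $strict[1] : '-'),
        (@loose  ? $loose[1]  : '-');
}
```

The strict rule fires only on the first line and returns 46.158.29.159; the bare pattern fires on all three, including the constructed sender-verify rejection from 203.0.113.9. Whether that is acceptable depends on what else a given server's rejectlog contains, which is why the lines a rule is meant to ignore belong in the sample set as much as the ones it is meant to catch.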
Re: Custom REGEX rules for CSF.
Posted: 05 Oct 2014, 03:22
by kpmedia
Sergio wrote:This regex is to block all the IPs that comes to the server checking for setids that don't exist,
What about a rule that rejects all attempts without an @? Example: john, james, admin, etc -- instead of john@domain. For most servers, anything without @ is just bogus traffic, not legit attempts.
And then a second rule to reject certain words before the @? Example, admin@, sales@, info@. Because the existing rule is not helping with those either. @FQDN attempts get through.
That would honestly be more helpful.
I'd do it myself, but I need to brush up on my regex first.
Re: Custom REGEX rules for CSF.
Posted: 25 Nov 2014, 15:00
by verdonv
Deleted
Re: Custom REGEX rules for CSF.
Posted: 27 Nov 2014, 19:19
by verdonv
Deleted