Re: Block IP based on "ylmf-pc" text in logs

Posted: 23 Sep 2014, 22:44
by bear
Sergio wrote: I had a direct rule just for YLMF-PC attacks and I have just added to the REGEX sticky, please check it at:
http://forum.configserver.com/viewtopic.php?f=6&t=7517&start=10#p22150
Any chance you have a version for Courier? Seems that adds content before the ylmf section that's throwing it off. I'd changed your version to match the line, but can't seem to get the reverse IP bit ( host81-149-19-219.in-addr.btopenworld.com ) to be caught.
[edit]
Just an FYI, it's not always present. About half the time it exists, the rest it goes directly to the ylmf portion after "for".

Sample hit:

2014-09-23 17:31:00 courier_login authenticator failed for host81-149-19-219.in-addr.btopenworld.com (ylmf-pc) [81.149.19.219]:61469: 535 Incorrect authentication data (set_id=jim)
Latest cPanel.

Re: Block IP based on "ylmf-pc" text in logs

Posted: 24 Sep 2014, 21:19
by Sergio
I have posted an addendum to my rule, please check:
viewtopic.php?f=6&t=7517&p=22150#p22150
for a modified rule that could be used in courier or dovecot, please let me know if it works for you.

Sergio

Re: Block IP based on "ylmf-pc" text in logs

Posted: 24 Sep 2014, 22:36
by bear
Sergio wrote: please let me know if it works for you.
Thank you, Sergio. Had one come in after this change with the reverse IP in it and it blocked it perfectly. I have seen a few come in with the reverse missing before this change, but looking at your update that should also be caught now. Thank you for all your effort here, pretty great of you. :)

Re: Block IP based on "ylmf-pc" text in logs

Posted: 24 Sep 2014, 23:10
by Sergio
No problem, glad it worked.

Re: Block IP based on "ylmf-pc" text in logs

Posted: 25 Sep 2014, 02:05
by bear
Well, yes and no. The ones with the additional info are being caught, but ones without are being missed. This one was picked up by LFD after the number of attempts specified in the config, but not by this tweak.

2014-09-24 19:06:53 courier_login authenticator failed for (ylmf-pc) [202.53.73.36]:54355: 535 Incorrect authentication data (set_id=admin)
Strange since the ".*" should see either the space or a longer line...

Re: Block IP based on "ylmf-pc" text in logs

Posted: 25 Sep 2014, 04:14
by Sergio
Try replacing

.*

with

\S+?

and let me know if that does the trick.

Re: Block IP based on "ylmf-pc" text in logs

Posted: 25 Sep 2014, 12:39
by bear
That would match a space, but then we lose the string it has been currently catching.
Will this accept alternation? The following *should* see the space *or* space-string-space, no?

authenticator failed for.*|\s+\(ylmf-pc\)
Maybe that needs to be enclosed?

authenticator failed for(.*|\s+)\(ylmf-pc\)

Re: Block IP based on "ylmf-pc" text in logs

Posted: 25 Sep 2014, 13:48
by Sergio
The code that I wrote has to be a capital S, which means any character; the "+" sign means any quantity. So it should work if you set it: "failed for \S+?". It was my mistake, please try it again.

Re: Block IP based on "ylmf-pc" text in logs

Posted: 25 Sep 2014, 14:37
by bear
Ok, seems to be working with my experimental alternation.

authenticator failed for.*|\s+\(ylmf-pc\)
The ".*" catches the reverse IP string, and the "\s+" manages the spaces if the first one fails to match; so it caught two, one after the other.
Example A:

2014-09-25 09:29:11 courier_login authenticator failed for mailsvr.pce-ltd.co.uk (ylmf-pc) [79.170.75.4]:37410: 535 Incorrect authentication data (set_id=dloptkcu)
Example B:

2014-09-25 09:22:39 courier_login authenticator failed for (ylmf-pc) [193.0.200.147]:58825: 535 Incorrect authentication data (set_id=jim)
Might wish to experiment to see if you find the same results, and if it works for you, feel free to amend your version with it. Once again, I appreciate the help and push in the right direction.

Re: Block IP based on "ylmf-pc" text in logs

Posted: 25 Sep 2014, 15:47
by Sergio
Unfortunately, none of my servers uses Courier and I don't have any way to test the rule.

If it is working for you, great!

Anyway, with this last amendment "(\S+)?" (without the quotes) is more straightforward, and the rule doesn't have to make an "or" that is not necessary.

Please try the following:

authenticator failed for (\S+\s)?\(ylmf-pc\)
Note: there should not be any whitespace between ?\
This will do the trick, you will not waste a cycle with the "|", and it is more elegant :-)
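The three rule bodies discussed in this thread can be checked offline before they go into a blocker. The script below is an added example, not code from the thread or from ConfigServer; it runs each candidate over the two Courier lines quoted above (Example A with the reverse-DNS name, Example B without it) plus one constructed non-ylmf-pc failure on an RFC 5737 address, and reports which client addresses each rule would hand to the blocker. The "optional group" pattern here carries an explicit space after "for" so the group starts at the hostname rather than at the space (my assumption about the intended form), and the IP capture is mine, not LFD's. Python's re engine treats \S, \s, alternation and optional groups the same way Perl does for these patterns, so the results carry over.

```python
import re

# Two lines quoted in the thread (Example A with the reverse-DNS name, Example B without it)
# plus one constructed non-ylmf-pc failure, so that over-matching becomes visible.
SAMPLE_LINES = [
    "2014-09-25 09:29:11 courier_login authenticator failed for mailsvr.pce-ltd.co.uk (ylmf-pc) [79.170.75.4]:37410: 535 Incorrect authentication data (set_id=dloptkcu)",
    "2014-09-25 09:22:39 courier_login authenticator failed for (ylmf-pc) [193.0.200.147]:58825: 535 Incorrect authentication data (set_id=jim)",
    # constructed line: an ordinary wrong password from a non-ylmf-pc client (RFC 5737 address)
    "2014-09-25 09:30:00 courier_login authenticator failed for (mail.example.test) [198.51.100.7]:40000: 535 Incorrect authentication data (set_id=bob)",
]

# Candidate rule bodies from the thread. The last one carries an explicit space after "for"
# so the optional group starts at the hostname rather than at the space (assumption).
PATTERNS = {
    "top-level alternation": r"authenticator failed for.*|\s+\(ylmf-pc\)",
    "grouped alternation": r"authenticator failed for(.*|\s+)\(ylmf-pc\)",
    "optional group": r"authenticator failed for (\S+\s)?\(ylmf-pc\)",
}

# Courier prints the client address as "[a.b.c.d]:port"; this capture is mine, not LFD's.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]:\d+")


def matched_lines(pattern: str, lines):
    """Lines the rule would fire on, using an unanchored search like a Perl rule would."""
    rx = re.compile(pattern)
    return [line for line in lines if rx.search(line)]


def blocked_ips(pattern: str, lines):
    """Source addresses the rule would hand to the blocker, in log order."""
    return [IP_RE.search(line).group(1) for line in matched_lines(pattern, lines)]


def evaluate(patterns=PATTERNS, lines=SAMPLE_LINES):
    """Map each candidate rule to the addresses it would block on the sample input."""
    return {name: blocked_ips(pat, lines) for name, pat in patterns.items()}


if __name__ == "__main__":
    for name, ips in evaluate().items():
        print(f"{name:24s} -> {ips}")
```

Running it shows the point bear's top-level alternation hides: because the "|" splits the whole pattern, the left side "authenticator failed for.*" matches every failed login, so one mistyped password from an ordinary client would be blocked immediately instead of after the configured number of attempts. Both the grouped alternation and the optional-group form match only the two ylmf-pc lines.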