CSF not blocking postfix/smtpd brute force on centOS 7
Posted: 15 Sep 2019, 14:22
Hi,
I recently installed csf on CENTOS 7, however it, it seems it is not able to block postfix/smtpd sasl auth errors.
Here is the log from /var/log/maillog
I have observed for long enough and can say its not blocking these attempts.
I read around and found regex but can't get it work as I am bad at regex.
This is what I found and used:
Added this to to /etc/csf/csf.conf
Added following to /usr/local/csf/bin/regex.custom.pm
Can anyone help me to get it working ?
I recently installed csf on CENTOS 7, however it, it seems it is not able to block postfix/smtpd sasl auth errors.
Here is the log from /var/log/maillog
Code: Select all
Sep 15 14:31:06 LinuxServer postfix/smtpd[26850]: warning: hostname mobiup.climberjumbo.com does not resolve to address 141.98.9.195
Sep 15 14:31:06 LinuxServer postfix/smtpd[26850]: connect from unknown[141.98.9.195]
Sep 15 14:31:07 LinuxServer postfix/smtpd[25442]: disconnect from unknown[92.118.38.52]
Sep 15 14:31:08 LinuxServer postfix/smtpd[25587]: warning: hostname ip-38-52.ZervDNS does not resolve to address 92.118.38.52: Name or service not known
Sep 15 14:31:08 LinuxServer postfix/smtpd[25587]: connect from unknown[92.118.38.52]
Sep 15 14:31:09 LinuxServer postfix/smtpd[26072]: warning: unknown[141.98.9.5]: SASL LOGIN authentication failed: authentication failure
Sep 15 14:31:10 LinuxServer postfix/smtpd[26072]: disconnect from unknown[141.98.9.5]
Sep 15 14:31:10 LinuxServer postfix/smtpd[25876]: warning: unknown[92.118.38.52]: SASL LOGIN authentication failed: authentication failure
Sep 15 14:31:11 LinuxServer postfix/smtpd[25876]: disconnect from unknown[92.118.38.52]
Sep 15 14:31:11 LinuxServer postfix/smtpd[26850]: warning: unknown[141.98.9.195]: SASL LOGIN authentication failed: authentication failure
Sep 15 14:31:11 LinuxServer postfix/smtpd[26850]: disconnect from unknown[141.98.9.195]
Sep 15 14:31:13 LinuxServer postfix/smtpd[32625]: warning: unknown[141.98.9.42]: SASL LOGIN authentication failed: authentication failure
Sep 15 14:31:14 LinuxServer postfix/smtpd[32625]: disconnect from unknown[141.98.9.42]
I read around and found regex but can't get it work as I am bad at regex.
This is what I found and used:
Added this to to /etc/csf/csf.conf
Code: Select all
CUSTOM10_LOG = "/var/log/maillog"
Code: Select all
if (($lgfile eq $config{CUSTOM10_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]*? authentication failed/)) {
return ("Failed SASL login from",$1,"mysaslmatch","3","25","3600");
}