
How can I block this kind of exim spam attack?

Posted: 07 Oct 2022, 12:18
by pepsi
2022-10-07 18:32:31 H=(lnyd) [223.240.209.1] F=<elo@myserver.com> rejected RCPT <3123827806@qq.com>: R1: HELO should be a FQDN or address literal (See RFC 2821 4.1.1.1)

I get a lot of this kind of spam every day; how can I use csf to auto-block them?
Thank you

The exim part of my settings:
SMTP_BLOCK = 1
SMTP_ALLOWLOCAL = 1
SMTP_REDIRECT = 0
SMTPAUTH_RESTRICT = 1

I just want only my server and PHP to be able to send mail.

Thank you so much

Re: How can I block this kind of exim spam attack?

Posted: 07 Oct 2022, 19:15
by Sergio
You can create your own regex rule and add it to:
/usr/local/csf/bin/regex.custom.pm

If that is the log line, then the main regex could be something like this:

Code:

^\S+\s\S+\s\S+\s\[(\S+)\].*HELO should be a FQDN

You should follow the instructions inside regex.custom.pm in order to have this rule in production.

Once the rule is in production, it will block any IP on $1 that triggered the rule.

Sergio

Re: How can I block this kind of exim spam attack?

Posted: 09 Oct 2022, 05:50
by pepsi
Thank you so much, but I'm new to csf rules. I would be grateful if you could check this complete rule:

SMTPAUTH_LOG = /var/log/exim/mainlog
CUSTOM1_LOG = /var/log/exim/rejectlog

Code:

if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+\s\S+\s\S+\s\[(\S+)\].*HELO should be a FQDN/)) {
    return ("CUSTOM_Batch Spam Attack",$1,"Exim","2","25,465,587","3600");
}

Is that right?
Thank you so much

Re: How can I block this kind of exim spam attack?

Posted: 09 Oct 2022, 16:43
by Sergio
Looks OK; the only thing I usually add to my regexes is an "i" at the end of the rule, like the following, to ignore case:

Code:

HELO should be a FQDN/i

Also, it is better to check at regex101 whether the rule works, using one of your log lines.

Then, to fully know if it is working, set it in production.
Remember that for the rule to work you should restart LFD.

Re: How can I block this kind of exim spam attack?

Posted: 10 Oct 2022, 03:57
by pepsi
Sergio wrote: 09 Oct 2022, 16:43
Looks OK; the only thing I usually add to my regexes is an "i" at the end of the rule, like the following, to ignore case:

Code:

HELO should be a FQDN/i

Also, it is better to check at regex101 whether the rule works, using one of your log lines.

Then, to fully know if it is working, set it in production.
Remember that for the rule to work you should restart LFD.
Thank you so much

I think regex101 has a bug with the backslash (\):

Code:

if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+\s\S+\s\S+\s\[(\S+)\].*HELO should be a FQDN/i)) {
    return ("CUSTOM_Batch Spam Attack",$1,"Exim","2","25,465,587","3600");
}
/
All the errors detected are listed below, from left to right, as they appear in the pattern.
/ An unescaped delimiter must be escaped; in most languages with a backslash (\)
/ An unescaped delimiter must be escaped; in most languages with a backslash (\)

Also, I have another question:
someone is trying to hack my phpMyAdmin and I get a lot of errors from my modsec block:

Code:

[Fri Oct 07 16:49:21.175272 2022] [:error] [pid 19771:tid 139824933398272] [client 129.45.123.27:57113] [client 129.45.123.27] ModSecurity: Access denied with code 406 (phase 1). Pattern match "^.*(/pma|/sql|/mysql|/phpMyAdmin).*$" at REQUEST_URI. [file "/usr/local/cwaf/etc/httpd/custom_user.conf"] [line "6"] [id "77704"] [msg "phpMyAdmin hacking"] [severity "CRITICAL"] [hostname "123.123.123.123"] [uri "/phpmyadmin/index.php"] [unique_id "Yz_oETe_TOecHbx-z5kMOwAAAL0"]

Can I just use this code to ban it?

Code:


if (($globlogs{HTACCESS_LOG}{$lgfile}) and ($line =~ /^(\S+)(.*) Access denied with code 406 (.*)/)) {
    return ("Get lost please",$1,"HTACCESS406","2","80,443","604800");
}
Thank you so much

Re: How can I block this kind of exim spam attack?

Posted: 11 Oct 2022, 01:49
by Sergio
In regex101 you don't have to write the full CSF rule; if you do, regex101 will show a lot of errors.
You just have to check the regex that you are trying to set in production.

For example, if you have the full rule like this:

Code:

if (($globlogs{HTACCESS_LOG}{$lgfile}) and ($line =~ /^(\S+)(.*) Access denied with code 406 (.*)/)) {
    return ("Get lost please",$1,"HTACCESS406","2","80,443","604800");
}

In regex101 you just need to test this part:

Code:

^(\S+)(.*) Access denied with code 406

One thing to keep in mind is that everything you write in the "return" part is written only to the csf.deny file, and if you write a lot of words that file will grow very large. Also, anything you write there is not shown to anyone; the people who tried to hack your site will never see "Get lost please", for example.

Try to keep your rules very simple, without a lot of text, just something for you to know what the rule is about.

For example, it is better to have something like this in the return part:

Code:

("",$1,"HTACCESS406","2","80,443","604800")

Just my advice for you, as you are starting to create CSF rules.

Re: How can I block this kind of exim spam attack?

Posted: 11 Oct 2022, 02:08
by pepsi
Sergio wrote: 11 Oct 2022, 01:49
In regex101 you don't have to write the full CSF rule; if you do, regex101 will show a lot of errors.
You just have to check the regex that you are trying to set in production.

For example, if you have the full rule like this:

Code:

if (($globlogs{HTACCESS_LOG}{$lgfile}) and ($line =~ /^(\S+)(.*) Access denied with code 406 (.*)/)) {
    return ("Get lost please",$1,"HTACCESS406","2","80,443","604800");
}

In regex101 you just need to test this part:

Code:

^(\S+)(.*) Access denied with code 406

One thing to keep in mind is that everything you write in the "return" part is written only to the csf.deny file, and if you write a lot of words that file will grow very large. Also, anything you write there is not shown to anyone; the people who tried to hack your site will never see "Get lost please", for example.

Try to keep your rules very simple, without a lot of text, just something for you to know what the rule is about.

For example, it is better to have something like this in the return part:

Code:

("",$1,"HTACCESS406","2","80,443","604800")

Just my advice for you, as you are starting to create CSF rules.

Thank you for continuing to help and teach me how to write a good rule.

Re: How can I block this kind of exim spam attack?

Posted: 11 Oct 2022, 12:21
by pepsi

Code:

[Fri Oct 07 16:49:21.175272 2022] [:error] [pid 19771:tid 139824933398272] [client 129.45.123.27:57113] [client 129.45.123.27] ModSecurity: Access denied with code 406 (phase 1). Pattern match "^.*(/pma|/sql|/mysql|/phpMyAdmin).*$" at REQUEST_URI. [file "/usr/local/cwaf/etc/httpd/custom_user.conf"] [line "6"] [id "77704"] [msg "phpMyAdmin hacking"] [severity "CRITICAL"] [hostname "123.123.123.123"] [uri "/phpmyadmin/index.php"] [unique_id "Yz_oETe_TOecHbx-z5kMOwAAAL0"]
May I ask about a more advanced requirement?
I want to auto-ban using "Access denied with code 406" and "phpMyAdmin hacking" as the 2 main conditions in the above error. Does this rule run without problems? Thank you

Code:


if (($globlogs{HTACCESS_LOG}{$lgfile}) and ($line =~ /^(\S+)(.*) Access denied with code 406 (.*)phpMyAdmin hacking(.*)/)) {
    return ("",$1,"HTACCESS406","2","80,443","604800");
}

Re: How can I block this kind of exim spam attack?

Posted: 11 Oct 2022, 20:06
by Sergio
To know if the rule is good, I need at least 2 log lines to check the rule.

But as far as I have checked with what you gave, that rule is not good. It takes a lot of time to check; I would never use this rule on my servers.
You have to remember that the server will be checking hundreds of log lines in a few minutes, so your rules should take less than 1 or 2 milliseconds to run.

Your rule takes 1,060 steps, which uses 5 ms to run.

On my servers I have a rule just for ModSecurity that runs faster: 712 steps and 1 ms:

Code:

^\[\S+\s+\S+\s+\S+\s+\S+\.\d+\s+\S+\] \[:error\] \[pid \d+.*\] \[client \S+\] \[client (\S+)\] ModSecurity.*\[id "(77704)"\]

On the ID you can OR different rules like this:

Code:


^\[\S+\s+\S+\s+\S+\s+\S+\.\d+\s+\S+\] \[:error\] \[pid \d+.*\] \[client \S+\] \[client (\S+)\] ModSecurity.*\[id "(77704|999999|1010101)"\]
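To see what each rule in this thread actually hands to lfd, here is an added check (not from this thread or from CSF; written with Python's re rather than the Perl of regex.custom.pm, which handles these patterns identically) that runs the exim HELO regex from the second post and the two ModSecurity regexes from this exchange over the log lines quoted in the thread and reports what $1 would contain. The IPv4 filter is my own addition, used only to separate address captures from anything else.

```python
import re

# Log lines quoted in this thread: the exim reject line and two ModSecurity denials.
EXIM_LINE = ('2022-10-07 18:32:31 H=(lnyd) [223.240.209.1] F=<elo@myserver.com> rejected RCPT '
             '<3123827806@qq.com>: R1: HELO should be a FQDN or address literal (See RFC 2821 4.1.1.1)')
MODSEC_LINES = [
    '[Fri Oct 07 16:49:21.175272 2022] [:error] [pid 19771:tid 139824933398272] '
    '[client 129.45.123.27:57113] [client 129.45.123.27] ModSecurity: Access denied with code 406 '
    '(phase 1). Pattern match "^.*(/pma|/sql|/mysql|/phpMyAdmin).*$" at REQUEST_URI. '
    '[file "/usr/local/cwaf/etc/httpd/custom_user.conf"] [line "6"] [id "77704"] '
    '[msg "phpMyAdmin hacking"] [severity "CRITICAL"] [hostname "123.123.123.123"] '
    '[uri "/phpmyadmin/index.php"] [unique_id "Yz_oETe_TOecHbx-z5kMOwAAAL0"]',
    '[Wed Oct 12 05:58:53.551238 2022] [:error] [pid 18439:tid 140710636349184] '
    '[client 173.31.99.186:46742] [client 173.31.99.186] ModSecurity: Access denied with code 406 '
    '(phase 1). Pattern match "^.*(/pma/phpMyAdmin).*$" at REQUEST_URI. '
    '[file "/usr/local/cwaf/etc/httpd/custom_user.conf"] [line "6"] [id "77704"] '
    '[msg "phpMyAdmin hacking"] [severity "CRITICAL"] [hostname "127.0.0.1"] [uri "/shell"] '
    '[unique_id "Y0XnHRxbEtm5AecnAZ806wAAANc"]',
]

# The three regexes exactly as posted in the thread. lfd denies whatever ends up in $1,
# so the only question that matters for each rule is: what does group 1 contain?
RULES = {
    "exim_helo": re.compile(r'^\S+\s\S+\s\S+\s\[(\S+)\].*HELO should be a FQDN', re.I),
    "modsec_first_token": re.compile(
        r'^(\S+)(.*) Access denied with code 406 (.*)phpMyAdmin hacking(.*)'),
    "modsec_anchored": re.compile(
        r'^\[\S+\s+\S+\s+\S+\s+\S+\.\d+\s+\S+\] \[:error\] \[pid \d+.*\] \[client \S+\] '
        r'\[client (\S+)\] ModSecurity.*\[id "(77704|999999|1010101)"\]'),
}
IPV4 = re.compile(r'^(?:\d{1,3}\.){3}\d{1,3}$')  # added helper, not part of any CSF rule

def capture(rule_name, line):
    """Return what $1 would hold for this rule on this line, or None if the rule does not match."""
    m = RULES[rule_name].search(line)
    return m.group(1) if m else None

def blockable_ips(rule_name, lines):
    """Only the $1 values that are IPv4 addresses: anything else is useless to lfd as a deny entry."""
    hits = (capture(rule_name, line) for line in lines)
    return [h for h in hits if h is not None and IPV4.match(h)]

if __name__ == "__main__":
    print("exim_helo          -> $1 =", repr(capture("exim_helo", EXIM_LINE)))
    for name in ("modsec_first_token", "modsec_anchored"):
        print(f"{name:18} -> $1 = {capture(name, MODSEC_LINES[0])!r}; "
              f"blockable: {blockable_ips(name, MODSEC_LINES)}")
```

Because the ModSecurity line begins with `[Fri` rather than an address, the `^(\S+)` rule puts that literal token in $1 and lfd gets nothing it can deny, while the anchored rule captures the client address on every line.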

Re: How can I block this kind of exim spam attack?

Posted: 12 Oct 2022, 01:24
by pepsi
Sergio wrote: 11 Oct 2022, 20:06
To know if the rule is good, I need at least 2 log lines to check the rule.

But as far as I have checked with what you gave, that rule is not good. It takes a lot of time to check; I would never use this rule on my servers.
You have to remember that the server will be checking hundreds of log lines in a few minutes, so your rules should take less than 1 or 2 milliseconds to run.

Your rule takes 1,060 steps, which uses 5 ms to run.

On my servers I have a rule just for ModSecurity that runs faster: 712 steps and 1 ms:

Code:

^\[\S+\s+\S+\s+\S+\s+\S+\.\d+\s+\S+\] \[:error\] \[pid \d+.*\] \[client \S+\] \[client (\S+)\] ModSecurity.*\[id "(77704)"\]

On the ID you can OR different rules like this:

Code:

^\[\S+\s+\S+\s+\S+\s+\S+\.\d+\s+\S+\] \[:error\] \[pid \d+.*\] \[client \S+\] \[client (\S+)\] ModSecurity.*\[id "(77704|999999|1010101)"\]

Thank you so much. Unfortunately, I just confirmed my rule is not working; they keep coming to try to find my phpMyAdmin location:

Code:


[Wed Oct 12 05:58:53.551238 2022] [:error] [pid 18439:tid 140710636349184] [client 173.31.99.186:46742] [client 173.31.99.186] ModSecurity: Access denied with code 406 (phase 1). Pattern match "^.*(/pma/phpMyAdmin).*$" at REQUEST_URI. [file "/usr/local/cwaf/etc/httpd/custom_user.conf"] [line "6"] [id "77704"] [msg "phpMyAdmin hacking"] [severity "CRITICAL"] [hostname "127.0.0.1"] [uri "/shell"] [unique_id "Y0XnHRxbEtm5AecnAZ806wAAANc"]
[Wed Oct 12 07:48:04.470811 2022] [:error] [pid 18141:tid 140710518851328] [client 141.94.21.70:53302] [client 141.94.21.70] ModSecurity: Access denied with code 406 (phase 1). Pattern match "^.*(/pma/phpMyAdmin).*$" at REQUEST_URI. [file "/usr/local/cwaf/etc/httpd/custom_user.conf"] [line "6"] [id "77704"] [msg "phpMyAdmin hacking"] [severity "CRITICAL"] [hostname "123.123.123.123"] [uri "/phpmyadmin2011/index.php"] [unique_id "Y0YAtHtoSYxh7XknsKNG5QAAAWU"]
[Wed Oct 12 07:48:04.958461 2022] [:error] [pid 18439:tid 140710745454336] [client 141.94.21.70:53372] [client 141.94.21.70] ModSecurity: Access denied with code 406 (phase 1). Pattern match "^.*(/pma/phpMyAdmin).*$" at REQUEST_URI. [file "/usr/local/cwaf/etc/httpd/custom_user.conf"] [line "6"] [id "77704"] [msg "phpMyAdmin hacking"] [severity "CRITICAL"] [hostname "123.123.123.123"] [uri "/mysql/dbadmin/index.php"] [unique_id "Y0YAtBxbEtm5AecnAZ81fgAAAMo"]
[Wed Oct 12 07:48:05.441270 2022] [:error] [pid 18141:tid 140710502065920] [client 141.94.21.70:53442] [client 141.94.21.70] ModSecurity: Access denied with code 406 (phase 1). Pattern match "^.*(/pma/phpMyAdmin).*$" at REQUEST_URI. [file "/usr/local/cwaf/etc/httpd/custom_user.conf"] [line "6"] [id "77704"] [msg "phpMyAdmin hacking"] [severity "CRITICAL"] [hostname "123.123.123.123"] [uri "/phpmyadmin2019/index.php"] [unique_id "Y0YAtXtoSYxh7XknsKNG5gAAAWc"]
[Wed Oct 12 07:48:05.918142 2022] [:error] [pid 18439:tid 140710728668928] [client 141.94.21.70:53506] [client 141.94.21.70] ModSecurity: Access denied with code 406 (phase 1). Pattern match "^.*(/pma/phpMyAdmin).*$" at REQUEST_URI. [file "/usr/local/cwaf/etc/httpd/custom_user.conf"] [line "6"] [id "77704"] [msg "phpMyAdmin hacking"] [severity "CRITICAL"] [hostname "123.123.123.123"] [uri "/phpmyadmin3/index.php"] [unique_id "Y0YAtRxbEtm5AecnAZ81fwAAAMw"]
[Wed Oct 12 07:48:06.400111 2022] [:error] [pid 18141:tid 140710485280512] [client 141.94.21.70:53578] [client 141.94.21.70] ModSecurity: Access denied with code 406 (phase 1). Pattern match "^.*(/pma/phpMyAdmin).*$" at REQUEST_URI. [file "/usr/local/cwaf/etc/httpd/custom_user.conf"] [line "6"] [id "77704"] [msg "phpMyAdmin hacking"] [severity "CRITICAL"] [hostname "123.123.123.123"] [uri "/phpMyAdmin4/index.php"] [unique_id "Y0YAtntoSYxh7XknsKNG5wAAAWk"]
[Wed Oct 12 07:48:06.879420 2022] [:error] [pid 18141:tid 140710460102400] [client 141.94.21.70:53800] [client 141.94.21.70] ModSecurity: Access denied with code 406 (phase 1). Pattern match "^.*(/pma/phpMyAdmin).*$" at REQUEST_URI. [file "/usr/local/cwaf/etc/httpd/custom_user.conf"] [line "6"] [id "77704"] [msg "phpMyAdmin hacking"] [severity "CRITICAL"] [hostname "123.123.123.123"] [uri "/phpmyadmin2022/index.php"] [unique_id "Y0YAtntoSYxh7XknsKNG6AAAAWw"]
[Wed Oct 12 07:48:07.854927 2022] [:error] [pid 18439:tid 140710720276224] [client 141.94.21.70:53966] [client 141.94.21.70] ModSecurity: Access denied with code 406 (phase 1). Pattern match "^.*(/pma/phpMyAdmin).*$" at REQUEST_URI. [file "/usr/local/cwaf/etc/httpd/custom_user.conf"] [line "6"] [id "77704"] [msg "phpMyAdmin hacking"] [severity "CRITICAL"] [hostname "123.123.123.123"] [uri "/phpMyAdmin-5.2.0/index.php"] [unique_id "Y0YAtxxbEtm5AecnAZ81gAAAAM0"]
[Wed Oct 12 07:48:08.341196 2022] [:error] [pid 18439:tid 140710703490816] [client 141.94.21.70:54036] [client 141.94.21.70] ModSecurity: Access denied with code 406 (phase 1). Pattern match "^.*(/pma/phpMyAdmin).*$" at REQUEST_URI. [file "/usr/local/cwaf/etc/httpd/custom_user.conf"] [line "6"] [id "77704"] [msg "phpMyAdmin hacking"] [severity "CRITICAL"] [hostname "123.123.123.123"] [uri "/phpMyAdmin5.2/index.php"] [unique_id "Y0YAuBxbEtm5AecnAZ81gQAAAM8"]
[Wed Oct 12 07:48:08.821670 2022] [:error] [pid 18141:tid 140710434924288] [client 141.94.21.70:54104] [client 141.94.21.70] ModSecurity: Access denied with code 406 (phase 1). Pattern match "^.*(/pma/phpMyAdmin).*$" at REQUEST_URI. [file "/usr/local/cwaf/etc/httpd/custom_user.conf"] [line "6"] [id "77704"] [msg "phpMyAdmin hacking"] [severity "CRITICAL"] [hostname "123.123.123.123"] [uri "/mysqladmin/index.php"] [unique_id "Y0YAuHtoSYxh7XknsKNG6gAAAW8"]
That's very annoying and tiresome; even though I set LF_MODSEC = 2, csf can't block this one.

Is denying with ModSecurity alone enough for protection? Thanks

Hope your rule will work for me, Thank you so much