I've decided to re-start this project and here are my updated rules.
This rule is for Exim, Invalid HELO
http://rubular.com/r/i6qKKbmqSY
Code:
# Exim_RFC
# Fires on exim_rejectlog lines where Exim refused MAIL because the HELO name was invalid.
# CUSTOM2_LOG must be set to the Exim reject log in csf.conf for this block to be consulted.
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /^.* H=.* \[(\S+)\]:.* rejected MAIL <.*>: Access denied - Invalid HELO name \(See RFC2821 .*\)$/)) {
    # return fields: alert text, offending IP ($1 = the H=... [ip] address), rule id,
    # hits before blocking, ports to block, temporary block TTL in seconds
    return ("RFC Hit from",$1,"EXIMRFC","1","25;tcp,465;tcp,587;tcp","3600");
}
I have yet to see it working; can anyone confirm? Based on Rubular it's valid, but CSF doesn't seem to trigger it.
-- update
Confirmed working
Code:
(EXIMRFC) EXIM RFC Hit from 114.43.241.151 (TW/Taiwan/-/-/-/[AS3462 Data Communication Business Group]): 1 in the last 3600 secs - *Blocked in csf* for 3600 secs [LF_CUSTOMTRIGGER]
Based on the current logs:
Code:
2015-10-19 07:14:32 H=(GAOERAUJJ) [41.162.49.20]:2092 rejected MAIL <miasmata8@rockofages.com>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2015-10-19 21:43:48 H=(DCBLRIFI) [175.206.109.172]:9351 rejected MAIL <yodelerc2@reresources.com>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2015-10-19 21:44:34 H=(ZVOFFEKXKZ) [175.206.109.172]:9519 rejected MAIL <releasingdjn8@rostolis.com>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2015-10-19 22:53:17 H=(abouliau) [12.147.144.133]:54314 rejected MAIL <boomstera@abouliau.pps-time.com>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
Proof
Code:
csf -g 114.43.241.151
Chain num pkts bytes target prot opt in out source destination
DENYIN 37 0 0 DROP tcp -- !lo * 114.43.241.151 0.0.0.0/0 tcp dpt:25
DENYIN 38 0 0 DROP tcp -- !lo * 114.43.241.151 0.0.0.0/0 tcp dpt:465
DENYIN 39 0 0 DROP tcp -- !lo * 114.43.241.151 0.0.0.0/0 tcp dpt:587
IPSET: No matches found for 114.43.241.151
ip6tables:
Chain num pkts bytes target prot opt in out source destination
No matches found for 114.43.241.151 in ip6tables
Temporary Blocks: IP:114.43.241.151 Port:25;tcp,465;tcp,587;tcp Dir:in TTL:3600 (lfd - (EXIMRFC) EXIM RFC Hit from 114.43.241.151 (TW/Taiwan/-/-/-/[AS3462 Data Communication Business Group]): 1 in the last 3600 secs)
OS: CentOS 6 // cPanel 11.52.0
LF_TRIGGER = "0"
LF_SELECT = "1"
Here is another rule that has yet to trigger:
http://rubular.com/r/lirfiIDZdr
Code:
# Exim_RBL
# Fires on exim_rejectlog lines where Exim refused RCPT because the sending host is listed in an RBL.
# $1 = connecting IP, $2 = rejected recipient, $3 = IP quoted inside the rejection message.
# CUSTOM1_LOG must be set to the Exim reject log in csf.conf for this block to be consulted.
# No separate test for 'Blocked by ...' rejections is needed: those lines lack the literal
# "is in an RBL" and never match. (A guard of the form $3 eq "" would never be true after a
# match, because (\S+) requires at least one character, so the rule would never return.)
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^.* H=.* \[(\S+)\]:.* .*F=.* rejected RCPT <(\S+)>: \"JunkMail rejected - .* \[(\S+)\]:.* is in an RBL.*$/)) {
    return ("RBL Hit",$1,"EXIM_RBL","1","25,465,587","3600");
}
-- update 2: RBL regex is confirmed working
Code:
Time: Wed Oct 21 06:04:21 2015 -0400
IP: 94.231.126.245 (RU/Russian Federation/Ryazan/Ryazan/-/[AS41854 Nlink Telecommunications LLC])
Failures: 1 (EXIMRBL)
Interval: 3600 seconds
Blocked: Temporary Block
Logs that it catches -- we often get brute forces for RFC rules; in this case drpeng-cb03e432 hit the server 25+ times. I could set the rule to x hits, but I've yet to see any valid traffic from clients hitting this rule.
Code:
2015-10-19 05:42:27 H=(drpeng-cb03e432) [1.93.19.216]:3379 rejected MAIL <lvckx@zenithmedia.net>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2015-10-19 05:42:33 H=(drpeng-cb03e432) [1.93.19.216]:2588 rejected MAIL <rjgpe@zenithmedia.net>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2015-10-19 05:42:43 H=(drpeng-cb03e432) [1.93.19.216]:4195 rejected MAIL <wvh@zenithmedia.net>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2015-10-19 05:42:47 H=(drpeng-cb03e432) [1.93.19.216]:4596 rejected MAIL <rgjyb@zenithmedia.net>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2015-10-19 05:43:31 H=(drpeng-cb03e432) [1.93.19.216]:3349 rejected MAIL <eenv@zenithmedia.net>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2015-10-19 05:44:38 H=(drpeng-cb03e432) [1.93.19.216]:3918 rejected MAIL <cqxojm@zenithmedia.net>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2015-10-19 07:12:59 H=(QHWHFOVDC) [88.119.254.194]:1378 rejected MAIL <undercharging95@rollcoater.com>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2015-10-19 07:13:03 H=(NQURXTBEEE) [88.119.254.194]:1449 rejected MAIL <betided20@rouenstsever.com>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2015-10-19 07:14:20 H=(YHBDPVAOF) [41.162.49.20]:1894 rejected MAIL <electroplatingkbv158@rccn.com>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2015-10-19 07:14:32 H=(GAOERAUJJ) [41.162.49.20]:2092 rejected MAIL <miasmata8@rockofages.com>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2015-10-19 21:43:48 H=(DCBLRIFI) [175.206.109.172]:9351 rejected MAIL <yodelerc2@reresources.com>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2015-10-19 21:44:34 H=(ZVOFFEKXKZ) [175.206.109.172]:9519 rejected MAIL <releasingdjn8@rostolis.com>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2015-10-19 22:53:17 H=(abouliau) [12.147.144.133]:54314 rejected MAIL <boomstera@abouliau.pps-time.com>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
Proof
Code:
csf -g 94.231.126.245
Chain num pkts bytes target prot opt in out source destination
DENYIN 10 8 356 DROP tcp -- !lo * 94.231.126.245 0.0.0.0/0 tcp dpt:25
DENYIN 11 0 0 DROP tcp -- !lo * 94.231.126.245 0.0.0.0/0 tcp dpt:465
DENYIN 12 0 0 DROP tcp -- !lo * 94.231.126.245 0.0.0.0/0 tcp dpt:587
IPSET: No matches found for 94.231.126.245
ip6tables:
Chain num pkts bytes target prot opt in out source destination
No matches found for 94.231.126.245 in ip6tables
Temporary Blocks: IP:94.231.126.245 Port:25;tcp,465;tcp,587;tcp Dir:in TTL:3600 (lfd - (EXIMRBL) EXIM RBL Hit 94.231.126.245 (RU/Russian Federation/Ryazan/Ryazan/-/[AS41854 Nlink Telecommunications LLC]): 1 in the last 3600 secs)
The only problem I can see is that CUSTOM_LOG is set to /var/log/exim_rejectlog for both; not sure if that could be a problem.
Any suggestions and advice would be nice.
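As an added check, not part of the post or of CSF itself: a Python script that runs both patterns from the post, unchanged, over the post's own rejectlog lines plus two constructed ones, and emulates lfd's per-rule hit counting so the "1 hit versus x hits in 3600 seconds" question raised above can be tried offline. The example.invalid hostnames, addresses and the RBL URL in the constructed lines are assumptions, shaped to fit the posted RBL regex.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The two regex.custom.pm patterns from the post, carried over verbatim; Python's re accepts them.
EXIM_RFC = re.compile(r'^.* H=.* \[(\S+)\]:.* rejected MAIL <.*>: Access denied - Invalid HELO name \(See RFC2821 .*\)$')
EXIM_RBL = re.compile(r'^.* H=.* \[(\S+)\]:.* .*F=.* rejected RCPT <(\S+)>: \"JunkMail rejected - .* \[(\S+)\]:.* is in an RBL.*$')
RULES = (("EXIMRFC", EXIM_RFC), ("EXIMRBL", EXIM_RBL))

# Sample exim_rejectlog lines: the first six are quoted from the post; the last two are
# constructed here (example.invalid) to exercise the RBL pattern and a rejection that fires no rule.
SAMPLE_LINES = [
    "2015-10-19 05:42:27 H=(drpeng-cb03e432) [1.93.19.216]:3379 rejected MAIL <lvckx@zenithmedia.net>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)",
    "2015-10-19 05:42:33 H=(drpeng-cb03e432) [1.93.19.216]:2588 rejected MAIL <rjgpe@zenithmedia.net>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)",
    "2015-10-19 05:42:43 H=(drpeng-cb03e432) [1.93.19.216]:4195 rejected MAIL <wvh@zenithmedia.net>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)",
    "2015-10-19 05:42:47 H=(drpeng-cb03e432) [1.93.19.216]:4596 rejected MAIL <rgjyb@zenithmedia.net>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)",
    "2015-10-19 05:43:31 H=(drpeng-cb03e432) [1.93.19.216]:3349 rejected MAIL <eenv@zenithmedia.net>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)",
    "2015-10-19 07:12:59 H=(QHWHFOVDC) [88.119.254.194]:1378 rejected MAIL <undercharging95@rollcoater.com>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)",
    '2015-10-21 06:04:21 H=(mx.example.invalid) [94.231.126.245]:51234 F=<sender@example.invalid> rejected RCPT <user@example.invalid>: "JunkMail rejected - (mx.example.invalid) [94.231.126.245]:51234 is in an RBL, see http://rbl.example.invalid/"',
    "2015-10-21 06:05:00 H=(mx.example.invalid) [94.231.126.245]:51240 F=<sender@example.invalid> rejected RCPT <nobody@example.invalid>: relay not permitted",
]

def match_line(line):
    """Return (rule_id, offending_ip) for a line that fires a rule, else None.
    As in the posted rules, the IP reported is $1: the connecting address in H=... [ip]."""
    for rule_id, pattern in RULES:
        m = pattern.match(line)
        if m:
            return rule_id, m.group(1)
    return None

def count_hits(lines, threshold=1, interval=3600):
    """Emulate lfd's hit counting: a source is listed for blocking once it reaches
    `threshold` matches of one rule within any `interval`-second window."""
    seen = defaultdict(list)   # (rule_id, ip) -> timestamps of hits still inside the window
    blocked = []
    for line in lines:
        hit = match_line(line)
        if hit is None:
            continue
        ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        # drop hits older than the interval, then record this one
        recent = [t for t in seen[hit] if ts - t <= timedelta(seconds=interval)]
        recent.append(ts)
        seen[hit] = recent
        if len(recent) >= threshold and hit not in blocked:
            blocked.append(hit)
    return blocked
```

With threshold 1 every matching source is listed on its first hit; with threshold 5 only 1.93.19.216, which produced five matches within a minute, is listed, while the single-hit sources are not.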