rules in regex.custom.pm do not seem to work

[jvieille]

I want to block any offender that generates that kind of message in syslog:

Code: Select all

Mar 30 20:20:43 ns drupal: SOMESITEURL|1396203643|BOTCHA|110.82.153.175|SOMESITEURL/contact|SOMESITEURL/contact|0||contact-mail-page post blocked by BOTCHA: submission looks like from a spambot.

(SOMESITEURL = what is says, because this forum is absolutely paranoid, not allowing an URL to appear in posts)

I put this rule in /usr/local/csf/bin/regex.cusotm.pm

Code: Select all

if (($lgfile eq $config{CUSTOM3_LOG}) and ($line =~ /^\.{19}drupal: http(s)?:\/\/([a-z-_]*)?\.?[a-z-_]*\.[a-z]*\W\d+\WBOTCHA\W\d+\.\d+\.\d+\.\d+.*$/)) {
    return ("Failed Botcha from",$1,"seeblockbotcha","1","80,443","3600");
}

and changed this in /etc/csf/csf.conf

Code: Select all

CUSTOM3_LOG = "/var/log/syslog"

and of course restarted csf+lfd

Nothing happens, the attacks keep going on, nothing in IPTables.

I tried other kinds of rules with no success.

What am I doing wrong or forgetting?
Thanks for help

[Sergio]

You have a bad regex defined, try this:

Mar 30 20:20:43 ns drupal: SOMESITEURL|1396203643|BOTCHA|110.82.153.175|SOMESITEURL/contact|SOMESITEURL/contact|0||contact-mail-page post blocked by BOTCHA: submission looks like from a spambot.

Code: Select all

if (($lgfile eq $config{CUSTOM3_LOG}) and ($line =~ /^\S+ ns drupal: \S+\|\S+\|BOTCHA\|(\S+)\|.*$/)) {
    return ("Failed Botcha from",$1,"seeblockbotcha","1","80,443","3600");
}

in this type of regex variables are inside parenthesis "()", you have enclosed "(s)" and "([a-z-_]*)" and you didn't enclosed the IP, you wrote: "\d+\.\d+\.\d+\.\d+", that is why your regex was not working.

[jvieille]

Sergio,
Thanks for your help.
Actually, my rule was passing the regex test for the string to catch, your's did not.
Because I only have to catch the word "BOTCHA", I tried this very simple one:

Code: Select all

if (($lgfile eq $config{CUSTOM3_LOG}) and ($line =~ /^.*BOTCHA.*$/)) {
    return ("Failed Botcha from",$1,"seeblockbotcha","1","80,443","3600");
}

However, this does not seem to bother attackers - 120 submissions by the same IP in 3 minutes.
I can't find an CSF / LFD activity in logs related to my custom rules.

By the way, how does CSF / LFD gess the offending IP?

[Sergio]

As I don't have any info to work on the rule, I just gave u a starting point. In your rule you don't have the argument to pass to CSF, I mean, the IP enclosed by parenthesis. If you examine the rules that I have in my sticky viewtopic.php?f=6&t=7517
you will see that in every rule I have the argument \[(\S+)\] that is passed to variable $1. the \[ and \] are used in my rules but the main part is (\S+) if you see the parenthesis are not escaped. That is the info that CSF collects to pass to LFD and block the IP.

[jvieille]

This really needs an explanation, how one can guess that? Nothing like that is said in the help section of the file.

So, as I suspected, ther is no magic, CSF has to be instructed about the IP to block, actually the first non escaped parenthesis set (again a guess: what about several parenthesis in the expresssion?). This makes the regex not a regex.

Now I am better educated, I wrote this rule

Code: Select all

if (($lgfile eq $config{CUSTOM3_LOG}) and ($line =~ /^\S+\s+\S+\s+\S+ ns drupal: \S+\|\S+\|BOTCHA\|(\S+)\|.*$/)) {
    return ("Failed Botcha from",$1,"seeblockbotcha","1","80,443","3600");
}

against this message

Code: Select all

Mar 31 23:21:34 ns drupal: SOMEWEBSITE|1396300894|BOTCHA|80.82.65.204|SOMEWEBSITE/comment/reply/8055|SOMEWEBSITE/comment/reply/8055/|0||comment-form post blocked by BOTCHA: submission looks like from a spambot.

But still no luck.

Thanks for help

[Sergio]

Ok, if you have more than one not escaped parenthesis, the pass argument will be $1 or $2 or $3, depending on the set of parenthesis where the IP is set (review my first post on this thread). I have managed to learn on this after doing a lot of testings and with the help of Sarah.

Regarding your rule, I can't test it in my servers, so, I am just give you something to try:

Code: Select all

if (($lgfile eq $config{CUSTOM3_LOG}) and ($line =~ /\S+\s+\S+\s+\S+ ns drupal\:.*BOTCHA\S+(\S+)\S+.*/)) {
    return ("Failed Botcha from",$1,"seeblockbotcha","1","80,443","3600");
}

[jvieille]

OK, this one perfectly validates, and should work.
However, I see no effect yet.
What else can prevent CSF to process the rules in this file?

I only receive notice for *Port Flood" blocks.

Thanks very much for help

[Sergio]

After you restart LFD, CSF will start blocking any IP that the triggers your rule, but the IP will be blocked only for 1 hour (3600 sec) and only for ports 80 and 443, all the other ports will remain active for that IP.

If you want to see if the rule has been triggered, go to SEARCH SYSTEM LOG and search for the name of your rule "seeblockbotcha" on /var/log/lfd.log or /var/log/messages

[jvieille]

Almost nothing in logs related to csf / lfd.
in lfd.log, only the startup sequence is logged.
In messages, I get a few firewall blocking notices

Code: Select all

Apr  1 21:34:47 ns kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:30:48:fc:4f:0e:ec:30:91:e0:df:c0:08:00 SRC=207.244.68.148 DST=87.98.176.200 LEN=29 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=35101 DPT=19 LEN=9 

Never my rules or more expressive blocking notices appear in logs.

I really should miss something.

[Sergio]

Sorry to hear that, I can't help you more as I don't have servers like that to try/test.

Hope someone from ConfigServer could read this thread and help you in more detail.

Sergio