rules in regex.custom.pm do not seem to work
Posted: 30 Mar 2014, 19:36
by jvieille
I want to block any offender that generates that kind of message in syslog:
Code:
Mar 30 20:20:43 ns drupal: SOMESITEURL|1396203643|BOTCHA|110.82.153.175|SOMESITEURL/contact|SOMESITEURL/contact|0||contact-mail-page post blocked by BOTCHA: submission looks like from a spambot.
(SOMESITEURL = what it says, because this forum is absolutely paranoid, not allowing a URL to appear in posts)
I put this rule in /usr/local/csf/bin/regex.cusotm.pm
Code:
if (($lgfile eq $config{CUSTOM3_LOG}) and ($line =~ /^\.{19}drupal: http(s)?:\/\/([a-z-_]*)?\.?[a-z-_]*\.[a-z]*\W\d+\WBOTCHA\W\d+\.\d+\.\d+\.\d+.*$/)) {
return ("Failed Botcha from",$1,"seeblockbotcha","1","80,443","3600");
}
and changed this in /etc/csf/csf.conf
and of course restarted csf+lfd
Nothing happens, the attacks keep going on, nothing in IPTables.
I tried other kinds of rules with no success.
What am I doing wrong or forgetting?
Thanks for help
Re: rules in regex.custom.pm do not seem to work
Posted: 31 Mar 2014, 08:13
by Sergio
You have a bad regex defined, try this:
Mar 30 20:20:43 ns drupal: SOMESITEURL|1396203643|BOTCHA|110.82.153.175|SOMESITEURL/contact|SOMESITEURL/contact|0||contact-mail-page post blocked by BOTCHA: submission looks like from a spambot.
Code:
if (($lgfile eq $config{CUSTOM3_LOG}) and ($line =~ /^\S+ ns drupal: \S+\|\S+\|BOTCHA\|(\S+)\|.*$/)) {
return ("Failed Botcha from",$1,"seeblockbotcha","1","80,443","3600");
}
In this type of regex, variables are inside parentheses "()"; you have enclosed "(s)" and "([a-z-_]*)" but you didn't enclose the IP, you wrote "\d+\.\d+\.\d+\.\d+", and that is why your regex was not working.
Re: rules in regex.custom.pm do not seem to work
Posted: 31 Mar 2014, 14:12
by jvieille
Sergio,
Thanks for your help.
Actually, my rule was passing the regex test for the string to catch; yours did not.
Because I only have to catch the word "BOTCHA", I tried this very simple one:
Code:
if (($lgfile eq $config{CUSTOM3_LOG}) and ($line =~ /^.*BOTCHA.*$/)) {
return ("Failed Botcha from",$1,"seeblockbotcha","1","80,443","3600");
}
However, this does not seem to bother attackers - 120 submissions by the same IP in 3 minutes.
I can't find any CSF / LFD activity in the logs related to my custom rules.
By the way, how does CSF / LFD guess the offending IP?
Re: rules in regex.custom.pm do not seem to work
Posted: 31 Mar 2014, 15:00
by Sergio
As I don't have any info to work on the rule, I just gave you a starting point. In your rule you don't have the argument to pass to CSF, I mean, the IP enclosed in parentheses. If you examine the rules that I have in my sticky
viewtopic.php?f=6&t=7517
you will see that in every rule I have the argument \[(\S+)\] that is passed to the variable $1. The \[ and \] are used in my rules, but the main part is (\S+); as you can see, the parentheses are not escaped. That is the info that CSF collects to pass to LFD and block the IP.
Re: rules in regex.custom.pm do not seem to work
Posted: 31 Mar 2014, 22:47
by jvieille
This really needs an explanation; how can one guess that? Nothing like that is said in the help section of the file.
So, as I suspected, there is no magic: CSF has to be instructed about the IP to block, actually the first non-escaped parenthesis set (again a guess: what about several parentheses in the expression?). This makes the regex not a regex.
Now I am better educated, I wrote this rule
Code:
if (($lgfile eq $config{CUSTOM3_LOG}) and ($line =~ /^\S+\s+\S+\s+\S+ ns drupal: \S+\|\S+\|BOTCHA\|(\S+)\|.*$/)) {
return ("Failed Botcha from",$1,"seeblockbotcha","1","80,443","3600");
}
against this message
Code:
Mar 31 23:21:34 ns drupal: SOMEWEBSITE|1396300894|BOTCHA|80.82.65.204|SOMEWEBSITE/comment/reply/8055|SOMEWEBSITE/comment/reply/8055/|0||comment-form post blocked by BOTCHA: submission looks like from a spambot.
But still no luck.
Thanks for help
Re: rules in regex.custom.pm do not seem to work
Posted: 31 Mar 2014, 23:38
by Sergio
OK, if you have more than one non-escaped parenthesis set, the passed argument will be $1 or $2 or $3, depending on the set of parentheses where the IP is captured (review my first post on this thread). I have managed to learn this after doing a lot of testing and with the help of Sarah.
Regarding your rule, I can't test it on my servers, so I am just giving you something to try:
Code:
if (($lgfile eq $config{CUSTOM3_LOG}) and ($line =~ /\S+\s+\S+\s+\S+ ns drupal\:.*BOTCHA\S+(\S+)\S+.*/)) {
return ("Failed Botcha from",$1,"seeblockbotcha","1","80,443","3600");
}
Re: rules in regex.custom.pm do not seem to work
Posted: 01 Apr 2014, 17:22
by jvieille
OK, this one perfectly validates, and should work.
However, I see no effect yet.
What else can prevent CSF to process the rules in this file?
I only receive notice for *Port Flood" blocks.
Thanks very much for help
Re: rules in regex.custom.pm do not seem to work
Posted: 01 Apr 2014, 18:07
by Sergio
After you restart LFD, CSF will start blocking any IP that triggers your rule, but the IP will be blocked only for 1 hour (3600 sec) and only for ports 80 and 443; all the other ports will remain open for that IP.
If you want to see if the rule has been triggered, go to SEARCH SYSTEM LOG and search for the name of your rule "seeblockbotcha" on /var/log/lfd.log or /var/log/messages
Re: rules in regex.custom.pm do not seem to work
Posted: 01 Apr 2014, 20:42
by jvieille
Almost nothing in logs related to csf / lfd.
in lfd.log, only the startup sequence is logged.
In messages, I get a few firewall blocking notices
Code:
Apr 1 21:34:47 ns kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:30:48:fc:4f:0e:ec:30:91:e0:df:c0:08:00 SRC=207.244.68.148 DST=87.98.176.200 LEN=29 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=35101 DPT=19 LEN=9
My rules, or any more expressive blocking notices, never appear in the logs.
I really must be missing something.
Re: rules in regex.custom.pm do not seem to work
Posted: 01 Apr 2014, 20:59
by Sergio
Sorry to hear that, I can't help you more as I don't have servers like that to try/test.
Hope someone from ConfigServer could read this thread and help you in more detail.
Sergio