csf custom regex not working
Posted: 26 Jan 2016, 21:22
by redbaron
I'm trying to get this regex working properly and having no luck at doing so.
The logfile looks like this:
2016-01-26 15:33:19 Authentication failed for user "mrfakeuser" from 126.16.117.42
In /etc/csf/csf.conf I've set:
In /etc/csf/regex.custom.pm my code looks like this:
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\S+\s+Authentication failed for user .* from (\S+)\./)) {
return ("Failed pmta login from",$1,"pmtalogin","3","2525","5");
}
Here's the strange part. At one point this did work, now it is not working. I can try to connect hundreds of times from 126.16.117.42 as "mrfakeuser" and nothing is showing up in /var/log/lfd.log, nor is it showing up when I run:
To be completely clear, pmta is an MTA that I have running on port 2525.
Can somebody help me out? Is my regex messed up or am I missing something in my /etc/csf/csf.conf ?
Re: csf custom regex not working
Posted: 26 Jan 2016, 23:56
by redbaron
Regex was incorrect. If anybody cares, the proper solution is:
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~/\S+ \S+ Authentication failed for user "\S+" from (\S+)/)) {
return ("Failed pmta login from",$1,"pmtalogin","3","2525","5");
}
If/when you write these things, I would highly suggest testing them out via regex101.com.
Re: csf custom regex not working
Posted: 03 May 2016, 04:11
by infinitech07
Hello, I have a similar issue.
I would like to catch the pattern in the log file as below:
Apr 29 21:50:41 server postfix/smtpd[20416]: NOQUEUE: reject: RCPT from mona.bmstech.com.au[203.33.248.10]: 450 4.1.1 <Raymond_Elmo@domain.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<Raymond_Elmo@domain.com> proto=ESMTP helo=<mail.bmstech.com.au>
In /etc/csf/csf.conf I've set:
CUSTOM2_LOG = "/var/log/postfix_reject.log"
In /etc/csf/regex.custom.pm, I set as below. I did test the rule at regex101.com (https://regex101.com/r/uQ6wY0/4):
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^.* reject: RCPT from (\S+)\[(\S+)\]: 450 4.1.1 <(\S+)>.*$/)) {
#It will block anyone with more than 1 matches for 1 day.
return ("SMTP spam attack - $3",$1,"SMTP","1","25,587,465","1");
}
But nothing is being caught in lfd.log or postfix_reject.log. Can anyone advise me on what I have missed? Many thanks.
Re: csf custom regex not working
Posted: 03 May 2016, 05:05
by Sergio
infinitech07 wrote:
Apr 29 21:50:41 server postfix/smtpd[20416]: NOQUEUE: reject: RCPT from mona.bmstech.com.au[203.33.248.10]: 450 4.1.1 <Raymond_Elmo@domain.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<Raymond_Elmo@domain.com> proto=ESMTP helo=<mail.bmstech.com.au>
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^.* reject: RCPT from (\S+)\[(\S+)\]: 450 4.1.1 <(\S+)>.*$/)) {
#It will block anyone with more than 1 matches for 1 day.
return ("SMTP spam attack - $3",$1,"SMTP","1","25,587,465","1");
}
Hi infinitech07.
Your issue is the $1 that you are trying to block. Remember that anything inside each pair of "( )" will be saved as $1, $2, $3, etc.
So, in your log:
$1="mona.bmstech.com.au"
$2="203.33.248.10"
$3="Raymond_Elmo@domain.com"
With that in mind, if you review your rule, you are setting:
"SMTP spam attack - Raymond_Elmo@domain.com",mona.bmstech.com.au,"SMTP","1","25,587,465","1"
So, just replace $1 by $2 at ...$3",$2,"SMTP"...
and your rule will look like this:
"SMTP spam attack - Raymond_Elmo@domain.com",203.33.248.10,"SMTP","1","25,587,465","1"
and this will block the offending IP.
Sergio
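The two rules discussed so far (redbaron's corrected pmta regex and infinitech07's postfix rule, with $2 in place of $1 as Sergio explains above) can be checked offline before touching a live server. The harness below is an added example and is not csf's own code; it assumes, as the thread does, that lfd calls a custom_line() routine with the log line and the log file name and that the CUSTOM*_LOG settings are available in a %config hash, both of which are reconstructed here. The pmta log path and all sample lines are constructed for the test (the pmta and postfix lines are the ones quoted in the thread). It also shows why redbaron's first regex failed: its trailing `\.` demanded a literal dot after the IP, which the log line does not have.

```perl
#!/usr/bin/perl
# Offline harness for csf/lfd custom regex rules (added example, not csf's code).
# Assumption: lfd passes custom_line() the log line and the log file name, and
# the CUSTOM*_LOG paths from csf.conf are reachable through %config.
use strict;
use warnings;

# Constructed stand-in for the csf.conf settings used in the thread.
my %config = (
    CUSTOM1_LOG => "/var/log/pmta.log",   # placeholder: redbaron did not post the path
    CUSTOM2_LOG => "/var/log/maillog",    # the value infinitech07 ended up needing
);

# redbaron's first attempt, kept only to demonstrate the defect: the trailing \.
# requires a "." after the IP, so the line never matches.
my $pmta_broken = qr/^\S+\s+\S+\s+Authentication failed for user .* from (\S+)\./;
# redbaron's corrected regex.
my $pmta_fixed  = qr/\S+ \S+ Authentication failed for user "\S+" from (\S+)/;
# infinitech07's regex (dots in 4.1.1 escaped; the original matched anyway).
my $smtp_reject = qr/^.* reject: RCPT from (\S+)\[(\S+)\]: 450 4\.1\.1 <(\S+)>.*$/;

sub custom_line {
    my ($line, $lgfile) = @_;

    if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ $pmta_fixed)) {
        return ("Failed pmta login from", $1, "pmtalogin", "3", "2525", "5");
    }
    if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ $smtp_reject)) {
        # $1 = sending hostname, $2 = its IP, $3 = rejected recipient.
        # $2 is what lfd must block, per Sergio's correction.
        return ("SMTP spam attack - $3", $2, "SMTP", "1", "25,587,465", "1");
    }
    return 0;   # csf convention for "no match"
}

# Constructed samples: [log file the line was read from, the line itself].
my $pmta_line = '2016-01-26 15:33:19 Authentication failed for user "mrfakeuser" from 126.16.117.42';
my $smtp_line = 'Apr 29 21:50:41 server postfix/smtpd[20416]: NOQUEUE: reject: RCPT from '
              . 'mona.bmstech.com.au[203.33.248.10]: 450 4.1.1 <Raymond_Elmo@domain.com>: '
              . 'Recipient address rejected: User unknown in virtual mailbox table; '
              . 'from=<> to=<Raymond_Elmo@domain.com> proto=ESMTP helo=<mail.bmstech.com.au>';
my @samples = (
    ["/var/log/pmta.log",    $pmta_line],
    ["/var/log/pmta.log",    '2016-01-26 15:33:20 Authentication succeeded for user "bob" from 10.0.0.5'],
    ["/var/log/maillog",     $smtp_line],
    # Same line, but postfix never writes it to this file; here it stands in for
    # a log that lfd is watching but that receives no matching lines.
    ["/var/log/postfix_reject.log", $smtp_line],
);

# First, show the defect in the original pmta regex on the real log line.
printf "broken pmta regex matches: %s\n", ($pmta_line =~ $pmta_broken) ? "yes" : "no";
printf "fixed  pmta regex matches: %s\n", ($pmta_line =~ $pmta_fixed)  ? "yes" : "no";

for my $s (@samples) {
    my ($lgfile, $line) = @$s;
    my @r = custom_line($line, $lgfile);
    if (@r == 1 && !$r[0]) {
        print "no match  [$lgfile]\n";
    } else {
        printf "MATCH     [%s] reason='%s' ip=%s app=%s\n", $lgfile, @r[0..2];
    }
}
```

Run it with `perl harness.pl`; the pmta line should match only the corrected regex, the postfix line should report ip=203.33.248.10 (not the hostname), and the copy attributed to /var/log/postfix_reject.log should not fire, which is the same symptom infinitech07 saw until CUSTOM2_LOG pointed at the file postfix actually writes.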
Re: csf custom regex not working
Posted: 03 May 2016, 07:41
by infinitech07
Sergio wrote:
Hi infinitech07.
Your issue is the $1 that you are trying to block. Remember that anything inside each pair of "( )" will be saved as $1, $2, $3, etc.
So, in your log:
$1="mona.bmstech.com.au"
$2="203.33.248.10"
$3="Raymond_Elmo@domain.com"
With that in mind, if you review your rule, you are setting:
"SMTP spam attack - Raymond_Elmo@domain.com",mona.bmstech.com.au,"SMTP","1","25,587,465","1"
So, just replace $1 by $2 at ...$3",$2,"SMTP"...
and your rule will look like this:
"SMTP spam attack - Raymond_Elmo@domain.com",203.33.248.10,"SMTP","1","25,587,465","1"
and this will block the offending IP.
Hi Sergio, thanks for the reply.
I did what you mentioned and replaced $1 with $2, but still nothing is captured in the log file /var/log/postfix_reject.log.
And, in /var/log/lfd.log, only got the following shown.
May 3 14:26:05 server lfd[6723]: TERM
May 3 14:26:05 server lfd[6723]: daemon stopped
May 3 14:26:05 server lfd[7264]: daemon started on server.domain.com - csf v8.23 (generic)
May 3 14:26:05 server lfd[7264]: CSF Tracking...
May 3 14:26:05 server lfd[7264]: IPv6 Enabled...
May 3 14:26:05 server lfd[7264]: LOAD Tracking...
May 3 14:26:05 server lfd[7264]: Country Code Lookups...
May 3 14:26:05 server lfd[7264]: System Integrity Tracking...
May 3 14:26:05 server lfd[7264]: Exploit Tracking...
May 3 14:26:05 server lfd[7264]: Directory Watching...
May 3 14:26:05 server lfd[7264]: Temp to Perm Block Tracking...
May 3 14:26:05 server lfd[7264]: Connection Tracking...
May 3 14:26:05 server lfd[7264]: Process Tracking...
May 3 14:26:05 server lfd[7264]: Account Tracking...
May 3 14:26:05 server lfd[7264]: SSH Tracking...
May 3 14:26:05 server lfd[7264]: Webmin Tracking...
May 3 14:26:05 server lfd[7264]: SU Tracking...
May 3 14:26:05 server lfd[7264]: Console Tracking...
May 3 14:26:05 server lfd[7264]: Watching /var/log/messages...
May 3 14:26:05 server lfd[7264]: Watching /var/log/secure...
May 3 14:26:05 server lfd[7264]: Watching /var/log/postfix_reject.log...
May 3 14:26:05 server lfd[7264]: Watching /var/log/customlog...
May 3 14:26:05 server lfd[7264]: Watching /var/log/cwp_client_login.log...
May 3 14:26:05 server lfd[7264]: Watching /var/log/httpd/error_log...
I noticed that there is no "Watching /var/log/maillog...", is this normal? I guess this could be the reason why nothing is being caught in the log file.
Any help will be much appreciated. Thanks.
Re: csf custom regex not working
Posted: 03 May 2016, 08:59
by infinitech07
Okay I know the reason why now, my mistake.
I need to set the value of CUSTOM2_LOG to /var/log/maillog, it is working now.
Thanks again.
Re: csf custom regex not working
Posted: 03 May 2016, 16:40
by Sergio
infinitech07 wrote:
Okay I know the reason why now, my mistake.
I need to set the value of CUSTOM2_LOG to /var/log/maillog, it is working now.
Thanks again.
Yes, that is important, you will always need to define from what log you want to get the info.
Nice to hear your issue is solved.
Sergio