
Thread: CSF Firewall (regex.custom.pm) share custom rules

  1. #1
    Join Date: May 2004 | Location: Spain | Posts: 207

    CSF Firewall (regex.custom.pm) share custom rules

    As you all know, 'CSF Firewall' incorporates the option to add special rules to block anything that is not covered in the code base. In the 'CSF forums', there is a 'thread talking about' and describing some rules that users have added. However, most are specific to cPanel and of little use to 'DirectAdmin' users.

    For that reason, I open the present thread to share the rule that I added and to see if anyone is encouraged to share the rules they have created.

    For those less familiar with the process of creating custom rules, I add a slight explanation of the process, although it is well explained in the 'CSF documentation'.

    Create special rules

    1. Read the explanations in the 'regex.custom.pm' file that you can find in the '/usr/local/csf/bin' directory.
    2. Create a special rule that will serve to detect behavior that CSF does not detect. Personally, to create the rule, I used the 'Online Regex Tester', which has been of great use.
    3. Add the name of the log file (full path) to the CSF configuration file. This step cannot be performed from the UI (DA CSF plugin); you must do it from the command line by editing the 'csf.conf' file that is in the '/etc/csf' directory. At the end of the file you will find a number of 'CUSTOM?_LOG' variables; edit the appropriate one.
    4. Restart 'LFD' from the UI or from the command line.

    Finally, I share the special rule that I added explaining before what is detected and why.

    In recent weeks, during the daily review of log files, in 'exim/rejectlog' I noticed many entries as follows:
    Code:
    2014-12-03 06:34:32 1Xw2a8-0006Di-67 H=s3mt3p.consultorpc.com [93.159.213.3] temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_unavailable'
    2014-12-03 06:35:14 1Xw2ao-0006Ej-I6 H=mta15.informadirect.com [87.236.221.169] temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_unavailable'
    2014-12-03 06:36:25 1Xw2bw-0006Fy-UZ H=mta28.informadirect.com [87.236.221.182] temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_unavailable'
    2014-12-03 06:43:30 1Xw2io-0006Mx-5u H=mta19.informadirect.com [87.236.221.173] temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_unavailable'
    2014-12-03 06:44:21 1Xw2jd-0006O5-EH H=mta25.informadirect.com [87.236.221.179] temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_unavailable'
    Which were not detected by CSF. And while the connection attempts were rejected by the latest 'SpamBlocker' (4.3.0 - alpha-2), it bothered me that repeated attempts (over 8,000 in the last few days) consume resources and bandwidth.

    The special rule added
    Code:
    # Exim_DKIM
    	if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+ \S+ \S+ \S+ \[(\S+)\] temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_unavailable'/)) {
    		return ("DKIM pubkey unavailable",$1,"Exim_DKIM","5","25,465,587","3600");
    	}
    Well, that's all, I hope it will be useful to someone.
    Last edited by redesb; 12-03-2014 at 09:18 AM.

  2. #2
    Join Date: May 2004 | Location: Spain | Posts: 207
    New special rule added

    Behavior detected: 'Attempts to access user accounts that do not exist in the system'.

    For example:
    Code:
    2014-12-05 15:53:17 H=(karpackie-b-sko15520022377.c200.msk.pl) [79.139.6.141] F=<vbnn@roedekro.dk> rejected RCPT <fakeuser@realdomain.tld>: 
    2014-12-05 15:47:59 H=([80.232.224.186]) [80.232.224.186] F=<verlofjoljol@kwispel.be> rejected RCPT <fakeuserA@realdomainA.tld>: 
    2014-12-05 15:48:35 H=(dsl-189-149-47-36-dyn.prod-infinitum.com.mx) [189.149.47.36] F=<vaults723@sdc.cd.cz> rejected RCPT <fakeuserB@realdomainB.tld>:
    NOTE: The non-existent users and the real domains have been changed.

    The special rule to detect this behavior
    Code:
    # Exim_NOUSER
    	if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^.* H=.* \[(\S+)\] F=.* rejected RCPT <(\S+)>: (.*)$/)) {
    		if ($3 eq "") {		# To avoid 'Blocked by ...'
    			return ("User '$2' not exist.",$1,"Exim_NOUSER","3","25,465,587","3600");
    		}
    	}
    The line in 'lfd.log' blocking the offender
    Code:
    Dec  5 16:08:28 mail lfd[25144]: (Exim_NOUSER) User 'fakeuser@realdomain.tld' not exist. 79.139.6.141 (PL/Poland/karpackie-b-sko15520022377.c200.msk.pl): 3 in the last 3600 secs - *Blocked in csf* for 3600 secs [LF_CUSTOMTRIGGER]
    Greetings
    Last edited by redesb; 12-05-2014 at 08:21 AM. Reason: Some little errors
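    The two Exim rules from posts #1 and #2, run through a small stand-alone harness that calls them the way lfd does (log line plus the file it came from, gated by the CUSTOM?_LOG mapping). This is an added example, not code from the thread or from csf/lfd. It assumes '/var/log/exim/rejectlog' as the path behind CUSTOM1_LOG, and the last two sample events are constructed: one "Blocked by ..." line to show why the Exim_NOUSER rule checks that its third capture is empty, and one line attributed to a different log file to show the file gate doing its job. Each hit is tallied per identifier and IP, which is what lfd compares against the trigger count.

```perl
#!/usr/bin/perl
# Added example (not part of the thread, not csf/lfd code): feeds sample lines
# to the Exim_DKIM and Exim_NOUSER rules exactly as they appear in the posts,
# so a rule can be checked before it goes into regex.custom.pm.
use strict;
use warnings;

# lfd hands a rule the log line and the file it came from; %globlogs maps a
# CUSTOM?_LOG setting to the file(s) it covers. The path is an assumption.
my $REJECTLOG = '/var/log/exim/rejectlog';
my %globlogs  = ( CUSTOM1_LOG => { $REJECTLOG => 1 } );

# Same shape as regex.custom.pm: empty list for no hit, otherwise
# (report text, offending IP, identifier, trigger count, ports, block seconds).
sub custom_line {
    my ($line, $lgfile) = @_;

    # Exim_DKIM (post #1)
    if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+ \S+ \S+ \S+ \[(\S+)\] temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_unavailable'/)) {
        return ("DKIM pubkey unavailable", $1, "Exim_DKIM", "5", "25,465,587", "3600");
    }

    # Exim_NOUSER (post #2): the third capture must be empty, which skips
    # "rejected RCPT <...>: Blocked by ..." lines that SpamBlocker already handled
    if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^.* H=.* \[(\S+)\] F=.* rejected RCPT <(\S+)>: (.*)$/)) {
        if ($3 eq "") {
            return ("User '$2' not exist.", $1, "Exim_NOUSER", "3", "25,465,587", "3600");
        }
    }
    return;
}

# [ file the line came from, line ]: the first four are copied from the posts,
# the last two are constructed for this example
my @events = (
    [ $REJECTLOG, "2014-12-03 06:34:32 1Xw2a8-0006Di-67 H=s3mt3p.consultorpc.com [93.159.213.3] temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_unavailable'" ],
    [ $REJECTLOG, "2014-12-03 06:35:14 1Xw2ao-0006Ej-I6 H=mta15.informadirect.com [87.236.221.169] temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_unavailable'" ],
    [ $REJECTLOG, '2014-12-05 15:53:17 H=(karpackie-b-sko15520022377.c200.msk.pl) [79.139.6.141] F=<vbnn@roedekro.dk> rejected RCPT <fakeuser@realdomain.tld>: ' ],
    [ $REJECTLOG, '2014-12-05 15:47:59 H=([80.232.224.186]) [80.232.224.186] F=<verlofjoljol@kwispel.be> rejected RCPT <fakeuserA@realdomainA.tld>: ' ],
    # constructed: same shape, but SpamBlocker already refused it, so $3 is not empty
    [ $REJECTLOG, '2014-12-05 15:50:00 H=(example.invalid) [198.51.100.7] F=<x@example.invalid> rejected RCPT <user@realdomain.tld>: Blocked by SpamBlocker' ],
    # constructed: a matching line from a file CUSTOM1_LOG does not cover
    [ '/var/log/maillog', '2014-12-05 15:53:17 H=(karpackie-b-sko15520022377.c200.msk.pl) [79.139.6.141] F=<vbnn@roedekro.dk> rejected RCPT <fakeuser@realdomain.tld>: ' ],
);

my %hits;   # identifier => ip => count, the tally lfd checks against the trigger count
for my $ev (@events) {
    my ($lgfile, $line) = @$ev;
    my @r = custom_line($line, $lgfile);
    if (!@r) {
        printf "no rule     : %s...\n", substr($line, 0, 60);
        next;
    }
    my ($text, $ip, $id, $trigger, $ports, $secs) = @r;
    my $n = ++$hits{$id}{$ip};
    printf "%-11s : %s %s  (%d of %s needed, ports %s, %ss)\n",
        $id, $text, $ip, $n, $trigger, $ports, $secs;
}
```

    Running it prints one line per event: the five rejectlog events resolve to Exim_DKIM or Exim_NOUSER with the IP in the second field, the "Blocked by" line and the maillog line fall through with no rule. Paste a fresh rule into custom_line() and its own sample lines into @events to check a pattern before restarting LFD.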

  3. #3
    Join Date: May 2004 | Location: Spain | Posts: 207
    Correcting the fourth 'proftpd' rule in 'regex.pm'. It should detect the use of an incorrect password for an existing user, but it does not work due to an incorrect regular expression.

    The incorrect original rule (regex.pm)
    Code:
    ^(\S+|\S+\s+\d+\s+\S+) \S+ proftpd\[\d+\]:? \S+ \([^\[]+\[(\S+)\]\)( -)?:? - USER (\S*) \(Login failed\): Incorrect password\.
    You can check its ineffectiveness in the 'Online Regex Tester'; personally, I checked it with records from the file '/var/log/secure' (Note: dummy user name and host IP).
    Code:
    Jan  4 12:32:19 mail proftpd[6311]: 135.135.136.136 (105.107.114.111[105.107.114.111]) - USER fakeuser (Login failed): Incorrect password
    Jan  4 12:32:20 mail proftpd[6311]: 135.135.136.136 (105.107.114.111[105.107.114.111]) - USER fakeuser (Login failed): Incorrect password
    The correct rule (and less complicated)
    Code:
    ^.* proftpd\[\d+\]:? \S+ \([^\[]+\[(\S+)\]\) - USER (\S*) \(Login failed\): Incorrect password
    And finally, the code added to 'regex.custom.pm'
    Code:
    # ProFTPD_Login_Failed - 5 attempts in the last hour
    	if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /^.* proftpd\[\d+\]:? \S+ \([^\[]+\[(\S+)\]\) - USER (\S*) \(Login failed\): Incorrect password/)) {
    		return ("Incorrect password for $2 ",$1,"ProFTPD_Login_failed","5","20,21","3600");
    	}
    Do not forget to add '/var/log/secure' to the variable 'CUSTOM?_LOG'; in my case 'CUSTOM2_LOG'.

    Greetings
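    To see exactly which token makes the shipped regex.pm pattern miss, the following added example (not from the thread or from csf) runs three patterns over the two sample lines from the post: the original, the original with only its trailing `\.` made optional, and the simplified rule from the post. The sample lines contain no period after "Incorrect password", and the original pattern insists on one; the middle pattern isolates that as the cause. The output also shows that the two working patterns number their captures differently (the original numbers the timestamp as group 1, so the IP is group 2 and the user group 4), which matters when a rule body reads $1 and $2.

```perl
#!/usr/bin/perl
# Added example (not from the thread or csf): compares the original regex.pm
# proftpd pattern with the corrected one from post #3 on the post's sample lines.
use strict;
use warnings;

# The two sample records from the post (dummy user name and host IP)
my @lines = (
    'Jan  4 12:32:19 mail proftpd[6311]: 135.135.136.136 (105.107.114.111[105.107.114.111]) - USER fakeuser (Login failed): Incorrect password',
    'Jan  4 12:32:20 mail proftpd[6311]: 135.135.136.136 (105.107.114.111[105.107.114.111]) - USER fakeuser (Login failed): Incorrect password',
);

# Ordered list so the output is deterministic
my @patterns = (
    # as shipped in regex.pm: the final "\." requires a period ProFTPD does not write here
    [ original   => qr/^(\S+|\S+\s+\d+\s+\S+) \S+ proftpd\[\d+\]:? \S+ \([^\[]+\[(\S+)\]\)( -)?:? - USER (\S*) \(Login failed\): Incorrect password\./ ],
    # identical except the period is optional: confirms it is the only blocker
    [ period_opt => qr/^(\S+|\S+\s+\d+\s+\S+) \S+ proftpd\[\d+\]:? \S+ \([^\[]+\[(\S+)\]\)( -)?:? - USER (\S*) \(Login failed\): Incorrect password\.?/ ],
    # the simplified rule from the post: IP is $1, user is $2
    [ corrected  => qr/^.* proftpd\[\d+\]:? \S+ \([^\[]+\[(\S+)\]\) - USER (\S*) \(Login failed\): Incorrect password/ ],
);

for my $line (@lines) {
    print "$line\n";
    for my $p (@patterns) {
        my ($name, $re) = @$p;
        if (my @m = ($line =~ $re)) {
            # group positions differ: the original numbers the timestamp as group 1
            my ($ip, $user) = $name eq 'corrected' ? @m[0, 1] : @m[1, 3];
            printf "  %-10s match     ip=%s user=%s\n", $name, $ip, $user;
        } else {
            printf "  %-10s NO MATCH\n", $name;
        }
    }
}
```

    For each line, "original" reports NO MATCH while "period_opt" and "corrected" both report the same IP and user, so the trailing period alone explains the silent rule. The same three-way comparison is a cheap way to test any regex.pm pattern against a real log line before writing a replacement into regex.custom.pm.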

  4. #4
    Join Date: Feb 2008 | Location: Québec, Canada | Posts: 142
    Thank you for those rules! I will try it on my dev server probably next week!

    Since I'm not a "regex master", I will probably not be able to help you or create new rules, but I will be happy to test those rules on my dev server and if everything works fine, I will use them in production...

    Regards,
    Philippe Robert
    --

  5. #5
    Join Date: Feb 2004 | Location: Mexico City | Posts: 43
    I meant to post here a custom regex to filter some new FTP attacks we are having on our servers, but for some reason it is not working. I tested the regular expression using a couple of online tools and they do match, but for some reason they are not triggering blocks.

    Here are some examples of the logged events (our IP and domains have been obfuscated):
    Code:
    Jul 13 06:19:29 serv016 proftpd[14821]: 10.172.6.2 (121.54.58.246[121.54.58.246]) - USER admin: no such user found from 121.54.58.246 [121.54.58.246] to ::ffff:10.172.6.2:21
    Jul 16 09:12:58 serv016 proftpd[20750]: 10.172.6.2 (109.171.82.60[109.171.82.60]) - USER admin1: no such user found from 109.171.82.60 [109.171.82.60] to ::ffff:10.172.6.2:21
    Jul 16 11:52:48 serv016 proftpd[15073]: 10.172.6.2 (46.239.208.205[46.239.208.205]) - USER admin1@obfuscated.com: no such user found from 46.239.208.205 [46.239.208.205] to ::ffff:10.172.6.2:21
    Jul 16 11:52:49 serv016 proftpd[15081]: 10.172.6.2 (46.239.208.205[46.239.208.205]) - USER admin123@obfuscated.com: no such user found from 46.239.208.205 [46.239.208.205] to ::ffff:10.172.6.2:21
    Jul 16 11:52:51 serv016 proftpd[15082]: 10.172.6.2 (46.239.208.205[46.239.208.205]) - USER test@obfuscated.com: no such user found from 46.239.208.205 [46.239.208.205] to ::ffff:10.172.6.2:21
    Jul 16 11:52:53 serv016 proftpd[15093]: 10.172.6.2 (46.239.208.205[46.239.208.205]) - USER test1@obfuscated.com: no such user found from 46.239.208.205 [46.239.208.205] to ::ffff:10.172.6.2:21
    Rule to detect these attacks and a few other ones. PLEASE read all the users we included (between | marks); there might be some that you want to remove from the list.

    Code:
       if (($lgfile eq $config{CUSTOM4_LOG}) and ($line =~ /^\S+\s+\S+\s+\S+\s+\S+ proftpd\[\S+\]: \S+ \(\S+\) - USER ([Aa]dmin1?2?3?(\@\S+)?|[Aa]dministrator1?2?3?(\@\S+)?|root(\@\S+)?|test1?2?3?|postmaster1?2?3?(\@\S+)?|web1?2?3?(\@\S+)?|[Aa]ccount1?2?3?(\@\S+)?|webmaster1?2?3?(\@\S+)?|www|[Uu]ser1?2?3?(\@\S+)?|backup1?2?3?|upload1?2?3?|uploader|ftpuser1?2?3?(\@\S+)?|ftp1?2?3?(\@\S+)?|demo1?2?3?(\@\S+)?|info|guest1?2?3?(\@\S+)?|testuser1?2?3?(\@\S+)?|support1?2?3?|ftpadmin1?2?3?(\@\S+)?|noauth(\@\S+)?|webadmin(\@\S+)?|fax|copier|lizdy|bill|global|pwrchute|server|access|xerox|informix|oracle|scan|mysql|sybase|contact|send(\@\S+)?|setting(\@\S+)?|scores?(\@\S+)?|vscan(\@\S+)?|video(\@\S+)?|reception(\@\S+)?|paul(\@\S+)?)(: no such user found from| \(Login failed\): Incorrect password)/))  {
          return ("ftp CUSTOM random users attack",$1,"CUSTOM--RandomFTPUsers","1","1");
       }
    and in this case in /etc/csf/csf.conf we have:
    Code:
    CUSTOM4_LOG = "/var/log/secure"
    If anyone has any ideas, I'll be happy to hear.

    Thanks
    Ilan
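    A pattern can match in an online tester and still never block anything, because lfd does not act on the match itself but on the values the rule returns. The added example below (not from the thread or from csf) replays four of the sample lines from the post through the posted pattern and through a corrected one. In the posted pattern the only capture group before the outcome text surrounds the user name, so $1 is "admin", "admin1" and so on, and that string is what the rule hands to lfd in the IP position; the corrected pattern captures the client address from the "(host[ip])" field as $1 and the user as $2. The example also shows that list entries written without `(\@\S+)?`, such as `test1?2?3?`, do not cover the "user@domain" form that the post's own sample lines contain. The long user alternation from the post is shortened to three entries here and would drop in unchanged; the rule identifier, ports and block time in custom_line() are assumptions, passed as the six values the earlier rules in this thread use (text, IP, identifier, trigger count, ports, block seconds), since the posted return has only five, which leaves "1" in the ports position.

```perl
#!/usr/bin/perl
# Added example (not from the thread or csf): replays the sample proftpd lines
# from post #5 through the posted pattern and through a corrected one, so the
# value that would reach lfd in the IP position is visible.
use strict;
use warnings;

# Four of the post's sample lines (addresses and domains already obfuscated there)
my @lines = (
    'Jul 13 06:19:29 serv016 proftpd[14821]: 10.172.6.2 (121.54.58.246[121.54.58.246]) - USER admin: no such user found from 121.54.58.246 [121.54.58.246] to ::ffff:10.172.6.2:21',
    'Jul 16 09:12:58 serv016 proftpd[20750]: 10.172.6.2 (109.171.82.60[109.171.82.60]) - USER admin1: no such user found from 109.171.82.60 [109.171.82.60] to ::ffff:10.172.6.2:21',
    'Jul 16 11:52:48 serv016 proftpd[15073]: 10.172.6.2 (46.239.208.205[46.239.208.205]) - USER admin1@obfuscated.com: no such user found from 46.239.208.205 [46.239.208.205] to ::ffff:10.172.6.2:21',
    'Jul 16 11:52:51 serv016 proftpd[15082]: 10.172.6.2 (46.239.208.205[46.239.208.205]) - USER test@obfuscated.com: no such user found from 46.239.208.205 [46.239.208.205] to ::ffff:10.172.6.2:21',
);

# Three entries stand in for the post's long user list; the full alternation
# drops in here unchanged. Non-capturing groups keep the numbering stable.
my $users = qr/[Aa]dmin1?2?3?(?:\@\S+)?|test1?2?3?|root(?:\@\S+)?/;

# As posted (user list substituted): the capture group before the outcome
# text surrounds the USER NAME, so $1 is never an address
my $posted = qr/^\S+\s+\S+\s+\S+\s+\S+ proftpd\[\S+\]: \S+ \(\S+\) - USER ($users)(: no such user found from| \(Login failed\): Incorrect password)/;

# Corrected: capture the client address from "(host[ip])" as $1, the user as $2
my $fixed = qr/^\S+\s+\S+\s+\S+\s+\S+ proftpd\[\S+\]: \S+ \([^\[]+\[(\S+)\]\) - USER ($users)(?:: no such user found from| \(Login failed\): Incorrect password)/;

for my $line (@lines) {
    my ($user) = $line =~ / - USER (\S+?):/;
    print "USER $user\n";
    if ($line =~ $posted) { print "  posted : \$1='$1'  (this is what lfd would get as the IP)\n" }
    else                  { print "  posted : no match\n" }
    if ($line =~ $fixed)  { print "  fixed  : ip=$1 user=$2\n" }
    else                  { print "  fixed  : no match\n" }
}

# Rule body in the shape regex.custom.pm uses, with the corrected pattern.
# Identifier, ports and block time are assumptions; adjust to your policy.
sub custom_line {
    my ($line, $lgfile) = @_;
    if ($lgfile eq '/var/log/secure' and $line =~ $fixed) {
        return ("ftp random user '$2' from", $1, "RandomFTPUsers", "1", "20,21", "3600");
    }
    return;
}
print join(" | ", custom_line($lines[0], '/var/log/secure')), "\n";
```

    The run shows "posted" returning the user name for the admin lines and no match at all for test@obfuscated.com, while "fixed" returns the 121.x, 109.x and 46.x addresses with the user beside them; the final line is the six-value list lfd would receive for the first sample, with the address in the second position.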
