CSF Firewall (regex.custom.pm) share custom rules

redesb

As you all know, 'CSF Firewall' includes the option to add special rules to block anything that is not covered by its code base. In the 'CSF forums' there is a 'thread talking about' and describing some rules that users have added. However, most are specific to cPanel and of little use to 'DirectAdmin' users.

For that reason, I am opening this thread to share the rule that I added and to see if anyone is encouraged to share the rules they have created.

For those less familiar with the process of creating custom rules, I add a brief explanation of the process, although it is well explained in the 'CSF documentation'.

Create special rules

  1. Read the explanations in the 'regex.custom.pm' file that you can find in the '/usr/local/csf/bin' directory.
  2. Create a special rule that will detect behaviour that CSF does not detect. Personally, to create the rule I used the 'Online Regex Tester', which has been of great use.
  3. Add the name of the log file (full path) to the CSF configuration file. This step cannot be performed from the UI (DA CSF plugin); you must do it from the command line by editing the 'csf.conf' file in the '/etc/csf' directory. At the end of the file you will find a number of 'CUSTOM?_LOG' variables; edit the appropriate one.
  4. Restart 'LFD' from the UI or from the command line.
Finally, I share the special rule that I added explaining before what is detected and why.

In recent weeks, during the daily review of log files, I noticed many entries like the following in 'exim/rejectlog':
Code:
2014-12-03 06:34:32 1Xw2a8-0006Di-67 H=s3mt3p.consultorpc.com [93.159.213.3] temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_unavailable'
2014-12-03 06:35:14 1Xw2ao-0006Ej-I6 H=mta15.informadirect.com [87.236.221.169] temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_unavailable'
2014-12-03 06:36:25 1Xw2bw-0006Fy-UZ H=mta28.informadirect.com [87.236.221.182] temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_unavailable'
2014-12-03 06:43:30 1Xw2io-0006Mx-5u H=mta19.informadirect.com [87.236.221.173] temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_unavailable'
2014-12-03 06:44:21 1Xw2jd-0006O5-EH H=mta25.informadirect.com [87.236.221.179] temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_unavailable'
These were not detected by CSF. And while the connection attempts were rejected by the latest 'SpamBlocker' (4.3.0 - alpha-2), it bothered me that the repeated attempts (over 8,000 in the last few days) consume resources and bandwidth.

The special rule added
Code:
# Exim_DKIM
	if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+ \S+ \S+ \S+ \[(\S+)\] temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_unavailable'/)) {
		return ("DKIM pubkey unavailable",$1,"Exim_DKIM","5","25,465,587","3600");
	}
Well, that's all, I hope that will be useful to someone.
 
New special rule added

Behaviour detected: 'Attempts to access user accounts that do not exist on the system'.

For example:
Code:
2014-12-05 15:53:17 H=(karpackie-b-sko15520022377.c200.msk.pl) [79.139.6.141] F=<[email protected]> rejected RCPT <[email protected]>: 
2014-12-05 15:47:59 H=([80.232.224.186]) [80.232.224.186] F=<[email protected]> rejected RCPT <[email protected]>: 
2014-12-05 15:48:35 H=(dsl-189-149-47-36-dyn.prod-infinitum.com.mx) [189.149.47.36] F=<[email protected]> rejected RCPT <[email protected]>:
NOTE: the users do not exist, and the real domains have been changed.

The special rule to detect this behavior
Code:
# Exim_NOUSER
	if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^.* H=.* \[(\S+)\] F=.* rejected RCPT <(\S+)>: (.*)$/)) {
		if ($3 eq "") {		# To avoid 'Blocked by ...'
			return ("User '$2' not exist.",$1,"Exim_NOUSER","3","25,465,587","3600");
		}
	}

The line in 'lfd.log' blocking the offender
Code:
Dec  5 16:08:28 mail lfd[25144]: (Exim_NOUSER) User '[email protected]' not exist. 79.139.6.141 (PL/Poland/karpackie-b-sko15520022377.c200.msk.pl): 3 in the last 3600 secs - *Blocked in csf* for 3600 secs [LF_CUSTOMTRIGGER]

Greetings
 
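The two Exim rules above (Exim_DKIM from the first post and Exim_NOUSER from this one) can be exercised offline before touching a live lfd. What follows is an added example, not code from the thread or from CSF: a small Perl harness that calls the rule body the way lfd does, with $lgfile set to the file the line came from and %globlogs filled as if csf.conf carried CUSTOM1_LOG = "/var/log/exim/rejectlog" (that path, the sample lines and their addresses are constructed for the example). It tallies hits per IP against each rule's trigger level, shows the $3 guard skipping a line that carries a 'Blocked by' reason, and shows that lines attributed to a file that is not CUSTOM1_LOG never fire at all, which is the effect of step 3 of the procedure.

```perl
#!/usr/bin/perl
# Offline harness for regex.custom.pm rules (added example, not lfd's code).
# It feeds each log line to the rule the way lfd does, with $lgfile set to the
# file the line came from and %globlogs populated as if csf.conf contained
# CUSTOM1_LOG = "/var/log/exim/rejectlog"  (path assumed for the example),
# then counts hits per IP against the trigger level the rule returns.
use strict;
use warnings;

my %globlogs = ( CUSTOM1_LOG => { '/var/log/exim/rejectlog' => 1 } );

# The two rules from this thread, returning what lfd expects:
# (message, offending IP, rule id, trigger level, ports, block seconds).
sub custom_line {
    my ($line, $lgfile) = @_;

    # Exim_DKIM ("Deferred\." is escaped here so the dot is literal)
    if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+ \S+ \S+ \S+ \[(\S+)\] temporarily rejected DKIM : DKIM: Deferred\. reason='pubkey_unavailable'/)) {
        return ("DKIM pubkey unavailable", $1, "Exim_DKIM", "5", "25,465,587", "3600");
    }

    # Exim_NOUSER: $3 is whatever Exim wrote after "rejected RCPT <...>:";
    # the rule only fires when that is empty, so a "Blocked by ..." reason
    # (already handled elsewhere) is not counted a second time.
    if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^.* H=.* \[(\S+)\] F=.* rejected RCPT <(\S+)>: (.*)$/)) {
        if ($3 eq "") {
            return ("User '$2' not exist.", $1, "Exim_NOUSER", "3", "25,465,587", "3600");
        }
    }
    return;    # no rule matched: lfd moves on to the next line
}

# Replays lines through custom_line() and returns a hash of "rule:ip" => hits
# and the list of "rule:ip" keys that reached their trigger level.
sub replay {
    my ($lgfile, @lines) = @_;
    my (%hits, @triggered);
    for my $line (@lines) {
        chomp $line;
        my @r = custom_line($line, $lgfile) or next;
        my ($msg, $ip, $rule, $trigger) = @r;
        my $key = "$rule:$ip";
        $hits{$key}++;
        push @triggered, $key if $hits{$key} == $trigger;
    }
    return (\%hits, \@triggered);
}

# Constructed sample lines in the shape of the ones quoted in this thread.
my @rejectlog = (
    (map { sprintf("2014-12-03 06:3%d:14 1Xw2ao-0006Ej-I6 H=mta15.informadirect.com [87.236.221.169] temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_unavailable'", $_) } 1 .. 5),
    "2014-12-05 15:53:17 H=(host.example.pl) [79.139.6.141] F=<spam\@example.net> rejected RCPT <nobody\@example.org>: ",
    "2014-12-05 15:53:18 H=(host.example.pl) [79.139.6.141] F=<spam\@example.net> rejected RCPT <noone\@example.org>: ",
    "2014-12-05 15:53:19 H=(host.example.pl) [79.139.6.141] F=<spam\@example.net> rejected RCPT <nouser\@example.org>: ",
    # Exim gave a reason after the colon, so the $3 guard must skip this one.
    "2014-12-05 15:47:59 H=([80.232.224.186]) [80.232.224.186] F=<x\@example.net> rejected RCPT <y\@example.org>: Blocked by SpamBlocker",
);

my ($hits, $triggered) = replay('/var/log/exim/rejectlog', @rejectlog);
printf "%-30s %d hit(s)\n", $_, $hits->{$_} for sort keys %$hits;
print "reached trigger level: @$triggered\n";

# Same lines attributed to a file that is not CUSTOM1_LOG: nothing fires,
# which is why step 3 of the procedure (editing csf.conf) is not optional.
my ($other) = replay('/var/log/maillog', @rejectlog);
print "hits when the file is not CUSTOM1_LOG: ", scalar(keys %$other), "\n";
```

Run it with perl on any machine; it does not need CSF installed. The real lfd loop additionally applies LF_INTERVAL to the count, which this harness does not model, so a rule that trips here may still need more hits within the configured window on the server.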
Correcting the fourth 'proftpd' rule in 'regex.pm'. It should detect the use of an incorrect password for an existing user, but it does not work due to an incorrect regular expression.

The incorrect original rule (regex.pm)
Code:
^(\S+|\S+\s+\d+\s+\S+) \S+ proftpd\[\d+\]:? \S+ \([^\[]+\[(\S+)\]\)( -)?:? - USER (\S*) \(Login failed\): Incorrect password\.
You can check its ineffectiveness in the 'Online Regex Tester'; personally, I checked with records from the file '/var/log/secure' (Note: dummy user name and host IP).
Code:
Jan  4 12:32:19 mail proftpd[6311]: 135.135.136.136 (105.107.114.111[105.107.114.111]) - USER fakeuser (Login failed): Incorrect password
Jan  4 12:32:20 mail proftpd[6311]: 135.135.136.136 (105.107.114.111[105.107.114.111]) - USER fakeuser (Login failed): Incorrect password
The correct rule (and less complicated):
Code:
^.* proftpd\[\d+\]:? \S+ \([^\[]+\[(\S+)\]\) - USER (\S*) \(Login failed\): Incorrect password
And finally, the code added to 'regex.custom.pm'
Code:
# ProFTPD_Login_Failed - 5 attempts in the last hour
	if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /^.* proftpd\[\d+\]:? \S+ \([^\[]+\[(\S+)\]\) - USER (\S*) \(Login failed\): Incorrect password/)) {
		return ("Incorrect password for $2 ",$1,"ProFTPD_Login_failed","5","20,21","3600");
	}
Do not forget to add '/var/log/secure' to the 'CUSTOM?_LOG' variable; in my case, 'CUSTOM2_LOG'.

Greetings
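As an added check (not part of the post), the two patterns can be run side by side against the lines quoted above to see where the stock one gives up: it ends in '\.', which demands a full stop that these proftpd lines do not carry. The script below, in Perl like the rules themselves, applies both patterns to constructed copies of the two lines and then to a copy with a trailing dot appended, which pins the failure on that one character rather than on the rest of the pattern.

```perl
#!/usr/bin/perl
# Added example, not CSF's code: why the stock proftpd rule never fires on the
# lines in this post while the simplified rule does.
use strict;
use warnings;

# Constructed lines in the same shape as the post's /var/log/secure entries.
my @secure = (
    'Jan  4 12:32:19 mail proftpd[6311]: 135.135.136.136 (105.107.114.111[105.107.114.111]) - USER fakeuser (Login failed): Incorrect password',
    'Jan  4 12:32:20 mail proftpd[6311]: 135.135.136.136 (105.107.114.111[105.107.114.111]) - USER fakeuser (Login failed): Incorrect password',
);

# The stock pattern: the trailing "\." demands a full stop proftpd does not log.
my $stock = qr/^(\S+|\S+\s+\d+\s+\S+) \S+ proftpd\[\d+\]:? \S+ \([^\[]+\[(\S+)\]\)( -)?:? - USER (\S*) \(Login failed\): Incorrect password\./;

# The corrected pattern from this post: $1 is the client IP, $2 the user name.
my $fixed = qr/^.* proftpd\[\d+\]:? \S+ \([^\[]+\[(\S+)\]\) - USER (\S*) \(Login failed\): Incorrect password/;

# Applies a pattern and returns (ip, user) from the given capture positions,
# or an empty list when the pattern does not match at all.
sub extract {
    my ($re, $ip_idx, $user_idx, $line) = @_;
    my @caps = ($line =~ $re) or return;
    return @caps[$ip_idx, $user_idx];
}

for my $line (@secure) {
    my @stock = extract($stock, 1, 3, $line);   # $2 = IP, $4 = user in the stock pattern
    my @fixed = extract($fixed, 0, 1, $line);   # $1 = IP, $2 = user in the corrected one
    print "stock:     ", (@stock ? "ip=$stock[0] user=$stock[1]" : "no match"), "\n";
    print "corrected: ", (@fixed ? "ip=$fixed[0] user=$fixed[1]" : "no match"), "\n";
}

# Append the full stop the stock pattern insists on: now it matches, so the
# rest of that pattern was fine and the single trailing "\." is the defect.
my @with_dot = extract($stock, 1, 3, "$secure[0].");
print "stock + trailing dot: ", (@with_dot ? "ip=$with_dot[0] user=$with_dot[1]" : "no match"), "\n";
```

The same comparison is worth repeating against a few lines from the live /var/log/secure before the rule goes into regex.custom.pm, since a ProFTPD build that does log a trailing full stop would match the stock pattern and not need the replacement.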
 
Thank you for those rules! I will try it on my dev server probably next week!

Since I'm not a "regex master", I will probably not be able to help you or create new rules, but I will be happy to test those rules on my dev server and, if everything works fine, I will use them in production...

Regards,
 
I meant to post here a custom regex to filter some new FTP attacks we are having on our servers, but for some reason it is not working. I tested the regular expression using a couple of online tools and they do match, but for some reason they are not triggering blocks.

Here are some examples of the logged events (our IP and domains have been obfuscated):
Code:
Jul 13 06:19:29 serv016 proftpd[14821]: 10.172.6.2 (121.54.58.246[121.54.58.246]) - USER admin: no such user found from 121.54.58.246 [121.54.58.246] to ::ffff:10.172.6.2:21
Jul 16 09:12:58 serv016 proftpd[20750]: 10.172.6.2 (109.171.82.60[109.171.82.60]) - USER admin1: no such user found from 109.171.82.60 [109.171.82.60] to ::ffff:10.172.6.2:21
Jul 16 11:52:48 serv016 proftpd[15073]: 10.172.6.2 (46.239.208.205[46.239.208.205]) - USER [email protected]: no such user found from 46.239.208.205 [46.239.208.205] to ::ffff:10.172.6.2:21
Jul 16 11:52:49 serv016 proftpd[15081]: 10.172.6.2 (46.239.208.205[46.239.208.205]) - USER [email protected]: no such user found from 46.239.208.205 [46.239.208.205] to ::ffff:10.172.6.2:21
Jul 16 11:52:51 serv016 proftpd[15082]: 10.172.6.2 (46.239.208.205[46.239.208.205]) - USER [email protected]: no such user found from 46.239.208.205 [46.239.208.205] to ::ffff:10.172.6.2:21
Jul 16 11:52:53 serv016 proftpd[15093]: 10.172.6.2 (46.239.208.205[46.239.208.205]) - USER [email protected]: no such user found from 46.239.208.205 [46.239.208.205] to ::ffff:10.172.6.2:21

Rule to detect these attacks and a few other ones - PLEASE read all the users we included (between the | marks); there might be some that you want to remove from the list.

Code:
   if (($lgfile eq $config{CUSTOM4_LOG}) and ($line =~ /^\S+\s+\S+\s+\S+\s+\S+ proftpd\[\S+\]: \S+ \(\S+\) - USER ([Aa]dmin1?2?3?(\@\S+)?|[Aa]dministrator1?2?3?(\@\S+)?|root(\@\S+)?|test1?2?3?|postmaster1?2?3?(\@\S+)?|web1?2?3?(\@\S+)?|[Aa]ccount1?2?3?(\@\S+)?|webmaster1?2?3?(\@\S+)?|www|[Uu]ser1?2?3?(\@\S+)?|backup1?2?3?|upload1?2?3?|uploader|ftpuser1?2?3?(\@\S+)?|ftp1?2?3?(\@\S+)?|demo1?2?3?(\@\S+)?|info|guest1?2?3?(\@\S+)?|testuser1?2?3?(\@\S+)?|support1?2?3?|ftpadmin1?2?3?(\@\S+)?|noauth(\@\S+)?|webadmin(\@\S+)?|fax|copier|lizdy|bill|global|pwrchute|server|access|xerox|informix|oracle|scan|mysql|sybase|contact|send(\@\S+)?|setting(\@\S+)?|scores?(\@\S+)?|vscan(\@\S+)?|video(\@\S+)?|reception(\@\S+)?|paul(\@\S+)?)(: no such user found from| \(Login failed\): Incorrect password)/))  {
      return ("ftp CUSTOM random users attack",$1,"CUSTOM--RandomFTPUsers","1","1");
   }

and in this case in /etc/csf/csf.conf we have:
Code:
CUSTOM4_LOG = "/var/log/secure"

If anyone has any ideas, I'll be happy to hear.

Thanks
Ilan
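As an added example rather than the poster's code, the script below runs the shape of the rule above against constructed copies of its own log lines and prints what lands in $1, which is what the rule hands to lfd as the address to block. The user list is shortened to four entries and the optional '@domain' groups are made non-capturing, so the only difference between the two patterns is where the capture sits. In the rule as posted, the client address is consumed by \(\S+\) with no capturing parentheses, so $1 is the user name (for example 'admin1') and lfd has nothing it can block; the 'fixed' pattern captures the address inside '(host[ip])' first and reads the user name from $2.

```perl
#!/usr/bin/perl
# Added example (not the poster's code): what the posted rule puts in $1,
# i.e. what lfd is asked to block, against lines in the shape of the post's.
use strict;
use warnings;

# Constructed lines in the same form as the post's /var/log/secure entries.
my @secure = (
    'Jul 16 09:12:58 serv016 proftpd[20750]: 10.172.6.2 (109.171.82.60[109.171.82.60]) - USER admin1: no such user found from 109.171.82.60 [109.171.82.60] to ::ffff:10.172.6.2:21',
    'Jul 16 11:52:48 serv016 proftpd[15073]: 10.172.6.2 (46.239.208.205[46.239.208.205]) - USER root: no such user found from 46.239.208.205 [46.239.208.205] to ::ffff:10.172.6.2:21',
    'Jan  4 12:32:19 serv016 proftpd[6311]: 10.172.6.2 (105.107.114.111[105.107.114.111]) - USER ftpuser (Login failed): Incorrect password',
);

# Shortened user list; the optional "@domain" suffixes are non-capturing here
# so that the capture numbering below depends only on the outer groups.
my $users = qr/[Aa]dmin1?2?3?(?:\@\S+)?|root(?:\@\S+)?|ftpuser1?2?3?(?:\@\S+)?|test1?2?3?/;
my $tail  = qr/(?:\: no such user found from| \(Login failed\): Incorrect password)/;

# As posted: the client address sits inside "(...)" and is matched by \(\S+\)
# without a capture, so the first (and only) group is the user name.
my $as_posted = qr/^\S+\s+\S+\s+\S+\s+\S+ proftpd\[\S+\]: \S+ \(\S+\) - USER ($users)$tail/;

# Fixed: capture the "[ip]" part of "(host[ip])" first, so $1 is the IP and
# $2 the user name; the rule's return list then gets a real address.
my $fixed = qr/^\S+\s+\S+\s+\S+\s+\S+ proftpd\[\S+\]: \S+ \([^\[]*\[(\S+)\]\) - USER ($users)$tail/;

# What the rule would place in the second slot of its return list.
sub blocked_ip {
    my ($re, $line) = @_;
    return $line =~ $re ? $1 : undef;
}

for my $line (@secure) {
    my $posted_ip = blocked_ip($as_posted, $line) // 'no match';
    my $fixed_ip  = blocked_ip($fixed, $line)     // 'no match';
    print "as posted: $posted_ip  |  with the IP captured: $fixed_ip\n";
}

# With the fixed pattern the rule body in regex.custom.pm would return, in the
# six-element form used by the other rules in this thread (text, IP,
# identifier, trigger, ports, seconds):
#   return ("ftp CUSTOM random users attack ($2)", $1, "CUSTOMRandomFTPUsers", "1", "20,21", "3600");
```

Two further things to check while the rule is open: the other rules in this thread return six elements, the last being the block duration, whereas the posted return stops at five; and the comments at the top of regex.custom.pm ask for an identifier that is alphanumeric with no spaces, which 'CUSTOM--RandomFTPUsers' is not, so a name such as CUSTOMRandomFTPUsers is safer.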
 