Defeating Brute Force Attacks by Custom Regex in CSF

soroosh-ab (Verified User, joined Oct 26, 2016, 9 messages)
Hi Everyone,

After many long years of using DirectAdmin, I've decided to start a new thread in the DA forums specifically for custom regex in CSF. I've had many brute force attacks, especially on EXIM, which forced me to start adding regex to CSF, so I thought it would be very wise to share all my active regex lines here.

I will add more and more over time, so please be patient and share your logs here so that I can provide a regex for them.

First of all, make sure to add your exim reject log to the CSF config file (/etc/csf/csf.conf); it's near the end of the config file.
I've added the exim log to CUSTOM2_LOG:

Code:
CUSTOM2_LOG = "/var/log/exim/rejectlog"

After doing so, let's move on to the actual regex file (/etc/csf/regex.custom.pm).

The first usual attacks I get include "(User)", so I prepared this:

Code:
# User Attacks
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^(.+) login authenticator failed for \(User\) \[(\S+)\]: 535 Incorrect authentication data/))  {
      return ("User Attack From ",$2,"UserAttack","1","1");
   }


The second ones come with some kind of host name and a local IP address; here is the regex to filter them:

Code:
# Fake Host Attacks
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^(.+) plain authenticator failed for \S+\s+\(\[\S+\]\) \[(\S+)\]: 535 Incorrect authentication data/))  {
      return ("Fake Host From ",$2,"FakeHost","1","1");
   }

Other attacks have some kind of local IP in the string; the regex is below:

Code:
# Local IP Attacks
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^(.+) plain authenticator failed for \(\S+\) \[(\S+)\]: 535 Incorrect authentication data/))  {
      return ("Local IP Attack From ",$2,"LocalIPAttack","1","1");
   }

This attack is one of the most common ones, with the (info-api.ru) string:

Code:
# info-api Attacks (the dot is escaped so only the literal host name "info-api.ru" matches)
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^(.+) plain authenticator failed for \(info-api\.ru\) \[(\S+)\]: 535 Incorrect authentication data/))  {
      return ("info-api From ",$2,"InfoAPI","1","1");
   }

I used to have hundreds of attacks from the Chinese YLMF with the (ylmf-pc) string:

Code:
# YLMF Attacks
   if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^(.+) login authenticator failed for \(ylmf-pc\) \[(\S+)\]: 535 Incorrect authentication data/))  {
      return ("ylmf-pc Attack From ",$2,"ylmfAttack","1","1");
   }

Other very common ones are RCPT; I've used these 2 codes to block them:

Code:
# RCPT Attacks
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^(.+) H=\(\S+\) \[(\S+)\] F=\<\S+\> rejected RCPT \<\S+\>: authentication required/))  {
      return ("RCPT NOT ALLOWED FROM ",$2,"RCPT","1","1");
   }

if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^(.+) H=\(\S+\) \[(\S+)\] F=\<\S+\> rejected RCPT \<\S+\>: /))  {
      return ("RCPT NOT ALLOWED FROM ",$2,"RCPT","1","1");
   }


Don't forget to restart CSF and LFD after the first time you've done all these. From the second time onwards you'll need to restart LFD only.


Let me know if you have any specific logs in exim which you would like to be added.

Cheers,
 
Thanks for sharing, I'll give it a try :)

I just did something different (not yet sure whether it would work): instead of using CUSTOM2_LOG I named the variable SMTPREJECT_LOG and added it just after the exim/mainlog file, just to keep things in order ;)

Best regards
 
> Thanks for sharing, I'll give it a try :)
>
> I just did something different (not yet sure whether it would work): instead of using CUSTOM2_LOG I named the variable SMTPREJECT_LOG and added it just after the exim/mainlog file, just to keep things in order ;)
>
> Best regards

Thanks for trying. Yeah, if you use a better-named variable it should keep things tidy and easier to manage. Well, I have more regex coming up soon, and I will try to add more logs other than exim as well. I find these very useful to fight against brute force.
 
Not to hijack this thread, but I'm struggling with the sudden outburst of "Brute-Force Attack detected in service log" messages for a few days now. I'm not sure what caused it, because as I understand it, normally CSF&LFD would intercept these and act accordingly (block through iptables). Now suddenly DA's BFM kicks in all the time, and is quite useless, to be honest. What's the use of sending me notifications all the time? How would that be helpful, instead of just blocking the IP address?

So please enlighten me: apart from failed logins on DA itself, what is the use of DA's BFM when I have CSF&LFD up and running?
 
> and added just after the exim/mainlog file, just to keep things in order

On my CentOS 6.8 box, rejectlog doesn't contain failed SMTP authentication warnings, they go into exim/mainlog, so I would also not have CSF&LFD scan the reject log (it's huge, mostly containing reports for rejected spam on non-existent e-mail addresses).
 
> Not to hijack this thread, but I'm struggling with the sudden outburst of "Brute-Force Attack detected in service log" messages for a few days now. I'm not sure what caused it, because as I understand it, normally CSF&LFD would intercept these and act accordingly (block through iptables). Now suddenly DA's BFM kicks in all the time, and is quite useless, to be honest. What's the use of sending me notifications all the time? How would that be helpful, instead of just blocking the IP address?
>
> So please enlighten me: apart from failed logins on DA itself, what is the use of DA's BFM when I have CSF&LFD up and running?

Well, I don't quite get you, as this thread is all about custom regex in CSF; nothing related to BFM here! This is just to enhance CSF to catch brute force attacks on the first try and block them immediately.
 
> On my CentOS 6.8 box, rejectlog doesn't contain failed SMTP authentication warnings, they go into exim/mainlog, so I would also not have CSF&LFD scan the reject log (it's huge, mostly containing reports for rejected spam on non-existent e-mail addresses).

It's true that the spam-related info is in rejectlog, as well as the failed attempts which we have to block. You don't have to worry about SMTP attempts, as CSF will detect them automatically; just change the value of "LF_SMTPAUTH" in csf.conf as you desire!

The main purpose of the custom regex is to input the attacks that are always similar in the rejectlog and block them immediately (by the first attempt).

Once you start using them, then you'll know what I mean as it will reduce the brute force attacks significantly.
 
> Well, I don't quite get you, as this thread is all about custom regex in CSF; nothing related to BFM here!

Yes, I understand, but it's related to the same exim log messages: e.g. "login authenticator failed for".

> The main purpose of the custom regex is to input the attacks that are always similar in the rejectlog and block them immediately (by the first attempt).

Alright! I didn't get that. I thought what you posted here, was that CSF wasn't picking up on these failed authentications by default, and your scripts would be needed for that. Sorry for misreading that.

> You don't have to worry about SMTP attempts, as CSF will detect them automatically; just change the value of "LF_SMTPAUTH" in csf.conf as you desire!

Well, that's the whole problem: even though CSF catches these failed attempts (I assume, they stop pretty quickly), DA's BFM notices them too, and sends me (rather useless) reports about them (even when there are only two failed attempts). I'm not sure why this has suddenly started.
 
Thanks, that's quite nice to immediately block IPs that are > 99% spam IPs :) Does this also work for Pure-FTP? Almost every FTP brute force starts with attempts on users like "test,test1,testing,admin,administrator,demo,user,public,guest,ftp,ftpuser,webmaster,webadmin". It would be nice to immediately block these IPs if attempts are made on these usernames.
 
> Thanks, that's quite nice to immediately block IPs that are > 99% spam IPs :) Does this also work for Pure-FTP? Almost every FTP brute force starts with attempts on users like "test,test1,testing,admin,administrator,demo,user,public,guest,ftp,ftpuser,webmaster,webadmin". It would be nice to immediately block these IPs if attempts are made on these usernames.

Hi,

please leave one of your logs here so that I can prepare a regex for it, then we'll try it out.

Thanks
 
I have a lot of these from different IPs so LFD isn't always picking them up:

Code:
test	1	pure-ftpd1	Oct 31 09:31:38 web01 pure-ftpd: (?@ip) [WARNING] Authentication failed for user [test]
ftpadmin	1	pure-ftpd1	Oct 31 09:31:04 web01 pure-ftpd: (?@ip) [WARNING] Authentication failed for user [ftpadmin]
 
For # YLMF Attacks, we have:

2016-10-31 09:36:25 H=(ylmf-pc) [IP] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse

Maybe you can block this in your YLMF Attacks regex? Thank you!
 
> I have a lot of these from different IPs so LFD isn't always picking them up:
>
> Code:
> test	1	pure-ftpd1	Oct 31 09:31:38 web01 pure-ftpd: (?@ip) [WARNING] Authentication failed for user [test]
> ftpadmin	1	pure-ftpd1	Oct 31 09:31:04 web01 pure-ftpd: (?@ip) [WARNING] Authentication failed for user [ftpadmin]


Can you check the following path for the log:

Code:
/var/log/pureftpd.log

See if the log is there and copy the exact log for me here, as I'm using proftpd myself and am not sure where the correct log is for pureftp.

After this you have to check the csf config file, go to the bottom of the file and look for "FTPD_LOG"; see the log that is set there and make sure it's correct. Then add the following to your regex:

Code:
   # pure-ftpd logs "(user@ip)", so capture only the address after "@"; $2 must be a bare IP for lfd to block it
   if (($lgfile eq $config{FTPD_LOG}) and ($line =~ /^(.+) web01 pure-ftpd: \(\S*@(\S+)\) \[WARNING\] Authentication failed for user \[(test|ftpadmin)/))  {
      return ("PureFTP Attack From ",$2,"pureFTPAttack","1","1");
   }

The above code will catch those with the test and ftpadmin user, as you mentioned in the log. Add more users that are being used in attacks if you like.
 
> For # YLMF Attacks, we have:
>
> 2016-10-31 09:36:25 H=(ylmf-pc) [IP] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
>
> Maybe you can block this in your YLMF Attacks regex? Thank you!

Use the following regex and make sure "CUSTOM2_LOG" is set according to my main post.

Code:
   if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^(.+) H=\(ylmf-pc\) \[(\S+)\] rejected EHLO or HELO \S+/))  {
      return ("ylmf-pc Attack From ",$2,"ylmfAttack","1","1");
   }
 
> I have a lot of these from different IPs so LFD isn't always picking them up:
>
> Code:
> test	1	pure-ftpd1	Oct 31 09:31:38 web01 pure-ftpd: (?@ip) [WARNING] Authentication failed for user [test]
> ftpadmin	1	pure-ftpd1	Oct 31 09:31:04 web01 pure-ftpd: (?@ip) [WARNING] Authentication failed for user [ftpadmin]

Code:
   # pure-ftpd logs "(user@ip)", so capture only the address after "@"; $2 must be a bare IP for lfd to block it
   if (($lgfile eq $config{FTPD_LOG}) and ($line =~ /^(.+) web01 pure-ftpd: \(\S*@(\S+)\) \[WARNING\] Authentication failed for user \[(test|ftpadmin)/))  {
      return ("PureFTP Attack From ",$2,"pureFTPAttack","1","1");
   }
You can use the regex above, but make sure your FTPD_LOG is set correctly in the csf config file (at the bottom of the csf config file).
 
> Use the following regex and make sure "CUSTOM2_LOG" is set according to my main post.
>
> Code:
>    if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^(.+) H=\(ylmf-pc\) \[(\S+)\] rejected EHLO or HELO \S+/))  {
>       return ("ylmf-pc Attack From ",$2,"ylmfAttack","1","1");
>    }

Thank you! But it didn't work for:

H=tri1820523.lnk.telstra.net (ylmf-pc) [110.142.183.153] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
 
Just a hint/suggestion: I wouldn't recommend putting the server name in the regex (web01), so it will work for everyone ;)

Best regards
 
> Thank you! But it didn't work for:
>
> H=tri1820523.lnk.telstra.net (ylmf-pc) [110.142.183.153] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse

OK, that one is different, and ylmf does it sometimes. Add the following regex as well:

Code:
   if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^(.+) H=\S+\s\(ylmf-pc\) \[(\S+)\] rejected EHLO or HELO \S+/))  {
      return ("ylmf-pc Attack From ",$2,"ylmfAttack","1","1");
   }
 
> OK, that one is different, and ylmf does it sometimes. Add the following regex as well:
>
> Code:
>    if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^(.+) H=\S+\s\(ylmf-pc\) \[(\S+)\] rejected EHLO or HELO \S+/))  {
>       return ("ylmf-pc Attack From ",$2,"ylmfAttack","1","1");
>    }

Sorry for my late comment! This works perfectly. Thank you! :)
 
Thank you, this series is great!

However I don't want a permanent block after 1 attempt, but a temp block after 5 attempts.
At this moment it gives a perm block after 1 attempt.
So I changed this part of the line:

Code:
return ("ylmf-pc Attack From ",$2,"ylmfAttack","1","1");
to
Code:
return ("ylmf-pc Attack From ",$2,"ylmfAttack","5",,"3600");
where the double comma is set because using only one comma (the , character) still made perm bans.
I hope this will fix it and put only temp bans now.
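Added example, not code from this thread or from CSF itself: a small Python harness that mirrors how lfd hands each line of a configured log to custom_line() and what the five return values mean (Python's re accepts these patterns unchanged, so the regexes are the Perl ones from the posts above). It bundles the exim rules from the first post, both ylmf-pc HELO variants from the later posts folded into one pattern, the pure-ftpd rule with the address captured after the "@" (pure-ftpd logs "(user@ip)", so a capture of the whole parenthesised part hands lfd "?@ip" rather than an address), anchored to the closing bracket of the user name and without the web01 host name as suggested above, and a 5-attempt, 3600-second temporary block on the ylmf rule as in the last post. The csf.conf paths, the rule table layout, the extra "admin" user name and all sample log lines (documentation-range addresses) are constructed assumptions, not output from a real server.

```python
import re

# Assumed csf.conf bindings (constructed for this example, not read from
# disk): the thread puts the exim reject log in CUSTOM2_LOG and pure-ftpd's
# log in FTPD_LOG. lfd only tails the log keys it defines, so a rule bound
# to a key that csf.conf does not know never sees a line.
CONFIG = {
    "CUSTOM2_LOG": "/var/log/exim/rejectlog",
    "FTPD_LOG": "/var/log/pureftpd.log",
}

# Rule table in the thread's return convention: description, IP (always
# group 2, after the leading "(.+)" that swallows the timestamp), rule name,
# matches needed before blocking, and "1" for a permanent block or a number
# of seconds for a temporary one. Order matters: as with the chain of `if`
# blocks in regex.custom.pm, the first rule that matches wins.
RULES = [
    ("CUSTOM2_LOG",
     r"^(.+) login authenticator failed for \(User\) \[(\S+)\]: 535 Incorrect authentication data",
     "User Attack From ", "UserAttack", "1", "1"),
    ("CUSTOM2_LOG",
     r"^(.+) plain authenticator failed for \S+\s+\(\[\S+\]\) \[(\S+)\]: 535 Incorrect authentication data",
     "Fake Host From ", "FakeHost", "1", "1"),
    ("CUSTOM2_LOG",
     r"^(.+) plain authenticator failed for \(\S+\) \[(\S+)\]: 535 Incorrect authentication data",
     "Local IP Attack From ", "LocalIPAttack", "1", "1"),
    ("CUSTOM2_LOG",
     r"^(.+) H=\(\S+\) \[(\S+)\] F=<\S+> rejected RCPT <\S+>: ",
     "RCPT NOT ALLOWED FROM ", "RCPT", "1", "1"),
    # Both HELO variants from the thread (with and without a reverse-DNS host
    # name before "(ylmf-pc)") folded into one pattern, and, as in the last
    # post, a temporary block after 5 matches instead of a permanent one.
    ("CUSTOM2_LOG",
     r"^(.+) H=(?:\S+\s)?\(ylmf-pc\) \[(\S+)\] rejected EHLO or HELO \S+",
     "ylmf-pc Attack From ", "ylmfAttack", "5", "3600"),
    # pure-ftpd logs "(user@ip)": capture only the part after "@" so lfd
    # receives a bare address, anchor the user name to its closing bracket,
    # and leave the host name out so the rule is not tied to one server.
    ("FTPD_LOG",
     r"^(.+) pure-ftpd: \(\S*@(\S+)\) \[WARNING\] Authentication failed for user \[(test|ftpadmin|admin)\]",
     "PureFTP Attack From ", "pureFTPAttack", "1", "1"),
]


def custom_line(line, lgfile):
    """Mirror of custom_line() in regex.custom.pm: return the 5-tuple for the
    first rule bound to lgfile that matches, or None if nothing matched."""
    for log_key, pattern, desc, name, trigger, block in RULES:
        if lgfile != CONFIG[log_key]:
            continue  # same test as `$lgfile eq $config{...}` in the Perl
        m = re.match(pattern, line)
        if m:
            return (desc, m.group(2), name, trigger, block)
    return None


# Constructed sample lines (documentation-range addresses) in exim rejectlog
# and pure-ftpd syslog format, paired with the file they would be read from.
REJECTLOG, MAINLOG, FTPLOG = CONFIG["CUSTOM2_LOG"], "/var/log/exim/mainlog", CONFIG["FTPD_LOG"]
SAMPLES = [
    (REJECTLOG, "2016-10-31 09:36:25 login authenticator failed for (User) [203.0.113.7]: 535 Incorrect authentication data (set_id=test)"),
    (REJECTLOG, "2016-10-31 09:40:01 plain authenticator failed for mail.example.net ([192.168.1.5]) [198.51.100.9]: 535 Incorrect authentication data (set_id=admin)"),
    (REJECTLOG, "2016-10-31 09:41:17 plain authenticator failed for ([10.0.0.2]) [198.51.100.77]: 535 Incorrect authentication data (set_id=info)"),
    (REJECTLOG, "2016-10-31 09:42:03 H=(tqjoupyqbw) [203.0.113.45] F=<bob@example.org> rejected RCPT <alice@example.com>: authentication required"),
    (REJECTLOG, "2016-10-31 09:43:55 H=tri1820523.example.net (ylmf-pc) [203.0.113.200] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse"),
    (REJECTLOG, "2016-10-31 09:44:12 H=(ylmf-pc) [203.0.113.201] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse"),
    # a rejected-spam line: present in rejectlog but claimed by no rule
    (REJECTLOG, "2016-10-31 09:46:10 1cAbCd-000123-Ef H=(mail.example.net) [203.0.113.5] F=<x@example.org> rejected after DATA: This message scored 12.3 spam points."),
    # the same failed login read from mainlog: ignored, the rule is bound to CUSTOM2_LOG
    (MAINLOG, "2016-10-31 09:36:25 login authenticator failed for (User) [203.0.113.7]: 535 Incorrect authentication data (set_id=test)"),
    (FTPLOG, "Oct 31 09:31:38 web01 pure-ftpd: (?@203.0.113.88) [WARNING] Authentication failed for user [test]"),
    # a user name not on the probe list: left to lfd's normal threshold
    (FTPLOG, "Oct 31 09:32:10 web01 pure-ftpd: (?@203.0.113.89) [WARNING] Authentication failed for user [alice]"),
]


def scan(samples):
    """Run each (logfile, line) pair through custom_line(); return the hits as
    (ip, rule name, trigger, block) plus the count of lines no rule claimed."""
    hits, ignored = [], 0
    for lgfile, line in samples:
        result = custom_line(line, lgfile)
        if result is None:
            ignored += 1
        else:
            hits.append((result[1], result[2], result[3], result[4]))
    return hits, ignored


if __name__ == "__main__":
    hits, ignored = scan(SAMPLES)
    for ip, name, trigger, block in hits:
        print(f"{name:<14} ip={ip:<14} trigger={trigger} block={block}")
    print(f"{ignored} line(s) matched no rule")
```

Run it directly to print a hit table. Because a "1" trigger blocks on the first match, it pays to feed a new pattern a day's worth of real log lines through a harness like this before restarting lfd, and to check that the IP column never contains anything but an address.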
 