Defeating Brute Force Attacks by Custom Regex in CSF

Just noticed a few IPs still manage to hammer the login on WordPress sites.
Will need to search the logs for how/what they use.
 
Still getting a lot of failed mail logins on my server where they try to guess common usernames on the domains on my server.
They all fail for this certain domain because it has no mail accounts.
Is there any regex to block this PoS on the first try?

Code:
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=test@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=test@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=test@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=test@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=test@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=test@###########.net)
2017-01-31 11:44:56 SMTP call from (just-TESTING) [80.82.64.136] dropped: too many nonmail commands (last was "RSET")
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=test@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=test@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=test@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=test@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=test@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=test@###########.net)
2017-01-31 11:44:56 SMTP call from (just-TESTING) [80.82.64.136] dropped: too many nonmail commands (last was "RSET")
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=test@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=test@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=test@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=test@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=test@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=test@###########.net)
2017-01-31 11:44:56 SMTP call from (just-TESTING) [80.82.64.136] dropped: too many nonmail commands (last was "RSET")
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=test@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=test@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=test@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=test@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=sales@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=sales@###########.net)
2017-01-31 11:44:56 SMTP call from (just-TESTING) [80.82.64.136] dropped: too many nonmail commands (last was "RSET")
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=sales@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=sales@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=sales@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=sales@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=sales@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=sales@###########.net)
2017-01-31 11:44:56 SMTP call from (just-TESTING) [80.82.64.136] dropped: too many nonmail commands (last was "RSET")
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=sales@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=sales@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=sales@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=sales@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=sales@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=sales@###########.net)
2017-01-31 11:44:56 SMTP call from (just-TESTING) [80.82.64.136] dropped: too many nonmail commands (last was "RSET")
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=sales@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=sales@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=sales@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=sales@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=sales@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=sales@###########.net)
2017-01-31 11:44:56 SMTP call from (just-TESTING) [80.82.64.136] dropped: too many nonmail commands (last was "RSET")
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=sales@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=sales@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=info@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=info@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=info@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=info@###########.net)
2017-01-31 11:44:56 SMTP call from (just-TESTING) [80.82.64.136] dropped: too many nonmail commands (last was "RSET")
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=info@###########.net)
2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=info@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=info@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=info@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=info@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=info@###########.net)
2017-01-31 11:44:57 SMTP call from (just-TESTING) [80.82.64.136] dropped: too many nonmail commands (last was "RSET")
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=info@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=info@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=info@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=info@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=info@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=info@###########.net)
2017-01-31 11:44:57 SMTP call from (just-TESTING) [80.82.64.136] dropped: too many nonmail commands (last was "RSET")
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=info@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=info@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=info@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=info@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=info@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=info@###########.net)
2017-01-31 11:44:57 SMTP call from (just-TESTING) [80.82.64.136] dropped: too many nonmail commands (last was "RSET")
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=office@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=office@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=office@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=office@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=office@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=office@###########.net)
2017-01-31 11:44:57 SMTP call from (just-TESTING) [80.82.64.136] dropped: too many nonmail commands (last was "RSET")
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=office@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=office@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=office@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=office@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=office@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=office@###########.net)
2017-01-31 11:44:57 SMTP call from (just-TESTING) [80.82.64.136] dropped: too many nonmail commands (last was "RSET")
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=office@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=office@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=office@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=office@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=office@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=office@###########.net)
2017-01-31 11:44:57 SMTP call from (just-TESTING) [80.82.64.136] dropped: too many nonmail commands (last was "RSET")
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=office@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=office@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=office@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=office@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=guest@###########.net)
2017-01-31 11:44:57 login authenticator failed for (just-TESTING) [80.82.64.136]: 535 Incorrect authentication data (set_id=guest@###########.net)
2017-01-31 11:44:57 SMTP call from (just-TESTING) [80.82.64.136] dropped: too many nonmail commands (last was "RSET")


I also get a lot of this, which doesn't seem to be stopped by the custom regex (anymore?):
"#####.com" are domains on my server.


Code:
2017-01-31 11:53:53 H=(mata.com) [185.29.9.133] F=<[email protected]> rejected RCPT <otha@######.com>: 
2017-01-31 11:54:30 H=(mata.com) [185.29.8.198] F=<[email protected]> rejected RCPT <abram@######.com>: 
2017-01-31 11:56:10 H=(mata.com) [185.29.9.135] F=<[email protected]> rejected RCPT <giuseppe@######.com>: 
2017-01-31 12:22:58 H=(mata.com) [185.29.9.133] F=<[email protected]> rejected RCPT <otha@####.com>: 
2017-01-31 12:23:21 H=(mata.com) [185.29.8.198] F=<[email protected]> rejected RCPT <abram@####.com>: 
2017-01-31 12:24:11 H=(mata.com) [185.29.8.196] F=<[email protected]> rejected RCPT <enoch@####.com>: 
2017-01-31 12:24:55 H=(mata.com) [185.29.9.135] F=<[email protected]> rejected RCPT <giuseppe@####.com>: 
2017-01-31 12:30:58 H=(mata.com) [46.183.217.162] F=<[email protected]> rejected RCPT <raymon@####.com>: 
2017-01-31 12:30:58 H=(mata.com) [46.183.217.165] F=<[email protected]> rejected RCPT <ezequiel@####.com>: 
2017-01-31 12:33:07 H=(mata.com) [46.183.220.137] F=<[email protected]> rejected RCPT <shayne@####.com>: 
2017-01-31 12:34:03 H=(mata.com) [46.183.217.169] F=<[email protected]> rejected RCPT <buster@####.com>: 
2017-01-31 12:38:49 H=(mata.com) [46.183.223.239] F=<[email protected]> rejected RCPT <florentino@####.com>: 
2017-01-31 12:40:44 H=(mata.com) [46.183.220.139] F=<[email protected]> rejected RCPT <omer@####.com>: 
2017-01-31 12:41:46 H=(mata.com) [46.183.217.174] F=<[email protected]> rejected RCPT <barrett@####.com>: 
2017-01-31 12:45:09 H=(mata.com) [46.183.220.138] F=<[email protected]> rejected RCPT <columbus@####.com>:

Code:
2017-01-31 13:02:53 H=rrcs-97-77-96-99.sw.biz.rr.com (ylmf-pc) [97.77.96.99] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 13:02:54 H=rrcs-97-77-96-99.sw.biz.rr.com (ylmf-pc) [97.77.96.99] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 13:02:55 H=rrcs-97-77-96-99.sw.biz.rr.com (ylmf-pc) [97.77.96.99] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 13:02:55 H=rrcs-97-77-96-99.sw.biz.rr.com (ylmf-pc) [97.77.96.99] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 13:02:56 H=rrcs-97-77-96-99.sw.biz.rr.com (ylmf-pc) [97.77.96.99] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 13:02:57 H=rrcs-97-77-96-99.sw.biz.rr.com (ylmf-pc) [97.77.96.99] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 13:02:57 H=rrcs-97-77-96-99.sw.biz.rr.com (ylmf-pc) [97.77.96.99] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 13:02:58 H=rrcs-97-77-96-99.sw.biz.rr.com (ylmf-pc) [97.77.96.99] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 13:02:59 H=rrcs-97-77-96-99.sw.biz.rr.com (ylmf-pc) [97.77.96.99] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse

Code:
2017-01-31 15:21:52 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:52 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:52 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:52 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:52 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:52 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:52 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:52 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:52 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:52 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:52 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:52 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:52 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:52 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:54 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:54 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:54 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:54 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:54 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:54 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:54 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:54 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:54 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:54 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:54 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:54 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:54 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:54 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:54 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:54 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:54 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:54 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:54 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:54 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:55 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:55 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:55 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:55 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2017-01-31 15:21:55 H=(ylmf-pc) [217.160.142.22] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
 
OLD TOPIC, but I would like to pick your brains a bit more here.

My VPS logs report various login attempts at Exim and WordPress sites.

Just about all of them manage to get 15-17 login attempts at a time per IP until they get temp-blocked.
In CSF I've entered 3 login attempts as the max for various services before a temp block happens... but still most IPs manage to get 15-17 login attempts in.

Of course I want to fix this properly, as regular users are indeed blocked at 3 wrongful attempts to log in.

I think this might be a time-span issue, as the hack IPs probably spread out their logins over time, thereby flying under the Brute Force-radar?
 
It might be a timing issue indeed. Probably it either checks less often or declares it as a dist attack and then the LF_DIST_INTERVAL setting might be too high.
Code:
# This is the interval during which a distributed FTP or SMTP attack is
# measured
LF_DIST_INTERVAL =
But I'm not sure if the custom regex uses the same interval or uses something else to time or check log files.

Interesting question though.
 
I think this might be a time-span issue, as the hack IPs probably spread out their logins over time, thereby flying under the Brute Force-radar?

These long-spaced attempts are indeed tricky. But as I understand it, this is where DA's Brute Force Monitor comes in. Contrary to CSF, it scans log files less frequently, but over much longer periods. You can make CSF and BFM work in tandem through Alex's solution:

https://help.poralix.com/articles/how-to-block-ips-with-csf-directadmin-bfm
 
I've got BFM already blocking IPs, but I'm not sure how effective this (still) is.
I seem to recall that at the time I installed this (some years ago), it didn't work smoothly and I focussed more on CSF to do the job.
The scripts are undoubtedly outdated by now.
 
I've got BFM already blocking IPs, but I'm not sure how effective this (still) is.
I seem to recall that at the time I installed this (some years ago), it didn't work smoothly and I focussed more on CSF to do the job.
The scripts are undoubtedly outdated by now.
Hey BBM,
That's the very guide I used, and it has an auto-installer now as well. Alex's guide links CSF with BFM. You can see it is still spoken of on both Alex's site and DA's help. Maybe you should revisit both and make sure you have it all set like you want per the guides.

https://help.poralix.com/articles/how-to-block-ips-with-csf-directadmin-bfm

https://help.directadmin.com/item.php?id=527
 
I used the auto-installer from Alex's site and re-installed the files over my old ones. That alone seemed to help a lot.
Will keep an eye on it for a while.
 
I used the auto-installer from Alex's site and re-installed the files over my old ones. That alone seemed to help a lot.
Will keep an eye on it for a while.
OK, let us know. You can use his guide to look at it all manually as well.
 
Well, it looked promising, but it didn't help; the script turned off the notifications altogether... Missed that part.
Turned on the notifications again after 2 days and everything unfortunately "returned to normal": WordPress and Exim getting hammered with 10-16 attempts per IP.

And for some reason, an occasional IP manages to really hammer Exim:
Code:
A brute force attack has been detected in one of your service logs.

IP 94.177.252.4 has 188 failed login attempts: exim2=188
 
Just noticed a lot of IPs are blocked twice in the block list on DA's Brute Force page.
 

Just noticed a lot of IPs are blocked twice in the block list on DA's Brute Force page.
Did you have a look at the DA block settings? It could be the blocks are temporary 2-hour or 4-hour blocks, which could indeed cause them to be blocked multiple times.
 
Actually, a list of blocked IPs that DA manages can be found in /root/blocked_ips.txt, and IPs are added to the file only by DirectAdmin. Neither CSF nor the custom script written by me adds any IP to the file. And DirectAdmin reads the file and lists the blocked IPs in the web UI of the BFM page.

So if it contains duplicates you will need to fix it manually.

Maybe @Zeiter can help.

Alex help us out here buddy.
 
The /root/blocked_ip list matches the list shown in DA (which has a sorting bug when trying to sort by IP number, btw).
It appears DA doesn't check whether the IP is already blocked, *I think*.

Another thing I noticed (again):
Just about all BF IPs shown in the "message system" have about 10-25 login attempts shown. But then suddenly there's 1 IP that manages to slip in 204 login attempts...!
Code:
IP 37.49.227.49 has 204 failed login attempts: exim2=204
IP 78.157.210.66 has 12 failed login attempts: wordpress1=12
User hostmaster has 51 failed login attempts: exim2=51

How's this at all possible??
(There is no user hostmaster on the server, btw.)
 
DirectAdmin purely relies on /root/blocked_ips.txt; it does not communicate with iptables for this. If you think there is a bug in DirectAdmin, you should open a ticket with DA support and provide them with access to your server.

DirectAdmin checks login failures once a minute with a cron job. In theory it is possible to make 204 connections within a minute or two. For more information you need to check the logs.
 
Hi guys, sorry for boosting up an old topic. I've added the regex in the file. I have one question: my .pm file says to use $1 for the IP address, but in these regexes $2 is used:

Code:
# Example:
# if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ pure-ftpd: \(\?\@(\d+\.\d+\.\d+\.\d+)\) \[WARNING\] Authentication failed for user/)) {
# return ("Failed myftpmatch login from",$1,"myftpmatch","5","20,21","1");
# }
#
# The return values from this example are as follows:
#
# "Failed myftpmatch login from" = text for custom failure message
# $1 = the offending IP address
# "myftpmatch" = a unique identifier for this custom rule, must be alphanumeric and have no spaces
# "5" = the trigger level for blocking
# "20,21" = the ports to block the IP from in a comma separated list, only used if LF_SELECT enabled. To specify the protocol use 53;udp,53;tcp
# "1" = n/temporary (n = number of seconds to temporarily block) or 1/permanent IP block, only used if LF_TRIGGER is disabled

I have one more question. In my blocked_ips.txt this IP address is blocked:

Code:
[root@server]# grep '91.243.45.40' /root/blocked_ips.txt
91.243.45.40=dateblocked=1611598622

Although, tailing my Exim mainlog, it still gives readings of this IP address:

Code:
2021-01-28 11:52:13 login authenticator failed for ([91.243.45.40]) [91.243.45.40]: 535 Incorrect authentication data (set_id=[email protected])
2021-01-28 11:52:16 login authenticator failed for ([91.243.45.40]) [91.243.45.40]: 535 Incorrect authentication data (set_id=pvdleij)
2021-01-28 11:52:16 login authenticator failed for ([91.243.45.40]) [91.243.45.40]: 535 Incorrect authentication data (set_id=[email protected])
2021-01-28 11:52:20 login authenticator failed for ([91.243.45.40]) [91.243.45.40]: 535 Incorrect authentication data (set_id=pvdleij)

How is this possible? Am I doing something wrong? Reading the Exim logs, I'm getting a lot of attacks, which slows down all mail sent to and from my customers on the server. I got it a bit better, but still have a few questions :) Thank you in advance. I find most problems are solved by a Google search and reading this forum, but now I don't know where to look further.
 
Did you define CUSTOM1_LOG in csf.conf?

Try to change CUSTOM1_LOG

to
Code:
if (($globlogs{HTACCESS_LOG}{$lgfile})

in your regex code or define CUSTOM1_LOG.

$1 is the first match found between ( ), $2 is the second match found between ( ), and so on. In your regex, the IP address comes right after pure-ftpd:, so you need to use $1.

Test your regex against a log entry on: https://regex101.com/
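As an added example (not code from this thread, from CSF or from DirectAdmin), here are two rules written in the regex.custom.pm style shown above, matching the Exim AUTH-failure and rejected-RCPT lines quoted earlier in the thread, with a stand-alone self-test on constructed lines. It assumes CUSTOM1_LOG is set to /var/log/exim/mainlog in csf.conf, and that %globlogs is provided by lfd at runtime exactly as the stock example uses it; on a real install only the two if-blocks go inside the existing custom_line sub.

```perl
#!/usr/bin/perl
# Added illustration (not code from the thread, from CSF or from DirectAdmin):
# two rules in the style of csf's /etc/csf/regex.custom.pm, checked against
# constructed Exim mainlog lines shaped like the ones quoted in the thread.
use strict;
use warnings;

# lfd loads regex.custom.pm and calls custom_line($line, $lgfile) for every
# new line of each CUSTOM1_LOG..CUSTOM9_LOG file; %globlogs tells a rule which
# CUSTOMn_LOG setting a file belongs to. lfd fills it at runtime (assumption,
# matching the stock example); the self-test below fills it by hand.
our %globlogs;

sub custom_line {
    my ($line, $lgfile) = @_;

    # Rule 1: Exim SMTP AUTH failure. The only capture group is the IP in the
    # square brackets, so it is $1 (the set_id=... tail is deliberately not
    # captured; capturing it would shift the group numbers). Trigger level "1"
    # blocks on the first failure; "3600" makes it a one-hour temporary block.
    if (($globlogs{CUSTOM1_LOG}{$lgfile}) and
        ($line =~ /login authenticator failed for .*?\[(\d+\.\d+\.\d+\.\d+)\]: 535 Incorrect authentication data/)) {
        return ("Failed Exim AUTH from", $1, "eximauth", "1", "25,465,587", "3600");
    }

    # Rule 2: recipient rejections (address harvesting against local domains).
    # A single rejection is not suspicious on its own, so this triggers at 5.
    if (($globlogs{CUSTOM1_LOG}{$lgfile}) and
        ($line =~ /H=.*?\[(\d+\.\d+\.\d+\.\d+)\] F=<[^>]*> rejected RCPT </)) {
        return ("Rejected RCPT from", $1, "eximrcpt", "5", "25,465,587", "3600");
    }

    return 0;   # no rule matched, exactly as the stock file does
}

# Stand-alone self-test (perl this_file.pl) on constructed lines that use
# documentation addresses. Assumes CUSTOM1_LOG = "/var/log/exim/mainlog".
unless (caller) {
    my $log = "/var/log/exim/mainlog";
    $globlogs{CUSTOM1_LOG}{$log} = 1;

    my @cases = (
        # [ constructed log line, expected IP or undef when no rule should fire ]
        ['2017-01-31 11:44:56 login authenticator failed for (just-TESTING) [203.0.113.10]: 535 Incorrect authentication data (set_id=test@example.net)', '203.0.113.10'],
        ['2021-01-28 11:52:13 login authenticator failed for ([203.0.113.11]) [203.0.113.11]: 535 Incorrect authentication data (set_id=pvdleij)', '203.0.113.11'],
        ['2017-01-31 11:53:53 H=(mata.com) [198.51.100.7] F=<sender@example.org> rejected RCPT <otha@example.com>: ', '198.51.100.7'],
        ['2017-01-31 11:44:56 SMTP call from (just-TESTING) [203.0.113.10] dropped: too many nonmail commands (last was "RSET")', undef],
    );

    for my $case (@cases) {
        my ($line, $want) = @$case;
        my @r   = custom_line($line, $log);
        my $got = @r > 1 ? $r[1] : undef;       # custom_line returns 0 on no match
        die "mismatch on: $line"
            unless (!defined $want && !defined $got)
                || (defined $want && defined $got && $got eq $want);
        printf "%-14s %s\n",
            defined $got ? $got : '(no match)',
            defined $got ? "rule=$r[2] trigger=$r[3] ports=$r[4]" : '';
    }

    # The same line read from a file that is not CUSTOM1_LOG must not match:
    # this is the "did you define CUSTOM1_LOG in csf.conf?" case from the thread.
    my @r = custom_line($cases[0][0], "/var/log/secure");
    die "rule fired for the wrong log file" if @r > 1;
    print "all cases OK\n";
}

1;
```

The second rule fires at 5 failures and the first at 1 because a genuine user mistyping a mailbox password should not be locked out by a single recipient rejection, whereas a 535 AUTH failure against a domain that has no mailboxes is never legitimate.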
 