As you all know, 'CSF Firewall' incorporates the option to add special rules to block anything that is not covered in the code base. In the 'CSF forums', there is a 'thread talking about' and describing some rules that users have added. However, most are specific to cPanel and of little use to 'DirectAdmin' users.
For that reason, I am opening this thread to share the rule that I added and to see if anyone is encouraged to share the rules they have created.
For those less familiar with the process of creating custom rules, I add a short explanation of the process, although it is well explained in the 'CSF documentation'.
Create special rules
- Read the explanations in the 'regex.custom.pm' file that you can find in the '/usr/local/csf/bin' directory.
- Create a special rule that will detect the behavior that CSF does not detect. Personally, to create the rule, I used the 'Online Regex Tester', which has been of great use.
- Add the name of the log file (full path) to the CSF configuration file. This step cannot be performed from the UI (DA CSF plugin); you must do it from the command line by editing the 'csf.conf' file in the '/etc/csf' directory. At the end of the file you will find a number of 'CUSTOM?_LOG' variables; edit the appropriate one.
- Restart 'LFD' from the UI or from the command line.
In recent weeks, during the daily review of log files, in 'exim/rejectlog' I noticed many entries like the following:
Code:
2014-12-03 06:34:32 1Xw2a8-0006Di-67 H=s3mt3p.consultorpc.com [93.159.213.3] temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_unavailable'
2014-12-03 06:35:14 1Xw2ao-0006Ej-I6 H=mta15.informadirect.com [87.236.221.169] temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_unavailable'
2014-12-03 06:36:25 1Xw2bw-0006Fy-UZ H=mta28.informadirect.com [87.236.221.182] temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_unavailable'
2014-12-03 06:43:30 1Xw2io-0006Mx-5u H=mta19.informadirect.com [87.236.221.173] temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_unavailable'
2014-12-03 06:44:21 1Xw2jd-0006O5-EH H=mta25.informadirect.com [87.236.221.179] temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_unavailable'
Which were not detected by CSF. And while connection attempts were rejected by the latest 'SpamBlocker' (4.3.0 - alpha-2), it bothered me that the repeated attempts (over 8,000 in the last days) consume resources and bandwidth.
The special rule added
Code:
# Exim_DKIM
# Return values: description, IP, rule ID, trigger count, ports to block, block time in seconds
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+ \S+ \S+ \S+ \[(\S+)\] temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_unavailable'/)) {
    return ("DKIM pubkey unavailable",$1,"Exim_DKIM","5","25,465,587","3600");
}
Well, that's all. I hope it will be useful to someone.
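An offline way to check a rule like the one above before restarting LFD, added here as an example and not part of the original post or of CSF. The log path, the %globlogs stand-in and all log lines are constructed assumptions; the third group carries an extra parenthesised HELO token before the address, a form Exim also writes, to show a line the four-field prefix does not cover.

```perl
#!/usr/bin/perl
# Added example: offline check of the Exim_DKIM rule; not part of CSF/LFD.
use strict;
use warnings;

# Stand-ins (assumptions) for what LFD supplies to regex.custom.pm.
my $log      = "/var/log/exim/rejectlog";   # assumed CUSTOM1_LOG value
my %globlogs = (CUSTOM1_LOG => { $log => 1 });

# The rule from the post, wrapped in a sub so it can be called per line.
sub custom_line {
    my ($line, $lgfile) = @_;
    if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+ \S+ \S+ \S+ \[(\S+)\] temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_unavailable'/)) {
        return ("DKIM pubkey unavailable",$1,"Exim_DKIM","5","25,465,587","3600");
    }
    return;
}

# Constructed log lines (documentation addresses, made-up message IDs).
my $tail = "temporarily rejected DKIM : DKIM: Deferred. reason='pubkey_unavailable'";
my @lines = (
    ("2014-12-03 06:34:32 1Xw000-000001-AA H=mta1.example.net [192.0.2.10] $tail") x 5,
    ("2014-12-03 06:35:14 1Xw000-000002-BB H=mta2.example.net [198.51.100.7] $tail") x 2,
    # Extra "(helo)" token before the address: the four-field prefix no longer fits.
    ("2014-12-03 06:36:25 1Xw000-000003-CC H=mta3.example.net (mail.example.org) [203.0.113.5] $tail") x 5,
);

# Count matches per address and compare with the trigger level the rule returns.
# This counts matches only; it does not model LFD's own timing.
my (%hits, %level);
my $unmatched = 0;
for my $line (@lines) {
    my ($desc, $ip, $id, $trigger) = custom_line($line, $log);
    if (defined $ip) {
        $hits{$ip}++;
        $level{$ip} = $trigger;
    } else {
        $unmatched++;
    }
}

for my $ip (sort keys %hits) {
    my $state = $hits{$ip} >= $level{$ip} ? "reaches trigger" : "below trigger";
    printf "%-15s %d match(es), trigger %d: %s\n", $ip, $hits{$ip}, $level{$ip}, $state;
}
print "$unmatched line(s) did not match the rule\n";
```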