Defeating Brute Force Attacks by Custom Regex in CSF

soroosh-ab

Verified User
Joined
Oct 26, 2016
Messages
9
Hi Everyone,

After many long years of using DirectAdmin, I've decided to start a new thread in the DA forums specifically for custom regex in CSF. I've had many brute force attacks, especially on Exim, which forced me to start adding regex to CSF, so I thought it would be very wise to share all my active regex lines here.

I will add more over time, so please be patient and share your logs here so that I can provide a regex for them.

First of all, make sure to add your Exim reject log to the CSF config file (/etc/csf/csf.conf); the setting is almost at the end of the config file.
I've added the Exim log as CUSTOM2_LOG:

Code:
CUSTOM2_LOG = "/var/log/exim/rejectlog"
After doing so, let's move on to the actual regex file (/etc/csf/regex.custom.pm).

The first usual attacks I get include "(User)", so I prepared this:

Code:
# User Attacks
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^(.+) login authenticator failed for \(User\) \[(\S+)\]: 535 Incorrect authentication data/))  {
      return ("User Attack From ",$2,"UserAttack","1","1");
   }

The second ones come with some kind of host name and a local IP address; here is the regex to filter them:

Code:
# Fake Host Attacks
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^(.+) plain authenticator failed for \S+\s+\(\[\S+\]\) \[(\S+)\]: 535 Incorrect authentication data/))  {
      return ("Fake Host From ",$2,"FakeHost","1","1");
   }
Other attacks have some kind of local IP in the string; the regex is as below:

Code:
# Local IP Attacks
 if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^(.+) plain authenticator failed for \(\S+\) \[(\S+)\]: 535 Incorrect authentication data/))  {
      return ("Local IP Attack From ",$2,"LocalIPAttack","1","1");
   }
This attack is one of the most common ones, with the (info-api.ru) string:

Code:
# info-api Attacks
 # the dot in info-api.ru is escaped so it matches a literal "." and not any character
 if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^(.+) plain authenticator failed for \(info-api\.ru\) \[(\S+)\]: 535 Incorrect authentication data/))  {
      return ("info-api From ",$2,"InfoAPI","1","1");
   }
I used to have hundreds of attacks from the Chinese YLMF with the (ylmf-pc) string:

Code:
# YLMF Attacks
   if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^(.+) login authenticator failed for \(ylmf-pc\) \[(\S+)\]: 535 Incorrect authentication data/))  {
      return ("ylmf-pc Attack From ",$2,"ylmfAttack","1","1");
   }
Other very common ones are RCPT; I've used these two rules to block them:

Code:
# RCPT Attacks
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^(.+) H=\(\S+\) \[(\S+)\] F=\<\S+\> rejected RCPT \<\S+\>: authentication required/))  {
      return ("RCPT NOT ALLOWED FROM ",$2,"RCPT","1","1");
   }

if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^(.+) H=\(\S+\) \[(\S+)\] F=\<\S+\> rejected RCPT \<\S+\>: /))  {
      return ("RCPT NOT ALLOWED FROM ",$2,"RCPT","1","1");
   }

Don't forget to restart CSF and LFD the first time you've done all this. From the second time onwards you'll need to restart LFD only.


Let me know if you have any specific logs in Exim which you would like added.

Cheers,
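Added example, not code from the post above and not csf's own code: the post's rejectlog rules translated into a Python script that runs them over constructed log lines, so a rule set can be checked before LFD is restarted. Python's re module accepts the syntax these patterns use, so each rule is the Perl rule with the client address ($2 in the post) moved into a named group. Two things the Perl file does not make obvious are shown: the first `if` that matches returns, so a generic pattern listed ahead of a specific one (the "(anything)" Local IP rule ahead of the info-api.ru rule) claims every line the specific one was written for; and one pattern can cover both forms Exim writes for the HELO field, `H=(helo) [ip]` and `H=rdns.name (helo) [ip]`. All log lines, host names and addresses below are constructed (RFC 5737 test ranges).

```python
"""Run the thread's exim rejectlog rules over constructed log lines.

Added example, not code from the post or from csf.  Python's re accepts the
syntax these patterns use, so each rule below is the Perl rule with the
client address moved into a named group "ip" (the post's $2).  Every line,
hostname and address here is constructed (RFC 5737 test ranges)."""
import re

AUTH_TAIL = r"\[(?P<ip>\S+)\]: 535 Incorrect authentication data"

# Rule table in file order: the first pattern that matches decides the app id,
# exactly as the first `if` that returns does in regex.custom.pm.
RULES = [
    ("UserAttack", re.compile(r"^.+ login authenticator failed for \(User\) " + AUTH_TAIL)),
    ("ylmfAttack", re.compile(r"^.+ login authenticator failed for \(ylmf-pc\) " + AUTH_TAIL)),
    # rDNS name followed by the client's own address: "for host ([10.0.0.7]) [ip]"
    ("FakeHost", re.compile(r"^.+ plain authenticator failed for \S+ \(\[\S+\]\) " + AUTH_TAIL)),
    # literal HELO string; the dot is escaped and the rule sits BEFORE the generic
    # "(anything)" rule, otherwise the generic rule claims every info-api.ru line
    ("InfoAPI", re.compile(r"^.+ plain authenticator failed for \(info-api\.ru\) " + AUTH_TAIL)),
    ("LocalIPAttack", re.compile(r"^.+ plain authenticator failed for \(\S+\) " + AUTH_TAIL)),
    # HELO rejection: exim writes "H=(ylmf-pc) [ip]" or "H=rdns.name (ylmf-pc) [ip]";
    # the optional group covers both forms with one rule
    ("ylmfHelo", re.compile(r"^.+ H=(?:\S+ )?\(ylmf-pc\) \[(?P<ip>\S+)\] rejected EHLO or HELO ")),
    # unauthenticated RCPT; the reason-less form from the post covers both of its rules
    ("RCPT", re.compile(r"^.+ H=\(\S+\) \[(?P<ip>\S+)\] F=<\S+> rejected RCPT <\S+>: ")),
]


def classify(line, rules=RULES):
    """Return (app id, client address) from the first matching rule, else None."""
    for app, pattern in rules:
        m = pattern.match(line)
        if m:
            return app, m.group("ip")
    return None


def scan(lines, rules=RULES):
    """Group matched client addresses by app id, the unit lfd counts triggers in."""
    hits = {}
    for line in lines:
        result = classify(line, rules)
        if result is not None:
            app, ip = result
            hits.setdefault(app, []).append(ip)
    return hits


# Constructed rejectlog lines in exim's layout: timestamp, then the message.
SAMPLE_LINES = [
    "2016-10-31 09:31:04 login authenticator failed for (User) [203.0.113.10]: 535 Incorrect authentication data (set_id=info)",
    "2016-10-31 09:31:05 plain authenticator failed for mail.example.net ([10.0.0.7]) [203.0.113.11]: 535 Incorrect authentication data",
    "2016-10-31 09:31:06 plain authenticator failed for (info-api.ru) [203.0.113.12]: 535 Incorrect authentication data",
    "2016-10-31 09:31:07 plain authenticator failed for ([192.168.1.5]) [203.0.113.13]: 535 Incorrect authentication data",
    "2016-10-31 09:31:08 login authenticator failed for (ylmf-pc) [203.0.113.14]: 535 Incorrect authentication data (set_id=admin)",
    "2016-10-31 09:36:25 H=(ylmf-pc) [203.0.113.17] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse",
    "2016-10-31 09:36:26 H=host.example.net (ylmf-pc) [203.0.113.18] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse",
    "2016-10-31 09:37:00 H=(mx) [203.0.113.16] F=<a@example.org> rejected RCPT <b@example.com>: authentication required",
    "2016-10-31 09:37:01 H=(mx) [203.0.113.16] F=<a@example.org> rejected RCPT <c@example.com>: relay not permitted",
    "2016-10-31 09:38:00 SMTP connection from [203.0.113.99] refused: too many connections",
]

# The post lists the generic "(anything)" rule before the info-api.ru rule;
# this table reproduces that order to show the specific rule never firing.
POST_ORDER = [r for r in RULES if r[0] != "InfoAPI"] + [r for r in RULES if r[0] == "InfoAPI"]

if __name__ == "__main__":
    for app, ips in scan(SAMPLE_LINES).items():
        print(f"{app:14} {ips}")
    print("post order gives:", classify(SAMPLE_LINES[2], POST_ORDER))
```

To check a real rejectlog, feed `scan()` the lines of the file and compare the per-app lists with what LFD actually blocked; a line that shows up under the wrong app id usually means two rules overlap and the more general one is listed first.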
 

SeLLeRoNe

Super Moderator
Joined
Oct 9, 2004
Messages
6,789
Location
A Coruña, Spain
Thanks for sharing, I'll give it a try :)

I just did something different (not yet sure it would work): instead of using CUSTOM2_LOG I named the variable SMTPREJECT_LOG and added it just after the exim/mainlog file, just to keep things in order ;)

Best regards
 

soroosh-ab

Verified User
Joined
Oct 26, 2016
Messages
9
Thanks for sharing, I'll give it a try :)

I just did something different (not yet sure it would work): instead of using CUSTOM2_LOG I named the variable SMTPREJECT_LOG and added it just after the exim/mainlog file, just to keep things in order ;)

Best regards
Thanks for trying; yeah, if you use a better-named variable it should keep things tidy and easier to manage. Well, I have more regex coming up soon. I will try to add more logs other than Exim as well. I find these very useful to fight against brute force.
 

zmippie

Verified User
Joined
Apr 19, 2015
Messages
142
Not to hijack this thread, but I'm struggling with the sudden outburst of "Brute-Force Attack detected in service log" messages for a few days now. I'm not sure what caused it, because as I understand it, normally CSF & LFD would intercept these and act accordingly (block through iptables). Now suddenly DA's BFM kicks in all the time, and is quite useless, to be honest. What's the use of sending me notifications all the time? How would that be helpful, instead of just blocking the IP address?

So please enlighten me: apart from failed logins on DA itself, what is the use of DA's BFM when I have CSF & LFD up and running?
 

zmippie

Verified User
Joined
Apr 19, 2015
Messages
142
and added just after the exim/mainlog file, just to keep things in order
On my CentOS 6.8 box, rejectlog doesn't contain failed SMTP authentication warnings; they go into exim/mainlog, so I would also not have CSF & LFD scan the reject log (it's huge, mostly containing reports for rejected spam on non-existent e-mail addresses).
 

soroosh-ab

Verified User
Joined
Oct 26, 2016
Messages
9
Not to hijack this thread, but I'm struggling with the sudden outburst of "Brute-Force Attack detected in service log" messages for a few days now. I'm not sure what caused it, because as I understand it, normally CSF & LFD would intercept these and act accordingly (block through iptables). Now suddenly DA's BFM kicks in all the time, and is quite useless, to be honest. What's the use of sending me notifications all the time? How would that be helpful, instead of just blocking the IP address?

So please enlighten me: apart from failed logins on DA itself, what is the use of DA's BFM when I have CSF & LFD up and running?
Well, I don't quite get you, as this thread is all about custom regex in CSF; nothing related to BFM here! This is just to enhance CSF to catch brute force attacks on the first try and block them immediately.
 

soroosh-ab

Verified User
Joined
Oct 26, 2016
Messages
9
On my CentOS 6.8 box, rejectlog doesn't contain failed SMTP authentication warnings; they go into exim/mainlog, so I would also not have CSF & LFD scan the reject log (it's huge, mostly containing reports for rejected spam on non-existent e-mail addresses).
It's true that the spam-related info is in rejectlog, as well as the failed attempts which we have to block. You don't have to worry about SMTP attempts, as CSF will detect them automatically; just change the value of "LF_SMTPAUTH" in csf.conf as you desire!

The main purpose of custom regex is to input the attacks that are always similar in the rejectlog and block them immediately (on the first attempt).

Once you start using them you'll know what I mean, as it will reduce the brute force attacks significantly.
 

zmippie

Verified User
Joined
Apr 19, 2015
Messages
142
Well, I don't quite get you, as this thread is all about custom regex in CSF; nothing related to BFM here!
Yes, I understand, but it's related to the same exim log messages: e.g. "login authenticator failed for".

The main purpose of custom regex is to input the attacks that are always similar in the rejectlog and block them immediately (on the first attempt).
Alright! I didn't get that. I thought what you posted here was that CSF wasn't picking up on these failed authentications by default, and your scripts would be needed for that. Sorry for misreading that.

You don't have to worry about SMTP attempts, as CSF will detect them automatically; just change the value of "LF_SMTPAUTH" in csf.conf as you desire!
Well, that's the whole problem: even though CSF catches these failed attempts (I assume; they stop pretty quickly), DA's BFM notices them too, and sends me (rather useless) reports about them (even when there are two failed attempts). I'm not sure why this has suddenly started.
 

Erulezz

Verified User
Joined
Sep 14, 2015
Messages
435
Location
Arnhem, NL
Thanks, that's quite nice to immediately block IPs that are > 99% spam IPs :) Does this also work for Pure-FTPd? Almost every FTP brute force starts with attempts on users like "test,test1,testing,admin,administrator,demo,user,public,guest,ftp,ftpuser,webmaster,webadmin". It would be nice to immediately block these IPs if attempts are made on these usernames.
 

soroosh-ab

Verified User
Joined
Oct 26, 2016
Messages
9
Thanks, that's quite nice to immediately block IPs that are > 99% spam IPs :) Does this also work for Pure-FTPd? Almost every FTP brute force starts with attempts on users like "test,test1,testing,admin,administrator,demo,user,public,guest,ftp,ftpuser,webmaster,webadmin". It would be nice to immediately block these IPs if attempts are made on these usernames.
Hi,

Please leave one of your logs here so that I can prepare a regex for it; then we'll try it out.

Thanks
 

Erulezz

Verified User
Joined
Sep 14, 2015
Messages
435
Location
Arnhem, NL
I have a lot of these from different IPs so LFD isn't always picking them up:

Code:
test	1	pure-ftpd1	Oct 31 09:31:38 web01 pure-ftpd: (?@ip) [WARNING] Authentication failed for user [test]
ftpadmin	1	pure-ftpd1	Oct 31 09:31:04 web01 pure-ftpd: (?@ip) [WARNING] Authentication failed for user [ftpadmin]
 

dave097

Verified User
Joined
May 8, 2014
Messages
113
For # YLMF Attacks, we have:

2016-10-31 09:36:25 H=(ylmf-pc) [IP] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse

Maybe you can block this in your YLMF Attacks regex? Thank you!
 

soroosh-ab

Verified User
Joined
Oct 26, 2016
Messages
9
I have a lot of these from different IPs so LFD isn't always picking them up:

Code:
test	1	pure-ftpd1	Oct 31 09:31:38 web01 pure-ftpd: (?@ip) [WARNING] Authentication failed for user [test]
ftpadmin	1	pure-ftpd1	Oct 31 09:31:04 web01 pure-ftpd: (?@ip) [WARNING] Authentication failed for user [ftpadmin]

Can you check the following path for the log:

Code:
/var/log/pureftpd.log
See if the log is there and copy the exact log for me here; as I'm using ProFTPD myself, I'm not sure where the correct log is for Pure-FTPd.

After this you have to check the CSF config file, go to the bottom of the file and look for "FTPD_LOG"; see the log that is set there and make sure it's correct. Then add the following to your regex:

Code:
   # pure-ftpd logs the client as (user@address) with user "?" before login, so capture
   # only the address after "?@" ($2), otherwise lfd is handed "?@a.b.c.d" instead of an IP
   if (($lgfile eq $config{FTPD_LOG}) and ($line =~ /^(.+) web01 pure-ftpd: \(\?\@(\S+)\) \[WARNING\] Authentication failed for user \[(test|ftpadmin)\]/))  {
      return ("PureFTP Attack From ",$2,"pureFTPAttack","1","1");
   }
The above code will catch those with the test and ftpadmin users, as you mentioned in the log. Add more users that are being used in attacks if you like.
 

soroosh-ab

Verified User
Joined
Oct 26, 2016
Messages
9
For # YLMF Attacks, we have:

2016-10-31 09:36:25 H=(ylmf-pc) [IP] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse

Maybe you can block this in your YLMF Attacks regex? Thank you!
Use the following regex and make sure "CUSTOM2_LOG" is set according to my main post.

Code:
   if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^(.+) H=\(ylmf-pc\) \[(\S+)\] rejected EHLO or HELO \S+/))  {
      return ("ylmf-pc Attack From ",$2,"ylmfAttack","1","1");
   }
 

soroosh-ab

Verified User
Joined
Oct 26, 2016
Messages
9
I have a lot of these from different IPs so LFD isn't always picking them up:

Code:
test	1	pure-ftpd1	Oct 31 09:31:38 web01 pure-ftpd: (?@ip) [WARNING] Authentication failed for user [test]
ftpadmin	1	pure-ftpd1	Oct 31 09:31:04 web01 pure-ftpd: (?@ip) [WARNING] Authentication failed for user [ftpadmin]
Code:
   # pure-ftpd logs the client as (user@address) with user "?" before login, so capture
   # only the address after "?@" ($2), otherwise lfd is handed "?@a.b.c.d" instead of an IP
   if (($lgfile eq $config{FTPD_LOG}) and ($line =~ /^(.+) web01 pure-ftpd: \(\?\@(\S+)\) \[WARNING\] Authentication failed for user \[(test|ftpadmin)\]/))  {
      return ("PureFTP Attack From ",$2,"pureFTPAttack","1","1");
   }
You can use the regex above, but make sure your FTPD_LOG is set correctly in the CSF config file (at the bottom of the csf config file).
 

dave097

Verified User
Joined
May 8, 2014
Messages
113
Use the following regex and make sure "CUSTOM2_LOG" is set according to my main post.

Code:
   if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^(.+) H=\(ylmf-pc\) \[(\S+)\] rejected EHLO or HELO \S+/))  {
      return ("ylmf-pc Attack From ",$2,"ylmfAttack","1","1");
   }
Thank you! But it didn't work for:

H=tri1820523.lnk.telstra.net (ylmf-pc) [110.142.183.153] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
 

SeLLeRoNe

Super Moderator
Joined
Oct 9, 2004
Messages
6,789
Location
A Coruña, Spain
Just a hint/suggestion: I wouldn't recommend putting the server name in the regex (web01), so it will work for everyone ;)

Best regards
 

soroosh-ab

Verified User
Joined
Oct 26, 2016
Messages
9
Thank you! But it didn't work for:

H=tri1820523.lnk.telstra.net (ylmf-pc) [110.142.183.153] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
OK, that one is different; ylmf does it sometimes. Add the following regex as well:

Code:
   if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^(.+) H=\S+\s\(ylmf-pc\) \[(\S+)\] rejected EHLO or HELO \S+/))  {
      return ("ylmf-pc Attack From ",$2,"ylmfAttack","1","1");
   }
 

dave097

Verified User
Joined
May 8, 2014
Messages
113
OK, that one is different; ylmf does it sometimes. Add the following regex as well:

Code:
   if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^(.+) H=\S+\s\(ylmf-pc\) \[(\S+)\] rejected EHLO or HELO \S+/))  {
      return ("ylmf-pc Attack From ",$2,"ylmfAttack","1","1");
   }
Sorry for my late comment! This works perfectly. Thank you! :)
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,221
Location
Maastricht
Thank you, this series is great!

However I don't want a permanent block after 1 attempt, but a temp block after 5 attempts.
At this moment it gives a perm block after 1 attempt.
So I changed this part of the line:

Code:
return ("ylmf-pc Attack From ",$2,"ylmfAttack","1","1");
to
Code:
return ("ylmf-pc Attack From ",$2,"ylmfAttack","5",,"3600");
where the double comma is set because using only one comma (the , character) still made perm bans.
I hope this will fix it and put only temp bans now.
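Added example, not code from the post above and not csf's own code: a small Python model of how LFD consumes the list a custom rule returns, to make the last fields concrete. The order is the one documented in the comment header of csf's own regex.custom.pm template: message, IP, app id, trigger count, ports ("*" for all ports), and an optional number of seconds for a temporary block; leave it out for a permanent block. Read with that order, the `"1","1"` used throughout this thread is trigger 1 with ports "1", so the examples below use "*". One caveat on the `"5",,"3600"` form: Perl ignores an empty element in a list literal, so `"5",,"3600"` is the same list as `"5","3600"`, which that order reads as trigger 5, port 3600, permanent; `"5","*","3600"` is the form that asks for a 3600 second block on all ports after five matches. The counting window (LF_INTERVAL, 300 seconds by default) and the counting itself are a simplified model of LFD, not its code; the event times and address are constructed.

```python
"""Model of how lfd consumes a custom rule's return list.

Added example, not code from the post or from csf.  The list layout is the one
documented in the comment header of csf's regex.custom.pm template: message,
IP, app id, trigger count, ports ("*" for all) and an optional number of
seconds for a temporary block (omit it for a permanent block).  The counting
window (LF_INTERVAL, 300 seconds by default) and the counting itself are a
simplified model, not lfd's code; the event times and address are constructed."""
from collections import defaultdict

LF_INTERVAL = 300  # seconds over which matches for one IP and app are counted (assumed)


class LfdModel:
    def __init__(self, interval=LF_INTERVAL):
        self.interval = interval
        self.matches = defaultdict(list)  # (ip, app) -> times of matches in the window
        self.blocked = {}                 # ip -> (ports, "perm" | seconds)

    def feed(self, now, rule_return):
        """Apply one rule match at time `now`; return (ip, ports, duration) when a
        block is applied, otherwise None."""
        _message, ip, app, trigger, ports, *temp = rule_return
        if ip in self.blocked:
            return None
        key = (ip, app)
        window = [t for t in self.matches[key] if now - t < self.interval]
        window.append(now)
        self.matches[key] = window
        if len(window) < int(trigger):
            return None
        duration = int(temp[0]) if temp else "perm"
        self.blocked[ip] = (ports, duration)
        self.matches[key] = []
        return ip, ports, duration


def simulate(rule_return, times):
    """Feed one IP's matches at the given times; return the blocks applied."""
    model = LfdModel()
    blocks = []
    for t in times:
        block = model.feed(t, rule_return)
        if block is not None:
            blocks.append(block)
    return blocks


IP = "203.0.113.30"
# Block for good on the first match, on all ports (the thread's intent, with "*" for ports).
FIRST_HIT_PERMANENT = ["ylmf-pc Attack From", IP, "ylmfAttack", "1", "*"]
# Five matches inside the window, then a one hour block on all ports.
FIVE_THEN_TEMPORARY = ["ylmf-pc Attack From", IP, "ylmfAttack", "5", "*", "3600"]
# What Perl builds from "5",,"3600": the empty element vanishes, so "3600" lands in
# the ports slot and the block is permanent.
DOUBLE_COMMA_AS_PERL_SEES_IT = ["ylmf-pc Attack From", IP, "ylmfAttack", "5", "3600"]

if __name__ == "__main__":
    burst = [0, 10, 20, 30, 40, 50]
    spread = [0, 100, 200, 400, 500]
    for name, rule in (("1,*", FIRST_HIT_PERMANENT), ("5,*,3600", FIVE_THEN_TEMPORARY),
                       ("5,,3600", DOUBLE_COMMA_AS_PERL_SEES_IT)):
        print(name, simulate(rule, burst), simulate(rule, spread))
```

The `spread` case shows the other side of a trigger count above 1: five failures that never fall inside one window are never blocked, which is exactly the gap the first post's trigger of 1 closes for patterns that are only ever produced by attackers.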
 