soroosh-ab (Verified User, joined Oct 26, 2016, 9 messages)
Hi Everyone,
After many long years of using Directadmin, I've decided to start a new thread in DA forums specifically for Custom Regex in CSF. I've had many brute force attacks, especially on EXIM, which forced me to start adding regex to CSF, so I thought it would be very wise to share all my active regex lines here.
I will add more and more over time, so please be patient and share your logs here so that I can provide a regex for them.
First of all, make sure to add your exim reject log to the CSF config file (/etc/csf/csf.conf); it's almost at the end of the config file.
I've added the exim log to CUSTOM2_LOG:
Code:
CUSTOM2_LOG = "/var/log/exim/rejectlog"
After doing so, let's move on to the actual regex file (/etc/csf/regex.custom.pm).
The first usual attacks I get include "(User)", so I prepared this:
Code:
# User Attacks
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^(.+) login authenticator failed for \(User\) \[(\S+)\]: 535 Incorrect authentication data/)) {
return ("User Attack From ",$2,"UserAttack","1","1");
}
The second ones come with some kind of host name and a local IP address; here is the regex to filter them:
Code:
# Fake Host Attacks
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^(.+) plain authenticator failed for \S+\s+\(\[\S+\]\) \[(\S+)\]: 535 Incorrect authentication data/)) {
return ("Fake Host From ",$2,"FakeHost","1","1");
}
Other attacks have some kind of local IP in the string; regex code as below:
Code:
# Local IP Attacks
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^(.+) plain authenticator failed for \(\S+\) \[(\S+)\]: 535 Incorrect authentication data/)) {
return ("Local IP Attack From ",$2,"LocalIPAttack","1","1");
}
This attack is one of the most common ones, with the (info-api.ru) string:
Code:
# info-api Attacks (the dot in info-api.ru is escaped so it matches a literal dot)
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^(.+) plain authenticator failed for \(info-api\.ru\) \[(\S+)\]: 535 Incorrect authentication data/)) {
return ("info-api From ",$2,"InfoAPI","1","1");
}
I used to have hundreds of attacks from the Chinese YLMF with the (ylmf-pc) string:
Code:
# YLMF Attacks
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^(.+) login authenticator failed for \(ylmf-pc\) \[(\S+)\]: 535 Incorrect authentication data/)) {
return ("ylmf-pc Attack From ",$2,"ylmfAttack","1","1");
}
Other very common ones are RCPT; I've used these 2 blocks of code to block them:
Code:
# RCPT Attacks
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^(.+) H=\(\S+\) \[(\S+)\] F=\<\S+\> rejected RCPT \<\S+\>: authentication required/)) {
return ("RCPT NOT ALLOWED FROM ",$2,"RCPT","1","1");
}
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^(.+) H=\(\S+\) \[(\S+)\] F=\<\S+\> rejected RCPT \<\S+\>: /)) {
return ("RCPT NOT ALLOWED FROM ",$2,"RCPT","1","1");
}
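To check rules like these before restarting lfd, here is an added test harness; it is not part of the post and not CSF's own code. The post's patterns are ported to Python's re (for the constructs used, \S, \s, escaped parentheses and brackets and literal text, the two engines agree; the only porting changes are writing < and > without backslashes and escaping the dot in info-api.ru), tried in the post's order with the first match winning, as lfd does with regex.custom.pm, over constructed sample rejectlog lines using documentation addresses. Running the (info-api.ru) sample through it shows that the broader Local IP rule, which comes first, matches that line, so the InfoAPI identifier is never reached. The harness also validates the captured text with ipaddress before treating it as an address, since \S+ will capture any non-space token.

```python
import ipaddress
import re

# The post's exim rejectlog rules ported from Perl to Python's re.
# Order is the post's order: like lfd's regex.custom.pm, the first rule
# that matches a line wins.
RULES = [
    ("User Attack From", "UserAttack",
     r"^(.+) login authenticator failed for \(User\) \[(\S+)\]: 535 Incorrect authentication data"),
    ("Fake Host From", "FakeHost",
     r"^(.+) plain authenticator failed for \S+\s+\(\[\S+\]\) \[(\S+)\]: 535 Incorrect authentication data"),
    ("Local IP Attack From", "LocalIPAttack",
     r"^(.+) plain authenticator failed for \(\S+\) \[(\S+)\]: 535 Incorrect authentication data"),
    ("info-api From", "InfoAPI",
     r"^(.+) plain authenticator failed for \(info-api\.ru\) \[(\S+)\]: 535 Incorrect authentication data"),
    ("ylmf-pc Attack From", "ylmfAttack",
     r"^(.+) login authenticator failed for \(ylmf-pc\) \[(\S+)\]: 535 Incorrect authentication data"),
    ("RCPT NOT ALLOWED FROM", "RCPT",
     r"^(.+) H=\(\S+\) \[(\S+)\] F=<\S+> rejected RCPT <\S+>: authentication required"),
    ("RCPT NOT ALLOWED FROM", "RCPT",
     r"^(.+) H=\(\S+\) \[(\S+)\] F=<\S+> rejected RCPT <\S+>: "),
]
COMPILED = [(msg, ident, re.compile(pat)) for msg, ident, pat in RULES]


def classify(line):
    """Return the first rule hit for one log line as a dict, or None if nothing matches.

    Mirrors what lfd receives from regex.custom.pm: the message text, the
    captured address (group 2) and the rule identifier. The capture is also
    checked with ipaddress, because the regex token \\S+ would happily
    capture a token that is not an address at all.
    """
    for message, ident, pattern in COMPILED:
        m = pattern.match(line)
        if m is None:
            continue
        ip = m.group(2)
        try:
            ipaddress.ip_address(ip)
            valid = True
        except ValueError:
            valid = False
        return {"message": message, "id": ident, "ip": ip, "valid_ip": valid}
    return None


def scan(lines):
    """Classify every line; return a list of (identifier, ip) for matched lines only."""
    hits = []
    for line in lines:
        result = classify(line.rstrip("\n"))
        if result is not None:
            hits.append((result["id"], result["ip"]))
    return hits


# Constructed sample rejectlog lines (not real log data); addresses come from
# the 192.0.2.0/24 and 2001:db8::/32 documentation ranges. The last line is a
# normal delivery line and should match nothing.
SAMPLE_LINES = [
    "2016-10-26 10:00:01 login authenticator failed for (User) [192.0.2.10]: 535 Incorrect authentication data (set_id=admin)",
    "2016-10-26 10:00:02 plain authenticator failed for mail.example.test ([10.0.0.5]) [192.0.2.11]: 535 Incorrect authentication data",
    "2016-10-26 10:00:03 plain authenticator failed for (10.0.0.7) [192.0.2.12]: 535 Incorrect authentication data",
    "2016-10-26 10:00:04 plain authenticator failed for (info-api.ru) [192.0.2.13]: 535 Incorrect authentication data",
    "2016-10-26 10:00:05 login authenticator failed for (ylmf-pc) [2001:db8::14]: 535 Incorrect authentication data",
    "2016-10-26 10:00:06 H=(spammer) [192.0.2.15] F=<a@b.test> rejected RCPT <c@d.test>: authentication required",
    "2016-10-26 10:00:07 <= a@b.test H=mail.example.test [192.0.2.16] P=esmtp S=1234",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify(line) or "no rule matched", "<-", line[:60])
```

To test a rule against your own log, replace SAMPLE_LINES with lines read from /var/log/exim/rejectlog; a line that comes back as None is one that none of the rules would report to lfd, and a hit whose valid_ip is False means the rule captured something other than the client address.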
Don't forget to restart CSF and LFD after the first time you've done all this. From the second time onwards you'll need to restart LFD only.
Let me know if you have any specific logs in exim which you would like to be added.
Cheers,