custom rules

-

CSF custom regex, CentOS 6

CSF setting to catch SASL LOGIN authentication failed on CentOS

# vi /etc/csf/csf.conf

Find CUSTOM1_LOG and edit the content to:

CUSTOM1_LOG = "/var/log/maillog"

Add the regex to catch the failed attempts against SASL:

# cp /usr/local/csf/bin/regex.custom.pm /usr/local/csf/bin/regex.custom.pm.BK

# vi /usr/local/csf/bin/regex.custom.pm

Add the regex below between the "# Do not edit before this point" and "# Do not edit beyond this point" lines. The fourth value in the return list is the trigger count: "3" here blocks an IP after 3 failed SASL login attempts (the variants further down use "10" or "5"); the fifth is the port list and the sixth is the block length in seconds, or "1" for a permanent block.

--------------------------------------------------

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]*? authentication failed/)) {

return ("Failed SASL login from",$1,"mysaslmatch","3","25","3600");

}

-------------------- Best [temporary IP entries] --------------------

------ Iris ------

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]*? authentication failed/)) {

    return ("Failed SASL login from",$1,"mysaslmatch","10","25,465,587","1");

}

------------temporary IP entries------------------

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]*? authentication failed/)) {

return ("Failed SASL login from",$1,"mysaslmatch","10","25,465,587","3600");

}

------------X--------------

if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/smtps\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]*? authentication failed/)) {

return ("Failed SASL login from",$1,"mysaslmatch","5","25,465,587,993,995","14400");

}

------------X--------------

if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]*? authentication failed/)) {

return ("Failed SASL login from",$1,"mysaslmatch","5","25,465,587,993,995","14400");

}

------------X--------------

---------------------------------------------------

Restart CSF:

# csf -r

# systemctl restart csf lfd

I've added the code in regex.custom and changed to CUSTOM2_LOG because in CUSTOM1_LOG was some panel log in csf.conf.

Here's a sample from maillog:

Sep 29 14:56:46 vpsxxx postfix/smtpd[20536]: warning: static-***.net[100.*.*.*]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

----------------------------------XXXXXXXXXXXXXXXXX---------------------------------

BEST - CENTOS 7

LFD mail example

As said, not all attacks are picked up by the built-in LFD checks. We can work around that with custom regular expressions. This is not very easy to do, but with these examples you can come a long way. As a first example we want to block these attempts:

Feb 16 08:13:32 mail02 postfix/submission/smtpd[4312]: warning: unknown[83.219.76.26]: SASL PLAIN authentication failed:

The first step is to find out which log the brute-force attempts land in. Add that log as a custom log at the bottom of /etc/csf/csf.conf (# vi /etc/csf/csf.conf). In our case it is mail.log:

CUSTOM1_LOG = "/var/log/mail.log"

You might notice that above this setting, other services are already looking at the exact same log. This does not matter. Just add this one as a custom log as well.

# cp /usr/local/csf/bin/regex.custom.pm /usr/local/csf/bin/regex.custom.pm.BK

Next, add your regular expression to the regex.custom.pm file; the "10" in the return list blocks an IP after 10 failed SASL login attempts:

# vi /usr/local/csf/bin/regex.custom.pm

# Permanently block an IP address that has 10 failed SASL login attempts

if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/submission\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]*? authentication failed/)) {

return ("Failed SASL login from",$1,"mysaslmatch","10","25,465,587","1");

}

This will permanently block an IP that has 10 failed SASL login attempts.

Restart CSF and LFD.

# csf -r

# systemctl restart csf lfd

LF_TRIGGER = 0

LF_TRIGGER_PERM = 1

SMTPAUTH_LOG = "/var/log/maillog"

---------------------------------------OR----------------------------------------

Apache

CUSTOM1_LOG = "/var/log/maillog"

CUSTOM2_LOG = "/var/log/httpd/error_log"

# httpd "File does not exist"

if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[error\] \[client (\S+)\] File does not exist:/)) {

        return ("File does not exist",$1,"Apache",2,"80,443","1");

}

# httpd "invalid request"

if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[error\] \[client (\S+)\] invalid request:/)) {

        return ("invalid request",$1,"Apache",2,"80,443","1");

}
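The two Apache rules above are written for the Apache 2.2 error_log layout ("[timestamp] [error] [client IP] ..."). The following stand-alone Perl harness is an added example, not code from CSF or from these notes: it runs the "File does not exist" rule against constructed error_log lines in both the 2.2 layout and the 2.4 layout (which adds a module tag, a pid tag, the client port and an AHxxxxx message code). The 2.4 pattern, the apache_rules() function name, the %globlogs stand-in and the sample lines (RFC 5737 address 192.0.2.10, placeholder path) are assumptions of this example.

```perl
#!/usr/bin/perl
# Added example (not CSF code): checks the Apache "File does not exist"
# rule from these notes against constructed error_log lines in both the
# Apache 2.2 and the Apache 2.4 log formats.
use strict;
use warnings;

# Stand-in for the %globlogs hash that lfd provides to custom_line().
my %globlogs = (CUSTOM2_LOG => { '/var/log/httpd/error_log' => 1 });

sub apache_rules {
    my ($line, $lgfile) = @_;

    # Rule from the notes: Apache 2.2 layout, [timestamp] [error] [client IP]
    if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[error\] \[client (\S+)\] File does not exist:/)) {
        return ("File does not exist", $1, "Apache", 2, "80,443", "1");
    }

    # Added variant (assumption, not from the notes): Apache 2.4 logs the same
    # event as [core:error] with a pid tag, a client port and an AH00128 code.
    # (\S+?) with the optional (?::\d+)? keeps the port out of the captured IP.
    if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\s+\S+\] \[core:error\] \[pid \d+(?::tid \d+)?\] \[client (\S+?)(?::\d+)?\] (?:AH\d+: )?File does not exist:/)) {
        return ("File does not exist", $1, "Apache", 2, "80,443", "1");
    }

    return 0;
}

# Constructed sample lines (IP and path are placeholders).
my @samples = (
    '[Sun Feb 16 08:13:32 2014] [error] [client 192.0.2.10] File does not exist: /var/www/html/admin',
    '[Sun Feb 16 08:13:32.123456 2014] [core:error] [pid 4312] [client 192.0.2.10:51234] AH00128: File does not exist: /var/www/html/admin',
    '[Sun Feb 16 08:13:33 2014] [notice] caught SIGTERM, shutting down',
);

for my $line (@samples) {
    my @r = apache_rules($line, '/var/log/httpd/error_log');
    if (@r > 1) {
        # Same list lfd would receive: text, IP, rule name, trigger count, ports, duration
        print "BLOCK $r[1] ($r[0]) after $r[3] hits on ports $r[4]\n";
    } else {
        print "skip  $line\n";
    }
}
```

Only the first two lines produce a block, each with 192.0.2.10 as the address; the 2.2 rule does not match the 2.4 line and vice versa, so check which layout your own error_log uses before choosing a pattern.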

---------------------------X---------------------------

use lfd to scan logfiles for custom auth failures

2 examples:

/var/log/mail.log

scan for smtp auth failures like

Jul 14 08:34:54 ns1 postfix/smtpd[20888]: warning: unknown[xx.xx.xx.xx]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

/var/log/auth.log

scan for dovecot imap login failures like

Jul 14 08:34:05 ns1 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=contact rhost=xx.xx.xx.xx

in /etc/csf/csf.conf define

CUSTOM1_LOG = "/var/log/mail.log"

CUSTOM2_LOG = "/var/log/auth.log"

in /etc/csf/regex.custom.pm

add


if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]*? authentication failed/)) {

return ("Failed SASL login from",$1,"mysaslmatch","5","list of ports to block this IP","14400");

}



if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ auth:\ pam_unix\(dovecot:auth\): authentication failure; .* rhost\=(\d+\.\d+\.\d+\.\d+)/)) {

return ("Failed dovecot auth login from",$1,"dovecot_auth_match","5","list of ports to block this IP","14400");

}



-----------------------------------------------------------------------------

Centos 6 log:


Feb 21 09:14:45 web4 postfix/smtpd[4921]: warning: unknown[203.116.95.22]: SASL LOGIN authentication failed: authentication failure

Centos 7 log


Feb 21 09:38:54 web5 postfix/smtpd[15471]: warning: 74-92-209-81-Colorado.hfc.comcastbusiness.net[74.92.209.81]: SASL Login authentication failed: authentication failure

#Postfix SMTP AUTH (Plesk)

if (($config{LF_SMTPAUTH}) and ($globlogs{SMTPAUTH_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ postfix\/smtpd(?:\[\d+\])?: warning: \S+\[(\S+)\]: SASL (?:(?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed/)) {
    $ip = $2;
    $ip =~ s/^::ffff://;
    if (checkip(\$ip)) {return ("Failed SMTP AUTH login from","$ip","smtpauth")} else {return}
}
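The CentOS 6 and CentOS 7 lines above differ in exactly the details these regexes key on: "SASL LOGIN" versus "SASL Login" (the custom rules use [A-Z]*?, lfd's own LF_SMTPAUTH pattern uses (?i)), and "postfix/smtpd" versus "postfix/submission/smtpd" (the CentOS 7 section needs its own rule). The stand-alone Perl harness below is an added example, not code from CSF or from these notes: it calls each rule the way lfd calls custom_line() and reports what each one returns for the three log lines quoted in these notes. The rule_* function names, the %config/%globlogs stand-ins (one log under CUSTOM1_LOG instead of SMTPAUTH_LOG), and the trigger count, ports and duration returned by the lfd-style rule are assumptions of this example; lfd's checkip() helper is not available outside lfd, so the harness returns the address directly.

```perl
#!/usr/bin/perl
# Added example (not CSF code): a stand-alone harness that calls SASL rules
# the way lfd calls custom_line(), so each regex can be checked offline
# against real log lines before it goes into regex.custom.pm.
use strict;
use warnings;

# Stand-ins for the %config and %globlogs hashes that lfd provides.
my %config   = (CUSTOM1_LOG => '/var/log/maillog');
my %globlogs = (CUSTOM1_LOG => { '/var/log/maillog' => 1 });

# Rule 1: the CentOS 6 rule from these notes. [A-Z]*? only matches an
# upper-case method name and postfix\/smtpd only the plain smtpd instance.
sub rule_centos6 {
    my ($line, $lgfile) = @_;
    if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]*? authentication failed/)) {
        return ("Failed SASL login from", $1, "mysaslmatch", "3", "25", "3600");
    }
    return 0;
}

# Rule 2: the submission-instance rule from the CentOS 7 section.
sub rule_submission {
    my ($line, $lgfile) = @_;
    if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/submission\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]*? authentication failed/)) {
        return ("Failed SASL login from", $1, "mysaslmatch", "10", "25,465,587", "1");
    }
    return 0;
}

# Rule 3: the pattern lfd's own LF_SMTPAUTH check uses (quoted above).
# (?i) makes the method name case-insensitive, and ::ffff: is stripped
# from IPv4-mapped IPv6 addresses. Trigger count, ports and duration
# here are assumed values for the harness.
sub rule_lfd_smtpauth {
    my ($line, $lgfile) = @_;
    if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^(\S+|\S+\s+\d+\s+\S+) \S+ postfix\/smtpd(?:\[\d+\])?: warning: \S+\[(\S+)\]: SASL (?:(?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed/)) {
        my $ip = $2;
        $ip =~ s/^::ffff://;
        return ("Failed SMTP AUTH login from", $ip, "smtpauth", "5", "25,465,587", "3600");
    }
    return 0;
}

# Sample lines are the ones quoted in these notes (CentOS 6, CentOS 7, submission).
my @samples = (
    'Feb 21 09:14:45 web4 postfix/smtpd[4921]: warning: unknown[203.116.95.22]: SASL LOGIN authentication failed: authentication failure',
    'Feb 21 09:38:54 web5 postfix/smtpd[15471]: warning: 74-92-209-81-Colorado.hfc.comcastbusiness.net[74.92.209.81]: SASL Login authentication failed: authentication failure',
    'Feb 16 08:13:32 mail02 postfix/submission/smtpd[4312]: warning: unknown[83.219.76.26]: SASL PLAIN authentication failed:',
);

my %rules = (
    centos6      => \&rule_centos6,
    submission   => \&rule_submission,
    lfd_smtpauth => \&rule_lfd_smtpauth,
);

for my $line (@samples) {
    print "$line\n";
    for my $name (sort keys %rules) {
        # lfd passes the line and the log file it came from; a one-element
        # list (0) means "no match", a longer list is a block request.
        my @r = $rules{$name}->($line, $config{CUSTOM1_LOG});
        if (@r > 1) {
            my $how = $r[5] eq '1' ? 'permanently' : "for $r[5] seconds";
            printf "  %-13s blocks %-15s after %2s hits on ports %s %s\n", $name, $r[1], $r[3], $r[4], $how;
        } else {
            printf "  %-13s no match\n", $name;
        }
    }
}
```

Running it shows the gaps: the CentOS 6 rule catches only the first line (mixed-case "Login" and the submission instance both slip past it), the submission rule catches only the third, and the lfd-style pattern catches the first two but not the submission instance because its path is fixed to postfix/smtpd. Whichever rule you paste into regex.custom.pm, feed it a handful of lines from your own maillog this way first.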

------------------------------------------------------xxxxxxxxxxx--------------------------------------------------------

Recommended CSF/LFD Configuration for CWP

Configuration file: /etc/csf/csf.conf

LF_SSHD = "7"
LF_SSHD_PERM = "1"
LF_FTPD = "7"
LF_FTPD_PERM = "1"
LF_POP3D = "7"
LF_POP3D_PERM = "1"
LF_IMAPD = "7"
LF_IMAPD_PERM = "1"
LF_SMTPAUTH = "7"
LF_SMTPAUTH_PERM = "1"
LF_HTACCESS = "7"
LF_HTACCESS_PERM = "1"
LF_MODSEC = "7"
LF_MODSEC_PERM = "1"

Log paths:

HTACCESS_LOG = "/usr/local/apache/logs/error_log"
MODSEC_LOG = "/usr/local/apache/logs/error_log"
SSHD_LOG = "/var/log/secure"
FTPD_LOG = "/var/log/messages"
POP3D_LOG = "/var/log/dovecot-info.log"
IMAPD_LOG = "/var/log/dovecot-info.log"
SMTPAUTH_LOG = "/var/log/maillog"

Custom regex for mod_security, file /etc/csf/regex.custom.pm:

#mod_security
if (($config{LF_MODSEC}) and ($globlogs{MODSEC_LOG}{$lgfile}) and ($line =~ /^\[\S+ \S+ \S+ \S+ \S+\] \[(\w*)?:error\] (\[pid \d+(:tid \d+)\]) \[client \S+:\S+\] \[client (\S+)\] ModSecurity:(( \[[^\]]+\])*)? Access denied/)) {
    my $ip = $4;
    $ip =~ s/^::ffff://;
    if (split(/:/,$ip) == 2) {$ip =~ s/:\d+$//}
    my $ruleid = "unknown";
    if ($line =~ /\[id "(\d+)"\]/) {$ruleid = $1}
    if (checkip(\$ip)) {return ("mod_security (id:$ruleid) triggered by","$ip","mod_security-custom","4","80,443","1")} else {return}
}

--------------------------------------------------------------------------------

Step 1:

Go to Firewall Configuration (/etc/csf/csf.conf) and add these custom logs (they are at the end of the file):

CUSTOM2_LOG = "/var/log/maillog"

CUSTOM3_LOG = "/var/log/dovecot-info.log"

(Run grep -rnw 'auth failed' /var/log/ to check where failed logins are logged.)

Step 2:

Add this regex to /usr/local/csf/bin/regex.custom.pm or /etc/csf/regex.custom.pm :

# Do not edit before this point

if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]*? authentication failed/)) {
    return ("Failed SASL login from",$1,"mysaslmatch","3","25","1");
}

# The port list is one comma-separated string ("110,995"), not two separate list items
if (($lgfile eq $config{CUSTOM3_LOG}) and ($line =~ /^\S+\s+\S+\s+\S+ pop3\-login.*auth failed.*rip\=(\S+[0-9])/)) {
    return ("Pop3 failed login",$1,"pop3failed","3","110,995","1");
}

if (($lgfile eq $config{CUSTOM3_LOG}) and ($line =~ /^\S+\s+\S+\s+\S+ imap\-login.*no auth attempts.*rip\=(\S+[0-9])/)) {
    return ("imap-login: Info: Disconnected (no auth attempts)",$1,"imapnoauth","3","143,993","1");
}

if (($lgfile eq $config{CUSTOM3_LOG}) and ($line =~ /^\S+\s+\S+\s+\S+ imap\-login.*auth failed.*rip\=(\S+[0-9])/)) {
    return ("imap-login: Info: Disconnected: Inactivity (auth failed)",$1,"imapfailedlogins","3","143,993","1");
}

# Do not edit beyond this point

Restart CSF & LFD (csf -r & lfd -r)

If you run the CSF/LFD firewall on your server then you’ve no doubt seen the emails complaining about high resource usage for various accounts. This small tutorial will show you how to minimize them.

What does it mean?

Simply, it means that the process is using more resources than allowed.

Is it safe to change the default settings for it?

This is up to you – more than likely, if you’re searching for the term “Excessive resource usage”, then you are getting hammered with emails – which is actually worse because you’ll be numb to the alerts and won’t react if something really is going wrong (or won’t notice it because of all of the other email/alerts coming in all the time).

There are three things you can do:

1. Disable the check

2. Modify the check

3. Ignore certain users/commands that frequently send resource emails

1. Disable:

If you want to disable the check (we recommend you modify it instead – since you actually DO want these emails.. if they’re real), simply edit /etc/csf/csf.conf and change:

PT_USERMEM = "0"

2. Modify:

If you would like to modify the check (we recommend), simply edit /etc/csf/csf.conf and change:

PT_USERMEM = "300"

This will raise the limit from 200 MB to 300 MB. You can put whatever you want there, but set it a little higher than what you're seeing come through as your false positives.

3. Ignore certain users/commands:

If you want to ignore certain users or commands, then you would edit /etc/csf/csf.pignore and add a line for each user or command.

If you get an ‘excessive resource usage

exe:/usr/sbin/nrpe -c /etc/nagios/nrpe.cfg -d

exe:/usr/sbin/pmtad

exe:/usr/sbin/hald

exe:/usr/libexec/hald-addon-acpi

How to disable these alerts

Disabling these alerts is not a good method to follow. These email alerts are very useful for monitoring the usage of server resources by the user accounts. If you find that a particular process/service is necessary, you can allow it to continue using the server resources and disable only the LFD notifications for it. You can disable LFD excessive memory usage notifications by using three methods. Each method is explained below. You can access the CSF configuration via WHM or the terminal. I have already explained how to access CSF configuration via WHM.

 

Method 1

This method will permanently disable the LFD excessive resource usage alert. Performing this method will pose a security issue.

1) Login to your WHM

2) Open the CSF Firewall configuration

3) Modify the value of directives PT_USERMEM and PT_USERTIME to 0.

PT_USERMEM = 0

PT_USERTIME = 0

4) Save the settings.

 

Method 2

In this method, we will increase the values of both memory and time to disable the LFD alerts. This method is a temporary one. If any process/service uses more resources than defined, you will continue to receive the LFD alerts.

1) Login to your WHM

2) Open the CSF Firewall configuration

3) Modify the value of the directives PT_USERMEM and PT_USERTIME to the desired values.

PT_USERMEM = 500

PT_USERTIME = 150000

4) Save the settings

 

Method 3

This method is a standard technique to disable the LFD alerts. In this method, we will include the particular process/service in pignore of CSF. The pignore of CSF will ignore the particular process/service included in it and hence disables the LFD alerts.

1) Login to your server as root user.

2) Using your favorite editor open pignore of CSF. The common location of pignore is /etc/csf/csf.pignore.

3) Add the command line path specified in the alert to the pignore of CSF.

4) Save changes.

--------------------------------------------

# vi /etc/csf/csf.conf

CUSTOM1_LOG = "/var/log/maillog"

CUSTOM2_LOG = "/var/log/cwp_client_login.log"

CUSTOM3_LOG = "/var/log/dovecot-info.log"

# vi /etc/csf/regex.custom.pm

----------

#!/usr/bin/perl

sub custom_line {
    my $line = shift;
    my $lgfile = shift;
# Do not edit before this point

    #Postfix/smtpd SASL authentication failure
    if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]*? authentication failed/)) {
        return ("Failed SASL login from",$1,"mysaslmatch","5","25,465,587","3600");
    }

    #Trying to download htaccess or htpasswd  (Default: 1 error bans for 24 hours)
    # Note: this rule is keyed to CUSTOM1_LOG, which is /var/log/maillog above;
    # it only fires if a CUSTOM*_LOG points at the nginx error log.
    # (The original had a stray ")" after GET, which would not compile.)
    if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /.*\.(htpasswd|htaccess).*client: (\S+),.*GET/)) {
        return ("Trying to download .ht files",$2,"nginx_htfiles","1","80,443","86400");
    }

    # CWP Login failure
    if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /^\S+\s+\S+\s+(\S+)\s+Failed Login from:\s+(\S+) on: (\S+)/)) {
        return ("Failed CWP-Login login for User: $1 from IP: $2 URL: $3",$2,"cwplogin","5","2030,2031","3600");
    }

    # POP3 Brute force
    if (($globlogs{CUSTOM3_LOG}{$lgfile}) and ($line =~ /\S+\s+\d+\s+\S+ pop3-login: Info: (Aborted login|Disconnected)( \(auth failed, \d+ attempts\):)? user=<\S*>, method=\S+, rip=(\S+),/)) {
        return ("POP3 bruteforce login from",$3,"pop3-login","5","110,995","3600");
    }

# Do not edit beyond this point
    return 0;
}

1;

------------XXXXXXXXXX--------------------

SMTPAUTH_LOG

/var/log/maillog

In csf.conf:


LF_TRIGGER = 0
LF_TRIGGER_PERM = 1
SMTPAUTH_LOG = "/var/log/maillog"

1) Make a file /usr/local/csf/bin/csfpre.sh

2) Add the code


#!/bin/sh
iptables -A INPUT -p tcp --match multiport --dport 10,25,26,465,587 -m string --string 'lost' --algo bm -j DROP

3) Make the file executable

4) Restart CSF

I wrote this originally to stop connections from ylmf-pc computers - I don't know if it will work in your scenario that relies on "after connection" processing of the exim log.

Edit:

Looking at your regex, I wonder if the following would work


# Matches "SMTP connection from ... lost"
if (($globlogs{SMTPAUTH_LOG}{$lgfile}) and ($line =~ /(^.+ SMTP connection from hostname .+ lost D=.+)/)) {
    return ("Blocked SMTP connection lost from",$1,"customsmtp1","10","25,465,587","1","0");
}

There are some good examples at 

----------------------------XXXXXXXXXXXXXXXXXXXXXXXX________________________________________________

Re: CSF custom regex / Fail2ban regex

Finally I managed to get both the CSF regex & fail2ban regex to work and the spam being minimized a lot. Hope this will help someone.  

For CSF

========

1. Set the value of CUSTOM2_LOG in CSF to /var/log/maillog.

2. Set the following in /etc/csf/regex.custom.pm. You may also test your regex pattern at https://regex101.com.


if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^.*postfix\/smtpd\[.*\]: NOQUEUE: reject: RCPT from (\S+)\[(\S+)\]: 450 4.1.1 <(\S+)>.*$/))  {

      #It will block permanently anyone with more than 1 matches.

      return ("450 4.1.1 spammer do not delete - $3",$2,"SMTP","1","25,587,465","1");

}

3. Restart CSF & LFD.


service lfd restart

csf -r

4. Check the CSF log file /etc/csf/csf.deny.

For fail2ban

========

1. In /etc/fail2ban/jail.conf, [postfix-tcpwrapper] section, set the following.


enabled  = true

filter   = postfix

action   = hostsdeny[file=/etc/hosts.deny]

logpath  = /var/log/maillog

bantime  = 604800

ignoreip = 127.0.0.1/8

findtime  = 300

maxretry = 3

You may adjust the values of bantime & maxretry to your own desired values.

2. Set the regex in /etc/fail2ban/filter.d/postfix.conf.


failregex = reject: RCPT from .*\[<HOST>\]: 450 4.1.1

            reject: RCPT from .*\[<HOST>\]: 454 4.7.1

            reject: RCPT from (.*)\[<HOST>\]: 554

3. You may test run the regex checking with the command as below.


fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix.conf

4. Restart fail2ban service. (service fail2ban restart)

5. Check the file /etc/hosts.deny to see if any IP is being banned.

--------------------------------------------------------------------------------

Custom regex rules for CSF/LFD and NginX plus Wordpress fail2ban plugin

regex.custom.pm

-------------------------------------------------------

-