

SOLVED Help with CSF custom regex

Discussion in 'Security' started by phil99, Jun 10, 2018.

  1. phil99

    phil99 Registered

    Joined:
    Jun 10, 2018
    Messages:
    4
    Likes Received:
    1
    Trophy Points:
    1
    Location:
    UK
    cPanel Access Level:
    Root Administrator
    Hi, I was wondering if someone might be able to help me understand why the following ConfigServer Firewall custom regex entry doesn't work.

    My /var/log/exim_mainlog gets flooded with entries like:

    Code:
    2018-06-10 10:10:34 SMTP connection from hostname [xx.xx.xx.xx]:52250 lost D=10s
    
    There are sometimes thousands of such entries in a short space of time. Whilst they are probably more of annoyance than a threat, I would like to block them.

    I have created the following entry in /usr/local/csf/bin/regex.custom.pm:

    Code:
    # SMTP connection flooding in exim_mainlog
    # Matches "SMTP connection from ... lost"
      if (($globlogs{SMTPAUTH_LOG}{$lgfile}) and ($line =~ /^\S+\s+\S+\s+(\[\d+\] )?SMTP connection from (\S+ )?\[(\S+)\](:\S*)? lost/)) {
         return ("Blocked SMTP connection lost from",$1,"customsmtp1","10","25,465,587","1","0");
      }
    
    In csf.conf:

    Code:
    LF_TRIGGER = 0
    LF_TRIGGER_PERM = 1
    SMTPAUTH_LOG = "/var/log/exim_mainlog"
    
    I am restarting lfd after making changes to regex.custom.pm.

    But it does not work - there are no entries in lfd.log, no emails sent.

    I think that the regex itself it ok, as I have tested it against the exim_mainlog and it catches entries as expected:

    Code:
    # grep -P "^\S+\s+\S+\s+(\[\d+\] )?SMTP connection from (\S+ )?\[(\S+)\](:\S*)? lost" exim_mainlog
    2018-06-10 10:10:34 SMTP connection from hostname [xx.xx.xx.xx]:52250 lost D=10s
    ...
    
    I have tried with {CUSTOM1_LOG} instead of {SMTPAUTH_LOG}, with a corresponding csf.conf entry, but it makes no difference.

    I have also tried with the alternative entry format that I have seen posted:

    Code:
      if (($lgfile eq $config{SMTPAUTH_LOG} and ($line =~ /^\S+\s+\S+\s+(\[\d+\] )?SMTP connection from (\S+ )?\[(\S+)\](:\S*)? lost/)) {
         return ("Blocked SMTP connection lost from",$1,"customsmtp1","10","25,465,587","1","0");
      }
    
    But still nothing.

    Anyone any ideas? Thanks.
     
  2. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Messages:
    732
    Likes Received:
    251
    Trophy Points:
    113
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    Try this:

    1) Make a file /usr/local/csf/bin/csfpre.sh
    2) Add the code
    Code:
    #!/bin/sh
    iptables -A INPUT -p tcp --match multiport --dport 10,25,26,465,587 -m string --string 'lost' --algo bm -j DROP
    3) Make the file executable
    4) Restart CSF

    I wrote this originally to stop connections from ylmf-pc computers - I don't know if it will work in your scenario that relies on "after connection" processing of the exim log.

    Edit:

    Looking at your regex, I wonder if the following would work
    Code:
    # Matches "SMTP connection from ... lost"
      if (($globlogs{SMTPAUTH_LOG}{$lgfile}) and ($line =~ /(^.+ SMTP connection from hostname .+ lost D=.+)/)) {
        return ("Blocked SMTP connection lost from",$1,"customsmtp1","10","25,465,587","1","0");
      }
    There are some good examples at
    CSF Firewall (regex.custom.pm) share custom rules

    and
    Custom REGEX rules for CSF. - ConfigServer Community Forum
     
    #2 rpvw, Jun 10, 2018
    Last edited: Jun 10, 2018
    cPanelLauren likes this.
  3. phil99

    phil99 Registered

    Joined:
    Jun 10, 2018
    Messages:
    4
    Likes Received:
    1
    Trophy Points:
    1
    Location:
    UK
    cPanel Access Level:
    Root Administrator
    Hi rpvw.
    Thanks for your help. Based on your edit, I tried the following (there isn't always a hostname or D=):

    Code:
      if (($globlogs{SMTPAUTH_LOG}{$lgfile}) and ($line =~ /^.+ SMTP connection from .+ lost/)) {
          return ("Blocked SMTP connection lost from",$1,"customsmtp1","10","25,465,587","1","0");
      }
    
    Still no luck.

    The regex was again tested with grep -P and worked as expected. I'm not sure you could make the regex any simpler than that, but I am far from an expert in those.

    Thanks for the links. I've seen the examples in the csf forums, but I can't see what I'm doing wrong. I may post there as well.
     
  4. fuzzylogic

    fuzzylogic Well-Known Member

    Joined:
    Nov 8, 2014
    Messages:
    85
    Likes Received:
    46
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    No time to test this for you, but I see an error in the logic of your regex.
    The ip would be stored in the $2 variable because it is the 2nd capture in the expression.
    So try...
    Code:
      if (($lgfile eq $config{SMTPAUTH_LOG} and ($line =~ /^\S+\s+\S+\s+(\[\d+\] )?SMTP connection from (\S+ )?\[(\S+)\](:\S*)? lost/)) {
         return ("Blocked SMTP connection lost from",$2,"customsmtp1","10","25,465,587","1","0");
      }
     
    rpvw likes this.
  5. fuzzylogic

    fuzzylogic Well-Known Member

    Joined:
    Nov 8, 2014
    Messages:
    85
    Likes Received:
    46
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    On closer inspection the ip would be in $3.
    Here is a different regex (simpler) that will capture the ip to $1
    I would also stick to using the CUSTOM1_LOG log file definitions until it's working before experimenting with using SMTPAUTH_LOG.
    Code:
    # SMTP connection flooding in exim_mainlog
    # Matches "SMTP connection from ... lost"
      if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+ \S+ SMTP connection from \S+ \[(\S+)\]:\d+ lost D=\d+s/)) {
         return ("Blocked SMTP connection lost from",$1,"customsmtp1","10","25,465,587","1");
      }
     
    #5 fuzzylogic, Jun 10, 2018
    Last edited: Jun 10, 2018
    rpvw likes this.
  6. fuzzylogic

    fuzzylogic Well-Known Member

    Joined:
    Nov 8, 2014
    Messages:
    85
    Likes Received:
    46
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Found another issue...
    ("Blocked SMTP connection lost from",$1,"customsmtp1","10","25,465,587","1","0")
    Should be...
    ("Blocked SMTP connection lost from",$1,"customsmtp1","10","25,465,587","1")
     
    rpvw likes this.
  7. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Messages:
    732
    Likes Received:
    251
    Trophy Points:
    113
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    I forgot all about the group assignation of the variables :( - thanks @fuzzylogic for the corrections.
     
  8. phil99

    phil99 Registered

    Joined:
    Jun 10, 2018
    Messages:
    4
    Likes Received:
    1
    Trophy Points:
    1
    Location:
    UK
    cPanel Access Level:
    Root Administrator
    Hi fuzzylogic.

    Thanks for your help, you solved it! Simply changing $1 to $3 worked with my original regex (which was based on some in RegexMain.pm anyway), whether there is a hostname or not, i.e.

    Code:
      if (($globlogs{SMTPAUTH_LOG}{$lgfile}) and ($line =~ /^\S+\s+\S+\s+(\[\d+\] )?SMTP connection from (\S+ )?\[(\S+)\](:\S*)? lost/)) {
         return ("Blocked SMTP connection lost from",$3,"customsmtp1","10","25,465,587","1","0");
      }
    
    I don't know perl at all, and had wondered what the $1 was doing. Now I know (sort of *)

    About your last post, the final parameter is for CF_ENABLE, which I do not have enabled, but the expression works with the parameter in place (set to zero) anyway.

    * If you have a bit more time, I am unclear as to what the 3 catches are?

    But thanks for your time.
     
    cPanelLauren likes this.
  9. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Messages:
    732
    Likes Received:
    251
    Trophy Points:
    113
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    Here is the easy way of testing (that I should have done) and understanding the variables.

    1) Go to Regex Tester and Debugger Online - Javascript, PCRE, PHP
    2) Paste the regex
    Code:
    ^\S+\s+\S+\s+(\[\d+\] )?SMTP connection from (\S+ )?\[(\S+)\](:\S*)? lost
    into the top line

    3) Paste your log example
    Code:
    2018-06-10 10:10:34 SMTP connection from hostname [xx.xx.xx.xx]:52250 lost D=10s
    into the Test String area.

    You should see that it has indicated 1 Match, and if you mouse over the Test String, you will get a popup of all the variables it has discovered, showing that the xx.xx.xx.xx is group #3.
     
    cPanelLauren likes this.
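The capture-group question from post #8 and the testing approach in post #9 can also be checked offline with a small Perl script. This is an added example, not code from the thread or from CSF itself; the log lines are constructed (RFC 5737 documentation addresses stand in for clients), and `custom_line` only mirrors the shape of a regex.custom.pm rule, it is not lfd's own code.

```perl
#!/usr/bin/perl
# Added example: show what each capture group of the thread's regex holds,
# so the right one ($3, the client IP) is handed back to lfd.
use strict;
use warnings;

# Constructed exim_mainlog-style lines: with a hostname, without one,
# with an exim process id in brackets, and one that must NOT match.
my @lines = (
    '2018-06-10 10:10:34 SMTP connection from hostname [192.0.2.10]:52250 lost D=10s',
    '2018-06-10 10:10:35 SMTP connection from [198.51.100.7]:40111 lost',
    '2018-06-10 10:10:36 [12345] SMTP connection from mail.example.net [203.0.113.9]:25 lost D=3s',
    '2018-06-10 10:10:37 SMTP connection from [203.0.113.9]:25 (TCP/IP connection count = 1)',
);

# The regex from the thread. Groups are numbered left to right by opening
# parenthesis: $1 = optional "[pid] " prefix, $2 = optional "hostname ",
# $3 = the IP inside the square brackets, $4 = optional ":port" suffix.
# An optional group that did not participate in the match is undef.
my $re = qr/^\S+\s+\S+\s+(\[\d+\] )?SMTP connection from (\S+ )?\[(\S+)\](:\S*)? lost/;

# Mirrors the shape of a regex.custom.pm rule (hypothetical helper): returns the
# tuple (description, ip, trigger, count, ports, duration) or nothing.
sub custom_line {
    my ($line) = @_;
    if ($line =~ $re) {
        return ("Blocked SMTP connection lost from", $3, "customsmtp1", "10", "25,465,587", "1");
    }
    return;
}

for my $line (@lines) {
    if ($line =~ $re) {
        printf "match: \$1=%s \$2=%s \$3=%s \$4=%s\n",
            map { defined $_ ? "'$_'" : 'undef' } ($1, $2, $3, $4);
        my @rule = custom_line($line);
        print "  IP passed to lfd: $rule[1]\n";
    } else {
        print "no match: $line\n";
    }
}
```

Running it prints the four groups for each of the three matching lines and "no match" for the fourth, which makes it easy to see why $1 (the pid prefix) and $2 (the hostname) were empty or wrong and $3 is the address to block.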
  10. phil99

    phil99 Registered

    Joined:
    Jun 10, 2018
    Messages:
    4
    Likes Received:
    1
    Trophy Points:
    1
    Location:
    UK
    cPanel Access Level:
    Root Administrator
    Brilliant, thanks rpvw
     
  11. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    2,244
    Likes Received:
    161
    Trophy Points:
    143
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    @fuzzylogic and @rpvw

    Nice work guys, thanks for all your help on this!

    @phil99 I'm glad to see they were able to help you get sorted please let us know if you have any further issues but for now I think we can safely mark this one as solved.
     