Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Is anyone good with CSF custom regex ?

Discussion in 'Security' started by keat63, Apr 6, 2018.

Tags:
  1. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    1,296
    Likes Received:
    91
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    I reguarly see the follwing error in my logs.

    Dropping connection from xxx.xxx.xxx.xxx because of tcp_wrappers at cpsrvd.pl line 3622

    I believe caused by unauthorised cpanel login attempts.

    Whilst I have HAC configured to only allow a small number of IP's cpanel access, i'd still like CSF to add the offending IP to the blocklist, but i've absolutely no idea how to write a custom regex.
    I've asked a few times on the CSF forum, but never had a reply.

    Are there any regex guru's on here who could help ?
     
    #1 keat63, Apr 6, 2018
  2. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    6,476
    Likes Received:
    507
    Trophy Points:
    263
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @keat63

    That message is a result of using Host Access control to limit access to the server. I know you mentioned you'd posted to the CSF forums already but I did find a thread called "Custom REGEX rules for CSF." which has quite a few examples of which you could most likely modify to suit your needs
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 cPanelLauren, Apr 6, 2018
  3. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    1,296
    Likes Received:
    91
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    I too have seen that thread, however, it might as well be written in a foriegn langauge as it means absolutely nothing to me.
    It's just a series of numbers and commas.
     
    #3 keat63, Apr 6, 2018
  4. fuzzylogic

    fuzzylogic Well-Known Member

    Joined:
    Nov 8, 2014
    Messages:
    131
    Likes Received:
    76
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    Two requests.
    1. Could you post the full line of that log message? (anonymizing IP, username or host name)
      Knowing the date, time formats, number of spaces etc. before the word "Dropping" allows for much better performing regex.
    2. Which log file does that line occur in? (I am assuming /var/log/messages)
     
    #4 fuzzylogic, Apr 7, 2018
  5. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    1,296
    Likes Received:
    91
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    I recreated this using my mobile phone, which is not included in HAC.

    The message appears in usr/local/cpanel/logs/error_log

    No server names or time stamps just the following message.

    Dropping connection from xxx.xxx.xxx.xxx because of tcp_wrappers at cpsrvd.pl line 3622.
     
    #5 keat63, Apr 9, 2018
  6. fuzzylogic

    fuzzylogic Well-Known Member

    Joined:
    Nov 8, 2014
    Messages:
    131
    Likes Received:
    76
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    Actual version for Keat because his errors have no date/time stamp or hostname.
    Sample log line...
    Code:
    Dropping connection from xxx.xxx.xxx.xxx because of tcp_wrappers
    In /etc/csf/csf.conf at about line 2600 (40 lines from end of file) set...
    Code:
    CUSTOM1_LOG = "/usr/local/cpanel/logs/error_log"
    Then save - Hint: this edit can not be done from within the CSF ui, it must be done by ssh console

    In /usr/local/csf/bin/regex.custom.pm
    Add the following code...
    Code:
    if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^Dropping connection from (\S+) because of tcp_wrappers/)) {
    return ("5 cPanel login attempts from IP not in Host Access Control list",$1,"keats_hammer_4","5","2077,2078,2082,2083,2086,2087,2095,2096","1");
}
    Restart lfd
    Generate 5 test log lines either using your mobile phone as you posted or...
    by using the following command from a ssh console (in which you can use any valid ip address)...
    Code:
    echo "Dropping connection xxx.xxx.xxx.xxx because of tcp_wrappers at cpsrvd.pl line 3622" >> /usr/local/cpanel/logs/error_log
    This should achieve blocking of the ip
    Depending on your settings in /etc/csf/csf.conf the block can take 2 forms...
    If
    Code:
    LF_TRIGGER = 0
LF_TRIGGER_PERM = 1
    You will get permanent block with ip added to deny list

    Read the following from /usr/local/csf/bin/regex.custom.pm to acheive temperary blocking or port specific blocking.
    Code:
    # Example:
#    if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ pure-ftpd: \(\?\@(\d+\.\d+\.\d+\.\d+)\) \[WARNING\] Authentication failed for user/)) {
#        return ("Failed myftpmatch login from",$1,"myftpmatch","5","20,21","1");
#    }
#
# The return values from this example are as follows:
#
# "Failed myftpmatch login from" = text for custom failure message
# $1 = the offending IP address
# "myftpmatch" = a unique identifier for this custom rule, must be alphanumeric and have no spaces
# "5" = the trigger level for blocking
# "20,21" = the ports to block the IP from in a comma separated list, only used if LF_SELECT enabled
# "1" = n/temporary (n = number of seconds to temporarily block) or 1/permanant IP block, only used if LF_TRIGGER is disabled
    # In my test the ip was added to the deny list and the following email was generated...
    -----
    Time: Tue Apr 10 17:13:04 2018 +1000
    IP: xxx.xxx.xxx.xxx (CN/China/-)
    Failures: 5 (keats_hammer_4)
    Interval: 86400 seconds
    Blocked: Permanent Block [LF_CUSTOMTRIGGER]

    Log entries:

    Dropping connection from xxx.xxx.xxx.xxx because of tcp_wrappers at cpsrvd.pl line 3622
    Dropping connection from xxx.xxx.xxx.xxx because of tcp_wrappers at cpsrvd.pl line 3622
    Dropping connection from xxx.xxx.xxx.xxx because of tcp_wrappers at cpsrvd.pl line 3622
    Dropping connection from xxx.xxx.xxx.xxx because of tcp_wrappers at cpsrvd.pl line 3622
    Dropping connection from xxx.xxx.xxx.xxx because of tcp_wrappers at cpsrvd.pl line 3622
    -----
     
    #6 fuzzylogic, Apr 10, 2018
    cPanelMichael likes this.
  7. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    1,296
    Likes Received:
    91
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    I followed the instructions, but it CSF doesn't seem to block the IP.
    Initially, I used the echo method, and after a few attempts discovered a slight syntax error. (missing from)
    After it still didn't add the IP, i tried from my phone.
    I can see my IP is generating the string, but still doesn't seem to add my IP to CSF block list.

    LF_TRIGGER = 0
    LF_TRIGGER_PERM = 1

    Code:
    CUSTOM1_LOG = "usr/local/cpanel/logs/error_log"
CUSTOM2_LOG = "/var/log/customlog"
CUSTOM3_LOG = "/var/log/customlog"
CUSTOM4_LOG = "/var/log/customlog"
CUSTOM5_LOG = "/var/log/customlog"
CUSTOM6_LOG = "/var/log/customlog"
CUSTOM7_LOG = "/var/log/customlog"
CUSTOM8_LOG = "/var/log/customlog"
CUSTOM9_LOG = "/var/log/customlog"
    Code:
    #!/usr/local/cpanel/3rdparty/bin/perl
###############################################################################
# Copyright 2006-2015, Way to the Web Limited
# URL: http://www.configserver.com
# Email: [email protected]
###############################################################################
sub custom_line {
   my $line = shift;
   my $lgfile = shift;

# Do not edit before this point
###############################################################################
#
# Custom regex matching can be added to this file without it being overwritten
# by csf upgrades. The format is slightly different to regex.pm to cater for
# additional parameters. You need to specify the log file that needs to be
# scanned for log line matches in csf.conf under CUSTOMx_LOG. You can scan up
# to 9 custom logs (CUSTOM1_LOG .. CUSTOM9_LOG)
#
# The regex matches in this file will supercede the matches in regex.pm
#
# Example:
#   if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ pure-ftpd: \(\?\@(\d+\.\d+\.\d+\.\d+)\) \[WARNING\] Authentication failed for user/)) {
#       return ("Failed myftpmatch login from",$1,"myftpmatch","5","20,21","1");
#   }
#
# The return values from this example are as follows:
#
# "Failed myftpmatch login from" = text for custom failure message
# $1 = the offending IP address
# "myftpmatch" = a unique identifier for this custom rule, must be alphanumeric and have no spaces
# "5" = the trigger level for blocking
# "20,21" = the ports to block the IP from in a comma separated list, only used if LF_SELECT enabled. To specify the protocol use 53;udp,53;tcp
# "1" = n/temporary (n = number of seconds to temporarily block) or 1/permanant IP block, only used if LF_TRIGGER is disabled
# If the matches in this file are not syntactically correct for perl then lfd
# will fail with an error. You are responsible for the security of any regex
# expressions you use. Remember that log file spoofing can exploit poorly
# constructed regex's


if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^Dropping connection from (\S+) because of tcp_wrappers/)) {
    return ("5 cPanel login attempts from IP not in Host Access Control list",$1,"keats_hammer_4","5","2077,2078,2082,2083,2086,2087,2095,2096","1");
}

###############################################################################
# Do not edit beyond this point

   return 0;
}

1;


    I can see the string in the email though.
    Maybe I put the regex in the wrong place ??
     
    #7 keat63, Apr 10, 2018
    Last edited: Apr 10, 2018
  8. fuzzylogic

    fuzzylogic Well-Known Member

    Joined:
    Nov 8, 2014
    Messages:
    131
    Likes Received:
    76
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    You have...
    CUSTOM1_LOG = "usr/local/cpanel/logs/error_log"
    in /etc/csf/csf.conf
    I posted...
    CUSTOM1_LOG = "/usr/local/cpanel/logs/error_log"

    I forgot to add that after editing /etc/csf/csf.conf cfs should be restarted.
     
    #8 fuzzylogic, Apr 10, 2018
    cPanelMichael likes this.
  9. fuzzylogic

    fuzzylogic Well-Known Member

    Joined:
    Nov 8, 2014
    Messages:
    131
    Likes Received:
    76
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    Your custom regex appears to be in the right place and identical to my working version.
     
    #9 fuzzylogic, Apr 10, 2018
  10. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    1,296
    Likes Received:
    91
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    Code:
    You have...
CUSTOM1_LOG = "usr/local/cpanel/logs/error_log"
in /etc/csf/csf.conf
I posted...
CUSTOM1_LOG = "/usr/local/cpanel/logs/error_log"

    I looked at that for about 2 minutes, thinking, I don't see where the problem is.
    Then I spotted the preceeding /

    Guess what, it now works.

    Code:
    123.123.123.123 # lfd: (keats_hammer_4) 5 cPanel login attempts from IP not in Host Access Control list 123.123.123.123 (CN/China/Beijing/Beijing/-): 5 in the last 3600 secs - Tue Apr 10 13:10:33 2018
    This issue has taken me at least 2 years to finally get a resolution.
    I owe you a beer.

    Would you mind me sharing this on the CSF forum. ?
     
    #10 keat63, Apr 10, 2018
    cPanelMichael likes this.
  11. fuzzylogic

    fuzzylogic Well-Known Member

    Joined:
    Nov 8, 2014
    Messages:
    131
    Likes Received:
    76
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    I.m OK wit you adding it to Serge's list of CSF custom regex.
    Seems appropriate for that thread.
     
    #11 fuzzylogic, Apr 10, 2018
(You must log in or sign up to post here.)
Loading...
Similar Threads - anyone custom regex
  1. devzeronull

    Exim CVE-2019-10149 - Urgent Security Notice For Anyone Using cPanel & WHM Version 78 or lower

    devzeronull, Jun 4, 2019, in forum: Security
    Replies:
    1
    Views:
    1,227
    cPanelMichael
    Jun 4, 2019
  2. Metro2

    SOLVED Anyone else getting timeout yum update failures today?

    Metro2, Feb 19, 2019, in forum: CloudLinux
    Replies:
    3
    Views:
    413
    Metro2
    Feb 20, 2019
  3. BobHoliday

    Switching Off Port 993 - Is Anyone Using It?

    BobHoliday, Nov 23, 2018, in forum: Security
    Replies:
    6
    Views:
    351
    cPanelLauren
    Nov 26, 2018
  4. jazee

    Anyone Migrated from Local Email to 3rd Party Email Hosting?

    jazee, Mar 30, 2018, in forum: E-mail Discussion
    Replies:
    4
    Views:
    543
    jazee
    Sep 3, 2018
  5. ottdev

    Can anyone share profile for "Event" with mod_proxy_fcgi, php-fpm

    ottdev, Mar 18, 2018, in forum: EasyApache
    Replies:
    1
    Views:
    387
    cPanelMichael
    Mar 20, 2018

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice