Help with CSF custom regex
Hi, I was wondering if someone might be able to help me understand why the following ConfigServer Firewall custom regex entry doesn't work.
My /var/log/exim_mainlog gets flooded with entries like:
2018-06-10 10:10:34 SMTP connection from hostname [xx.xx.xx.xx]:52250 lost D=10s
There are sometimes thousands of such entries in a short space of time. Whilst they are probably more of an annoyance than a threat, I would like to block them. I have created the following entry in /usr/local/csf/bin/regex.custom.pm:
# SMTP connection flooding in exim_mainlog
# Matches "SMTP connection from ... lost"
if (($globlogs{SMTPAUTH_LOG}{$lgfile}) and ($line =~ /^\S+\s+\S+\s+(\[\d+\] )?SMTP connection from (\S+ )?\[(\S+)\](:\S*)? lost/)) {
return ("Blocked SMTP connection lost from",$1,"customsmtp1","10","25,465,587","1","0");
}
In csf.conf:
LF_TRIGGER = 0
LF_TRIGGER_PERM = 1
SMTPAUTH_LOG = "/var/log/exim_mainlog"
I am restarting lfd after making changes to regex.custom.pm. But it does not work - there are no entries in lfd.log, no emails sent. I think that the regex itself is ok, as I have tested it against the exim_mainlog and it catches entries as expected:
# grep -P "^\S+\s+\S+\s+(\[\d+\] )?SMTP connection from (\S+ )?\[(\S+)\](:\S*)? lost" exim_mainlog
2018-06-10 10:10:34 SMTP connection from hostname [xx.xx.xx.xx]:52250 lost D=10s
...
I have tried with {CUSTOM1_LOG} instead of {SMTPAUTH_LOG}, with a corresponding csf.conf entry, but it makes no difference. I have also tried with the alternative entry format that I have seen posted:
if (($lgfile eq $config{SMTPAUTH_LOG} and ($line =~ /^\S+\s+\S+\s+(\[\d+\] )?SMTP connection from (\S+ )?\[(\S+)\](:\S*)? lost/)) {
return ("Blocked SMTP connection lost from",$1,"customsmtp1","10","25,465,587","1","0");
}
But still nothing. Anyone any ideas? Thanks.

Try this:
1) Make a file /usr/local/csf/bin/csfpre.sh
2) Add the code
#!/bin/sh
iptables -A INPUT -p tcp --match multiport --dport 10,25,26,465,587 -m string --string 'lost' --algo bm -j DROP
3) Make the file executable
4) Restart CSF
I wrote this originally to stop connections from ylmf-pc computers - I don't know if it will work in your scenario that relies on "after connection" processing of the exim log.
Edit: Looking at your regex, I wonder if the following would work
# Matches "SMTP connection from ... lost"
if (($globlogs{SMTPAUTH_LOG}{$lgfile}) and ($line =~ /(^.+ SMTP connection from hostname .+ lost D=.+)/)) {
return ("Blocked SMTP connection lost from",$1,"customsmtp1","10","25,465,587","1","0");
}
There are some good examples at Custom REGEX rules for CSF. - ConfigServer Community Forum

Hi rpvw. Thanks for your help. Based on your edit, I tried the following (there isn't always a hostname or D=):
if (($globlogs{SMTPAUTH_LOG}{$lgfile}) and ($line =~ /^.+ SMTP connection from .+ lost/)) {
return ("Blocked SMTP connection lost from",$1,"customsmtp1","10","25,465,587","1","0");
}
Still no luck. The regex was again tested with grep -P and worked as expected. I'm not sure you could make the regex any simpler than that, but I am far from an expert in those. Thanks for the links. I've seen the examples in the csf forums, but I can't see what I'm doing wrong. I may post there as well.

No time to test this for you, but I see an error in the logic of your regex. The ip would be stored in the $2 variable because it is the 2nd capture in the expression. So try...
if (($lgfile eq $config{SMTPAUTH_LOG} and ($line =~ /^\S+\s+\S+\s+(\[\d+\] )?SMTP connection from (\S+ )?\[(\S+)\](:\S*)? lost/)) {
return ("Blocked SMTP connection lost from",$2,"customsmtp1","10","25,465,587","1","0");
}

On closer inspection the ip would be in $3. Here is a different regex (simpler) that will capture the ip to $1. I would also stick to using the CUSTOM1_LOG log file definitions until it's working before experimenting with using SMTPAUTH_LOG.
# SMTP connection flooding in exim_mainlog
# Matches "SMTP connection from ... lost"
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+ \S+ SMTP connection from \S+ \[(\S+)\]:\d+ lost D=\d+s/)) {
return ("Blocked SMTP connection lost from",$1,"customsmtp1","10","25,465,587","1");
}

Found another issue...
("Blocked SMTP connection lost from",$1,"customsmtp1","10","25,465,587","1","0")
Should be...
("Blocked SMTP connection lost from",$1,"customsmtp1","10","25,465,587","1")

I forgot all about the group assignation of the variables :( - thanks @fuzzylogic for the corrections.

Hi fuzzylogic. Thanks for your help, you solved it! Simply changing $1 to $3 worked with my original regex (which was based on some in RegexMain.pm anyway), whether there is a hostname or not, i.e.
if (($globlogs{SMTPAUTH_LOG}{$lgfile}) and ($line =~ /^\S+\s+\S+\s+(\[\d+\] )?SMTP connection from (\S+ )?\[(\S+)\](:\S*)? lost/)) {
return ("Blocked SMTP connection lost from",$3,"customsmtp1","10","25,465,587","1","0");
}
I don't know perl at all, and had wondered what the $1 was doing. Now I know (sort of *). About your last post, the final parameter is for CF_ENABLE, which I do not have enabled, but the expression works with the parameter in place (set to zero) anyway.
* If you have a bit more time, I am unclear as to what the 3 catches are? But thanks for your time.
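To see what the three captures actually hold without restarting lfd each time, here is a small stand-alone Perl harness. It is an added example for this thread, not csf's code and not something any of the posters ran: it feeds constructed exim_mainlog-style lines (documentation addresses, not real hosts) through the rule as first posted and as fixed, and prints what lands in the IP slot in each case. It assumes lfd fills %globlogs from csf.conf the way the rule relies on (that hash is filled by hand here) and it counts matches per IP with no time window, which is a simplification of lfd's threshold handling.

```perl
#!/usr/bin/perl
# Offline harness for a regex.custom.pm-style rule. Added example for this
# thread; it is not csf/lfd code and runs without csf installed.
use strict;
use warnings;

# Assumption: lfd builds %globlogs from csf.conf so that
# $globlogs{SMTPAUTH_LOG}{'/var/log/exim_mainlog'} is true for the settings
# quoted in the thread. Filled in by hand here.
my %globlogs = ( SMTPAUTH_LOG => { '/var/log/exim_mainlog' => 1 } );
my $logpath  = '/var/log/exim_mainlog';

# The regex from the thread: four groups, of which only the third is the IP.
my $rx = qr/^\S+\s+\S+\s+(\[\d+\] )?SMTP connection from (\S+ )?\[(\S+)\](:\S*)? lost/;

# The rule as first posted: the IP slot receives $1, the optional "[pid] " group.
sub rule_as_posted {
    my ($line, $lgfile) = @_;
    if (($globlogs{SMTPAUTH_LOG}{$lgfile}) and ($line =~ $rx)) {
        return ("Blocked SMTP connection lost from", $1, "customsmtp1", "10", "25,465,587", "1", "0");
    }
    return 0;
}

# The rule as fixed: $3 is the address inside the square brackets. The seventh
# field (CF_ENABLE) is dropped, following fuzzylogic's correction.
sub rule_fixed {
    my ($line, $lgfile) = @_;
    if (($globlogs{SMTPAUTH_LOG}{$lgfile}) and ($line =~ $rx)) {
        # $1 = optional "[pid] ", $2 = optional "hostname ", $3 = IP, $4 = optional ":port"
        return ("Blocked SMTP connection lost from", $3, "customsmtp1", "10", "25,465,587", "1");
    }
    return 0;
}

# Constructed sample lines in the format quoted in the thread. The first line
# is repeated so that one address crosses the rule's threshold of 10.
my @samples = (
    ('2018-06-10 10:10:34 SMTP connection from hostname [192.0.2.10]:52250 lost D=10s') x 11,
    '2018-06-10 10:10:35 SMTP connection from [198.51.100.7]:41022 lost',
    '2018-06-10 10:10:36 [4242] SMTP connection from mail.example.net [203.0.113.9]:25 lost D=3s',
    '2018-06-10 10:10:37 no host name found for IP address 203.0.113.9',
);

my %hits;
for my $line (@samples) {
    my @posted = rule_as_posted($line, $logpath);
    my @fixed  = rule_fixed($line, $logpath);
    if (@fixed < 2) {            # the sub returned 0: no match on this line
        print "no match: $line\n";
        next;
    }
    printf "%-60.60s posted=%-9s fixed=%s\n", $line,
        defined $posted[1] ? "'$posted[1]'" : 'undef', $fixed[1];
    $hits{ $fixed[1] }++;
}

# Simplified view of the ThresholdCount field (index 3 of the returned list):
# lfd counts matches per IP within LF_INTERVAL; the time window is ignored here.
my $threshold = 10;
for my $ip (sort keys %hits) {
    printf "%-15s %2d hit(s)%s\n", $ip, $hits{$ip},
        $hits{$ip} >= $threshold ? "  -> would be blocked" : '';
}
```

Run it with perl and compare the two columns: for lines without a pid prefix the posted rule puts undef in the IP slot, and for the line with "[4242] " it puts that bracketed pid there, so lfd never had an address it could block; the fixed rule yields the address in every case, and the tally shows 192.0.2.10 reaching the threshold while the two single hits do not.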

Brilliant, thanks rpvw

@fuzzylogic and @rpvw Nice work guys, thanks for all your help on this! @phil99 I'm glad to see they were able to help you get sorted please let us know if you have any further issues but for now I think we can safely mark this one as solved.