CSF / LFD regular expressions

In my last post I talked about two additions to my existing CSF / LFD configuration. The first one was a more transparent approach to the login failure daemon.

The second one is regular expressions to stop malicious IPs that aren't being stopped by the built-in mechanism.

Simply put: not all attacks are recognised as such. You can add your own rules instead of adding a lot of IPs to your deny list by hand.

LFD mail example

As said, not all attacks are picked up by the LFD mechanism. We can work around that with regular expressions. This is not very easy to do, but with these examples you can come a long way. As a first example we want to block these attempts:

Feb 16 08:13:32 mail02 postfix/submission/smtpd[4312]: warning: unknown[83.219.76.26]: SASL PLAIN authentication failed:

First, find the log in which the brute-force attempts occur. Register that log at the bottom of /etc/csf/csf.conf; in our case it is mail.log:

CUSTOM1_LOG = "/var/log/mail.log"

You may notice that, higher up in the file, other services already watch the exact same log. That does not matter: add it as a custom log as well.

Next add your regular expression to the /usr/local/csf/bin/regex.custom.pm file.

# Permanently block an IP address that has 10 failed SASL login attempts
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ postfix\/submission\/smtpd\[\d+\]: warning:.*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]*? authentication failed/)) {
return ("Failed SASL login from",$1,"mysaslmatch","10","25,465,587","1");
}

This permanently blocks an IP that has 10 failed SASL login attempts. The returned values are, in order: the text for the alert, the IP address captured in $1, a unique identifier that LFD counts triggers under, the number of triggers before a block, the ports to block, and the block duration in seconds, where 1 means a permanent block.

Restart CSF and LFD.

# csf -r
# systemctl restart csf lfd

As said, regular expressions are not an easy task to set up. An online regex tester helps: build your expression, paste in the log line you want to catch and check that it matches and that the IP ends up in the capture group.

LFD Nginx example

Block Nginx vulnerability scanners. Both rules below match messages that Nginx writes to its error log (a request denied by a deny rule, and a request for a file that does not exist), so that is the log to register, not the access log:

CUSTOM1_LOG = "/var/log/nginx/error.log"

Next add your regular expression to the /usr/local/csf/bin/regex.custom.pm file.

# NginX security rules trigger - 10 hits block for 24 hours
# Catch an IP that attempts to access a URL that is forbidden by NginX rules
# The comma after the capture is needed: "client: 1.2.3.4, server: ..." would otherwise give $1 = "1.2.3.4," (with the comma)
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /.*access forbidden by rule, client: (\S+),.*/)) {
return ("NGINX Security rule triggered from",$1,"nginx_security","10","80,443","86400");
}

# NginX 404 errors - 10 hits block for 24 hours
# Catch an IP that accesses non-existent files and directories
if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /.*No such file or directory\), client: (\S+),.*/)) {
return ("NGINX Security rule triggered from",$1,"nginx_404s","10","80,443","86400");
}

Restart CSF and LFD.

# csf -r
# systemctl restart csf lfd

When you're adding multiple custom logs, be sure to reference the correct one in each expression: if you keep the mail example on the same host, the mail log stays CUSTOM1_LOG, the Nginx log goes into CUSTOM2_LOG, and the two Nginx rules must test $globlogs{CUSTOM2_LOG}{$lgfile}. A rule that tests the wrong CUSTOMn_LOG never sees the lines it was written for and silently does nothing.
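To check the rules from both examples offline, here is an added test harness (my own example, not code from the post or from CSF): it applies the same patterns that regex.custom.pm would, under Python's re module, to a handful of constructed log lines, counts triggers per identifier and IP the way lfd does before it blocks, and shows what the capture group returns. The Perl patterns are used unchanged apart from the escaped slashes (\/ is just / in Python); the mail log is assumed to be CUSTOM1_LOG and the Nginx error log CUSTOM2_LOG. All log lines, hostnames and the 192.0.2.x / 198.51.100.x addresses are constructed for the example.

```python
import re
from collections import defaultdict

# One entry per regex.custom.pm block, in the order of its return tuple:
# (log setting, pattern with the client IP in group 1, alert text, identifier,
#  triggers before blocking, ports, block seconds; 1 = permanent)
RULES = [
    ("CUSTOM1_LOG",
     re.compile(r"^\S+\s+\d+\s+\S+ \S+ postfix/submission/smtpd\[\d+\]: warning:"
                r".*\[(\d+\.\d+\.\d+\.\d+)\]: SASL [A-Z]*? authentication failed"),
     "Failed SASL login from", "mysaslmatch", 10, "25,465,587", 1),
    ("CUSTOM2_LOG",
     re.compile(r"access forbidden by rule, client: (\S+),"),
     "NGINX Security rule triggered from", "nginx_security", 10, "80,443", 86400),
    ("CUSTOM2_LOG",
     re.compile(r"No such file or directory\), client: (\S+),"),
     "NGINX Security rule triggered from", "nginx_404s", 10, "80,443", 86400),
]

# Constructed sample lines (not from a real host), in the formats the post shows.
MAIL_LINES = [
    f"Feb 16 08:13:{32 + i:02d} mail02 postfix/submission/smtpd[4312]: warning: "
    f"unknown[83.219.76.26]: SASL PLAIN authentication failed:"
    for i in range(10)
] + [
    "Feb 16 08:14:01 mail02 postfix/submission/smtpd[4312]: warning: "
    "unknown[192.0.2.10]: SASL LOGIN authentication failed:",
    # Plain postfix/smtpd (port 25) is not matched by the submission-only pattern.
    "Feb 16 08:14:02 mail02 postfix/smtpd[4400]: warning: "
    "unknown[192.0.2.10]: SASL LOGIN authentication failed:",
]
NGINX_LINES = [
    '2019/02/16 08:20:01 [error] 1234#1234: *7 access forbidden by rule, '
    'client: 198.51.100.5, server: example.com, request: "GET /.git/config HTTP/1.1", '
    'host: "example.com"',
    '2019/02/16 08:20:02 [error] 1234#1234: *8 open() "/var/www/html/wp-login.php" failed '
    '(2: No such file or directory), client: 198.51.100.5, server: example.com, '
    'request: "GET /wp-login.php HTTP/1.1", host: "example.com"',
]


def custom_line(log_key, line):
    """Mimic regex.custom.pm: the first rule for this log that matches wins.

    Perl's =~ /.../ is a search, not an anchored match, so re.search is used.
    Returns (text, ip, identifier, triggers, ports, seconds) or None.
    """
    for key, pattern, text, ident, triggers, ports, seconds in RULES:
        if key != log_key:
            continue
        m = pattern.search(line)
        if m:
            return (text, m.group(1), ident, triggers, ports, seconds)
    return None


def check_capture(pattern, line):
    """Return what group 1 captures, to catch patterns that swallow a delimiter."""
    m = re.search(pattern, line)
    return m.group(1) if m else None


class TriggerCounter:
    """Counts hits per (identifier, ip) and records a block when the count is reached."""

    def __init__(self):
        self.hits = defaultdict(int)
        self.blocks = []  # (ip, identifier, ports, seconds)

    def feed(self, log_key, line):
        hit = custom_line(log_key, line)
        if hit is None:
            return None
        _text, ip, ident, triggers, ports, seconds = hit
        self.hits[(ident, ip)] += 1
        if self.hits[(ident, ip)] == triggers:
            block = (ip, ident, ports, seconds)
            self.blocks.append(block)
            return block
        return None


def simulate():
    """Run every sample line through the counter under its assumed CUSTOMn_LOG."""
    counter = TriggerCounter()
    for line in MAIL_LINES:
        counter.feed("CUSTOM1_LOG", line)
    for line in NGINX_LINES:
        counter.feed("CUSTOM2_LOG", line)
    return counter


if __name__ == "__main__":
    c = simulate()
    for (ident, ip), n in sorted(c.hits.items()):
        print(f"{ident:15s} {ip:15s} {n:3d} hits")
    for ip, ident, ports, seconds in c.blocks:
        print(f"BLOCK {ip} ({ident}) ports {ports} for {seconds}s")
```

Running it blocks 83.219.76.26 on the 10th SASL failure while 192.0.2.10 is only counted once: its second failure is logged by a plain postfix/smtpd process, which the submission-only pattern does not match, so it would need its own rule if you also want port 25 covered. The check_capture helper shows the delimiter problem in the Nginx lines: "client: (\S+)" captures "198.51.100.5," with the comma, and CSF cannot block that, whereas "client: (\S+)," captures the bare address. The counter here never ages hits out, whereas lfd only counts triggers that fall within LF_INTERVAL in csf.conf, so a slow scanner may never reach the threshold on a real host.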
