Author Topic: CSF custom regex / Fail2ban regex  (Read 13597 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
CSF custom regex / Fail2ban regex
« on: May 02, 2016, 12:48:40 PM »
Hello everyone, my VPS getting lots of spam activities showing in the mail log. I know CSF or fail2ban might help on this but I need someone helping me on the custom regex on CSF / fail2ban for detecting the patterns at below.

Quote
Apr 29 21:50:20 server postfix/smtpd[20416]: NOQUEUE: reject: RCPT from LStLambert-657-1-68-104.w80-13.abo.wanadoo.fr[80.13.44.104]: 454 4.7.1 Service unavailable; Client host [80.13.44.104] blocked using dnsbl.sorbs.net; Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?80.13.44.104; from=<> to=<Marrero_Cecil@domain.com> proto=ESMTP helo=<EX16.SUR-INTERNET.COM>
Apr 29 21:50:26 server postfix/smtpd[20419]: NOQUEUE: reject: RCPT from exchange.swissfilms.ch[213.200.251.180]: 450 4.1.1 <numbers_danial@domain.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<numbers_danial@domain.com> proto=ESMTP helo=<exchange.swissfilms.ch>

I had this regex set in the file /etc/csf/regex.custom.pm, but it did not work.
Quote
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /^\S+\s+\S+\s+(\S+)\s+reject: RCPT from \S+: 450 4.1.1/))  {
      return ("SMTP spam attack",$1,"SMTP","1","1");
}

As for fail2ban, I enabled the [postfix-tcpwrapper] at /etc/fail2ban/jail.conf. And, in file /etc/fail2ban/filter.d/postfix.conf, I had the regex pattern set but nothing seems to work as nothing appended into file /etc/hosts.deny.
Quote
[postfix-tcpwrapper]
enabled  = true
filter   = postfix
action   = hostsdeny[file=/etc/hosts.deny]
logpath  = /var/log/postfix.log
bantime  = 604800
ignoreip = 127.0.0.1/8
findtime  = 300
maxretry = 1

Quote
failregex = reject: RCPT from .*\[<HOST>\]: 450 4.1.1
            .*postfix/\smtpd.*reject: RCPT from .*\[<HOST>\]: 450 4.1.1

Anyone can advise me on the regex pattern? Thanks.

Offline
*
Re: CSF custom regex / Fail2ban regex
« Reply #1 on: May 06, 2016, 07:55:17 AM »
Finally I managed to get both the CSF regex & fail2ban regex to work and the spam being minimized a lot. Hope this will help someone.  ;)

For CSF
========
1. Set the value of CUSTOM2_LOG in CSF to /var/log/maillog.

2. Set the following in /etc/csf/regex.custom.pm. You may also test your regex pattern at https://regex101.com.
Quote
if (($lgfile eq $config{CUSTOM2_LOG}) and ($line =~ /^.*postfix\/smtpd\[.*\]: NOQUEUE: reject: RCPT from (\S+)\[(\S+)\]: 450 4.1.1 <(\S+)>.*$/))  {
      #It will block permanently anyone with more than 1 matches.
      return ("450 4.1.1 spammer do not delete - $3",$2,"SMTP","1","25,587,465","1");
}

3. Restart CSF & LFD.
Quote
service lfd restart
csf -r

4. Check the CSF log file /etc/csf/csf.deny.


For fail2ban
========
1. In /etc/fail2ban/jail.conf, [postfix-tcpwrapper] section, set the following.
Quote
enabled  = true
filter   = postfix
action   = hostsdeny[file=/etc/hosts.deny]
logpath  = /var/log/maillog
bantime  = 604800
ignoreip = 127.0.0.1/8
findtime  = 300
maxretry = 3
You may adjust the value of bantime & maxretry with your own desire value.

2. Set the regex in /etc/fail2ban/filter.d/postfix.conf.
Quote
failregex = reject: RCPT from .*\[<HOST>\]: 450 4.1.1
            reject: RCPT from .*\[<HOST>\]: 454 4.7.1
            reject: RCPT from (.*)\[<HOST>\]: 554

3. You may test run the regex checking with the command as below.
Quote
fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/postfix.conf

4. Restart fail2ban service. (service fail2ban restart)

5. Check the file /etc/hosts.deny see if any IP being banned.