annotate syslog2iptables.conf @ 45:4fd5f0d51144

Added tag stable-1-10 for changeset 9e9f09cf411c
author Carl Byington <carl@five-ten-sg.com>
date Sat, 22 Mar 2008 11:01:54 -0700
parents d9ae11033b4b
children 75361069c6ef
1 threshold 550;
2
// NOTE(review): %s presumably receives the text selected by a pattern's
// capture group (the "index" setting) from a matched log line; only a
// validated address should ever reach this command line -- confirm the
// program checks that before substituting.
3 add_command "/sbin/iptables -I INPUT --src %s --jump DROP";
4 remove_command "/sbin/iptables -D INPUT --src %s --jump DROP";
5
6 ignore {
7 127.0.0.0/8; // localhost
8 };
9
10 // file "/var/log/cisco.log" {
11 // pattern "Internet_Firewall denied (tcp|udp) ([^(]*)" {
12 // index 2; // zero based
13 // bucket 200;
14 // message "cisco firewall blocked packet";
15 // };
16 // };
17
18 file "/var/log/secure" {
19 pattern "sshd.*Failed password .* from ::ffff:(.*) port" {
20 index 1; // zero based
21 bucket 400;
22 message "ssh failed password";
23 };
24 pattern "sshd.*Failed password .* from (.*) port" {
25 index 1; // zero based
26 bucket 400;
27 message "ssh failed password";
28 };
29 };
30
31 file "/var/log/httpd/access_log" {
32 // of course you cannot use this pattern if you actually serve cgi-bin directories
33 pattern "(.*) - - .* /cgi-bin" {
34 index 1; // zero based
35 bucket 400;
36 message "apache cgi-bin reference";
37 };
38 // or if you actually have an index2.php script
39 pattern "(.*) - - .*/index2.php" {
40 index 1; // zero based
41 bucket 400;
42 message "apache index2.php reference";
43 };
44 // or if you have a main.php script
45 pattern "(.*) - - .*/main.php" {
46 index 1; // zero based
47 bucket 400;
48 message "apache main.php reference";
49 };
50 };
51
52 file "/var/log/maillog" {
53 pattern "lost input channel from .* \[(.*)\] .* after mail" {
54 index 1; // zero based
55 bucket 200;
56 message "sendmail spammer dropping connection";
57 };
58
59 // make sure your upstream MX servers are listed in the
60 // ignore block above, otherwise you will kill them off
61 // when they try to forward such mail to you.
62 pattern "sendmail.*from=<>,.*nrcpts=0,.*\[(.*)\]" {
63 index 1; // zero based
64 bucket 200;
65 message "sendmail rejected bounce";
66 };
67 };
68
69 // file "/var/log/messages" {
70 // pattern "sshd.pam_unix.*authentication failure.*rhost=(.*) user=" {
71 // index 1; // zero based
72 // bucket 300;
73 // message "ssh failed password";
74 // };
75 // pattern "sshd.pam_unix.*authentication failure.*rhost=(.*)$" {
76 // index 1; // zero based
77 // bucket 300;
78 // message "ssh failed password";
79 // };
80 // };