annotate syslog2iptables.conf.top @ 63:60f59936fabb

good authentication prevents ip blocking for awhile
author Carl Byington <carl@five-ten-sg.com>
date Sat, 19 Dec 2015 10:12:24 -0800
parents d80641be405b
children f17e6599b82c
// Top fragment of syslog2iptables.conf. It opens "context general" but never
// closes it; the build script from the parent changeset ("add script to build
// syslog2iptables.conf") presumably appends the remaining patterns and the
// closing "};" — inferred from the ".top" name, confirm against that script.
//
// Fields used by every pattern block below:
//   index   - zero-based position of the regex match element holding the
//             address; "index 1" presumably selects the first parenthesised
//             group, with 0 being the whole match (confirm with the daemon).
//   bucket  - amount added to that address's bucket on each match. Positive
//             values are used for failures. The negative values introduced in
//             this changeset credit an address on a successful login so that,
//             in the words of the changeset message, "good authentication
//             prevents ip blocking for awhile". No decay rate is set here.
//   message - text the daemon logs when the pattern matches.
//
// NOTE(review): a credit of -5000 against a threshold of 550 outweighs many
// 100- and 400-point failures, so one successful login shields an address
// (including a compromised account) from blocking for the whole decay window;
// size the credit against the decay settings, which are not in this fragment.
context general {
    // Presumably the bucket level at which add_command is run for an address
    // (and remove_command once it drops back) — confirm with the documentation.
    threshold 550;

    // %s is replaced by the captured text. Every capture group below should
    // therefore match only a bare address; confirm the daemon validates the
    // capture as an IP address before substituting it into these commands.
    add_command "/sbin/iptables -I INPUT --src %s --jump DROP";
    remove_command "/sbin/iptables -D INPUT --src %s --jump DROP";

    // Addresses that are never blocked, whatever their bucket.
    ignore {
        127.0.0.0/8; // localhost
    };

    file "/var/log/secure" {
        // Operator-driven credit: a logged line "manual unblock <addr>" pushes
        // that address well below threshold.
        pattern "manual unblock (.*)" {
            index 1; // zero based
            bucket -5000;
            message "manual unblock";
        };
        // IPv4-mapped form (::ffff:a.b.c.d) listed before the plain form so the
        // capture is the bare IPv4 address; whether the daemon stops at the
        // first matching pattern is not shown here.
        pattern "sshd.*Failed password .* from ::ffff:(.*) port" {
            index 1; // zero based
            bucket 400;
            message "ssh failed password";
        };
        pattern "sshd.*Failed password .* from (.*) port" {
            index 1; // zero based
            bucket 400;
            message "ssh failed password";
        };
        pattern "sshd.*authentication failure; .* rhost=(.*) " {
            index 1; // zero based
            bucket 400;
            message "ssh failed password";
        };
        pattern "sshd.*Did not receive identification string from (.*)" {
            index 1; // zero based
            bucket 400;
            message "ssh failed password";
        };
        pattern "proftpd.*no such user found from (.*) \[" {
            index 1; // zero based
            bucket 400;
            message "ftp failed password";
        };
        pattern "proftpd.* authentication failure; .* rhost=(.*) " {
            index 1; // zero based
            bucket 400;
            message "ftp failed password";
        };
        pattern "vsftpd.* authentication failure; .* rhost=(.*) " {
            index 1; // zero based
            bucket 400;
            message "ftp failed password";
        };
        // Dovecot failures are weighted 100 (set in this changeset) rather than
        // the 400 used for ssh/ftp; the same two patterns also appear under
        // /var/log/messages, presumably because the syslog facility differs
        // between hosts.
        pattern "dovecot.* authentication failure; .* rhost=::ffff:(.*) " {
            index 1; // zero based
            bucket 100;
            message "dovecot failed password";
        };
        pattern "dovecot.* authentication failure; .* rhost=(.*) " {
            index 1; // zero based
            bucket 100;
            message "dovecot failed password";
        };
    };

    file "/var/log/messages" {
        pattern "dovecot.* authentication failure; .* rhost=(.*) " {
            index 1; // zero based
            bucket 100;
            message "dovecot failed password";
        };
        // "local-net-to" / "outside-net-from" look like log prefixes from this
        // host's own iptables LOG rules — confirm against the firewall script.
        pattern "kernel.*local-net-to.*SRC=(.*) DST=.*DPT=" {
            index 1; // zero based
            bucket 400;
            message "kernel firewall blocked packet";
        };
        pattern "kernel.*outside-net-from.*SRC=(.*) DST=.*DPT=" {
            index 1; // zero based
            bucket 400;
            message "kernel firewall blocked packet";
        };
    };

    file "/var/log/maillog" {
        // Two groups here; index 1 takes the bracketed address, not the verb.
        pattern "lost input channel from.* \[(.*)\] .* after (mail|rcpt|auth)" {
            index 1; // zero based
            bucket 100;
            message "sendmail spammer dropping connection";
        };
        pattern " \[(.*)\].* possible SMTP attack" {
            index 1; // zero based
            bucket 100;
            message "sendmail authentication attack";
        };
        // Heaviest single penalty in the file: pre-greeting traffic alone
        // exceeds the 550 threshold.
        pattern "rejecting commands from.* \[(.*)\] due to pre-greeting traffic" {
            index 1; // zero based
            bucket 1800;
            message "sendmail pre-greeting";
        };
        pattern "authentication failure: checkpass failed, .*\[(.*)\]" {
            index 1; // zero based
            bucket 100;
            message "sendmail authentication failed";
        };
        // NOTE(review): in the three "rip=(.*)," patterns the greedy group runs
        // to the LAST comma on the line, so if the dovecot record carries fields
        // after rip= the capture is longer than the address. Confirm the daemon
        // takes only the leading address; otherwise tighten the group to exclude
        // commas (e.g. a "[^,]*" class, if the regex dialect allows it).
        pattern "dovecot.*Aborted login .* rip=(.*)," {
            index 1; // zero based
            bucket 100;
            message "dovecot failed password";
        };
        // Successful logins (new in this changeset): large negative credit so a
        // legitimately authenticated client is not blocked by later failures.
        pattern "dovecot.*Login: .* rip=(.*)," {
            index 1; // zero based
            bucket -5000;
            message "dovecot good authentication";
        };
        pattern "sendmail.*AUTH=server, .*\[(.*)\]," {
            index 1; // zero based
            bucket -5000;
            message "sendmail good authentication";
        };
    };