Mercurial > syslog2iptables
annotate xml/syslog2iptables.in @ 56:73dd2daeaf8e stable-1-0-13-2
switch to auto requires
author: Carl Byington <carl@five-ten-sg.com>
date: Wed, 17 Aug 2011 10:12:16 -0700
parents: d6fb7fca0394
children: b45dddebe8fc
<reference>
<title>@PACKAGE@ - Version @VERSION@</title>
<partintro>
<title>Packages</title>

<para>The various source and binary packages are available at <ulink
url="http://www.five-ten-sg.com/@PACKAGE@/packages/">http://www.five-ten-sg.com/@PACKAGE@/packages/</ulink>.
The most recent documentation is available at <ulink
url="http://www.five-ten-sg.com/@PACKAGE@/">http://www.five-ten-sg.com/@PACKAGE@/</ulink>.
</para>

<para>A <ulink
url="http://www.selenic.com/mercurial/wiki/">Mercurial</ulink> source
code repository for this project is available at <ulink
url="http://hg.five-ten-sg.com/@PACKAGE@/">http://hg.five-ten-sg.com/@PACKAGE@/</ulink>.
</para>

</partintro>

<refentry id="@PACKAGE@.1">
<refentryinfo>
<date>2009-01-25</date>
</refentryinfo>

<refmeta>
<refentrytitle>@PACKAGE@</refentrytitle>
<manvolnum>1</manvolnum>
<refmiscinfo>@PACKAGE@ @VERSION@</refmiscinfo>
</refmeta>

<refnamediv id='name.1'>
<refname>@PACKAGE@</refname>
<refpurpose>a simple adaptive firewall</refpurpose>
</refnamediv>

<refsynopsisdiv id='synopsis.1'>
<title>Synopsis</title>
<cmdsynopsis>
<command>@PACKAGE@</command>
<arg><option>-c</option></arg>
<arg><option>-d <replaceable class="parameter">n</replaceable></option></arg>
</cmdsynopsis>
</refsynopsisdiv>

<refsect1 id='description.1'>
<title>Description</title>

<para><command>@PACKAGE@</command> is a simple adaptive firewall. It
maintains the INPUT chain of the <citerefentry>
<refentrytitle>iptables</refentrytitle> <manvolnum>8</manvolnum>
</citerefentry> firewall set based on syslog entries. These syslog
entries are typically generated by your hardware firewall, but they
could come from any source. Any syslog entry that contains a host name
or ip address can be used as input to this package.</para>

<para>The <citerefentry> <refentrytitle>@PACKAGE@.conf</refentrytitle>
<manvolnum>5</manvolnum> </citerefentry> file specifies the syslog files
to be monitored, and the regular expressions (<citerefentry>
<refentrytitle>regex</refentrytitle> <manvolnum>7</manvolnum>
</citerefentry>) to be applied to new lines in those files. Each
regular expression needs an index to specify the matching substring that
contains either an ip address or host name, and a bucket count which is
added to the leaky bucket for that ip address when a matching line is
read from that syslog file.</para>

<para>Each ip address has an associated leaky bucket, which leaks one
token per second. Once the bucket contains more than a configurable
threshold number of tokens, that ip address is added to the INPUT chain
with a DROP target; more precisely, the context's add_command is run
with the address substituted for its %s token, and the commands in the
sample configuration insert such a DROP rule. When the bucket is drained
to zero, the remove_command is run and that ip address is removed from
the INPUT chain.</para>
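<para>The bucket arithmetic described above, as an added example in Python (not code from the syslog2iptables project): three patterns from the sample configuration's general context are applied to constructed log lines, every ip address gets a bucket that leaks one token per second, and the add_command and remove_command strings are recorded instead of executed. The following are assumptions of the example, not statements about the real tool: the first matching pattern wins, only literal ip addresses are accepted (the host name case is not handled), the second at which each line was read is supplied with the line, and Python's re module stands in for regex(7).</para>

```python
import ipaddress
import re
from dataclasses import dataclass, field

# (compiled regex, zero-based group index, bucket increment, message), mirroring
# three patterns of the sample configuration's "general" context. Python's re
# stands in for the POSIX regex(7) syntax the real tool uses.
PATTERNS = [
    (re.compile(r"sshd.*Failed password .* from ::ffff:(.*) port"), 1, 400, "ssh failed password"),
    (re.compile(r"sshd.*Failed password .* from (.*) port"), 1, 400, "ssh failed password"),
    (re.compile(r"proftpd.*no such user found from (.*) \["), 1, 400, "ftp failed password"),
]


def parse_ip(text):
    """Return the ip_address in `text`, or None if it is not a literal address.

    The capture group is usually `(.*)`, i.e. attacker-influenced log text, and
    the result is substituted into a shell command line, so nothing but an
    address may pass. Host names (which the man page allows) are not resolved
    here; this example only handles literal addresses.
    """
    try:
        addr = ipaddress.ip_address(text.strip())
    except ValueError:
        return None
    # Fold ::ffff:a.b.c.d onto a.b.c.d so both sshd log styles share one bucket.
    return getattr(addr, "ipv4_mapped", None) or addr


@dataclass
class Context:
    threshold: int
    add_command: str              # exactly one %s, replaced by the address
    remove_command: str
    ignore: list                  # ip_network objects that are never blocked
    patterns: list
    buckets: dict = field(default_factory=dict)    # ip -> (tokens, last update)
    blocked: set = field(default_factory=set)
    commands: list = field(default_factory=list)   # what would have been executed

    def _leaked(self, ip, now):
        """Bucket level for `ip` at `now`, after leaking one token per second."""
        tokens, last = self.buckets.get(ip, (0, now))
        return max(0, tokens - (now - last))

    def feed(self, line, now):
        """Account one log line read at second `now`; the first matching pattern
        wins (an assumption: the man page does not say whether later patterns
        are tried). Returns (message, ip, tokens) for a counted line, else None."""
        for regex, index, bucket, message in self.patterns:
            m = regex.search(line)
            if not m:
                continue
            ip = parse_ip(m.group(index))
            if ip is None or any(ip in net for net in self.ignore):
                return None
            tokens = self._leaked(ip, now) + bucket
            self.buckets[ip] = (tokens, now)
            if tokens > self.threshold and ip not in self.blocked:
                self.blocked.add(ip)
                self.commands.append(self.add_command % str(ip))
            return (message, str(ip), tokens)
        return None

    def tick(self, now):
        """Leak every bucket; an address is unblocked once its bucket reaches zero."""
        for ip in list(self.buckets):
            tokens = self._leaked(ip, now)
            if tokens > 0:
                self.buckets[ip] = (tokens, now)
                continue
            del self.buckets[ip]
            if ip in self.blocked:
                self.blocked.discard(ip)
                self.commands.append(self.remove_command % str(ip))


# Constructed log lines (not real captures), each with the second it was read at.
SAMPLE_LOG = [
    (0, "Aug 17 10:12:01 host sshd[1234]: Failed password for root from ::ffff:203.0.113.7 port 51111 ssh2"),
    (2, "Aug 17 10:12:03 host sshd[1234]: Failed password for root from 203.0.113.7 port 51112 ssh2"),
    (3, "Aug 17 10:12:04 host sshd[1235]: Failed password for admin from 127.0.0.1 port 40000 ssh2"),
    (5, "Aug 17 10:12:06 host proftpd[77]: no such user found from 198.51.100.9 [198.51.100.9] to 192.0.2.1:21"),
]


def run_simulation():
    """Replay SAMPLE_LOG through the sample "general" context, then let time pass."""
    ctx = Context(
        threshold=550,
        add_command="/sbin/iptables -I INPUT --src %s --jump DROP",
        remove_command="/sbin/iptables -D INPUT --src %s --jump DROP",
        ignore=[ipaddress.ip_network("127.0.0.0/8")],
        patterns=PATTERNS,
    )
    events = [ctx.feed(line, t) for t, line in SAMPLE_LOG]
    ctx.tick(400)   # 203.0.113.7 still holds 400 tokens: the rule stays
    ctx.tick(801)   # every bucket has drained: the rule is removed
    return ctx, events


if __name__ == "__main__":
    ctx, events = run_simulation()
    for event in events:
        print(event)
    print("\n".join(ctx.commands))
```

<para>With threshold 550 and bucket 400, one failed login leaves 400 tokens; a second one two seconds later leaves 398 + 400 = 798, which exceeds the threshold and produces the DROP command, and at one token per second the rule is removed roughly 800 seconds after the last hit. The ::ffff: prefix that sshd logs on dual-stack hosts is folded away so both log styles hit the same bucket, and the 127.0.0.1 line is dropped by the ignore list before it is counted. The check in parse_ip matters because the capture is (.*) over text a remote peer influenced and the result lands in a shell command line.</para>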

<para>The discussion has focused on syslog files, but any ascii text
file can be used, so long as some other process appends lines to that
file, and those lines containing hostname or ip addresses can be matched
with some regular expression.</para>

<para>Considering syslog files in particular, these are normally rotated
via logrotate. <command>@PACKAGE@</command> properly detects and
handles this case by closing the old file, and reopening the newly
created file.</para>
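<para>Rotation handling as an added example in Python (not the project's own file watching): the follower compares the inode behind the path with the inode of its open descriptor, drains what is still unread in the old file before switching to the new one, and also recovers from a copytruncate style rotation where the inode stays the same but the file shrinks. It assumes a POSIX filesystem, where a renamed file keeps its inode and remains readable through the already open descriptor.</para>

```python
import os
import tempfile


class LogFollower:
    """Report lines appended to `path`, surviving logrotate.

    Rotation by rename shows up as a changed inode behind `path`; rotation by
    copytruncate shows up as the file shrinking below the read position.
    Before switching, whatever is still unread in the old file is drained, so
    a line written between the rename and the poll is not lost.
    """

    def __init__(self, path):
        self.path = path
        self.rotations = 0
        self._open(seek_end=True)   # like the daemon, only lines appended from now on count

    def _open(self, seek_end):
        self.fh = open(self.path, "rb")   # binary: tell()/seek() are plain byte offsets
        self.ino = os.fstat(self.fh.fileno()).st_ino
        if seek_end:
            self.fh.seek(0, os.SEEK_END)

    def _drain(self):
        """Read every complete line from the current position."""
        lines = []
        while True:
            pos = self.fh.tell()
            raw = self.fh.readline()
            if not raw:
                return lines
            if not raw.endswith(b"\n"):   # writer is mid-line: rewind, retry next poll
                self.fh.seek(pos)
                return lines
            lines.append(raw.decode("utf-8", "replace").rstrip("\n"))

    def poll(self):
        lines = self._drain()
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            return lines                   # renamed away, not yet recreated: keep the old fd
        if st.st_ino != self.ino:          # logrotate renamed it and a fresh file appeared
            self.fh.close()
            self._open(seek_end=False)     # nothing in the new file has been seen yet
            self.rotations += 1
            lines += self._drain()
        elif st.st_size < self.fh.tell():  # copytruncate: same inode, contents reset
            self.fh.seek(0)
            self.rotations += 1
            lines += self._drain()
        return lines

    def close(self):
        self.fh.close()


def demo_rotation():
    """Write, rotate the way logrotate does (rename, then recreate), write again.

    Returns (lines the follower reported, rotations it detected); runs in a
    temporary directory with constructed content.
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "secure")
        with open(path, "ab") as f:
            f.write(b"line 1\n")           # already present at start: must not be reported
        follower = LogFollower(path)
        with open(path, "ab") as f:
            f.write(b"line 2\n")
        seen = follower.poll()
        os.rename(path, path + ".1")       # logrotate moves the old file aside ...
        with open(path + ".1", "ab") as f:
            f.write(b"line 3\n")           # ... a late writer may still append to it ...
        with open(path, "ab") as f:
            f.write(b"line 4\n")           # ... and a new file appears under the old name
        seen += follower.poll()
        seen += follower.poll()            # steady state: nothing new
        follower.close()
    return seen, follower.rotations


if __name__ == "__main__":
    print(demo_rotation())
```

<para>The order inside poll is the point: the old descriptor is drained first and only then is the inode compared, so "line 3", written to the renamed file after the previous poll, is reported before the follower moves on to "line 4" in the new file. A daemon that simply reopened the path on every rotation would miss it.</para>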
</refsect1>

<refsect1 id='options.1'>
<title>Options</title>
<variablelist>
<varlistentry>
<term>-c</term>
<listitem>
<para>
Load the configuration file, print a canonical form
of the configuration on stdout, and exit.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-d <replaceable class="parameter">n</replaceable></term>
<listitem>
<para>
Set the debug level to <replaceable class="parameter">n</replaceable>.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>

<refsect1 id='usage.1'>
<title>Usage</title>
<para><command>@PACKAGE@</command> -d 2</para>
</refsect1>

<refsect1 id='configuration.1'>
<title>Configuration</title>
<para>
The configuration file is documented in <citerefentry>
<refentrytitle>@PACKAGE@.conf</refentrytitle> <manvolnum>5</manvolnum>
</citerefentry>. Any change to the config file will cause it to be
reloaded within three minutes.
</para>
</refsect1>

<refsect1 id='todo.1'>
<title>TODO</title>
<para>
The following ideas are under consideration.
</para>
<para>
Add a configuration option for the iptables table name in the
pattern statement. This implies handling multiple tables, so each
table needs its own map of ip addresses and bucket values.
</para>
</refsect1>

<refsect1 id='copyright.1'>
<title>Copyright</title>
<para>
Copyright (C) 2007 by 510 Software Group <carl@five-ten-sg.com>
</para>
<para>
This program is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation; either version 3, or (at your option) any
later version.
</para>
<para>
You should have received a copy of the GNU General Public License along
with this program; see the file COPYING. If not, please write to the
Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
</para>
</refsect1>

<refsect1 id='version.1'>
<title>Version</title>
<para>
@VERSION@
</para>
</refsect1>
</refentry>


<refentry id="@PACKAGE@.conf.5">
<refentryinfo>
<date>2009-01-25</date>
</refentryinfo>

<refmeta>
<refentrytitle>@PACKAGE@.conf</refentrytitle>
<manvolnum>5</manvolnum>
<refmiscinfo>@PACKAGE@ @VERSION@</refmiscinfo>
</refmeta>

<refnamediv id='name.5'>
<refname>@PACKAGE@.conf</refname>
<refpurpose>configuration file for @PACKAGE@</refpurpose>
</refnamediv>

<refsynopsisdiv id='synopsis.5'>
<title>Synopsis</title>
<cmdsynopsis>
<command>@PACKAGE@.conf</command>
</cmdsynopsis>
</refsynopsisdiv>

<refsect1 id='description.5'>
<title>Description</title>
<para>The <command>@PACKAGE@.conf</command> configuration file is
specified by this partial BNF description. The entire config file
is case sensitive. All the keywords are lower case. Comments run from
// to the end of the line, as in the sample below. The index in a
pattern statement is zero based, so index 1 selects the first
parenthesized group of the regular expression.
</para>

<literallayout class="monospaced"><![CDATA[
CONFIG    := {CONTEXT ";"}+
CONTEXT   := "context" NAME "{" {STATEMENT}+ "}"
STATEMENT := (THRESHOLD | ADD-CMD | REM-CMD | IGNORE | FILE) ";"
THRESHOLD := "threshold" THRESHOLD-INTEGER-VALUE
ADD-CMD   := "add_command" IPT-CMD
REM-CMD   := "remove_command" IPT-CMD
IGNORE    := "ignore" "{" IG-SINGLE+ "}"
IG-SINGLE := IP-ADDRESS "/" CIDR-BITS ";"
FILE      := "file" FILENAME "{" PATTERN+ "}"
PATTERN   := "pattern" REGULAR-EXPRESSION "{" {INDEX | BUCKET | MESSAGE}+ "};"
INDEX     := "index" REGEX-INTEGER-VALUE ";"
BUCKET    := "bucket" BUCKET-ADD-INTEGER-VALUE ";"
MESSAGE   := "message" REASON ";"
REASON    := string to appear in syslog messages
IPT-CMD   := string containing exactly one %s replacement token for
             the ip address]]></literallayout>
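<para>A parser for the grammar above, as an added example in Python (not the project's own configuration parser): it tokenizes the file, builds one dictionary per context, and validates the two points that matter at load time, namely that add_command and remove_command carry exactly one %s token and that a pattern's index does not exceed the number of capture groups in its regular expression. Assumptions of the example: // comments run to the end of the line as in the sample, backslashes inside quoted strings are kept literally because they belong to the regular expression, Python's re stands in for regex(7), and the validation rules are the example's own rather than documented behaviour of the tool.</para>

```python
import ipaddress
import re

# Whitespace and // comments yield no token; a quoted string keeps its backslashes;
# { } ; are punctuation; anything else is a bare word (keyword, name, integer, CIDR).
_TOKEN = re.compile(r'\s+|//[^\n]*|"((?:[^"\\]|\\.)*)"|([{};])|([^\s{};"]+)')


def tokenize(text):
    tokens, pos = [], 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unexpected character at offset {pos}")
        pos = m.end()
        if m.group(1) is not None:
            tokens.append(("str", m.group(1)))
        elif m.group(2):
            tokens.append(("punct", m.group(2)))
        elif m.group(3):
            tokens.append(("word", m.group(3)))
    return tokens


class Parser:
    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind, value=None):
        k, v = self.peek()
        if k != kind or (value is not None and v != value):
            raise ValueError(f"expected {value or kind!r}, got {v!r} at token {self.i}")
        self.i += 1
        return v

    def parse(self):                       # CONFIG := {CONTEXT ";"}+
        contexts = {}
        while self.peek() != (None, None):
            self.take("word", "context")
            name = self.take("word")
            self.take("punct", "{")
            contexts[name] = self.context()
            self.take("punct", "}")
            self.take("punct", ";")
        return contexts

    def context(self):                     # {STATEMENT}+, each terminated by ";"
        ctx = {"threshold": None, "add_command": None, "remove_command": None,
               "ignore": [], "files": {}}
        while self.peek() != ("punct", "}"):
            key = self.take("word")
            if key == "threshold":
                ctx[key] = int(self.take("word"))
            elif key in ("add_command", "remove_command"):
                ctx[key] = self.take("str")
                if ctx[key].count("%s") != 1:    # the address is substituted here
                    raise ValueError(f"{key} needs exactly one %s replacement token")
            elif key == "ignore":
                self.take("punct", "{")
                while self.peek() != ("punct", "}"):
                    ctx["ignore"].append(ipaddress.ip_network(self.take("word"), strict=False))
                    self.take("punct", ";")
                self.take("punct", "}")
            elif key == "file":
                patterns = ctx["files"].setdefault(self.take("str"), [])
                self.take("punct", "{")
                while self.peek() != ("punct", "}"):
                    patterns.append(self.pattern())
                self.take("punct", "}")
            else:
                raise ValueError(f"unknown statement {key!r}")
            self.take("punct", ";")
        return ctx

    def pattern(self):                     # "pattern" REGEX "{" {INDEX|BUCKET|MESSAGE}+ "};"
        self.take("word", "pattern")
        regex = re.compile(self.take("str"))   # Python re standing in for regex(7)
        pat = {"regex": regex, "index": None, "bucket": None, "message": None}
        self.take("punct", "{")
        while self.peek() != ("punct", "}"):
            key = self.take("word")
            if key in ("index", "bucket"):
                pat[key] = int(self.take("word"))
            elif key == "message":
                pat[key] = self.take("str")
            else:
                raise ValueError(f"unknown pattern field {key!r}")
            self.take("punct", ";")
        self.take("punct", "}")
        self.take("punct", ";")
        if pat["index"] is None or pat["index"] > regex.groups:   # group 0 is the whole match
            raise ValueError(f"index {pat['index']} exceeds the {regex.groups} capture group(s)")
        return pat


def parse_config(text):
    return Parser(text).parse()


def config_error(text):
    """The parse error for `text`, or None when it is valid (a -c style check)."""
    try:
        parse_config(text)
    except ValueError as e:
        return str(e)
    return None


# Constructed configuration in the documented grammar, a subset of the page's sample.
SAMPLE_CONF = r'''
context general {
    threshold 550;
    add_command "/sbin/iptables -I INPUT --src %s --jump DROP";
    remove_command "/sbin/iptables -D INPUT --src %s --jump DROP";
    ignore { 127.0.0.0/8; };   // localhost
    file "/var/log/secure" {
        pattern "sshd.*Failed password .* from (.*) port" { index 1; bucket 400; message "ssh failed password"; };
        pattern "proftpd.*no such user found from (.*) \[" { index 1; bucket 400; message "ftp failed password"; };
    };
};
'''
```

<para>The capture-group check is the one worth keeping even in a throwaway tool: a pattern whose index points past its last group would never yield an address, so the line would be silently ignored rather than counted. The %s check catches the opposite failure, a command that runs without any address in it, which for an iptables -I line means a rule with no --src at all.</para>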
</refsect1>

<refsect1 id='sample.5'>
<title>Sample</title>
<literallayout class="monospaced"><![CDATA[
context dns {
    threshold 1100;

    add_command "/sbin/iptables -I INPUT --protocol udp --destination-port 53 --src %s --jump DROP";
    remove_command "/sbin/iptables -D INPUT --protocol udp --destination-port 53 --src %s --jump DROP";

    ignore {
        127.0.0.0/8;    // localhost
    };

    file "/var/log/messages" {
        pattern "named.*client (.*)#.*query.*cache.*denied" {
            index 1;    // zero based
            bucket 400;
            message "DNS attack";
        };
    };
};

context general {
    threshold 550;

    add_command "/sbin/iptables -I INPUT --src %s --jump DROP";
    remove_command "/sbin/iptables -D INPUT --src %s --jump DROP";

    ignore {
        127.0.0.0/8;    // localhost
    };

    file "/var/log/secure" {
        pattern "sshd.*Failed password .* from ::ffff:(.*) port" {
            index 1;    // zero based
            bucket 400;
            message "ssh failed password";
        };
        pattern "sshd.*Failed password .* from (.*) port" {
            index 1;    // zero based
            bucket 400;
            message "ssh failed password";
        };
        pattern "proftpd.*no such user found from (.*) \[" {
            index 1;    // zero based
            bucket 400;
            message "ftp failed password";
        };
    };

    file "/var/log/messages" {
        pattern "ipop3d.* Login failed .* \[(.*)\]" {
            index 1;    // zero based
            bucket 400;
            message "pop3 failed password";
        };
    };

    file "/var/log/httpd/access_log" {
        // of course you cannot use this if you actually use cgi-bin directories
        pattern "(.*) - - .* /cgi-bin" {
            index 1;    // zero based
            bucket 400;
            message "apache cgi-bin reference";
        };
        // or if you actually have an index2.php script
        pattern "(.*) - - .*/index2.php" {
            index 1;    // zero based
            bucket 400;
            message "apache index2.php reference";
        };
        // or if you have a main.php script
        pattern "(.*) - - .*/main.php" {
            index 1;    // zero based
            bucket 400;
            message "apache main.php reference";
        };
        pattern "(.*) - - .*/awstats.pl" {
            index 1;    // zero based
            bucket 400;
            message "apache awstats.pl reference";
        };
        pattern "(.*) - - .*/adxmlrpc" {
            index 1;    // zero based
            bucket 400;
            message "apache adxmlrpc reference";
        };
    };

    file "/var/log/maillog" {
        pattern "lost input channel from .* \[(.*)\] .* after (mail|rcpt|auth)" {
            index 1;    // zero based
            bucket 200;
            message "sendmail spammer dropping connection";
        };
        pattern " \[(.*)\]: possible SMTP attack" {
            index 1;    // zero based
            bucket 600;
            message "sendmail authentication attack";
        };
        pattern "rejecting commands from .* \[(.*)\] due to pre-greeting traffic" {
            index 1;    // zero based
            bucket 200;
            message "sendmail pre-greeting";
        };
        pattern "dovecot.*Aborted login.*rip=(.*)," {
            index 1;    // zero based
            bucket 100;
            message "dovecot failed password";
        };
        pattern "dovecot: pop3-login: Disconnected: Shutting down.*rip=(.*)," {
            index 1;    // zero based
            bucket 100;
            message "dovecot failed password";
        };

        // make sure your upstream MX servers are listed in the
        // ignore block above, otherwise you will kill them off
        // when they try to forward such mail to you.
        pattern "sendmail.*from=<>,.*nrcpts=0,.*\[(.*)\]" {
            index 1;    // zero based
            bucket 200;
            message "sendmail rejected bounce";
        };
    };
};]]></literallayout>
</refsect1>

<refsect1 id='version.5'>
<title>Version</title>
<para>
@VERSION@
</para>
</refsect1>

</refentry>
</reference>