annotate syslog2iptables.conf @ 50:75361069c6ef
changes for fedora 10
author | Carl Byington <carl@five-ten-sg.com> |
date | Wed, 24 Dec 2008 18:40:54 -0800 |
parents | d9ae11033b4b |
children | 206448c00b55 |
// syslog2iptables.conf — global settings.
//
// threshold: score an address must accumulate before add_command is run
// for it.  Presumably compared against the running total of the "bucket"
// values of the patterns it matched below — confirm against the manual.
threshold 550;

// Commands used to block and later unblock an address.  %s is replaced
// with the text captured by the matching pattern's "index" group, which
// in every pattern below is the client address.  The two commands must
// be exact inverses (same chain and match terms, -I vs -D); otherwise
// remove_command cannot find the rule to delete and the DROP rule stays.
add_command "/sbin/iptables -I INPUT --src %s --jump DROP";
remove_command "/sbin/iptables -D INPUT --src %s --jump DROP";

// Addresses that are never blocked, however many pattern matches they
// produce.  Put management hosts, monitoring systems and (see the note
// in the maillog section) upstream MX relays here, so that a burst of
// matching log lines from a trusted host cannot lock it out.
ignore {
    127.0.0.0/8; // localhost
};

// Disabled example: a Cisco firewall log.  Shows the stanza shape used
// throughout this file — file { pattern { index; bucket; message; }; };
// Here "index 2" is needed because group 1 is the protocol (tcp|udp) and
// group 2 the address.
// file "/var/log/cisco.log" {
//     pattern "Internet_Firewall denied (tcp|udp) ([^(]*)" {
//         index 2; // zero based
//         bucket 200;
//         message "cisco firewall blocked packet";
//     };
// };

// /var/log/secure: ssh and ftp authentication failures.
// index is zero based: group 0 is the whole match, so "index 1" selects
// the first parenthesised group, which is the client address in each
// pattern below.
file "/var/log/secure" {
    // IPv4-mapped IPv6 form ("::ffff:a.b.c.d"); capture only the IPv4
    // part so that iptables is handed a plain IPv4 --src.
    pattern "sshd.*Failed password .* from ::ffff:(.*) port" {
        index 1; // zero based
        bucket 400;
        message "ssh failed password";
    };
    // Plain form.  NOTE(review): this regex also matches the ::ffff:
    // lines handled above (capturing "::ffff:a.b.c.d"); whether such a
    // line is scored once or twice depends on whether the tool stops at
    // the first matching pattern — confirm, since 400 + 400 exceeds
    // threshold 550 on a single failure.
    pattern "sshd.*Failed password .* from (.*) port" {
        index 1; // zero based
        bucket 400;
        message "ssh failed password";
    };
    // proftpd: unknown user; the address precedes the bracketed field.
    pattern "proftpd.*no such user found from (.*) \[" {
        index 1; // zero based
        bucket 400;
        message "ftp failed password";
    };
};

// /var/log/messages: pop3 login failures (ipop3d).  A disabled pam_unix
// ssh stanza for this same file is kept at the end of this config.
file "/var/log/messages" {
    // Captures the bracketed field at the end of the ipop3d line, which
    // is used as the client address.
    pattern "ipop3d.* Login failed .* \[(.*)\]" {
        index 1; // zero based
        bucket 400;
        message "pop3 failed password";
    };
};

// /var/log/httpd/access_log: requests for scripts that do not exist on
// this host, treated as probing.  Every pattern here captures "(.*)" at
// the start of the line — in Apache's default log format that leading
// field is the remote host — so the client address, not a path, is
// what ends up in add_command.  Disable any pattern whose path you
// actually serve; none of the paths are anchored, so any URL that
// contains them matches.
file "/var/log/httpd/access_log" {
    // of course you cannot use this if you actually use cgi-bin directories
    pattern "(.*) - - .* /cgi-bin" {
        index 1; // zero based
        bucket 400;
        message "apache cgi-bin reference";
    };
    // or if you actually have an index2.php script
    pattern "(.*) - - .*/index2.php" {
        index 1; // zero based
        bucket 400;
        message "apache index2.php reference";
    };
    // or if you have a main.php script
    pattern "(.*) - - .*/main.php" {
        index 1; // zero based
        bucket 400;
        message "apache main.php reference";
    };
    pattern "(.*) - - .*/awstats.pl" {
        index 1; // zero based
        bucket 400;
        message "apache awstats.pl reference";
    };
    pattern "(.*) - - .*/adxmlrpc" {
        index 1; // zero based
        bucket 400;
        message "apache adxmlrpc reference";
    };
};

// /var/log/maillog: sendmail and dovecot abuse indicators.
file "/var/log/maillog" {
    // Client dropped the connection right after MAIL/RCPT/AUTH.
    pattern "lost input channel from .* \[(.*)\] .* after (mail|rcpt|auth)" {
        index 1; // zero based
        bucket 200;
        message "sendmail spammer dropping connection";
    };
    // 600 exceeds threshold 550, so (if bucket is the per-match score)
    // a single match is enough to block the address.
    pattern " \[(.*)\]: possible SMTP attack" {
        index 1; // zero based
        bucket 600;
        message "sendmail authentication attack";
    };
    pattern "rejecting commands from .* \[(.*)\] due to pre-greeting traffic" {
        index 1; // zero based
        bucket 200;
        message "sendmail pre-greeting";
    };
    // NOTE(review): "rip=(.*)," is greedy, so the capture runs to the
    // LAST comma on the line; if dovecot prints further comma-separated
    // fields after rip=, the captured text is not a bare address.
    // Confirm against a real log line; "rip=([^,]*)," would capture
    // only the address.
    pattern "dovecot.*Aborted login.*rip=(.*)," {
        index 1; // zero based
        bucket 100;
        message "dovecot failed password";
    };
    // NOTE(review): this matches a client that was disconnected because
    // dovecot was shutting down, which is not a failed login; the
    // message text is inherited from the pattern above.  Confirm that
    // scoring these clients is intended.  Same greedy-capture caveat.
    pattern "dovecot: pop3-login: Disconnected: Shutting down.*rip=(.*)," {
        index 1; // zero based
        bucket 100;
        message "dovecot failed password";
    };

    // make sure your upstream MX servers are listed in the
    // ignore block above, otherwise you will kill them off
    // when they try to forward such mail to you.
    // (Null-sender messages, from=<>, that sendmail accepted for no
    // recipient, nrcpts=0.  The bracketed field at the end is the
    // connecting host, which for forwarded bounces is the relay, not
    // the originator — hence the warning above.)
    pattern "sendmail.*from=<>,.*nrcpts=0,.*\[(.*)\]" {
        index 1; // zero based
        bucket 200;
        message "sendmail rejected bounce";
    };
};

// Disabled alternative for systems whose sshd failures are logged by
// pam_unix to /var/log/messages rather than /var/log/secure.  If you
// enable it, fold the patterns into the live /var/log/messages stanza
// above (one stanza per file), and keep only one of the two ssh
// variants, since a failure logged to both files would presumably be
// scored twice.
// file "/var/log/messages" {
//     pattern "sshd.pam_unix.*authentication failure.*rhost=(.*) user=" {
//         index 1; // zero based
//         bucket 300;
//         message "ssh failed password";
//     };
//     pattern "sshd.pam_unix.*authentication failure.*rhost=(.*)$" {
//         index 1; // zero based
//         bucket 300;
//         message "ssh failed password";
//     };
// };